Ransomware is evolving. Threat actors are moving away from indiscriminate attacks, instead choosing their marks very carefully with precisely targeted ransomware to achieve their desired outcome. In addition to targeting specific companies, they are striking at the most important and lucrative parts of the network. Often this is done with complete disregard for ethics. For example, they have targeted COVID vaccine research and other confidential personal data, delivering such grim consequences as to give even the most steadfast CISO sleepless nights.
Pinpoint targeting makes such malware hard to stop with conventional security controls alone. The answer is a layered defence. Conventional firewalls, endpoint protection, and detection and response tools need the backing of an in-network approach to counter threat actors once they try to move beyond the initially infected system. Organisations can build this layer with deception techniques that lure threat actors away from the real IT environment, combined with concealment techniques that hide assets and deny access to even the craftiest attacker. All the while, critical data and network services such as Active Directory stay safe and untouched.
Stand and deliver
Although “spray and pray” attacks are still occurring, they have become far less effective. Perimeter defences are better at spotting and stopping common malware. Users have also learned to be cautious about opening links and downloading files from blatant phishing attacks.
Threat actors have responded by altering their approach. Well-researched, multi-phased attacks now penetrate perimeter security and quietly scope out the highest-value targets. To do so, they enumerate Active Directory, hunt for credentials exposed on local systems, and look for vulnerable services listening on open ports. Armed with this information, the threat actor can fingerprint systems and covertly bypass defensive measures.
Some attackers execute a two-pronged strike, exfiltrating valuable data before unleashing the ransomware infection. Even if the victim refuses to pay, the perpetrator can still profit by selling the data, using it in future attacks, or extorting the organisation's customers.
By one estimate, businesses spent a total of $7.5 billion in 2019 recovering from ransomware attacks. Other research indicates that a company falls victim to ransomware every 40 seconds, which makes it very much a case of when, not if, an attack will occur.
The importance of a layered defence
The majority of organisations have endpoint protection measures to identify and block attacks with known threat signatures. An increasing number of businesses bolster these defences with behavioural analytics tools to detect suspicious behaviour that might indicate an intruder accessing the network with stolen credentials. A combined prevention and detection endpoint defence like this is a recommended way to protect assets from attackers.
However, this still leaves gaps. Threat actors may borrow advanced persistent threat (APT) style techniques, breaking out to other systems and avoiding detection by moving as slowly and carefully as possible. Against targeted ransomware, such gaps can be costly, and endpoint protection and detection and response tools do not close them as completely as many assume.
One answer is to add an in-network layer that backs up the perimeter defences: a deceptive one that combines camouflage and data concealment in a way the attacker does not recognise until it is too late.
Using deception and denial to deflect targeted ransomware
Rather than creating another mechanism that reacts to exploitation from intruders, deception technology camouflages decoys as key network resources to steer attackers into a convincing dummy environment instead. The credible decoy assets appear to be the real thing, creating a tempting lure for any attacker seeking a worthy prize.
First, the decoys fool the attackers’ automated scanning tools as they scope out networks for valuable assets. The threat actors will assume they have found a target for their ransomware infection. In reality, they will have followed a false trail leading them to a fake environment containing nothing of value. Decoy assets look and behave like the real thing, even withstanding direct interaction with the attackers.
Once the ransomware engages with the decoy assets, the environment can keep it occupied by continuously feeding it data while rate-limiting the connection. These actions dramatically slow the rates of infection as the malware spends time encrypting useless data instead of spreading. The delay gives security teams valuable time to move in and eliminate the infection before it can spread to the real network.
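The detection side of the decoy approach described above can be shown in a few dozen lines. The following is an added example written for this page, not Attivo's product code: it plants decoy files with believable names, records a baseline, and then re-checks them. Because no legitimate user has any reason to touch a decoy, any change is an alert; a jump in byte entropy distinguishes encryption from an ordinary edit, and a file that disappears or appears next to the decoys (a renamed victim, a ransom note) is flagged too. The decoy names, the 7.0 bits/byte entropy threshold and the simulated "ransomware" that overwrites files with pseudo-random bytes are all assumptions made for the demo.

```python
"""Decoy (canary) files for ransomware detection.

Added example for this page, not code from the article or from Attivo.
Assumptions: the decoy names, ENTROPY_THRESHOLD and the simulated encryptor
are illustrative choices, not values the article gives.
"""
import hashlib
import math
import random
import tempfile
from collections import Counter
from pathlib import Path

# Names chosen to look valuable to a scanner or a human (assumed for the demo).
DECOY_NAMES = ["Q3_payroll_export.xlsx", "board_minutes_draft.docx", "backup_codes.txt"]
# Plain text/CSV sits around 3-5 bits per byte; ciphertext sits close to 8.
ENTROPY_THRESHOLD = 7.0


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte; 0.0 for empty input."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def plant_decoys(root: Path, names=DECOY_NAMES) -> dict:
    """Write low-entropy, office-looking decoy files and return a baseline
    of size and SHA-256 per file."""
    baseline = {}
    for name in names:
        rows = "\n".join(f"user{j:03d},Finance,{40000 + j * 50}" for j in range(200))
        data = ("Employee,Department,Salary\n" + rows + "\n").encode()
        (root / name).write_bytes(data)
        baseline[name] = {"size": len(data), "sha256": hashlib.sha256(data).hexdigest()}
    return baseline


def check_decoys(root: Path, baseline: dict) -> list:
    """Compare the decoys with the baseline and return (name, kind) alerts.

    Any deviation is reported: nobody legitimate should ever touch these files,
    so the alerts are high-fidelity by construction.
    """
    alerts = []
    for name, meta in baseline.items():
        path = root / name
        if not path.exists():
            alerts.append((name, "missing_or_renamed"))
            continue
        data = path.read_bytes()
        if hashlib.sha256(data).hexdigest() == meta["sha256"]:
            continue
        kind = "encrypted" if shannon_entropy(data) >= ENTROPY_THRESHOLD else "modified"
        alerts.append((name, kind))
    # New files beside the decoys (renamed victims, ransom notes) are suspicious too.
    for p in root.iterdir():
        if p.is_file() and p.name not in baseline:
            alerts.append((p.name, "unexpected_new_file"))
    return sorted(alerts)


def simulate_ransomware(root: Path, names, seed: int = 1) -> None:
    """Stand-in for ransomware, constructed for the demo: overwrite each decoy
    with pseudo-random bytes (high entropy, like ciphertext), rename the last
    one with a .locked extension and drop a ransom note. No real cipher is used."""
    rng = random.Random(seed)
    for name in names:
        path = root / name
        size = path.stat().st_size
        path.write_bytes(bytes(rng.getrandbits(8) for _ in range(size)))
    last = root / names[-1]
    last.rename(last.with_name(last.name + ".locked"))
    (root / "README_RESTORE.txt").write_text("your files are encrypted\n")


def run_demo(root=None) -> dict:
    """Plant decoys, confirm a clean check, simulate an attack and re-check."""
    root = Path(root) if root else Path(tempfile.mkdtemp(prefix="decoys_"))
    baseline = plant_decoys(root)
    clean = check_decoys(root, baseline)
    simulate_ransomware(root, list(baseline))
    after = check_decoys(root, baseline)
    return {"root": str(root), "clean": clean, "after": after}


if __name__ == "__main__":
    result = run_demo()
    print("decoys in", result["root"])
    print("before attack:", result["clean"])
    for name, kind in result["after"]:
        print(f"ALERT {kind:20s} {name}")
```

In production the check would run from a file-system watcher rather than on demand, and the entropy test is only a heuristic: ransomware that compresses before encrypting still produces near-random output, while a legitimate tool that rewrites a decoy would trip the "modified" branch. The decoy directory itself should be one the attacker's enumeration (L5 above) is likely to reach, such as a mapped share, not a hidden corner of the file system.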
A more recent derailment tactic is to hide what the attacker is seeking and deny access to it. Most ransomware begins by attacking local files before spreading outwards. As it seeks to spread, data cloaking technology can hide files, folders, mapped cloud and network shares, and even removable drives from the attacker's view. What makes this practical is that employees continue to work as usual in their normal file management tools, while an attacker attempting to delete, encrypt, or alter those files cannot see them, let alone change them.
With both methods, teams also gain an unrivalled opportunity to study the threat actor in detail and learn their tactics, techniques, and procedures (TTPs). They can use this intelligence to harden the company's defences against future attacks that use similar approaches.
Targeted ransomware attacks are among the most insidious security threats companies face today. They can inflict colossal financial and operational damage and cost jobs from the C-suite through to the security teams themselves. By adding an invisible layer of deception and concealment technology to their existing defences, organisations receive high-fidelity alerts, since no legitimate user has any reason to touch a decoy, and buy themselves valuable incident response time. The defender gains the upper hand, having learned a great deal about their would-be attacker.
Carolyn Crandall, Chief Deception Officer at Attivo Networks.