While ransomware is arguably the greatest current security threat to organizations, its rise has distracted us from the true issue at hand: extortion-based crimes.
By Jeff Palatt, Vice President, Technical Advisory Services at MOXFIVE
Encrypted files, corrupted applications, deleted backups, and stolen data – all are debilitating symptoms attributed to ransomware. With the shift to digital currencies, it has only become easier for threat actors to turn unauthorized access to an organization’s computer network into financial gain.
Where We Are
Since cyber thieves first began physically skimming credit card machines to collect the information needed for counterfeit credit cards, unauthorized access to private data has led to a windfall of financial gain for the threat actors. In the time between WannaCry and the Colonial Pipeline attacks, ransomware has shifted from single-system encryption events with extortion amounts of less than $15,000 to enterprise-level encryption events with demands routinely in the tens of millions of dollars. There has been an alarming increase in the number of instances where organizations have backups to restore their IT operations, yet still pay a ransom to “buy silence” from the threat actor. Ransomware is currently the sharpest tool attackers have to monetize these attacks, but it is by no means the only one.
Where We’re Going
As ransomware continues to gain attention, threat actors will adopt additional escalation techniques to continue profiting. We are already seeing a sampling of what’s to come, including:
- Distributed Denial of Service (DDoS) Attacks: While not as common today, the DDoS threat could escalate to the point where threat actors target critical networking gear and block control of network traffic into and out of the network, which would cripple an environment. Organizations that rely on a significant Internet presence need to contract proactively with DDoS mitigation firms to help mitigate the threat of DDoS attacks. Furthermore, organizations should implement centralized management of network gear so that they can easily manage, and secure, the network devices in their environment.
- Destructive Attacks: If they are desperate, or if it is lucrative enough, threat actors could shift to threatening to bring the environment completely and permanently down if a ransom is not paid within a certain amount of time. While this type of attack would be difficult, it is not impossible, and it could leave an organization scrambling to investigate and remediate as quickly as possible to mitigate damage. Defending against these types of attacks requires a layered security approach that starts with the basics and matures into a robust security program. Organizations need a prioritized security roadmap that pinpoints specific risk areas in the organization and targets them with solutions that maximize the return on security investments.
The Disease: Extortion-Based Attacks
An endless supply of highly skilled adversaries, a precedent of successfully extorting victims for higher payouts, and less friction in collecting (and spending) funds thanks to digital currencies have opened the floodgates for the frequency and severity of extortion-based attacks. While ransomware has the spotlight for now, we need to remember that it is merely a symptom of the extortion-based crime disease. To truly combat extortion-based crimes, starting with ransomware, organizations need a robust defense strategy that protects environments from current and future trends. Cybersecurity needs to go beyond addressing the immediate threat of ransomware and impair threat actors’ ability to monetize attacks, starting at the organizational level to reduce overall risk and repercussions.
Depending on the size and complexity of the network and the maturity of the security program, a determination should be made with respect to resources, technology, and capability. Smaller organizations should consider outsourcing a good portion of their security to a Managed Detection and Response vendor that can leverage an Endpoint Detection and Response (EDR) or Extended Detection & Response (XDR) solution. Larger organizations can often handle security in house but may want to consider a hybrid model in which the security strategy and program are run internally and specific services are provided by a Managed Security Service Provider (MSSP). In any case, all organizations need to have basic controls in place, from immutable backups and network segmentation to multifactor authentication (MFA) and privileged access management.
The Cure: Holistic Cybersecurity
A key part of the game for threat actors is the continual escalation of techniques for profit. To combat extortion-based crimes, organizations need robust defense strategies that protect environments against current and future attack trends, addressing the threat of ransomware and impairing threat actors’ ability to monetize attacks. Beyond encrypting systems and implementing backup solutions, organizations need a holistic approach that bands the security, software, and hardware communities together to eradicate these threats.
Organizations must continue to address the symptoms of extortion-based attacks, like ransomware, but must also not lose sight of the true disease. The solution will not be quick, complete, or without pain. But together as an industry, we can reverse the concerning trend in the rise of extortion-based attacks.
About the Author
As Vice President of Technical Advisory Services, Jeff leads MOXFIVE’s team of expert Technical Advisors who provide strategic incident management services and solutions to clients. Prior to MOXFIVE, Jeff was the Director of Cyber Defense and Incident Response at RSA Security, joining RSA through the NetWitness acquisition in 2011 where he helped build the Incident Response Practice from the ground up. Jeff has held other leadership positions including Delivery Manager for Emergency Response Services at IBM where he was instrumental in getting IBM ISS listed as a PCI Qualified Incident Response Assessor (QIRA) in 2006 during the acquisition of Internet Security Systems and assisting with the integration of the teams through the transfer of trade. Before moving into practice leadership roles, Jeff was a Principal Consultant (Incident Responder) with Internet Security Systems and has held various other positions as a Security Engineer, Security Analyst, and Security Auditor.
Jeff has a Master of Forensic Sciences in High Technology Crime Investigations from the George Washington University, and a Bachelor of Science in Business Administration from Old Dominion University. He is a Certified Information Security Manager (CISM), Certified Information Systems Security Professional (CISSP), and a Certified Information Systems Auditor (CISA). Jeff currently resides in Virginia Beach with his wife and three children. Jeff can be reached online at our company website https://www.moxfive.com/.