A new ransomware attack occurs every 11 seconds, and today the attacks are more financially debilitating than ever before, with the average incident resulting in more than $700,000 in damages. In fact, JBS recently paid 11 million dollars following an attack on their U.S. beef plants, and one of the largest U.S. insurance companies, CNA Financial, paid nearly 40 million dollars to regain access to files and restore operations. Not to mention the major impact ransomware attacks have on company operations and customer and investor relationships, like the gas shortage caused by the Colonial Pipeline attack. The need to fight back, and fight back hard, is obvious. But to be successful, companies need to understand the threat at hand first.

Most ransomware groups are similar to corporate structures, with roles and responsibilities that mirror regular software development organizations, making it difficult to identify the responsible parties and hold them accountable. What makes these criminal organizations even more dangerous is their ability to generate different revenue streams, aside from company payouts from:

• Selling access to ransomware platforms that deliver end-to-end ransomware-as-a-service for other groups to use
• Brokers that recruit teams to build and deploy malware
• Selling corporate data access to victims for other networks to capitalize on

The sophisticated framework of ransomware groups enables hackers to meticulously target organizations with ease, especially when organizations don’t prioritize cybersecurity programs that proactively detect and prevent attacks, let alone address the cybersecurity basics. Understanding the threats at hand and the best practices for combatting them can help organizations better navigate today’s cybersecurity landscape.   

Keeping the Basics Top Of Mind

Chief information security officers (CISOs), security operations teams, and security vendors have focused on complex attacks and staying on top of the cutting edge of what adversaries can do. For example, the malicious hacking conglomerate Stuxnet is notorious for extremely innovative campaigns. The complexity of their campaigns scared organizations into investing in advanced technologies, which are expensive and difficult to integrate with surrounding security systems. But advanced technologies aren’t meant to cover basic mistakes. The Colonial Pipeline security setup consists of advanced detection tools, but the tools could not protect against the lack of multi-factor authentication and shared passwords which caused the recent breach. Failing to cover cybersecurity basics like patching, having secure configurations, or following password best practices makes it easy for hackers to gain access. While they are “basic,” they are effective and necessary for a company’s overall security posture. 

Diving Deeper Into Security Solutions

Influential security research/analysis firms, such as Forrester, Gartner, and IDC, are hearing from vendors and customers about the growing need to link incident detection with incident management and response in a unified platform that can autonomously increase threat detection and reaction speed. One way to do this is by integrating SIEM, or Security Information and Event Management, with SOAR (Security Operation Automation and Response).

Most IT departments already have SIEM systems in place. These systems work as threat protection 

by ingesting and aggregating data from the entire IT infrastructure to identify incidents and alert security professionals, allowing them to respond appropriately. The future of cyber protection will minimize the need for human intervention by unifying threat detection with threat response through SOAR. By combining vulnerability data with natural language processing and machine learning, organizations can couple indicators of ransomware with threat intelligence and malware research to identify documented adversarial techniques. From there, systems can conclude the type of threat and automate and orchestrate the response. Not only can these systems respond to active threats in real-time, they can also utilize situational awareness to predict the next phase of an attack. Newer vendors even have small agents on customers’ machines that can rapidly disconnect machines from networks and otherwise act based on how security operators want to approach a potential issue.

Opening the Lines of Communication

However, when an organization’s infrastructure is under attack, technology alone will not solve the issue. There needs to be increased internal communication between the security operations team, IT operations team and enterprise risk management team. A lack of communication across departments, whether human error or not, has been a point of contention within many organizations. Aligning objectives and goals across different departments is critical in preparing for these inevitable attacks. 

Collaboration is particularly important when it comes to law enforcement cooperation and legislation. Law enforcement agencies need to cooperate to target ransomware groups, track payments and ultimately, make it more difficult to do illicit business. Lawmakers need to be held accountable as well. Legislation and regulations will incentivize companies to prioritize cyber security protection. With organizations facing fines by failing to prevent or protect their infrastructure adequately, boardrooms will begin to take the threat seriously. 

While ransomware attacks are inevitable, organizations can better equip themselves to mitigate attacks. It is just the start to cover basic security requirements like multi-user authentication, eliminating shared passwords, and increasing communication across IT teams. The real difference will be integrating SIEM and SOAR to automate threat detection and threat response.