Security analysts have been dealing with the threat for long enough that a rough playbook on the general flow of an attack is emerging, Rohan Langdon at ExtraHop writes.
There’s a certain set of truths that are often encountered when security discussions turn to ransomware.
The first truth is that every infection purportedly bears all the hallmarks of a sophisticated attack.
It’s become an almost boilerplate statement in every cyber incident disclosure; after all, no one wants to have to disclose that they were found out by a basic error or oversight. There’s often a degree of scepticism that accompanies these sophistication claims, but little concrete evidence to prove or disprove it.
These may well be vastly sophisticated attacks, but it is difficult to know. And that’s the second truth of ransomware: the most an outsider will ever know about a ransomware attack is that it happened. I say the most, because many victims often try to hide even that much. Our own research shows that of the 85 per cent of Australian organisations that suffered a ransomware incident in the past five years, 72 per cent tried to keep it quiet. Only 28 per cent go public and are transparent.
Knowing that an attack happened is only the tip of the iceberg for useful intelligence. The largest part of the attack – how it began and how it escalated to the point of extortion – is often completely unknown outside of the victim organisation and a few close confidants, such as their insurer and perhaps a specialist incident responder. It likely involved a range of techniques and exploits, with ever-increasing sophistication. But as so few organisations disclose attacks, and fewer still publish a post-incident report containing any detail, it’s often impossible to independently establish how sophisticated an attack was, or the exact workflow of the attackers.
A third truth is that victims often put too much weight on their perimeter defences and when those are inevitably breached, rely on backups as a recovery mechanism. This plays into the hands of ransomware operators. Concentrating protections around initial access falls afoul of “the defenders’ dilemma”. Attackers have the upper hand at the perimeter because they control what, when, and how they attack, tweaking as they go, whereas the defender has to have all the controls in place before the attack and be right 100 per cent of the time to win. While any security team would prefer to stop an attacker at the beginning of the kill chain, it makes more practical sense to take on attackers where you, as the defender, have the advantage.
Truth number four is that organisations that persist with a security strategy focused on reducing the risk of that initial intrusion rely on ineffective tactics like phishing training for employees and penetration testing of systems, in the hope these will keep them safe. In reality, neither is particularly effective as a confidence boost, and neither dramatically reduces the risk of falling victim to a ransomware attack.
After one full year of phishing training, we know that 4.4 per cent of users will still click the bait. Based on a 4.8 per cent click rate, if an attacker sends 100 well-crafted emails, they have a 99.27 per cent chance that at least one user will open the bait. In addition, 93 per cent of all penetration tests result in a successful intrusion, without using social engineering techniques. Pentesters conduct their work in hours and with agreed rules of engagement. Attackers meanwhile have the luxury of time and first-mover advantage at this part of an attack to go looking for the first hole, or the first user willing to click any link put in front of them.
The fifth truth is that the most successful defence against ransomware is in the post-compromise stage, otherwise known as the “midgame”. The midgame is where modern ransomware does its damage and also where defenders hold an observable advantage if they are ready to fight on the inside.
In the midgame, the ransomware intruder lands blind in the victim's infrastructure. The inside of the network looks either like a wide-open field to maraud around in or, if it is being observed, like a gauntlet of tripwires: this is the intruder's dilemma. Defenders, meanwhile, should have a home-field advantage, knowing the environment, understanding what is expected and having context on users, assets, and workloads, provided they are watching.
Attackers will typically try five types of moves. They’ll use network-scanning tools to get the lay of the land and try to tap into the organisation’s Active Directory, use stolen credentials or exploit hierarchy vulnerabilities or configuration errors for privilege escalation. They’ll then try to move laterally within the environment, often reusing tooling made available by IT operations for network-wide systems administration.
Once they’ve mapped the environment, enumerated assets, and marked data to compromise, they call home to command and control (C&C) infrastructure to get orders and additional tooling, and then use data staging to access, exfiltrate or encrypt data.
Each step an attacker takes on the network opens up another opportunity for defenders to respond before the destruction is done and the ransom note delivered. For this reason, visibility and response inside the perimeter are really an organisation’s best hope of preventing crippling damage from a ransomware attack.
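To make the midgame advantage concrete, here is an added example (not ExtraHop's code or product logic, and not part of the original article) that runs simple detection rules over a constructed set of internal network flow records for three of the moves described above: reconnaissance sweeps, lateral movement over administrative protocols, and regular call-home (C&C) beaconing. The flow records, the 10.0.0.0/8 internal range, the admin-port watchlist and all thresholds are assumptions chosen for illustration.

```python
"""Midgame detection over constructed network flow records.

Added illustration, not ExtraHop code. Each flow is (timestamp in seconds,
source IP, destination IP, destination port). The internal range, admin-port
watchlist and thresholds below are assumptions for this example.
"""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from statistics import mean, pstdev

ADMIN_PORTS = {135, 445, 3389, 5985, 5986}   # RPC, SMB, RDP, WinRM (assumed watchlist)
INTERNAL = ip_network("10.0.0.0/8")          # assumed internal address range


@dataclass(frozen=True)
class Flow:
    ts: float
    src: str
    dst: str
    dport: int


def is_internal(ip: str) -> bool:
    return ip_address(ip) in INTERNAL


def detect_scanning(flows, window=60.0, threshold=20):
    """Flag sources that touch many distinct (dst, port) pairs within `window` seconds."""
    by_src = defaultdict(list)
    for f in flows:
        by_src[f.src].append(f)
    hits = {}
    for src, fs in by_src.items():
        fs.sort(key=lambda f: f.ts)
        seen, start, best = defaultdict(int), 0, 0
        for end, f in enumerate(fs):            # sliding window over time-ordered flows
            seen[(f.dst, f.dport)] += 1
            while fs[end].ts - fs[start].ts > window:
                key = (fs[start].dst, fs[start].dport)
                seen[key] -= 1
                if seen[key] == 0:
                    del seen[key]
                start += 1
            best = max(best, len(seen))
        if best >= threshold:
            hits[src] = best
    return hits


def detect_lateral_movement(flows, threshold=5):
    """Flag internal sources reaching admin ports on many distinct internal hosts."""
    targets = defaultdict(set)
    for f in flows:
        if f.dport in ADMIN_PORTS and is_internal(f.src) and is_internal(f.dst):
            targets[f.src].add(f.dst)
    return {src: len(hosts) for src, hosts in targets.items() if len(hosts) >= threshold}


def detect_beaconing(flows, min_count=8, max_jitter=0.1):
    """Flag (internal src, external dst) pairs whose connection intervals are near-constant."""
    times = defaultdict(list)
    for f in flows:
        if is_internal(f.src) and not is_internal(f.dst):
            times[(f.src, f.dst)].append(f.ts)
    hits = {}
    for pair, ts in times.items():
        if len(ts) < min_count:
            continue
        ts.sort()
        gaps = [b - a for a, b in zip(ts, ts[1:])]
        m = mean(gaps)
        if m > 0 and pstdev(gaps) / m <= max_jitter:   # low relative jitter = periodic
            hits[pair] = round(m, 1)
    return hits


def sample_flows():
    """Constructed traffic: benign baseline plus one host per attacker move."""
    flows = []
    for i in range(10):                                   # benign file-server and proxy use
        flows.append(Flow(100 + i * 37, "10.0.1.5", "10.0.0.10", 445))
        flows.append(Flow(120 + i * 41, "10.0.1.6", "10.0.0.20", 443))
    for i in range(30):                                   # recon: 30 hosts swept in ~30 s
        flows.append(Flow(500 + i, "10.0.1.50", f"10.0.2.{i + 1}", [22, 80, 443][i % 3]))
    for i in range(6):                                    # lateral: RDP/WinRM to 6 hosts
        flows.append(Flow(900 + i * 120, "10.0.1.60", f"10.0.3.{i + 1}", 3389 if i % 2 else 5985))
    for i in range(12):                                   # C&C beacon roughly every 60 s
        flows.append(Flow(1000 + i * 60 + (i % 3), "10.0.1.60", "203.0.113.7", 443))
    return flows


def run(flows=None):
    flows = sample_flows() if flows is None else flows
    return {"scanning": detect_scanning(flows),
            "lateral": detect_lateral_movement(flows),
            "beaconing": detect_beaconing(flows)}


if __name__ == "__main__":
    for move, hits in run().items():
        print(move, hits)
```

Each detector keys on behaviour the attacker cannot avoid in the midgame (touching many hosts, reaching admin services broadly, calling home on a schedule) rather than on any signature of a particular tool, which is what gives the watching defender the advantage the article describes. Real deployments would tune the thresholds against the environment's own baseline and enrich hits with asset and user context before alerting.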
Rohan Langdon is vice president of ExtraHop Australia and New Zealand.