Battling ransomware: Front-line insights from a CTO and a CISO

Youssef Mohamed Amine:

Portima is a leading software company providing innovative solutions to the insurance industry in Belgium. Our solutions are widely used in the Belgian insurance market and are designed to help insurance brokers and companies streamline their operations and improve the efficiency of their processes.

In addition to our core software platforms: Brio and Portima Connect, Portima has created an ecosystem that enables companies to connect their solutions with external partner solutions via APIs — for digital signature and phone integration, for example. So, brokers and insurance companies stay competitive and can adapt to changing market conditions.
As CISO of Portima, I’m responsible for developing and implementing the information security strategy, policies and procedures. This is to serve the ultimate goal of ensuring that Portima’s information assets, including its software products and customer data, are protected against cyberthreats and other security risks.

Zeki Turedi:

I am the field CTO for Europe at Crowdstrike. Our organization builds cutting-edge technologies, provides top-notch services and most importantly, delivers threat intelligence that keeps organizations safe from a wide range of attacks. We are experts in protecting everything from traditional endpoints to cloud infrastructure.

Youssef Mohamed Amine:

Today more than ever, ransomware is the most critical cyberthreat facing any organization. And it’s the main nightmare of every CISO.

Unlike other types of malware, ransomware is very attractive to attackers because of its huge profitability. Some international reports estimate that ransomware will become a multi-billion Euro industry.

The most distinguishing characteristic of ransomware is its ability to bring the business to a complete stop, which can cause significant financial losses and reputational damage. This can pressure businesses to pay the ransom to get their data back quickly.

In some difficult cases, ransomware exfiltrates data before encrypting it. This gives the cybercriminals a solid negotiating tactic, by threatening to disclose that data publicly. As added intimidation, they will also threaten to notify your customers, your partners and your employees.

Just imagine, it starts with a stupid phishing mail, which creates a technical issue, then you’re facing an unavailability issue with all the SLA-related commitments. You must find out if personal data is impacted, but you also must deal with communication challenges. It’s as simple as that.

The CISO must be like an octopus — simultaneously playing the role of security analyst, network engineer, expert project manager, psychologist and social media specialist.

Zeki Turedi:

Without a doubt, ransomware is still the number one cyber threat that organizations face today. When we talk about the impact of ransomware, we’re not just talking about the monetary cost of ransoms and remediation efforts; we’re also talking about the loss of valuable data, intellectual property, and the trust of customers and employees. The stakes are incredibly high.

The sophistication of the attackers is what makes ransomware so dangerous. Year after year, cybercriminals are becoming more skilled and efficient in their methods.

At Crowdstrike, we use a metric called breakout time to measure how quickly they can penetrate an organization’s defenses and turn a single incident into a full-blown breach. The numbers are staggering: in just a few short years, breakout times have plummeted from 10 hours to just 84 minutes. But that’s not even the scariest part. In nearly a third of the cases we’ve tracked, the attackers were able to breach a company’s defenses in less than 30 minutes. We’re clearly dealing with some extremely sophisticated and dangerous criminals.

This is why, at Crowdstrike, we take a threat-centric approach to cybersecurity, which means that we’re constantly working to understand the attackers themselves: their methods, motivations and goals. By staying ahead of the curve and using cutting-edge technology, we’re able to help our clients stay one step ahead of these threats and protect themselves from the devastating consequences of a successful ransomware attack.

Youssef Mohamed Amine:

In my opinion, the best way to start preparing is to imagine the event. Every CISO must ask themself the following question: “What are my first actions when I get a call?” This helps them quickly land on their feet and understand where to start.

Zeki Turedi:

When it comes to preparing for ransomware attacks, the most important thing CISOs can do is take security seriously, which means not settling for “good enough” security measures. The truth is that cybercriminals are incredibly skilled and savvy, and they know how to exploit even the smallest vulnerability in a company’s defenses.

They know when Microsoft tries to patch something and when companies can’t patch quickly enough. They are aware of the problems that CISOs are trying to solve on a daily basis, and they use those problems to target them.

It all comes down to having the right mindset. We need to recognize that cybersecurity is a full-time job. That’s why it’s so important to work with partners who specialize in security and are dedicated to staying ahead of the curve every single day. By leveraging cutting-edge technologies like threat intelligence, they can help protect our organizations from these threats and stay one step ahead of the attackers.

Identity management is one area where we really need to focus our attention. After all, the identities of our employees and our organization are essentially the keys to the kingdom, and cybercriminals are constantly looking for ways to steal those keys. We must ensure that we have tight controls over who has access to what information, and that we’re constantly monitoring for any suspicious activity.

Youssef Mohamed Amine:

In my opinion, every organization must become not just response-ready, but have a ransomware-oriented response with a consolidated plan.

Having an incident response procedure is good, but it’s simply not enough. It needs to be more than just a document, the response plan must include also the first-aid kit: a sequence of spontaneous actions that the response team must master. Taking quick action is critical to minimizing the damage and preventing the infection from spreading.

The effectiveness of the response plan must be checked on a regular basis — such as during tabletop exercises. The outcome of these simulations helps identify the corrective actions.

Another key element is the recovery plan. After all, the ultimate business objective is to return to normal, within the SLA at the latest. This can only be achieved if an adequate backup plan is implemented. Unfortunately, most organizations are still focusing their backup plans on availability. A simple example is the accessibility issue — when attackers get access to the environment and the same credentials are used to access both production systems and backup systems. The attackers have the base.

Last but not least, you need to take care of the human firewall. This involves educating employees about the risks of ransomware and other cyberthreats, including how to recognize phishing emails, social engineering attacks and other tactics used by cybercriminals to gain access to the organization’s systems. One interesting program we developed in Portima last year was using gamification to increase engagement. Participants earn points for completing challenges every month, and top performers win very attractive prizes. It’s a great experience to make the training more engaging and fun.

I cannot help but add a fourth security measure that is important to remember: You need to equip and invest in monitoring solutions to handle the massive amount of security alerts that your IT systems send. It is no longer feasible for security analysts to manually review every alert, which can number in the thousands per day. Many alerts are false positives, caused by misconfigurations, network glitches or other benign factors.

At Portima, we are working with Atos to leverage machine learning and AI algorithms to identify patterns and anomalies in security data, and distinguish between real threats and false positives.

By leveraging these technologies, we were able to significantly reduce the workload on our security analysts and improve the accuracy of our threat detection. This has given us much greater confidence in our security posture. Remember, prevention is always better than cure.

Zeki Turedi:

1. Implement the right next-generation technologies. I have seen many companies that are overly focused on their endpoint infrastructure and neglect their cloud environment, despite the fact that the vast majority of their infrastructure sits in the cloud.However, attackers know how to navigate around the cloud environment just as well as they do physical infrastructure. Therefore, you must ensure that you have security parity across all networks, with solutions that can protect your cloud, virtualization, data centers and private cloud.

2. Identity is one of the most critical components of your organization’s infrastructure. Unfortunately, attackers can easily manipulate and compromise this critical infrastructure. That’s why you need to prioritize identity threat protection and threat detection technologies.Think about it: your organization’s identity architecture can be quite complex, resulting in vulnerabilities. It’s all too easy for misconfigured accounts, privileged accounts or accounts that haven’t been removed to create pathways for attackers to move laterally through your systems. And when they do, the damage can be devastating.By adopting good identity hygiene practices and being aware of the systematic vulnerabilities that exist in your identity architecture, you can better protect your organization.
3. Even though I am a CTO, I want to emphasize that it’s not just about technology and security. We also need the right people with the right training, expertise and experience to tackle the problem. While technology empowers us to respond quickly and more effectively, we are ultimately up against human threat actors who are typing on their keyboards and targeting our organization.Therefore, it’s essential to have the right people in our organization and the right security partners to handle the situation.

Youssef Mohamed Amine:

The future of ransomware will be very creative. Besides new methods of spreading, they will take advantage of new technological trends, such as AI to develop more custom and sophisticated attacks.

Another trend we’re watching closely is ransomware-as-a-service (RaaS). It allows cybercriminals to rent and use ransomware infrastructure and tools from third-party providers., creating a new segment of “non-skilled” cybercriminals, which I believe are larger, hungrier and more dangerous.

To prepare for these threats, organizations should implement a proactive approach with strong access controls and regular backups, but should also invest in advanced security tools with real-time detection and response capabilities.

Security has been, and always will be, an endless fight between attackers and defenders. The best position is to stay one step ahead of your opponents, know them, respect their creativity, and always adapt your security strategy to the threat landscape by using more sophisticated tools to annihilate their attempts.

Zeki Turedi:

I am certain that ransomware is not going away anytime soon. Criminal actors are continually changing their tactics, iterating and utilizing the best technology available to make huge amounts of money, which they reinvest in themselves. While we call it ransomware today, it will continue to evolve and become more sophisticated. As an example, we are starting to see the focus shift away from traditional ransomware use cases and towards different approaches like data theft.

Organizations must be proactive in their approach to security and take steps to ensure that threat actors cannot get inside their organization in the first place. Prevention is always better than cure, and it is still cheaper to invest up-front in security capabilities, people and tools rather than reacting after a breach has occurred.

The reality is that cybersecurity is attainable, and organizations don’t have to be security specialists — they just need to work with security partners that they trust.