Cyber resilience against ransomware: fiction or reality?
Ransomware attacks on the domestic economy are increasingly making headlines. The attackers are becoming more professional, and the damage is increasing. In this article, we will discuss why preventive measures and a well-planned holistic security concept that relies on cyber resilience are indispensable, and why training employees is not enough.
From hurricanes to hackers: How cyber resilience can help you weather the cyber storm
Imagine you are a homeowner in an area that is prone to natural disasters like hurricanes. You know it’s only a matter of time before a major storm hits, so you take steps to make your home more resilient. You reinforce your windows and doors, install a backup generator and stock up on food and water in case of an extended power outage. When a storm hits, your home will be better able to withstand the damage, and you and your family will be better able to deal with the aftermath.
Similarly, ensuring strong cyber resilience helps you protect your organization from a cyber disaster. A cyber resilient business has taken steps to prepare for the possibility of a cyberattack, knowing that it is likely to occur at some point. It will have strengthened its defenses, established backup systems, and trained its employees to recognize and respond to threats. A cyber resilient business can continue to operate even in the face of a cyberattack, minimizing damage and getting back on its feet as quickly as possible. However, to achieve cyber resilience, you must first understand how these attacks can harm you.
Extortion attacks take place on multiple levels
Ransomware attacks are usually two-tiered. The first form of pressure is the encryption of company data. Within a short period of time, the systems or the files on them are rendered unusable, process chains fail, and the company comes to a standstill. The likelihood of the company paying a ransom depends on the extent of the damage: Did the backups survive the attack? How long would it take to restore the system landscape?
A short time later, the attackers apply the second pressure point, because data is frequently stolen before it is encrypted. If the ransom for the sensitive data is not paid, the cybercriminals threaten to publish or sell it. At this point, the search for the culprits begins. In the majority of cases, the gateway was a phishing email that was opened. Often, the person who clicked the link is blamed, but this is an oversimplification and a bad practice that will not help uncover the underlying vulnerabilities that are truly at fault.
By prioritizing cyber resilience, organizations can ensure that they have the right people, training and expertise in place to quickly detect and respond to attacks, minimizing the damage and reducing the likelihood of paying a ransom.
Awareness training is important but insufficient
Awareness training for all employees has been strongly promoted in the past. In some cases, it is almost seen as the only hope for IT security. I do not deny the importance of training, but the security of an entire company should not depend solely on whether employees recognize all phishing emails.
Employ a structured model for a holistic defense strategy
A good defense strategy can only be a layered one, based on the “defense-in-depth” principle. This can be visualized with a model that structures a typical course of an attack: the Cyber Kill Chain® model. Created by the defense and technology company Lockheed Martin, it divides attacks into several phases: reconnaissance, weaponization, delivery, exploitation, installation, command and control, and actions.
Cybercriminals think strategically
In the reconnaissance phase, attackers gather information about the target company before assembling the necessary tools for the attack in the weaponization phase. During delivery, a phishing email is sent, and if someone falls for it, the goal of the exploitation phase is achieved.
In the installation phase, backdoors are installed to maintain a permanent foothold in the infrastructure. Then, during the command and control phase, attackers scan the network for opportunities to spread and to increase privileges, such as taking over administrator accounts, and move on to the next system. After gaining all the necessary access, they go after the actual target, for example stealing sensitive data and then encrypting it.
Strategy for a stronger defense
The Cyber Kill Chain model is ideal for defense because it helps you track attacks that have taken place. Each phase has its own defense measures. In IT security, there is no single measure that can detect and prevent all eventualities. Instead, each phase must be considered separately to design effective detection and blocking mechanisms. These range from whitelisting, antivirus or endpoint detection and response solutions against execution, to resetting jump servers or network segmentation, to privileged access management and network intrusion detection/prevention systems against control and monitoring.
When developing these measures, it is always important to assume that the defense has failed in the previous phase. Security measures established in this way will enable several independent lines of defense.
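As an added illustration (not part of the original article), the following Python sketch models the kill-chain phases with a constructed control inventory and checks where an attack that has already slipped past earlier defenses would next meet one, which is exactly the "assume the previous phase failed" rule:

```python
# Added example: defense-in-depth coverage check over the Cyber Kill Chain phases.
# The control inventory and its phase mapping are constructed for illustration.

KILL_CHAIN = [
    "reconnaissance", "weaponization", "delivery", "exploitation",
    "installation", "command_and_control", "actions",
]

# Constructed inventory: control name -> phases in which it can detect or block.
CONTROLS = {
    "awareness_training": {"delivery"},
    "email_filtering": {"delivery"},
    "application_whitelisting": {"exploitation", "installation"},
    "edr": {"exploitation", "installation", "command_and_control"},
    "network_segmentation": {"command_and_control", "actions"},
    "privileged_access_management": {"command_and_control", "actions"},
    "network_ids_ips": {"command_and_control"},
    "offline_backups": {"actions"},
}

def coverage(controls=CONTROLS, phases=KILL_CHAIN):
    """Map each phase to the (sorted) controls that would act in it."""
    return {p: sorted(c for c, ph in controls.items() if p in ph) for p in phases}

def uncovered_phases(controls=CONTROLS, phases=KILL_CHAIN):
    """Phases in which the attacker meets no defense at all."""
    cov = coverage(controls, phases)
    return [p for p in phases if not cov[p]]

def independent_lines(controls=CONTROLS, phases=KILL_CHAIN):
    """Number of phases with at least one control. Each is a separate safety net,
    since every control is designed assuming all earlier phases have failed."""
    return len(phases) - len(uncovered_phases(controls, phases))

def walk_attack(failed_controls, controls=CONTROLS, phases=KILL_CHAIN):
    """Walk an attack phase by phase, treating the controls in failed_controls
    as bypassed. Returns the first phase where a surviving control applies,
    or None if the attack reaches 'actions' unopposed."""
    cov = coverage(controls, phases)
    for p in phases:
        if any(c not in failed_controls for c in cov[p]):
            return p
    return None

if __name__ == "__main__":
    print("no defense in:", uncovered_phases())
    print("independent lines of defense:", independent_lines())
    # The employee clicked and the mail filter missed it: where is the next net?
    print("stopped in:", walk_attack({"awareness_training", "email_filtering"}))
```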
Effective security strategy in joint responsibility
I hope these explanations have conveyed that the blame for a successful attack can never be placed on one person; rather, most attacks succeed because the existing security mechanisms are insufficient. Even after a phishing email has been sent, a reasonable defense strategy still includes a number of detection and defense mechanisms. Sustainable IT security is a series of safety nets: if one breaks, another must be in place to prevent disaster.
Ultimately, cyber resilience requires a holistic approach that encompasses both technology and human factors to effectively combat the ever-evolving threat landscape.
About the author
Head of SEC Defence at SEC Consult Group, an Atos company
Stephan is the Head of SEC Defence, the managed incident response and digital forensics division of SEC Consult. He is responsible for the product at group level and thus for the teams in Germany, Austria, Switzerland, and Romania. In addition, he is team leader of the Austrian SEC Defence members.
Besides his leadership tasks, he loves working with customers, from proactive workshops that increase cyber resilience to incident management that efficiently defends against active cyber attacks.
Never stopping learning, and passing on everything he has learned to others as well as possible, are his personal core values. Together with the great members of SEC Defence, he lives his passion for cyber security anew every day.