Ransomware is one of the most significant cyber threats to face organizations today. Time and again, threat actors have leveraged known security vulnerabilities and gaps in defenses to implement an attack. It is possible to mount effective defenses against even the most sophisticated ransomware threats.
To help you do just that, we conducted the following interview with two security experts:
Faisal Habib from Cybereason and Harman Bhogal from Atos.
In this interview, we walk through two of the most effective forms of ransomware protection — Endpoint Detection and Response (EDR) and Managed Detection and Response (MDR) (with or without an XDR platform) — to help you build or improve your existing defenses.
Question: Why is ransomware such a hot topic right now? Why is this the threat that everyone needs to focus on today?
Faisal: “It’s easy to think “ransomware” is just another buzzword, but let’s consider a few facts.
First, ransomware attacks are increasing in frequency and severity. It’s estimated that a ransomware attack happens every 11 seconds. The average ransomware fee increased 40x between 2018 and 2020, and the largest ransom on record — $40 million — was paid in 2021.
Second, ransomware is rapidly evolving. Ransomware strains are using more sophisticated tactics, and criminal groups are now building entire businesses that provide Ransomware-as-a-Service (RaaS). Cybercriminal groups are spending massive amounts on R&D to improve their attacks, stay ahead of Fortune 100-class InfoSec teams, and develop advanced technologies and operational know-how that make it easy for anyone to launch an advanced ransomware attack.
Finally, ransomware is more than just a problem for IT departments that want to maintain tech-driven business continuity. Ransomware now makes headlines, introducing legal issues, marketing problems, and loss of consumer trust, turning ransomware into a board-level issue at every organization.”
Harman: “Agreed on all points. In addition, there’s now federal action on ransomware. Early this year, US President Biden released an Executive Order primarily in response to multiple high-profile ransomware attacks. The White House just hosted an international summit on stopping ransomware. You don’t see that happen with other attack patterns. Ransomware is what matters today.
We also saw a joint advisory from the Cybersecurity and Infrastructure Security Agency (CISA) and FBI on Nov 22nd – before the Thanksgiving Holiday in the US, emphasizing ransomware attacks. A similar one was issued at the end of August this year, ahead of the Labor Day weekend. We may see similar advisories before the Christmas holidays too. The reason – ransomware threat actors often target businesses during the holidays or just before a weekend to take advantage of lean staffing.”
Question: Why are traditional defenses failing to stop this threat? Why do we need new solutions to ransomware?
Harman: “In part, it’s because technology environments have changed. We no longer have 100% on-premises environments. We now have hybrid environments that are hard to build perimeters around and filled with distributed, dynamic and diverse endpoints. Ultimately, ransomware takes advantage of this new environment, and it’s gotten good at bypassing traditional defenses, breaking through traditional perimeters, and then hopping from endpoint to endpoint.”
Faisal: “Exactly — the attack surface has become a moving target. Legacy prevention solutions have proven ineffective against modern attacks, and we have just lacked good tools to monitor and secure endpoints and their data within current environments.
Many organizations understand this and now rely on data backups to respond to ransomware. But this is a defeatist attitude that assumes adversaries will break down your defenses and that the only hope is to recover quickly from a successful incident. We can do better and use new solutions to stop attacks.”
Harman: “Agreed, though organizations need more than one security solution to do so. While ransomware focuses on endpoints, it is a multi-vector attack pattern that can’t be solved with legacy point tools that only address one vector in a silo.”
Question: How does ransomware work? What do organizations need to defend themselves against it?
Harman: “First, to clear up a common misconception, it’s important to note that all ransomware is malware, but not all malware is ransomware. Plus, it’s good to understand that even though every ransomware attack is different, most modern attacks follow a similar pattern.
First, the attacker makes an initial intrusion into the network, usually through something simple like a phishing attack or exploiting poor IT hygiene on one or more assets.
The attacker then performs reconnaissance to see what other assets and data they can compromise. Then, the attacker moves laterally to compromise those assets and often exfiltrates data to an external server.
Once the attacker has established a significant enough foothold across enough assets and exfiltrated enough data, they will generally lock those assets, encrypt the data on them. 100% of successful ransomware attacks involve encryption — the attacker must lock you out of your systems and data to create enough pain to convince you to pay their ransom.
Plus, modern attacks include double and triple extortion. With double extortion, the attacker threatens to leak or sell the data they exfiltrated from you. With triple extortion, they will exfiltrate data from your clients and customers — in addition to your data. Both of these put extra pressure on you, allowing the attacker to demand a bigger ransom, and increasing the chances that ransom gets paid.”
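The stages Harman describes above (exfiltration to an external server, then mass encryption of files) are exactly what behaviour-based endpoint detection looks for. The following Python is an added example, not code from the interview, Cybereason or Atos: it runs over constructed endpoint telemetry (hypothetical hosts, process names and thresholds) and flags a process that renames many files to a new extension in a short window, noting any large outbound transfer from the same host beforehand.

```python
from collections import defaultdict

# Constructed endpoint telemetry (not from any real incident): tuples of
# (timestamp_seconds, host, process, event_kind, detail).
SAMPLE_EVENTS = (
    [(100, "ws-17", "svc_upd.exe", "net_out", "203.0.113.10:443 bytes=2500000000")]
    + [(200 + i, "ws-17", "svc_upd.exe", "file_rename",
        f"C:\\Users\\a\\Documents\\q{i}.xlsx -> C:\\Users\\a\\Documents\\q{i}.xlsx.locked")
       for i in range(25)]
    + [(210, "ws-17", "winword.exe", "file_rename",
        "C:\\Users\\a\\Documents\\memo.docx -> C:\\Users\\a\\Documents\\memo_v2.docx")]
    + [(300, "ws-03", "backup.exe", "net_out", "198.51.100.7:443 bytes=3000000000")]
)

def _ext(path):
    """Lower-cased extension of a Windows path, or '' if it has none."""
    name = path.rsplit("\\", 1)[-1]
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""

def detect_ransomware_stages(events, rename_threshold=20, window_s=60,
                             exfil_bytes=1_000_000_000):
    """Flag processes that rename >= rename_threshold files to a new extension
    within window_s seconds (the encryption stage) and record the largest
    outbound transfer from the same host before that burst (possible
    exfiltration ahead of double extortion). Thresholds are illustrative."""
    renames = defaultdict(list)      # (host, process) -> extension-change timestamps
    big_uploads = defaultdict(list)  # host -> [(timestamp, bytes_sent)]
    for ts, host, proc, kind, detail in sorted(events):
        if kind == "file_rename":
            old, new = detail.split(" -> ")
            if _ext(old) != _ext(new):
                renames[(host, proc)].append(ts)
        elif kind == "net_out":
            sent = int(detail.split("bytes=")[1])
            if sent >= exfil_bytes:
                big_uploads[host].append((ts, sent))
    alerts = []
    for (host, proc), stamps in renames.items():
        start = 0  # sliding window over this process's rename timestamps
        for end, ts in enumerate(stamps):
            while ts - stamps[start] > window_s:
                start += 1
            if end - start + 1 >= rename_threshold:  # alert when threshold is crossed
                prior = [b for t, b in big_uploads[host] if t < stamps[start]]
                alerts.append({"host": host, "process": proc,
                               "files_renamed": end - start + 1,
                               "exfil_bytes_before": max(prior, default=0)})
                break
    return alerts
```

On the sample data only svc_upd.exe on ws-17 trips the rule; winword.exe keeps the same extension and backup.exe uploads without any rename burst, so neither is flagged.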
Faisal: “At this point, the organization has to make a choice. Do they pay the ransom or not? This usually comes down to how well they can respond to the attack on their own. If they can’t, then they have to pay. But if they can launch a full-fledged response — especially if they detected the attack pre-ransom or have immutable backups and a proper plan to restore them — they reduce their chance of paying the attacker.”
Question: What is the difference between EDR and MDR in ransomware defense? How do these solutions stop ransomware?
Faisal: “The difference is simple. Endpoint Detection and Response, or EDR, is typically a stand-alone tool that fits into a larger stack of cybersecurity solutions. Internal security teams use EDR tools to cover one of the single most significant sources of vulnerability to modern ransomware attacks. In-house InfoSec teams or managed security vendors directly pilot these tools to manage detection and response of cyber threats.”
Harman: “Fundamentally Managed Detection and Response, or MDR, is a more comprehensive security solution. MDR is a full-service program performed by an external third-party organization that handles the day-to-day work for the organization. MDR programs are often powered by either an XDR platform or an MDR platform that integrates multiple security technologies, including an EDR, NDR, and other tools and capabilities.”
Question: So, which is the right solution to stop ransomware — EDR or MDR? Which should an organization bring to their defense?
Harman: “Before we dig in, let’s be clear: no single solution can stop ransomware threats. This is a complex attack pattern that can only be controlled by a comprehensive defensive posture — and, of course, any specific tool or partner used to create that defensive posture must be chosen carefully.”
Faisal: “That’s a good point. For example, EDR has proven effective against ransomware threats, as organizations must focus on monitoring and securing their vulnerable endpoints. Most ransomware attacks take advantage of endpoints that organizations lack visibility into and which carry vulnerabilities that threat actors can compromise without being noticed.
However, EDR only stops ransomware when it’s optimally configured for the organization’s environment and when the correct EDR platform is used. An example of an effective anti-ransomware platform is Cybereason.
Cybereason creates visibility from the kernel to the cloud to monitor an organization’s entire attack surface, uncover the subtle-but-perceptible traces that ransomware attackers leave, and root out ransomware operators wherever they hide. Cybereason’s protection is both predictive — it infers malicious behavior and proactively blocks attacks — and multi-layered — it prevents known and unknown threats and predicts which files will be encrypted, and restores them ASAP.”
Harman: “From a broader perspective, EDR is necessary but not sufficient. MDR sees that ransomware spans many vectors — not just endpoints — including the cloud, networks, user behavior, applications, logs, and the entire IT stack. A good MDR provider will detect and respond to ransomware attacks across all these vectors, not just endpoints. By doing so, MDR provides a deeper level of detection than a single EDR tool would deliver on its own.
The best MDR providers also layer in AI, Machine Learning, and Big Data analytics to detect a wide range of known and unknown threats. This also allows them to perform automated, continuous monitoring and hunting for threats at any scale.
In addition, a good MDR provider will provide a comprehensive suite of capabilities and actions performed by their staff. These will include threat intelligence, threat hunting, security monitoring, incident analysis and investigation, threat containment, and full-service incident response that evicts attackers in full.
For that reason, MDR that includes a leading-edge EDR platform is the best choice if an organization requires a full-service, hands-free approach that secures them against the entirety of a ransomware attack pattern and incident. MDR can give you this complete defensive posture instantly, even if you currently lack any ransomware defense at all. Atos Managed Detection and Response services provide just this. We work with leading EDR vendors and bring our proprietary technologies and proven SOCs for robust protection against ransomware.”
Question: Finally, how must an organization prepare to defend itself against a ransomware attack?
Harman: “Fundamentally, they must ensure they have the right tools and capabilities in place — either by supplementing their existing security stack with an EDR platform or contracting a partner for a complete MDR capability.”
Faisal: “And let me add that it isn’t enough to have the right tools and partners. Organizations must know how to utilize them correctly and creatively.
For example, you can’t assume an EDR platform is a “silver bullet” against ransomware that lets you drop the basics of good fundamental security. Even the most sophisticated EDR platform means very little if you are not hardening your endpoints, practicing good IT hygiene, and maintaining a secure environment that you can effectively layer advanced security technologies on top of.”
Harman: “Likewise, it’s important to use something like MDR in the best way for your organization. You can use a trusted MDR partner to gain a complete “hands-free” capability, or you can use MDR to boost your internal capabilities and fill the gaps in any internal staff you are missing.
And after you set up the basics and deploy the right solution properly, you need to make sure you’re ready for an incident. To do so, you have to run tabletop exercises on various ransomware scenarios. You have to practice and optimize your response. A comprehensive external Incident Response service on speed dial is necessary to support your internal teams and accelerate your response.”
Atos offers Managed EDR Services with Cybereason EDR.