
THE DEFINITIVE GUIDE TO

RANSOMWARE

All you need to know about ransomware and how to avoid falling victim to it.

What is Ransomware?

Ransomware attacks are on the rise, with 304.7 million attacks occurring in just the first half of 2021. That’s greater than the number of attacks in the entire year 2020. With increasing network connectivity and new vulnerabilities like the Log4j 2 vulnerability, it’s easier for hackers to get in and take control of entire systems. In this section, we’ll look at what ransomware is and how it can affect your business.

What is Ransomware?

Ransomware is a type of malware that encrypts a victim’s files until the victim pays the amount the attacker demands. It can target anyone, from individuals to major corporations. And when it attacks enterprises, the costs can be devastating. The average cost of a ransomware breach in 2021 is $4.62 million.

What Attack Vectors are Used?

Attackers use a variety of vectors to gain initial access. While phishing has long been a common method, remote desktop protocol (RDP) compromise is now the leading way hackers get in, and vulnerability exploitation is growing quickly. The Log4j vulnerability, for example, can be exploited through multiple attack vectors.

Phishing

Phishing is one of the most common forms of attack, and it can be difficult to avoid. If an employee clicks on a pop-up or a bad link in an email, threat actors could gain entry. While many people think they’d recognize phishing when they see it, it isn’t always so easy. Now, many phishing emails are well-written and designed, appearing to come from a legitimate source.

RDP

RDP allows employees to access their company computers from anywhere, and it’s become a necessity for many with remote working. However, this brings new vulnerability to systems. If attackers gain access through any unsecured area, they may also be able to take full control of the network. In the past year, 30% of ransomware attacks on large enterprises were accomplished using RDP.

Social Engineering

Social engineering attacks are more commonly used when attacking individuals, but corporations also fall victim to these. A threat actor may impersonate someone trusted in order to get valuable information. Even seemingly innocent questions may lead someone to inadvertently give away a password or contact information. 

3rd Party Compromise

This is a problem for companies that rely heavily on SaaS, especially if they don’t keep track of all of it. An individual or team might download some software, unaware of any vulnerabilities in it, and not report to IT that they’re using it.

Brute Force Compromise

A brute force attack is a password compromise technique in which attackers try multiple combinations of letters and numbers to gain access to a site. This is more likely to be successful if employees use simple passwords and two-factor authentication is not enabled.
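Brute-force attempts leave an obvious trace in authentication logs, which is where a defender can catch them before a weak password gives way. The Python script below is an added illustration, not code from this guide or from Randori: it parses a few constructed sshd-style log lines (hypothetical hosts and addresses) and flags any source address that accumulates a threshold of failed logins inside a short sliding window. The log format, the threshold of five failures and the five-minute window are assumptions to be tuned for your environment.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sshd-style log lines (hypothetical hosts and addresses, not from the guide).
SAMPLE_LOG = """\
Jan 10 09:00:01 bastion sshd[1001]: Failed password for invalid user admin from 198.51.100.7 port 51000 ssh2
Jan 10 09:00:03 bastion sshd[1002]: Failed password for root from 198.51.100.7 port 51001 ssh2
Jan 10 09:00:05 bastion sshd[1003]: Failed password for invalid user test from 198.51.100.7 port 51002 ssh2
Jan 10 09:00:06 bastion sshd[1004]: Failed password for invalid user guest from 198.51.100.7 port 51003 ssh2
Jan 10 09:00:08 bastion sshd[1005]: Failed password for oracle from 198.51.100.7 port 51004 ssh2
Jan 10 09:00:09 bastion sshd[1006]: Accepted password for alice from 203.0.113.5 port 40000 ssh2
Jan 10 09:00:12 bastion sshd[1007]: Failed password for alice from 203.0.113.5 port 40001 ssh2
Jan 10 09:15:00 bastion sshd[1008]: Failed password for bob from 203.0.113.9 port 40100 ssh2
"""

# Matches the "Failed/Accepted password" lines sshd writes; any other line is ignored.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d+\.\d+\.\d+\.\d+)"
)


def parse_events(log_text, year=2022):
    """Return (timestamp, source_ip, username, failed) tuples.

    Syslog lines carry no year, so one is assumed for the timestamps."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["ip"], m["user"], m["result"] == "Failed"))
    return events


def find_bruteforce(events, threshold=5, window=timedelta(minutes=5)):
    """Flag sources with at least `threshold` failed logins inside any sliding window.

    Returns {source_ip: (failures_in_window, sorted distinct usernames tried)}.
    Many usernames from one source is the password-spraying pattern; one username
    with many failures is classic guessing against a single account."""
    failures = defaultdict(list)
    for ts, ip, user, failed in events:
        if failed:
            failures[ip].append((ts, user))
    flagged = {}
    for ip, attempts in failures.items():
        attempts.sort()
        start = 0
        for end in range(len(attempts)):
            # Shrink the window from the left until it spans at most `window`.
            while attempts[end][0] - attempts[start][0] > window:
                start += 1
            count = end - start + 1
            if count >= threshold:
                users = sorted({u for _, u in attempts[start:end + 1]})
                flagged[ip] = (count, users)
                break
    return flagged


def scan(log_text, threshold=5, window_minutes=5):
    """Convenience wrapper: parse the log text and flag sources in one call."""
    return find_bruteforce(parse_events(log_text), threshold, timedelta(minutes=window_minutes))


if __name__ == "__main__":
    for ip, (count, users) in scan(SAMPLE_LOG).items():
        print(f"{ip}: {count} failures in window, usernames tried: {', '.join(users)}")
```

On the sample data only 198.51.100.7 is flagged (five failures across five usernames in seven seconds); the single failures from the other two addresses are ordinary typos. A source that is flagged and then produces an "Accepted password" line deserves the highest priority, since that is the moment a guessed password has worked.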

Impact of Ransomware

Ransomware has devastating consequences for a business, and these are not only financial. It impacts reputation, takes up valuable time, disrupts productivity and supply chain, and may cause permanent loss of data. Plus, the costs of clean-up and damage control may be ongoing for some time.

The obvious cost of ransomware is the pay-out of the ransom demanded. While paying the ransom may not be the recommended course of action, 36% of companies choose to pay it as their only hope of recovering their data.

Falling victim to a ransomware attack can cause irreparable damage to a business’s reputation if sensitive data is lost. Especially for enterprises dealing with confidential health information or financial services, a breach can lead to compliance violation charges and lawsuits, along with prompting customers to consider choosing other, more trustworthy providers.

Since you’re dealing with criminals, there’s no guarantee that you’ll get your data back even if you do pay the ransom. About 30% of the time, the attackers will just take the money and run. Unless you have comprehensive, recent backups, large amounts of work, customer data, and critical company information may be permanently deleted.

When your business-critical data is taken hostage by threat actors, all work grinds to a halt for days. Business costs all still need to be paid even though employees are unable to work. Delays will affect customers, and it can take weeks to months to get back on schedule.

Finally, one of the greatest costs is repairing the damage done. Remediation costs often make up 60% of the total costs of handling a ransomware breach. This includes the cost of manpower for investigation, added security protocols, and paying damages to customers.


Causes of Ransomware Attacks

What are the Main Causes of Ransomware Attacks?

Since ransomware is such a serious threat to your business, it’s important to understand the causes so you can mitigate risks.

Shadow IT

In the past two years, 67% of organizations have been compromised due to Shadow IT. Shadow IT is outside the control of your security teams, making it a prime target for attack. It includes IT solutions deployed without the IT team’s oversight, as well as assets acquired through poor hygiene, external software, appliances, and mergers and acquisitions. Since security teams don’t know about it, they’re also unaware of the vulnerabilities in it.

Check out our Definitive Guide to Shadow IT to learn more.

Weak Security Controls

Lax security procedures make it easy for threat actors to find a way in. Easy to guess passwords, no two-factor authentication, and employee devices that aren’t password protected are common problems. Other problems include not patching vulnerabilities and not monitoring the network frequently enough.

Human error

Human error accounts for a large portion of ransomware attacks. If employees lack awareness of the risks, they may fall prey to phishing and social engineering. Shadow IT and weak security protocols are also often linked to human error, although those are sometimes unavoidable.

Real World Examples of Ransomware Attacks

Khonsari Log4j Exploit

The discovery of the log4j/log4shell vulnerability affecting millions of Java-enabled devices has given threat actors a prime opportunity for exploitation, and ransomware gangs began taking advantage of it just days later. The first known exploit was the deployment of Khonsari ransomware on December 14, 2021.

While Khonsari is relatively unsophisticated, the attacks show what’s possible. Any unpatched system–and with this vulnerability, that’s millions of systems–could fall victim to a ransomware attack. 

Colonial Pipeline

The most infamous recent example of a ransomware attack is the Colonial Pipeline attack in May 2021, which impacted the oil supply to 17 states and Washington, D.C., leading to a declaration of a state of emergency. In response to the attack, Colonial Pipeline paid the ransom of over $4 million. Filling stations ran out of fuel for days while remediations were being conducted.

How did this happen to such a crucial industry? Attackers were able to get in using a single password. While most modern systems use two-factor authentication, Colonial’s system was accessible using a legacy VPN, which only requires one step, entering a password.

JBS

Another major attack affecting essential infrastructure, just a few weeks after the Colonial breach, was the attack on JBS, the world’s largest meat producer. This attack disrupted systems in the US, Australia, and Canada. JBS gave in to the attackers’ demands as well, paying the ransom of $11 million. Despite the high cost, JBS was able to recover quickly as it had encrypted back-up servers and an extensive cybersecurity team.

Could the breach have been prevented? While the exact details of the attack vectors are unknown, it’s clear that the attackers began targeting the system months earlier, in February. They began searching for RDP connections and attempting to gain entry that way. Employee data was leaked shortly after that, indicating that they were successful. Over the following months, they exfiltrated at least 45 GB of data. This only became known after the major attack.

New Cooperative

Poor cybersecurity hygiene is especially common in the food production industry, with 1 in 5 businesses having known vulnerabilities in their exposed assets. In September 2021, another major food supplier was struck. NEW Cooperative is an Iowa-based grain producer which provides supplies to poultry farms across the US. Attackers encrypted its data and demanded $5.9 million in ransom. Fortunately, the company discovered a workaround, but it had to take the system offline and resorted to using paper tickets to log shipments.

Vulnerabilities were rampant in the company; an investigation quickly discovered that there had been 653 cases of breached credentials. One basic problem was that employees were all commonly using the password “chicken1” across multiple sites. While two-factor authentication was in place, the business had been exploited by the SolarWinds breach, a common 2FA vulnerability.

How to Prevent Ransomware Attacks

Even if your business generally practices good cybersecurity hygiene, you’re not immune to a ransomware attack. Knowing the risks involved, it’s crucial to take every possible step to stay ahead of an attack.

Harden Your Attack Surface

As in the JBS attack, hackers spend a lot of time scoping out attack surfaces for potentially valuable, exploitable weaknesses. If you evaluate your attack surface from an attacker’s perspective, you’ll clearly see what’s most critical to protect.

Of course, not all your exposed assets are valuable, and you don’t want to waste time on something that isn’t a threat. The following have the greatest potential for a ransomware attack:

  • Exploitable systems—These are business critical systems that are exposed to the internet. If attackers can gain control of these, they can shut down your productivity.
  • Exposed RDP and VPNs—Gaining access through RDPs and VPNs provides full access to your network, allowing the same control that employees have.
  • Login pages and admin portals—Once an attacker gains access to login pages and admin portals, the next step of obtaining a password isn’t much of a challenge.

To harden your attack surface and make sure these tempting targets aren’t exposed, you need to be aware of everything that’s there and constantly monitor it.

Your attack surface includes all your company’s assets that are exposed to the internet, whether you’re aware of them or not.

Identify Your Top Targets

Attack Surface Management (ASM)

To get a full view of your attack surface and identify top targets, consider using an attack surface management (ASM) solution. Leading ASM solutions provide an attacker’s perspective and alert you to internet-exposed assets that you weren’t even aware of. They also tell you which assets are top targets so you can prioritize those for remediation.

Know Your Unknowns

Shadow IT is by definition unknown to your security teams, and it won’t be found using traditional asset management because that only alerts you to issues with known assets. There might be login pages from old versions of websites that haven’t been deleted or vulnerabilities in software that you didn’t know was installed on your system. ASM makes all of these known.

Prioritize Patching

With an extensive attack surface, it’s nearly impossible to patch every vulnerability, and you don’t need to. The fact is, 95% of vulnerabilities are never exploited. If they’re not useful to threat actors, they don’t require attention. Prioritize patching high risk, exploitable vulnerabilities to ensure you’re protected and making efficient use of your security teams’ time. 

Remove Legacy Systems

Older systems often have known vulnerabilities that make them an easy target. They’re also less likely to require two-factor authentication, so entry requires less effort. Even after enterprises have updated their systems, legacy versions may remain, simply because no one thought to delete them.
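The three points above (surfacing unknown assets, patching by exploitability rather than by count, and retiring legacy systems) come down to one triage over what external discovery finds. The Python below is an added example, not code from this guide or from any ASM product. The hosts, the known inventory, the Exposure fields and the score weights are all constructed assumptions. It diffs discovered hosts against the inventory to list the shadow IT, then ranks every exposure by whether it is an entry point (RDP, VPN or a login portal, the guide’s three top targets), carries a known-exploited vulnerability, lacks a second factor, or is a legacy system.

```python
from dataclasses import dataclass


@dataclass
class Exposure:
    """One internet-facing service found by discovery (fields are this example's assumptions)."""
    host: str
    service: str                    # "rdp", "vpn", "https-login" (admin/login page) or "https"
    port: int
    known_exploited: bool = False   # carries a vulnerability with public, in-the-wild exploitation
    mfa: bool = True                # login is protected by a second factor
    legacy: bool = False            # end-of-life or superseded version still running


# Constructed inventory the security team already knows about (hypothetical hosts).
KNOWN_INVENTORY = {"vpn.example.com", "www.example.com", "mail.example.com"}

# Constructed discovery results: what an external scan would actually find.
DISCOVERED = [
    Exposure("vpn.example.com", "vpn", 443),
    Exposure("www.example.com", "https", 443),
    Exposure("legacy-vpn.example.com", "vpn", 443, mfa=False, legacy=True),
    Exposure("jump01.example.com", "rdp", 3389, mfa=False),
    Exposure("old.example.com", "https-login", 443, known_exploited=True, legacy=True),
    Exposure("mail.example.com", "https", 443, known_exploited=True),
]

# Services that hand an attacker a network or administrative foothold.
ENTRY_POINT_SERVICES = {"rdp", "vpn", "https-login"}


def unknown_assets(discovered, inventory):
    """Hosts discovery found that nobody had recorded: the shadow IT."""
    return sorted({e.host for e in discovered if e.host not in inventory})


def risk_score(e):
    """Assumed weights: entry points first, then exploitability, then missing MFA, then age."""
    score = 0
    if e.service in ENTRY_POINT_SERVICES:
        score += 40
    if e.known_exploited:
        score += 30
    if e.service in ENTRY_POINT_SERVICES and not e.mfa:
        score += 20
    if e.legacy:
        score += 10
    return score


def prioritize(discovered, inventory):
    """Ranked work list of (host, service, score, unknown_to_inventory), highest risk first.

    Plain web servers with nothing exploitable score 0 and are left off the list,
    which is the point of prioritizing: not every exposed asset needs attention."""
    ranked = sorted(discovered, key=lambda e: (-risk_score(e), e.host))
    return [(e.host, e.service, risk_score(e), e.host not in inventory)
            for e in ranked if risk_score(e) > 0]


if __name__ == "__main__":
    print("Unknown assets:", unknown_assets(DISCOVERED, KNOWN_INVENTORY))
    for host, service, score, unknown in prioritize(DISCOVERED, KNOWN_INVENTORY):
        print(f"{score:3d} {service:12s} {host}{'  (not in inventory)' if unknown else ''}")
```

On this data the top of the list is a forgotten login page on a legacy host with a known-exploited flaw, followed by a legacy VPN and an RDP jump host with no second factor, all three absent from the inventory; the patched corporate VPN and the known mail server come last, and the plain web server is not on the list at all. Real weights should reflect your own business-critical systems, but the shape of the ranking is what matters.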

Learn more about ASM in our Definitive Guide to ASM.

Assume Compromise

Maximize Detection: Ensure Layered Visibility

Layered visibility allows you to filter through data and focus on what’s most important. It also shows how assets are connected so that you can trace how a breach might possibly occur and make sure to block that from happening.

Limit Impact: Segmentation

By segmenting your network, you can limit the impact in the event an attack does occur. This means that if attackers breach one part of your network, they won’t have access to the entire network, which still leaves you in control.

Accelerate Recovery: Back Up Your Data

Regularly backing up your data is key to recovering from an attack. When you have offline back-ups of the latest data, you won’t be compelled to pay a ransom and you’ll be able to get your systems up and running again quickly. However, you’ll need to determine when the breach occurred before you revert to a back-up. If the breach occurred months ago, restoring your most recent back-up could restore the hackers’ foothold along with your data.
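Picking a restore point from before the intrusion, as the last sentence warns, is worth scripting rather than eyeballing. The Python below is an added example and not part of the guide; the backup catalogue, the archive contents and the one-day safety margin are constructed for illustration. Given the earliest time at which compromise is suspected, it selects the newest offline backup taken before that time, minus the margin, whose archive still hashes to the digest recorded when the backup was written, and returns nothing when no clean pre-compromise copy exists.

```python
import hashlib
from datetime import datetime, timedelta


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


# Constructed archive contents standing in for real backup files (hypothetical, not from the guide).
ARCHIVE_CONTENTS = {
    "full-2021-11-01": b"customer-db snapshot v1",
    "incr-2021-11-15": b"customer-db snapshot v2",
    "full-2021-12-01": b"customer-db snapshot v3",
    "full-2021-12-20": b"customer-db snapshot v4",
}

# Catalogue written when each backup was taken and kept offline, so its digests are trusted.
CATALOGUE = [
    {"name": "full-2021-11-01", "taken": datetime(2021, 11, 1, 2, 0), "offline": True,
     "sha256": sha256_hex(b"customer-db snapshot v1")},
    {"name": "incr-2021-11-15", "taken": datetime(2021, 11, 15, 2, 0), "offline": False,
     "sha256": sha256_hex(b"customer-db snapshot v2")},
    {"name": "full-2021-12-01", "taken": datetime(2021, 12, 1, 2, 0), "offline": True,
     "sha256": sha256_hex(b"customer-db snapshot v3")},
    {"name": "full-2021-12-20", "taken": datetime(2021, 12, 20, 2, 0), "offline": True,
     "sha256": sha256_hex(b"customer-db snapshot v4")},
]

# Simulate the 1 December archive having been altered after it was catalogued.
ARCHIVE_CONTENTS["full-2021-12-01"] = b"customer-db snapshot v3 (altered)"


def choose_restore_point(catalogue, contents, compromise_time_iso, margin_days=1):
    """Newest offline backup taken at least `margin_days` before the earliest sign of
    compromise, whose archive still hashes to its catalogued digest.

    Returns the backup name, or None when no clean pre-compromise copy exists."""
    cutoff = datetime.fromisoformat(compromise_time_iso) - timedelta(days=margin_days)
    for b in sorted(catalogue, key=lambda b: b["taken"], reverse=True):
        if not b["offline"]:
            continue        # an online copy could have been reached by the intruder
        if b["taken"] > cutoff:
            continue        # taken after, or too close to, the first sign of intrusion
        if sha256_hex(contents[b["name"]]) != b["sha256"]:
            continue        # archive no longer matches what was catalogued
        return b["name"]
    return None


if __name__ == "__main__":
    # Compromise first suspected on 10 December: the 20 December copy is too new, the
    # 1 December copy fails its digest check, the 15 November copy was never offline.
    print(choose_restore_point(CATALOGUE, ARCHIVE_CONTENTS, "2021-12-10T00:00:00"))
```

The interesting outcome is the third one the function can produce: when every offline copy is either newer than the suspected compromise or fails its integrity check, the answer is None, and that is the situation the guide describes in which a back-up alone does not save you. The margin exists because the first observed sign of intrusion is rarely the actual start.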

Test Your Defenses

Prove Remediation Using ASM

After you’ve found known issues and taken remediation actions, it’s time to prove it. Use ASM to conduct another scan to see if the problem has been solved. If some are still unaddressed or new assets have been discovered, further actions are necessary. Remember your attack surface is constantly changing, so new discoveries may be made at any time.

Validate Effectiveness with Red Teaming

Red teaming gives you a realistic simulation of an attack so you can confirm whether your defenses are adequate. Whether you have an internal red team or hire one externally, you’ll find out where your attack surface can be breached and how your security team responds in the event that it is.

Consider CART Solutions

While red teaming is an effective exercise, it’s cost and resource intensive. Continuous and Automated Red Teaming (CART) is an automated solution that allows you to constantly simulate red teaming, without having to hire a team. An ideal CART solution enables you to test mean time to attack, determine your detection rate, and gauge the sophistication needed to reach critical assets.

Implementing Your Ransomware Prevention Plan

Implementing a ransomware prevention plan requires an alignment of solutions and constant evaluation to ensure it remains strong.

Choose an ASM Solution to Continuously Evaluate Your Attack Surface

To be fully aware of your vulnerabilities to ransomware, you need constant insight into your attack surface. ASM software is the best way to get that. When choosing a solution, look for these key features:

  • Blackbox discovery—This allows you to start your attack surface discovery process effortlessly. All you need to do is enter a business email.
  • Attacker’s perspective—Getting an authentic attacker’s perspective is crucial so that you can identify prime targets.
  • Risk-based prioritization—Simply identifying all the vulnerabilities on your attack surface isn’t enough, as it overwhelms security teams and takes up valuable time on issues that aren’t important. Threats should be ranked by real-life risk.

Deploy CART to Test Your Defenses

The key that makes CART a superior method for testing your defenses is that it’s continuous. Your attack surface is constantly changing and new threats are emerging all the time. If you only test your defenses at certain points in time, for example, quarterly, you’ll only know how secure your system is at that point. The next day, that could all change.

Breach and Attack Simulation (BAS), penetration testing and red teaming all help test your system’s defenses, but they’re not sufficient to provide the most up to date information from an external perspective.

CART vs. BAS

BAS uses automation to continuously test and attack your system internally. The continuous monitoring is a benefit as it keeps your security teams up to date. But a drawback is that it’s coming from an internal perspective. It only lets you know what attackers would do once they’re already inside. CART simulates an attack from an external perspective, revealing the vulnerabilities attackers use to get in.

CART vs. Penetration Testing

Penetration testing involves manual, point-in-time testing by security teams. They attempt to penetrate the system from the outside to identify vulnerabilities. While this is effective at that time, it’s instantly out of date. CART provides the same benefits as pen testing on a continuous basis. 

CART vs. Red Teaming

With red teaming, security experts conduct a simulated attack, finding a way into the system and testing how your security team responds. But this comes with a similar downside to pen testing; it’s only done periodically and is quickly out of date. With CART, you have a virtual red team that’s continuously active, so your team is always up to date.

Report on Effectiveness, not Effort

When evaluating your security measures, look at how effective they are, not how much effort your teams are putting in or how much you’re spending on it. Putting hours of effort into testing exercises might demonstrate a dedicated team, but it doesn’t prove that your business is truly ready for an attack. Find out what’s really working and what isn’t.

If your current measures aren’t working, there may be some that can be done away with or replaced, for example, deploying CART instead of conducting red team exercises. Security measures that are lacking in certain areas can be improved with additional solutions like ASM that integrate with them.

Attackers are constantly finding new methods of attack. To stay one step ahead of them, you need to be continuously improving and innovating as well.

Conclusion

You’ve made it to the end of our guide! We’ve covered the increasing prevalence and impact of ransomware, how it’s deployed, and how you can prevent it. From real life examples like Log4j, Colonial Pipeline, JBS, and New Cooperative, it’s easy to see how oversights and weaknesses can allow hackers to wreak destructive consequences.

Traditional security methods are not enough to meet this threat because the majority of breaches involve assets security teams weren’t even aware of. Red teaming gives teams practice at defending realistic attacks, but only for the types of attacks they know about now.

To be fully prepared, additional solutions are necessary. ASM can help you discover your entire external attack surface, while CART provides continuous attack simulation so your teams are ready to defend against the latest tactics.

Randori Recon is the industry’s leading ASM software, the only ASM platform that brings a hacker’s perspective to your attack surface.

With advanced reconnaissance techniques used by real threat actors, it gives you the power to identify, prioritize, and continuously monitor your most valuable exposed assets and risks so you can protect them against ransomware.

Randori Attack is a CART solution that acts as a constant, trusted adversary. It provides real-world attack simulations that truly put your defenses to the test. The Randori Attack team was among the first to do a working exploit of Log4j.

Eliminate guesswork for your team and obtain proof of what happens when a weakness is left unaddressed. Gain certainty of the highest risks and their potential consequences.


Are you ready to discover your attack surface and test your defenses? Try a demo of Randori Platform, including Randori Recon and Randori Attack, today.