Ransomware changes rapidly. At a technical level, attack infrastructure can change by the minute; operationally, attack techniques shift; strategically, actors target particular sectors, industries or regions when the timing suits them.
Access brokers work across multiple groups, operators switch botnets, and malware developers continuously refine their techniques. They borrow each other’s tactics, fall out with each other and make up again.
Over the last 24 months, this activity has created a more chaotic, diverse and complex threat environment – an environment that we must monitor and learn from, to better prepare our detection and prevention tools and controls.
Although we are all working on backup, recovery and resilience projects, we must not forget that a core objective for our network defenders should be to never have to use them.
We do this by enabling and tasking our cyber threat intelligence function to monitor the ransomware threat and our attack surface, allowing for actionable recommendations that could prevent a ransomware attack from occurring.
Looking externally, monitoring the actions of the threat actors, their tactics and techniques, attack infrastructure and collecting indicators allows us to refine our security controls, detection logic and threat-hunting capabilities.
Each of these activities further limits the possibility of a ransomware outbreak.
Those with the budget or internal capability will also look to simulate what they have learnt with penetration testers, or red or purple teams.
To support such activity, there must be a comprehensive vulnerability and exploit intelligence capability.
Mapping the vulnerabilities and exploits that actors are actively using onto an organisation's own systems is critical. The intelligence function should provide assessments that support vulnerability management. Is the vulnerability hidden away in the dark depths of the network, or accessible via the perimeter systems? Is it being scanned for by actors you know are currently targeting your region or industry?
Providing that context to support patching priorities is vital. Doing so, while continuously scanning your own perimeter for weaknesses, shadow services or misconfigurations, all reduces the likelihood of a successful ransomware attack.
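As an added illustration (not part of the original article), the following Python ranks vulnerability findings using exactly the context described above: whether the host is reachable from the perimeter, whether a public exploit exists, and whether an actor known to target the organisation's region or industry is scanning for it. All actor names, vulnerability identifiers and hosts are constructed placeholders.

```python
"""Context-driven patch prioritisation (illustrative; all data below is constructed)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class OrgProfile:
    region: str
    industry: str


@dataclass(frozen=True)
class Campaign:
    actor: str                 # placeholder actor name
    regions: frozenset         # regions the actor is currently targeting
    industries: frozenset      # industries the actor is currently targeting
    scanning_for: frozenset    # vulnerability IDs the actor is observed scanning for


@dataclass(frozen=True)
class Finding:
    host: str
    vuln_id: str               # placeholder identifier, not a real CVE
    cvss: float
    internet_facing: bool      # reachable via perimeter systems?
    exploit_public: bool


def relevant_actors(f, campaigns, org):
    """Actors scanning for this vulnerability that also target our region or industry."""
    return sorted(c.actor for c in campaigns
                  if f.vuln_id in c.scanning_for
                  and (org.region in c.regions or org.industry in c.industries))


def priority_key(f, campaigns, org):
    # Lexicographic: actor interest first, then exposure, then exploit availability, then CVSS.
    return (bool(relevant_actors(f, campaigns, org)), f.internet_facing, f.exploit_public, f.cvss)


def prioritise(findings, campaigns, org):
    return sorted(findings, key=lambda f: priority_key(f, campaigns, org), reverse=True)


ORG = OrgProfile(region="EU", industry="finance")
SAMPLE_CAMPAIGNS = [
    Campaign("ACTOR-1", frozenset({"EU"}), frozenset({"finance"}), frozenset({"VULN-0001"})),
    Campaign("ACTOR-2", frozenset({"APAC"}), frozenset({"healthcare"}), frozenset({"VULN-0003"})),
]
SAMPLE_FINDINGS = [
    Finding("vpn-gw", "VULN-0001", 7.5, internet_facing=True, exploit_public=True),
    Finding("hr-db", "VULN-0002", 9.8, internet_facing=False, exploit_public=True),
    Finding("web-01", "VULN-0003", 6.5, internet_facing=True, exploit_public=False),
]
```

Sorting by CVSS alone would patch the internal database first; with context, the perimeter VPN gateway that a relevant actor is scanning for comes out on top.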
Within the intelligence function, two important tasks remain.
The first is monitoring the associated ecosystem. Although this usually comprises elements such as critical service providers, partners, regional offices and group companies, the supply chain is currently the most critical element.
Numerous firms suffer ransomware and data breaches that originate not within their own firm but in their supply chain. Whether the supplier has direct network access, provides software whose updates could be tampered with, or holds sensitive data, monitoring the wider ecosystem – particularly the supply chain – is now as important as monitoring your own organisation.
Knowing who may target your suppliers and what their attack surface looks like could have a significant impact on the likelihood of your organisation or its data being compromised by ransomware operators.
Secondly, as wonderful as all of this is, this work will not meet its full potential unless you share it.
There is no better intelligence available anywhere than insights from similar organisations that have detected an attack. Whether you share the technical indicators, the operational techniques observed, the detection logic or the threat-hunting strings used, it all has value.
Ransomware became endemic because the return on investment (RoI) for operators is high.
The harder we make it for them by sharing insights, the more we drive down that RoI, to the point where the risk so outweighs the reward that we might just start winning the war.