Find out how your group can use the MITRE ATT&CK framework to stop knowledge breaches, fines, and the lack of purchasers and prospects induced by ransomware threats.
Picture: zephyr_p/Adobe Inventory
The FBI experiences that as many as 2,048 ransomware complaints have been registered in 2021, and the Monetary Crimes Enforcement Community famous there have been 68 variants of ransomware in that very same yr, accounting for over $590 million in ransom funds.
Lately, healthcare programs together with the CommonSpirit Well being system — the fourth largest within the nation — and different hospitals in Texas and Seattle have been hit with suspected ransomware assaults. New York’s Suffolk County authorities laptop community was additionally shut down by such an assault in current months. The checklist of targets is intensive.
SEE: Cell machine safety coverage (TechRepublic Premium)
Strategies for defending in opposition to ransomware assaults
Organizations are usually not alone in defending in opposition to cyberthreats. Right here to assist is the MITRE ATT&CK framework, a free international useful resource containing documented info on methods to acknowledge adversarial behaviors, risk fashions and employed ransomware strategies.
MITRE additionally presents mitigation ways primarily based on collected knowledge, together with recognition of the eight commonalities which might be obvious throughout such assaults. An understanding of those ways helps organizations devise higher plans to detect and keep away from worst-case situations.
What do all ransomware assaults have in widespread?
All ransomware payloads apply a cryptographic cipher, which implies they use an algorithm to encrypt consumer and system recordsdata. Strategies which might be generally used to take action are effectively documented in MITRE framework underneath the “Impression” Tactic.
For payloads to achieve success, they should bypass current safety controls which may be in place already. The “Protection Evasion” Tactic lists a few of these strategies, comparable to renaming system utilities, indicator elimination, clearing occasion logs, utilizing abuse profile installers and disabling safety instruments.
On this state of affairs, hackers use legitimate accounts extracted from compromised hosts to work together with a distant community, getting access to a number of capabilities. Ransomware may even transfer from one laptop station to a different. This class may be discovered underneath MITRE ATT&CK tactic “Lateral Motion.”
Disables system defenses and restoration efforts
On this occasion, attackers delete system knowledge designed to help with the restoration of corrupted programs, thereby impeding these efforts to get again on-line.
Whereas there are numerous methods to attain this, the widespread ones utilized by many of those payloads are the abuse of scheduled duties and the creation of registry keys. These strategies may be discovered underneath the MITRE ATT&CK tactic “Privilege Escalation.”
Makes an attempt to persist
Much like the above, as soon as system defenses are compromised, makes an attempt are made to additional infect and disable the programs and customers accessible inside the software program. These strategies may be discovered underneath the MITRE ATT&CK “Persistence” tactic.
Earlier than encrypting the sufferer’s knowledge, the payload transports business-critical knowledge from the sufferer’s community to the risk actor utilizing DNS tunnels and Software Layer Protocols HTTP/HTTPS or Different Protocols. These actions may be discovered underneath the MITRE ATT&CK ways “Command and Management” and “Exfiltration.”
Calls for ransom
Therefore the identify “ransomware.” Paying the demanded ransoms is illegitimate based on the FBI, as per its definition of terrorism.
The right way to enhance programs and keep at bay ransomware assaults
Step one to enhance your organization’s cybersecurity protection is upgrading or changing outdated legacy laptop programs which might be extra susceptible to cyberattacks. What may need labored effectively for a corporation or authorities group for a few years is probably not satisfactory now to stop malware assaults.
Should-read safety protection
The price of alternative will pale compared to the price of downtime and the lack of purchasers and prospects as soon as a knowledge breach goes public. Set up improved monitoring programs that may detect an assault or a sequence of makes an attempt to breach the defenses in place, and restrict the variety of administrative privileges given out.
Subsequent, enhance worker coaching to make sure everybody in any respect ranges of a hierarchy understands that for entities which exist considerably in right now’s on-line world, knowledge safety is the first duty.
Facilitate this with outlined organizational insurance policies to exhibit that that is the organizations’ utmost precedence. Persistently remind workers to keep away from phishing assaults that begin with clicking on hyperlinks to suspicious emails as this gives hackers the entryway wanted to a whole laptop community.
It sounds simplistic, however acknowledge it might not at all times be “another person” or “that received’t occur to us,” as organizations each massive and small — together with elementary faculties and rural authorities our bodies — are targets.
There are cyber insurance coverage insurance policies accessible, with insurers demanding improved cybersecurity implementation earlier than protecting claims for incident response, lack of info and compliance/regulatory prices.
The advantages of cybersecurity preparation
Ransomware assaults would not have to be inevitable. Recognizing the commonalities these assaults share can result in upgraded working programs, heightened safety monitoring procedures and improved defenses, overseen by workers with always evolving ability units.
With savvy hackers seeking to reinvent their very own acumen regularly, recognizing the newest cyberattack traits to remain one step forward to guard knowledge, and in some instances, to easily preserve working, is an crucial for any measurement group, company or enterprise.
Jayant Kripalani is a cybersecurity skilled with 20 years of expertise working for international safety corporations comparable to Splunk, Cisco, Rapid7 and Wipro. He holds a bachelor’s diploma in laptop engineering along with a number of business certifications. He has labored extensively with SOC groups and at the moment makes a speciality of cybersecurity technique and consulting.