Cyber

Cyber strategy

by Mark Rowe

Global business is more complex and interconnected than ever before, with organisations relying heavily on electronic data and the systems that enable the storage, transport, access and manipulation of data, says David Stubley, MD of 7 Elements – the cyber security division of Redcentric.

Even simple spreadsheets can become mission critical, and this has resulted in an era where networks and the applications within them have become the backbone of every organisation regardless of its size and sector.

Implementing measures cost-effectively

Understanding the threat environment helps in determining a resilient approach to cyber security. An organisation must set and agree a risk appetite in order to identify a cost-effective and fit-for-purpose approach. This risk position, combined with an understanding of the threat environment, will allow for informed decisions on the correct level of organisational response required.

Budgeting in an ever-changing landscape

Budgeting ensures that cyber security measures are in line with an organisation’s risk appetite, with risk management assisting in determining a proportional response. By assessing the impact of a cyber security risk together with the likelihood of attack, an organisation can determine the amount of budget and resource it is willing to commit to tackling that risk.

Threat forms a key part of any risk equation, as a threat actor must exploit a vulnerability to cause an event that impacts the business. Yet threat is a frequently ignored component, because knowledge of the threat usually sits outside the organisation it may impact.

Identifying vulnerabilities

There is no excuse for being the third, fourth or even the 100th company breached using the same MO (modus operandi). Groups conducting attacks, whether for financial gain or other motives, frequently reuse the same methods of compromise. This gives organisations an opportunity to identify the attack approaches and vulnerabilities that could apply to them.

Organisations should therefore use the experiences of others within their sector to enhance their own incident management procedures. They can gain insight into past incidents through information sharing forums (for example the National Cyber Security Centre-led Information Sharing Partnership, ‘CiSP’).

With regard to ransomware, organisations should be aware of the current methods deployed by ransomware actors to gain an initial foothold within the targeted network. These include the compromise of Remote Desktop Protocol (RDP), malware-laden attachments, malicious links within email designed to act as malware droppers that fetch further malware, and the exploitation of vulnerabilities within external assets.

Beyond the more common methods of compromise listed above, US-CERT has also noted the use of phone calls and the practice of enticing the opportunistic download of fake software containing malware, promoted via search engine optimisation. Phishing and spear phishing campaigns are also often used to distribute malware links and attachments, and should be viewed as the delivery mechanism for an attack rather than as a standalone incident.
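Since compromised RDP is named above as a common initial foothold, one defensive counterpart is to alert on bursts of failed RDP logons from a single source. The following is an added example, not code from the article or from 7 Elements: it runs a sliding-window detection over constructed Windows Security log records written in a simplified key=value format (real Windows event IDs 4625 for failed and 4624 for successful logons, and logon type 10 for RemoteInteractive/RDP; the 5-minute window and threshold of 10 failures are assumptions to be tuned per environment).

```python
from collections import defaultdict
from datetime import datetime, timedelta

FAILED_LOGON = 4625    # Windows Security: an account failed to log on
SUCCESS_LOGON = 4624   # Windows Security: an account was successfully logged on
RDP_LOGON_TYPE = 10    # RemoteInteractive, i.e. a logon over RDP


def build_sample_log():
    """Constructed sample events (not real logs) in a simplified key=value format."""
    base = datetime(2024, 3, 1, 2, 0, 0)
    users = ["administrator", "admin", "backup"]
    lines = []
    # 12 failed RDP logons from one source in under three minutes, cycling through accounts
    for i in range(12):
        ts = base + timedelta(seconds=15 * i)
        lines.append(f"{ts.isoformat()} EventID=4625 LogonType=10 "
                     f"IpAddress=203.0.113.45 TargetUserName={users[i % 3]}")
    # ...followed by a successful RDP logon from the same source
    ts = base + timedelta(minutes=4)
    lines.append(f"{ts.isoformat()} EventID=4624 LogonType=10 "
                 f"IpAddress=203.0.113.45 TargetUserName=backup")
    # A network (type 3) failure from the same source: not RDP, so ignored here
    ts = base + timedelta(hours=1)
    lines.append(f"{ts.isoformat()} EventID=4625 LogonType=3 "
                 f"IpAddress=203.0.113.45 TargetUserName=svc")
    # Two mistyped passwords from a second source: below threshold, no alert
    for i in range(2):
        ts = base + timedelta(hours=7, seconds=30 * i)
        lines.append(f"{ts.isoformat()} EventID=4625 LogonType=10 "
                     f"IpAddress=198.51.100.7 TargetUserName=jsmith")
    return lines


def parse_line(line):
    """Parse one constructed record into (timestamp, event id, logon type, source, user)."""
    ts_text, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    return (datetime.fromisoformat(ts_text), int(kv["EventID"]),
            int(kv["LogonType"]), kv["IpAddress"], kv["TargetUserName"])


def find_rdp_password_guessing(events, window=timedelta(minutes=5), threshold=10):
    """Return {source_ip: summary} for sources with >= threshold failed RDP logons
    inside any `window`, noting whether a successful RDP logon followed the burst."""
    failures = defaultdict(list)
    successes = defaultdict(list)
    for ts, event_id, logon_type, src, user in events:
        if logon_type != RDP_LOGON_TYPE:
            continue
        if event_id == FAILED_LOGON:
            failures[src].append((ts, user))
        elif event_id == SUCCESS_LOGON:
            successes[src].append(ts)

    findings = {}
    for src, items in failures.items():
        items.sort()
        best_count, best_start, best_end, start = 0, 0, 0, 0
        for end in range(len(items)):
            # advance the window start until the span fits within `window`
            while items[end][0] - items[start][0] > window:
                start += 1
            if end - start + 1 > best_count:
                best_count, best_start, best_end = end - start + 1, start, end
        if best_count < threshold:
            continue
        burst = items[best_start:best_end + 1]
        last_failure = burst[-1][0]
        success_after = any(last_failure <= ts <= last_failure + window
                            for ts in successes.get(src, []))
        findings[src] = {
            "failures": best_count,
            "first": burst[0][0],
            "users": sorted({user for _, user in burst}),
            "success_after": success_after,
        }
    return findings


if __name__ == "__main__":
    for src, summary in find_rdp_password_guessing(map(parse_line, build_sample_log())).items():
        print(src, summary)
```

A burst that ends in a successful logon is the case to escalate first, since it suggests a guessed or reused credential rather than noise; in production the same logic would read event 4625/4624 records from the Security log or a SIEM rather than constructed lines.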

The use of affiliates

With the ongoing evolution of ransomware attacks, many variants now use a ransomware-as-a-service (RaaS) model. Put simply, the developers of the ransomware variant provide the means to encrypt and extort funds from a targeted organisation, but the actual identification of the target, its exploitation and the deployment of the ransomware fall to an affiliate, who receives a share of the extorted funds.

The most significant actor within this RaaS model is the Conti ransomware group. Advisories from government agencies, incident responders and open-source intelligence point to ongoing and increasing levels of activity from this group.

Another RaaS actor is the REvil ransomware group. Its recent change in approach to motivate affiliates to use its ransomware now includes paying the affiliate 90 per cent of the funds extorted. Given this, a further increase in activity using this variant is likely.

The main takeaway is that where affiliates are used, the method of compromise will vary, and so will the actions taken after compromise and the resulting Indicators of Compromise (IoCs). Organisations therefore have to take a broader view of their defences and alerting capabilities.

Priorities to help minimise threats

One area often overlooked in an organisation’s approach to ransomware exposure is the loss of availability of data, and the need to collect and store backups in a way that is beyond the current reach of ransomware actors. In terms of technical controls, an adequate backup and recovery solution is an essential component of any organisation’s ability to ensure continuous operations. If disaster recovery activities are required to restore the organisation to full operation, access to reliable and recent data backups will be critical.

However, technology is only one aspect; policy, process and people also play a vital role. As such, the key priority for businesses must be gaining confidence that their backup and recovery capabilities are robust and free of potential avenues that may lead to data tampering or corruption. To address this, we are seeing many organisations undertake targeted ‘Backup and Recovery’ audits at board level.

A robust audit will enable an organisation to understand its entire backup and recovery capability, including identifying sources of data, protection mechanisms and where the data is replicated to and retained.

A correctly scoped audit should also cover data recovery and organisational policies and procedures, identify any areas of concern, and make recommendations to reduce the risks identified. For a greater level of assurance, combine this activity with IT disaster recovery testing to validate the effectiveness of plans and processes, and to enhance the skills of the teams responsible for backup and recovery.
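The audit described in the last three paragraphs (sources of data, protection mechanisms, where copies are replicated and retained, and whether they are free of tampering or corruption) can be partly automated. The following is an added example, not code from the article or from 7 Elements: it audits a constructed set of backup copies against a manifest of SHA-256 hashes recorded at backup time. The backup store, the 24-hour recovery point objective, the 30-day minimum retention and the "immutable offsite copy" requirement are all assumptions chosen for illustration.

```python
import hashlib
from datetime import datetime, timedelta


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed sample data (not from any real system): the live files and the
# hashes recorded in the backup manifest when they were backed up.
ORIGINAL_FILES = {
    "finance.xlsx": b"Q1 ledger,1000,2000\n",
    "customers.db": b"id,name\n1,Example Ltd\n",
}
MANIFEST = {name: sha256_hex(data) for name, data in ORIGINAL_FILES.items()}
NOW = datetime(2024, 3, 1, 12, 0, 0)


def make_backups(now):
    """Three constructed backup sets: a recent onsite copy that has been altered,
    an intact immutable offsite copy from the previous day, and an older offsite copy."""
    altered = dict(ORIGINAL_FILES)
    altered["finance.xlsx"] = b"Q1 ledger,1000,9999\n"  # simulated corruption/tampering
    return [
        {"id": "onsite-2024-03-01", "taken": now - timedelta(hours=6),
         "location": "onsite", "protection": "read-write", "files": altered},
        {"id": "offsite-2024-02-29", "taken": now - timedelta(hours=30),
         "location": "offsite", "protection": "immutable", "files": dict(ORIGINAL_FILES)},
        {"id": "offsite-2024-01-15", "taken": now - timedelta(days=46),
         "location": "offsite", "protection": "immutable", "files": dict(ORIGINAL_FILES)},
    ]


def audit_backups(backups, manifest, now,
                  rpo=timedelta(hours=24), min_retention=timedelta(days=30)):
    """Check each copy's integrity against the manifest, then evaluate the intact
    copies for recency (rpo), replication (an immutable offsite copy) and retention.
    Returns a dict of check name -> list of issues; an empty list means the check passed."""
    report = {"integrity": [], "recovery_point": [], "replication": [], "retention": []}
    intact = []
    for b in backups:
        ok = True
        for name, expected in manifest.items():
            actual = b["files"].get(name)
            if actual is None:
                report["integrity"].append(f"{b['id']}: missing {name}")
                ok = False
            elif sha256_hex(actual) != expected:
                report["integrity"].append(f"{b['id']}: hash mismatch for {name}")
                ok = False
        if ok:
            intact.append(b)

    if not intact:
        report["recovery_point"].append("no intact backup available to restore from")
        report["retention"].append("no intact backup available")
        return report

    newest = max(intact, key=lambda b: b["taken"])
    age = now - newest["taken"]
    if age > rpo:
        report["recovery_point"].append(
            f"newest intact backup {newest['id']} is {age} old, exceeding the RPO of {rpo}")
    if not any(b["location"] == "offsite" and b["protection"] == "immutable" for b in intact):
        report["replication"].append("no intact immutable offsite copy")
    oldest = min(intact, key=lambda b: b["taken"])
    if now - oldest["taken"] < min_retention:
        report["retention"].append(
            f"oldest intact backup {oldest['id']} is younger than {min_retention}")
    return report


if __name__ == "__main__":
    for check, issues in audit_backups(make_backups(NOW), MANIFEST, NOW).items():
        print(f"{check}: {'pass' if not issues else issues}")
```

In the constructed data the only copy inside the recovery point objective is the altered onsite one, so the audit reports both the integrity failure and a breached RPO even though an intact offsite copy exists; that is exactly the situation a board-level review wants surfaced before an incident rather than during one.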


© 2024 Professional Security Magazine. All rights reserved.
