SpiceWorld Virtual 2021: Webroot’s Grayson Milbourne On Ransomware Prevention & Response

essidsolutions

The past year served as the moment of reckoning for the cybersecurity sector. Various cyber threats emanating from state actors and ransomware gangs kept organizations and governments on their toes. At Spiceworld Virtual 2021, Grayson Milbourne, security intelligence director at Webroot, highlighted trends that impacted critical industries, geographies, companies, and people and spoke about how organizations can destroy threats like ransomware in the year ahead.

Amid ongoing cyberattacks, the shutdown of Emotet, one of the most prolific malware variants, arrived as good news for the cybersecurity industry. In January 2021, law enforcement authorities worldwide took down the Emotet botnet, which was first observed in 2014. The malware was designed to infiltrate systems and exfiltrate sensitive information, thereby posing a potent threat to multiple sectors.

Milbourne, while conducting a session on ‘Which Cybersecurity Risks Will Prevail in 2021’, said, “Emotet used to trick users to install the initial piece of infection while email brought ‘trickbots’ and other remote access utilities that infect the system, attempt to move laterally, and ultimately in many cases deliver ransomware infections.”

Emotet going offline has a tremendous impact, he said. “To combat the threat actors, cybersecurity really does require coordinated efforts. To bring Emotet down, over 12 countries joined hands to take down a globally distributed botnet. This is an extremely positive sign for the future of cybersecurity,” the optimistic security expert stated.

Ransomware: The Big Threat

Ransomware is the result of a multistage compromise in which several components must work together before the payload is delivered to an endpoint. Attackers who gain control of those endpoints lock users out of their files to get the data they want, then hold the systems hostage until a ransom is paid.

“Once the attackers are in control of the system, it is never enough to just have one, as data lives in multiple systems. Going after these other sets of data becomes important to ensure that the attacker is able to effectively hold ransom,” said Eric Howard, the Cisco security technical leader, during his session on ‘Why You Need a First and Last Line of Defense to Protect Against Ransomware.’

“There is a lateral movement, which is typically the exploitation of credentials. Using that allows the attacker to further go into the main control and key servers in the environment. An attacker is able to complete their ransomware in a matter of hours, if not minutes, in some environments,” he added.

Evolution of Tactics, Techniques, and Procedures

After penetrating an environment and gaining administrator-level privileges, threat actors use a variety of tactics, techniques, and procedures. These actions include:

  • Manually running encryptors on targeted systems
  • Deploying encryptors with Microsoft Group Policy Objects (GPOs) and the existing software deployment tools the victim organization already uses
  • Deploying encryptors across the environment using Windows batch files

Threat actors also introduce discrete scripts within targeted environments. Quite often, these are automated tools that help the attackers to:

  • Extract credentials or Windows tokens from disk or memory
  • Abuse trust relationships between systems and leverage Windows Management Instrumentation (WMI), SMB, or PsExec to bind to remote hosts and execute payloads
  • Exploit unpatched vulnerabilities

By combining a manual approach, where the attacker customizes the operation as needed, with an automated approach that quickly maps the environment for them, attackers can move faster than before when conducting a ransomware attack.

Overcoming the Threats

Education and training are the key

Security awareness training is an important part of the threat intelligence picture. Milbourne observed that we already know about many of the threats and risks out there, such as phishing, targeted phishing, spear phishing, and spam business emails. These exploit the human individual and are social engineering by nature.

“One of the things that is really important is to educate people, especially in security. Doing training is also a great quick and easy way. People who do training once have about 11 percent click-through for doing a wrong thing. But if you can take that through a year of campaign, regular phishing simulations can reduce click-through by up to 72%,” Milbourne stated.

Saying yes to updates

Over 90% of infections on Android come from outdated operating systems. Many people don’t like to update, but the reality is that mobile phones are under attack right now. There are a lot of vulnerabilities in apps; even apps from Google Play or the Play Store can be infected and may compromise your device. Milbourne suggested, “The call of action here is if an update is available, update the app. The updates are certainly always worth taking.”

Through recovery mode

Today’s cybercriminals attack backups first, and once those are under their control, they come after production data. This means that many enterprises feel a false sense of security until it is already too late.

JG Heithcock, general manager of Retrospect, a StorCentric company, made the point succinctly: “Backup is one thing, but recovery is everything.” Heithcock advises choosing a backup solution that ensures the recovery piece, which, surprisingly, not all of them do.

“Look for a provider with vast experience, as well as a track record for continuous innovation that ensures its offerings are prepared to meet prevailing conditions. The solution(s) should provide broad platform and application support and protect every part of your IT environment, on-site, remote, in the cloud and at the edge. 

“Next, the backup solution should auto-verify the entire backup process, checking each file in its entirety to ensure the files match across all environments, and you are able to recover in the event of an outage, disaster or cyber-attack. And, as a last but highly critical step, at least one backup should be immutable, unable to be altered or changed in any way, at any time. Even if the ransomware took a ride along with your data to your backup site, during the last backup.”
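Heithcock’s “auto-verify” step, checking each file in its entirety so that source and backup match, is straightforward to express in code. The following is an added example written for this article, not Retrospect’s or StorCentric’s code: it builds a SHA-256 manifest of a source tree and a backup tree, then reports files that are missing from the backup, unexpected extras, and files whose content differs. The sample trees are constructed inside a temporary directory so the script runs offline.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Hash a file in chunks so large files do not have to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map every regular file under root (relative path) to its SHA-256."""
    return {
        p.relative_to(root).as_posix(): sha256_of(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def verify_backup(source: Path, backup: Path) -> dict:
    """Compare source and backup file by file, not just by file count or size."""
    src = build_manifest(source)
    bak = build_manifest(backup)
    return {
        # present in source but never copied: the restore would be incomplete
        "missing": sorted(set(src) - set(bak)),
        # present only in the backup: worth a look, but does not block recovery
        "extra": sorted(set(bak) - set(src)),
        # same path, different content: silent corruption or tampering
        "mismatched": sorted(k for k in src.keys() & bak.keys() if src[k] != bak[k]),
    }


def is_recoverable(report: dict) -> bool:
    """A backup you can actually restore from has no missing or altered files."""
    return not report["missing"] and not report["mismatched"]


def demo() -> dict:
    """Constructed sample: one file altered in the backup, one never copied."""
    with tempfile.TemporaryDirectory() as tmp:
        source = Path(tmp) / "source"
        backup = Path(tmp) / "backup"
        for d in (source, backup):
            (d / "docs").mkdir(parents=True)
        (source / "docs" / "a.txt").write_text("quarterly report\n")
        (backup / "docs" / "a.txt").write_text("quarterly report\n")
        (source / "docs" / "b.txt").write_text("customer list\n")
        # simulated damage: the backed-up copy no longer matches the original
        (backup / "docs" / "b.txt").write_text("customer list (altered)\n")
        # simulated gap: this file never reached the backup site
        (source / "notes.txt").write_text("todo\n")
        return verify_backup(source, backup)


if __name__ == "__main__":
    report = demo()
    print(report)
    print("recoverable:", is_recoverable(report))
```

The manifest itself should be written to the immutable copy Heithcock describes, so that a later verification compares against a record the attacker could not have rewritten along with the data.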

How can DNS and endpoint security be instrumental in preventing ransomware attacks?

A Cisco Security Research report shows that 90% of malware uses DNS in attacks, yet DNS is not often monitored or used for security: about 68% of organizations do not monitor their DNS. According to the CGA report on DNS security, one in three reported breaches could have been controlled at the DNS layer, which could have saved $100-200 billion in global losses.

Thus, adding security at the DNS layer allows you to block attacks earlier, before a connection back to the network or endpoint is ever made.

Howard believes that endpoint security layered on top of DNS security delivers efficiency. “It delivers you the ability to quickly pivot from a network control such as DNS security to the endpoint that initiated the DNS lookup and understand which process was running in the lookup itself,” he added.
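The pivot Howard describes, from a DNS-layer block to the process on the endpoint that issued the lookup, can be scripted over two log sources. The following is an added example for this article, not Cisco’s tooling: it parses a constructed resolver log (key=value format assumed here), keeps only blocked queries, maps the client IP to a hostname through a constructed asset inventory, and then looks for endpoint telemetry records in the shape of Sysmon Event ID 22 (DnsQuery) for the same host and domain within a short time window. The domain name, hostnames, process paths and PIDs are all made up for the sample.

```python
from datetime import datetime, timedelta

# Constructed resolver log: one line per query, key=value fields (assumed format).
DNS_LOG = """\
2021-06-01T10:00:01Z client=10.0.0.5 query=updates.example.com action=allow
2021-06-01T10:00:04Z client=10.0.0.5 query=c2.malicious.invalid action=block
2021-06-01T10:00:09Z client=10.0.0.7 query=c2.malicious.invalid action=block
2021-06-01T10:00:12Z client=10.0.0.7 query=intranet.example.com action=allow
"""

# Constructed endpoint telemetry modelled on Sysmon Event ID 22: the agent records
# which process performed each DNS lookup. Note WS-BOB has no record for the
# blocked domain, which is the telemetry gap the correlation should surface.
ENDPOINT_EVENTS = [
    {"time": "2021-06-01T10:00:01Z", "host": "WS-ALICE", "query": "updates.example.com",
     "image": "C:\\Program Files\\Updater\\updater.exe", "pid": 1320},
    {"time": "2021-06-01T10:00:03Z", "host": "WS-ALICE", "query": "c2.malicious.invalid",
     "image": "C:\\Users\\alice\\AppData\\Local\\Temp\\invoice.exe", "pid": 4412},
    {"time": "2021-06-01T10:00:12Z", "host": "WS-BOB", "query": "intranet.example.com",
     "image": "C:\\Program Files\\Mozilla Firefox\\firefox.exe", "pid": 2210},
]

# Constructed asset inventory: the resolver sees IPs, the agent reports hostnames.
INVENTORY = {"10.0.0.5": "WS-ALICE", "10.0.0.7": "WS-BOB"}


def parse_time(stamp: str) -> datetime:
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ")


def parse_dns_log(text: str) -> list:
    """Turn each resolver line into a dict with a parsed timestamp."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        stamp, *fields = line.split()
        record = dict(field.split("=", 1) for field in fields)
        record["time"] = parse_time(stamp)
        events.append(record)
    return events


def correlate(dns_text: str, endpoint_events: list, inventory: dict,
              window: timedelta = timedelta(seconds=5)) -> list:
    """For every blocked lookup, name the process(es) on the endpoint that made it."""
    findings = []
    for dns in parse_dns_log(dns_text):
        if dns["action"] != "block":
            continue
        host = inventory.get(dns["client"])
        matches = [
            e for e in endpoint_events
            if e["host"] == host
            and e["query"] == dns["query"]
            and abs(parse_time(e["time"]) - dns["time"]) <= window
        ]
        findings.append({
            "client": dns["client"],
            "host": host,
            "query": dns["query"],
            "time": dns["time"].isoformat(),
            # empty list means the network saw the lookup but no agent reported it
            "processes": [(e["image"], e["pid"]) for e in matches],
        })
    return findings


if __name__ == "__main__":
    for finding in correlate(DNS_LOG, ENDPOINT_EVENTS, INVENTORY):
        status = "process identified" if finding["processes"] else "NO ENDPOINT TELEMETRY"
        print(f'{finding["host"]} -> {finding["query"]}: {status} {finding["processes"]}')
```

The second finding, a blocked lookup with no matching endpoint record, is the more interesting one operationally: either the host has no agent, or the agent is not reporting, and either way the DNS layer is the only control that saw the attempt.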

Summing it up

Consumer endpoints see many more infections than their business counterparts. In regions like North America, where the infection rate is as low as 1.4%, investment in cybersecurity solutions and training is higher, Webroot’s BrightCloud Mid-Year Threat Report 2021 reveals. Surprising as it may be, where you are located geographically and which OS you use have a huge impact on the number of infections you encounter. The infection rate for Windows 7 is four times higher than for Windows 10.

The data reflects encounters with actual malware binaries on the endpoint itself while protecting Windows. The technology approach should be to prevent that encounter in the first place. “We have seen over the past five-six years, the overall infection rates have gone down. This is due to a combination of different things. The primary one is the growing focus on education as a prevention layer that gets you away from that potential encounter with infection. Also, the ability to recognize the source of malicious content, tracking malicious URLs and hosting. Discovering all this reduces the likeliness that an endpoint is going to encounter an infection,” concluded Milbourne.

Do you think the steps recommended are enough to defeat ransomware for good? Comment below or let us know on LinkedIn, Twitter, or Facebook. We’d love to hear from you.