Why you should self-isolate, but your IT infrastructure should not

One of the many distressing fallouts from the pandemic is the significant increase of COVID-19 related threats, as financially motivated cybercriminals prey on people's fear and thirst for information, making them easy targets. By Zeki Turedi, CTO EMEA, CrowdStrike.

  • Sunday, 8th November 2020 Posted 4 years ago in by Phil Alsop

For businesses, this means defending against a much higher rate of attacks as cybercriminals try to breach enterprise networks by any means necessary. In fact, CrowdStrike has observed a 330 percent increase in malicious files using COVID-19 themes since the pandemic first struck in March, and cyber criminals show no signs of slowing down their brazen behaviour. Even more worrying, we've seen a change in tactics where ransomware actors are increasingly moving to extortion where they are stealing sensitive files and threatening to release them if they are not paid.

 

While lockdown restrictions are still largely in place, many employers have adopted informal stay-at-home instructions, leaving many of us unable to return to the office and enterprise networks largely distributed and more vulnerable. With many businesses already buckling under the pressure of the global pandemic, a large scale attack could bring hault business operations entirely and bring it to its knees.

 

CrowdStrike’s 2020 Global Threat Report revealed that Big Game Hunting (BGH), the shift towards harnessing ransomware attacks with high payouts, characterised by low volume, high-return victim targeting, is increasingly on the rise. The number one issue when dealing with ransomware and BGH is that conventional signature-based endpoint protection has proven itself to be woefully inadequate, even with additional measures such as whitelisting, Indicators of Compromise (IOCs) or machine learning. This is due to the nature of BGH which it harnesses not just sophisticated ransomware but also the expertise and persistence of a hands on keyboard attack. CrowdStrike tracked that the volume of hands-on-keyboard intrusions reached 112 percent of the levels of 2019 in the first half of 2020 alone. 82 per cent of this activity has been attributed to eCrime and this shift is set to continue — especially as we settle into the future of home working.

 

In the battle against the rising level of highly sophisticated ransomware threats, organisations need to adopt an integrated multi-pronged approach. Here I’ve outlined some methods of prevention and detection that organisations should look to add to their strategy to help prevent and detect against an increasingly complex and rapidly evolving threat landscape.

 

IOAs, the enemy of ransomware

One essential method to deploy when trying to defend against ransomware are Indicators of Attack (IOAs). Unlike IOCs used by legacy endpoint detection solutions, IOAs focus on detecting and preventing the intent of what an attacker is trying to accomplish, regardless of the malware or exploit used in an attack. When using IOAs, security teams can detect red flags that an attack may be in progress within the network, and halt the adversary in their tracks before they can accomplish their objectives. Using this method is extremely effective against fileless attacks and hands on keyboard attack methods, which are starting to be used by more attackers in place of traditional malware.

 

In addition, IOAs provide a reliable way to prevent ransomware from deleting backups, encrypting systems and moving laterally across your network. This gives users the ability to restore encrypted files, even if file encryption began before the ransomware was stopped.

 

Three is the magic number

Due to the increasingly sophisticated nature of ransomware attacks, organisations must ensure they have a robust and holistic cyber strategy in place to defend their network. This requires a combination of solutions to create a layered and integrated three-pronged approach that combines next-generation antivirus (NGAV) with endpoint detection and response (EDR) and managed hunting.

 

As the first layer of defence, businesses should adopt a NGAV solution. These solutions typically provide the most proven and advanced prevention capabilities to defend against known and unknown malware, and even attacks that do not use malware. Next-gen antivirus solutions which leverage AI-powered machine learning can also allow organisations to rapidly analyse IOAs to help identify a ransomware attack and slam the breaks before the bad actors can complete their mission and inflict damage.

 

Corporate networks need constant surveillance and built-in EDR can act as a ‘CCTV camera’ which helps security teams monitor everything that takes place across all endpoints. This second layer of defence can help security teams monitor actions such as running an application, connecting to a network, visiting a website or writing a file. By leveraging built-in EDR capabilities, security teams can gain a more holistic view of their organisations’ network with the fidelity necessary to identify IOAs.

 

Beyond this, organisations need to ensure they factor in a human element into their strategy, as technology can only go so far in defending against attacks. Ransomware delivery tactics have become far more superior than traditional 'spray and pray' techniques, where bad actors try to flood corporate inboxes in the hope someone might open the malicious file, which are continuing to decline in popularity. The rise of "living off the land" (LOTL) techniques, which involves the bad actor painstakingly preparing the environment, deleting backups and clearing logs well before ransomware binaries are deployed, are increasingly on the rise. Criminal techniques continue to grow in sophistication, so a rigorous people process and technology is key to mitigating risk. 

 

Organisations should seek to couple their technology with a human-powered effort which combines threat intelligence resources with advanced security technology to proactively protect systems and information. This is where threat hunting – the practice of proactively searching for cyber threats that are lurking undetected in a network – comes into play. Without threat hunters, security teams can easily miss a crucial opportunity to thwart ransomware operators before they have the opportunity to begin encrypting files. Threat hunters are highly trained experts who use the information gathered by the NGAV and the EDR solutions plus threat intelligence information on the tactics, techniques, and procedures of adversaries. They use this intel to investigate security data and discover any hidden attacks that may not be flagged by automated elements of defences. It's the holistic nature of these elements working together that provides the ultimate power behind this three-pronged approach.

 

Don’t forget about good hygiene!

As our networks evolve and move from physical systems to the cloud or from desktops to virtual environments, we need to make sure we have visibility into these changes. Hygiene plays a key and crucial role in making sure we are able to identify security gaps quickly but more importantly, make the life of an attacker as difficult as possible. Having the tools to quickly identify new and serious vulnerabilities or account miss-use is now even more important, with our ever growing disparate and hybrid workforce. 

 

Stay secure for the new normal 

With the rise in COVID-19 motivated attacks and rapid adoption of distributed working styles, it’s crucial that organisations and their security teams ensure their cyber defence strategies are in tip-top shape. By using AI-powered next-gen solutions in combination with threat hunters, security teams can breathe a sigh of relief as they know the network is secure and teams are still able to be productive. COVID-19 has brought up many challenges for businesses but security should not be one of them if the correct solutions are in place.