- Threat actors now routinely employ double extortion techniques where data is stolen before it is encrypted, and the threat of leak is employed as secondary leverage.
We are pitted against innovative and motivated criminals, who have learned to work together for significant financial gains, causing billions in damages.
A comprehensive understanding of the threat landscape, problems organisations are facing and definitive discussions taking place are fundamental if we are to have any success as security professionals.
Ransomware’s impact on organisations
Ransomware is still a big-ticket item when it comes to cybersecurity. It is the biggest, noisiest and most devastating attack facing businesses today.
The damage from successful attacks continues to grow, even prompting some insurance companies to comment that cyber could potentially become uninsurable.
The success of ransomware is down to the fact that it is so entrenched, organised, and embedded. As if the simple extortion based on encryption data weren’t enough, threat actors now routinely employ double extortion techniques where data is stolen before it is encrypted, and the threat of leak is employed as secondary leverage.
Criminals continue to innovate though and have gone on to add a third level of extortion: distributed denial-of-service (DDoS) if you do not pay and even quadruple extortion where they combe the stolen data for data of your customers, partners or employees and contact them directly, adding to the pressure.
In fact, in recent years, ransomware operators appear to be moving away from their established modus operandi where attacks on the availability of data (through encryption) are the primary lever of extortion.
The management of encryption and decryption keys, creation and maintenance of the cryptographic modules, and the testing necessary to ensure their robustness are a significant overhead for the attacker, and are proving to be not only costly, but largely unnecessary.
Attackers are rapidly migrating to a model where the theft and subsequent threat of data leak is now the primary methodology – low effort, greater leverage. This has given rise to exfiltration-only groups and has significant ramifications for defenders.
It is no longer enough to rely on being able to recover from backups, no matter how well-regimented your backup strategy. If nothing has been encrypted, there is nothing to recover!
Initial access vendors
We also have to deal with what the industry calls initial access vendors or brokers. A highly specialised and interrelated cybercriminal world comprises various actors, each operating within their own specialised niche, including the specialisation acquiring credentials for, or breaking into organisations, and then selling this access to willing buyers for unspecified purposes.
So, how do you protect your organisation? You make your data impossible to leak, very difficult to get to, and challenging to exfiltrate. This means that organisations must finally begin to deploy effective encryption of data at rest, in transit and even in use, across the board.
Encrypted data is impossible to leak. To render your precious data much more difficult to access and challenging to leak, effective, dynamic network segmentation is key.
Credential stuffing
Identify-based attacks were another prominent trend in 2022, which included not just phishing, credential stuffing, and password spraying, but also a new vector, known as Multi Factor Authentication (MFA) Fatigue.
Credential stuffing is when criminals get hold of your username and password and then try those credentials against every other service in case they have been reused, whereas password spraying is where lists of widely used passwords are tested against different services to see if they can work.
The MFA Fatigue attack was used against Cisco, IHG, Microsoft, and Uber last year, forming a very effective part of the attack chain.
This is a social engineering-based strategy where attackers, who already have the required username and password, repeatedly push second-factor authentication prompts to the target victim’s phone, or other registered device.
Overwhelmed by the volume of requests, they are banking on the victim confirming the authentication, just to make it stop. Should that be unsuccessful, they pretend to be a colleague from the victim’s own internal tech support and will give them a call.
They of course already know the annoying symptoms the victim is experiencing, giving the attacker a very credible pretext, they ask the victim to accept one last authentication and the problem will go away, which of course it does, and at this point it’s Game Over.
Today’s Security Operations Centre
The typical Security Operations Centre (SOC) of today is drowning in a huge volume of alerts. According to a recent survey by Palo Alto Networks, the average SOC team deals with over 11,000 alerts per day and keeps track of around 7 different threat intelligence feeds.
So, any enterprise dealing with that volume of alerts would need a SOC team of 687 people (3x229x8 hour shifts), just to keep up with the triage!
This is why we see the rise of technologies like XDR, and tools that are aimed at dealing with this deluge.
If data is the new oil…
All of this is today’s reality, and if data is the new oil, then algorithms are the new refineries. Oil is useless when it comes out of the ground, and data is useless unless we can refine it into something useful and powerful.
- Rik Ferguson is the Vice-President of Security Intelligence at Forescout.
Discover more from TechChannel News
Subscribe to get the latest posts sent to your email.
You must be logged in to post a comment.