Today’s columnist, Troy Wachter of Cyberint, says defeating ransomware groups like the one that hit Colonial Pipeline will take teamwork across departments and threat intelligence tools that show how and where specific threats have originated and how they are evolving.

Organizations across the world are now beginning to realize that traditional security measures are largely ineffective against the current generation of increasingly sophisticated ransomware attacks.

The recent DarkSide assault on Colonial Pipeline, the Avaddon breach of Axa Insurance and the Conti attack alleged to be behind the recent disruption of the Irish healthcare system are all evidence of the professionalism of the ransomware industry. In 2020, for example, the average ransom payment increased by 171% to $312,493, according to Palo Alto Networks. Highly organized ransomware gangs such as REvil and Clop, a gang whose recent victims include Shell and Stanford University, are now behaving like regular corporations by running high-level recruitment drives and issuing press releases to establish online credibility for their organizations. Their strategy is to build a reputation for reliability among potential victims, reassuring target organizations that once a ransom has been paid the criminal gang will release the decryption key needed to get the system up and running again, even providing them with any necessary support services.

Ransomware attacks themselves have also become more sophisticated and harder to detect, as threat actors now have an increasingly wide choice of attack vectors, such as the rapidly growing population of IoT devices. To protect themselves against a constant onslaught from organized ransomware gangs, organizations ideally require intelligence in the form of prior warning of the most serious incoming attacks.

Effective threat intelligence now includes extensive use of AI to provide consistently updated threat feeds, using malware analysis tools to identify relevant threats automatically, together with automated patch prioritization recommendations that help engineers decide which threats pose the greatest risk. This can surface crucial information such as the exact build of the customized ransomware being used against the targeted organizations, which analysts can reverse engineer to discover the encryption key and retrieve the stolen data.

Business continuity and disaster recovery planning can also help organizations prepare for a ransomware worst-case scenario by providing the ability to restore data and recover from an attack. Monitoring the dark web leak sites run by different ransomware families also lets organizations download the sample exfiltrated data those sites publish, search it, and understand exactly which organizations have been exposed, including business partners and clients.

Ransomware gangs can now buy from an increasingly wide range of malware available in dark web forums and frequently order ransomware designed for a unique attack on a specific target. As not all threats affect all organizations in the same way, threat intelligence needs to be customized to focus on the categories of threats most relevant to a particular organization. Security pros also base this on considerations such as the build of the organization’s IT environments, which are often situated on its own premises or in the cloud. Security teams can also weigh the potential danger of any threat against the types of workload the organization runs, together with other considerations, including industry-specific compliance.

The threat landscape has become so varied and complex that tools that visualize incoming threat intelligence are also essential to navigate it successfully; they let engineers spot relevant trends within threat data and assess the potential severity of different threats.

Effective threat intelligence also needs to show how and where specific threats have originated and how they are evolving. To discover the severity of an attack, security teams need to discover exactly who’s behind specific threats and what their motives are, as individual threat actors can range from script kiddies to nation-states.

It’s not always possible to physically apprehend the criminals responsible for a ransomware attack, as many reside in regions outside the United States. Nevertheless, knowing the identity and motivation of an attacker can help security teams construct appropriate defenses and track the threat actors’ moves to counter their strategies and mitigate any potential damage.

Organizations and their consultants must work closely together to gather effective threat intelligence to defend themselves against what are becoming increasingly professional and ambitious ransomware attacks. Effective threat intelligence gathering that includes monitoring of the darkest recesses of the deep web and the dark web lets organizations take the fight directly to the cyber criminals. Standard security protocols and defenses constructed to prevent known attack vectors are no longer sufficient. Delivering effective security requires threat intelligence tools that are truly intelligent.

Troy Wachter, vice president, sales, Americas, Cyberint