Most organizations know they need to defend their information technology and business assets from ransomware. It’s figuring out the how and where that so often trips them up.
To that end, a new blog from threat intelligence company Red Canary lays out five of the most common infection vectors they see when responding to ransomware incidents.
Email attachments remains the largest attack surface where many organizations are compromised. Often, attackers use Javascript or ZIP files that when opened are capable of doing a lot of damage, very quickly.
“Many of the IR engagements I have seen started with a simple attachment that successfully executed a piece of code and spread ransomware throughout an entire organization in a matter of minutes,” wrote Eric Groce, an incident responder at Red Canary who authored the blog.
In an interview with SC Media, Groce said that email protection platforms provided by a growing number of antivirus and cybersecurity companies actually do a great job of defanging malware found in email attachments or links, but they remain a successful entry point because many companies have yet to adopt such technologies. Validating your most commonly received email attachments and auto-blocking or filtering everything else can help partially mitigate some of these problems.
The most popular attack technique seen across Red Canary’s customer base was process injection, leveraging banking trojans like Trickbot to inject arbitrary code into a targeted system and take over. Having a tighter policy around granting admin privileges can help, and Groce said implementing Zero Trust principles more broadly can also help – though CISOs must do so holistically.
“It’s a great concept, and a great idea and highly suggest that a company adopt [zero trust principles],” said Groce. “But if it’s just zero trust from the outside to the end point, what about from the endpoint to further resources within the company? I think companies get 50 percent of the way there on the concept, but not completely.”
Not surprisingly, the presence of Shadow IT – unaccounted for devices or apps that connect to your network without your knowledge – are prominent infection vectors for ransomware actors. Both external facing assets and poor inventory asset management are listed in the top five. Whether it’s an employee’s BYOD laptop, a rogue cloud app or a long forgotten Raspberry Pi left by a former IT staffer, these hidden assets are often ticking time bombs that will either be first discovered by the organization or an attacker.
It’s one of the reasons why startups that focus on cloud or machine-learning based asset monitoring and discovery services have begun popping up more frequently, particularly in the wake of the COVID-19 pandemic. Groce said many organizations continually accrue technical debt over time and inevitably lose track of older or forgotten assets as IT staffers leave and replacements are hired. It’s something that can plague large and small businesses alike.
“I think it’s a double-edged sword,” said Groce. “On the small busines side, they tend to have less technical skills and smaller IT security or IT staff. When you move over to larger enterprises, they have more infrastructure to deal with, they have 1,000 employees instead of 100, so there’s a higher risk or higher chance that there could be some kind of loose end that’s externally facing app.”
The main takeaway: most of these weaknesses represent “low hanging fruit” for many security teams. The fifth pitfall is simply “user error,” a catch-all term for a range of mistakes employees make – clicking on a bad link, connecting to company networks with an insecure or untrusted device. The bad news is that cybersecurity literacy will continue to represent the weakest security link for many organizations. The good news is that a well-trained and disciplined workforce dramatically reduce their employer’s vulnerability to most of these weaknesses.
“A lot of security leads back to the human, no matter what technology is in front of them,” said Groce. “In general, if 80 percent of the companies read the blog post and implement a few controls, I think we’d see changes overnight.”
