CS Oct 2021

ansomware
these would be more valuable. There should
be a strong encouragement not to pay
ransoms, but, in parallel, investment needs to
be made in stopping the attack in the first
place. Prevention is far better than cure."
PREVENTION FIRST APPROACH
Any intelligence that can be gathered post
breach helps understanding for the future.
"But what's even better is a 'prevention first'
approach that features a multi-layered
defence system, with more than one swing at
the ball to stop an attack. We need to spend
more time on stopping these attacks preexecution
before the damage is done. Many
technologies need an attack to execute and
run before they are picked up and checked to
see if they are malicious, sometimes taking as
long as 60 seconds or more. When dealing
with an unknown threat, 60 seconds is too
long to wait for an analysis."
In order to ensure business continuity,
organisations need to invest in solutions that
use technology such as deep learning, "which
can deliver a sub-20 millisecond response
time in stopping a ransomware attack, preexecution,
before it can take hold, actually
predicting the ransomware attack and
therefore protecting the organisation,"
Wallace states. "Using this type of technology
means organisations no longer need to worry
about whether or not to pay a ransom, as
there is a solution that prevents the attack
altogether.
"Furthermore, investing in a solution that
offers a 'ransomware warranty', whereby the
organisation receives a certain amount if they
experience a ransomware attack, using that
provider's technology is beneficial. Warranties
ensure an extra level of protection, should a
ransomware attack occur, and allow for some
alleviation, in terms of how much it will cost
the organisation to recover after the attack."
BACKED INTO A CORNER
Callum Roxan, head of Threat Intelligence
at F-Secure, accepts that the payment of
ransoms to cyber criminals is not a "socially
optimum outcome, but in the moment,
faced with the loss of income, data and
reputation, many organisations will feel
backed into a corner where they will 'have to'
pay. "Ever-evolving extortion models and
technological advances ensure organisations
need to continually invest to keep up to
speed with the latest threats posed by the
sprawling ransomware ecosystem. In purely
financial terms, the judgment is often made
that accepting the risk of ransomware is
more palatable than investing heavily into
cybersecurity to mitigate the risk."
The continued payment of ransom demands
funds additional advancements, continued
operation and acts as an incentive to
attract new actors to conduct ransomware
attacks. "Breaking this cycle is something
governments and the cyber security industry
need to fix, shifting the balance of incentives
to not paying ransoms and making securing
your organisation against these threats less
costly and more effective."
WHERE DID IT ALL GO WRONG?
All too often, organisations put too much
focus on the detection and response of a
ransomware attack, instead of looking at the
steps that has allowed an attacker to get to
the point of demanding ransom, argues Mike
Fleck, VP marketing at Cyren. "The ransom of
an attack is so far along the attack chain
that, by the time the 'ransomware' attack has
already been deployed, it's too little, too late."
He divides ransomware attacks into two
categories: a 'drive-by attack', which tricks
users into installing malware onto their
devices, whether that be a PC at home or
a healthcare kiosk in an emergency room.
While these attacks directly affect those users,
they are random as to whom they affect. "The
more serious attacks are the ones that target
a specific organisation. The attackers look
for the most impactful way to infect an
organisation through the vulnerabilities they
find and then launch a ransomware attack.
In order to get to that point, the attackers
would have had to identify the organisation,
find the vulnerabilities within that organisation,
launch the malware and then deploy
the ransomware attack."
Often the cause of a ransomware attack
and the attacker's access point into an
organisation, adds Fleck, is through a
phishing email where an unsuspecting user
has clicked on a link, which then deploys a
backdoor on the device, allowing the attacker
to gain access into the organisation's network
and find its vulnerabilities. "Organisations
need to look at the precursors to ransomware
attacks and the steps that get the attacker to
where they need to be before they launch the
malware itself."
Phishing attacks will always enter your
network and breach your organisation, he
points out. "Therefore, the focus needs to
be on the antecedents to the attack and
understanding what they are, in order for the
organisation to deal with the attack better.
Only then will organisations be able to
remediate properly, rather than focus on
detection of, and response to, the final step
in the attacker's plan. At present, email
security is overly focused on prevention,
which demonstrates diminishing returns for
each new layer of detection. By adding a realtime
detection and automated remediation
capability to identify and eliminate phishing
threats rapidly, we can minimise the impact
of when a phishing email makes it through
our defences."?
At Bitdefender, while the company expects
to see ransomware operators continuing to
offer new and more dangerous versions of
ransomware, the company's director of
Threat Research and Reporting, Bogdan
Botezatu, states that it will maintain its
commitment to helping users regain control
of their digital lives and denying profits to
attackers. "Collaboration between major
cyber-security solution providers and law
enforcement agencies allows us to combat
www.computingsecurity.co.uk @CSMagAndAwards October 2021 computing security
29