At the end of last year, The Guardian posted an article Ransomware attacks in UK have doubled in a year, says GCHQ boss¸ and reported the Head of the UK spy agency, Jeremy Fleming, as saying, “I think that the reason [ransomware] is proliferating – we’ve seen twice as many attacks this year as last year in the UK – is because it works. It just pays. Criminals are making very good money from it and are often feeling that that’s largely uncontested.”
In his whitepaper, paper Human Operated Ransomware (HOR), Bridewell Cyber Defence Technical Lead Gavin Knapp examines the ransomware threat as we move into 2022. HoR, he says, represents a potentially huge threat to businesses of all sizes. But he also writes that it’s not all “doom and gloom” as preventative measures can go a long way to protecting organisations, stopping attacks in the first place, and preventing attackers that do get through from going where they want.
Cyber threat intelligence (CTI) – key to building a proactive threat-led cyber defence capability, CTI can significantly improve your state of readiness to prevent, and if necessary detect and respond to a HoR attack by identifying the most relevant and credible threats to your business.
It’s vital to understand what’s important to your organisation, or you won’t know who’s potentially targeting you, their motivations, or the TTPs they may deploy. If you don’t have a CTI capability you should look to engage with someone to perform a crown jewels assessment – a mission-based critical information technology (IT) asset identification evaluation to identify the cyber assets most critical to your organisation’s business continuity.
The next stage is to use the MITRE ATT&CK framework and work out the potential tactics and techniques ransomware operators are likely to use and align these to your defensive capabilities, identifying any gaps (exposure) and how to address them.
Training – ensure your users are aware of the risks and particularly the entry vectors for ransomware, and implement phishing and other social engineering testing programs. Ensure your analysts receive appropriate on-the-job and professional certification training, that your incident response team is well trained, and emulate a ransomware attack to test incident response plans and associated playbooks.
“Responding to the increasing threat of ransomware requires a combination of modern enterprise configuration, up-to-date security products, and the vigilance of trained security staff to detect and respond to the threats before data is lost.” Microsoft blog, A guide to combatting human-operated ransomware part 1.
Hygiene, patching and secure configs – and which is fundamental to reducing the attack surface. The testing and timely deployment of patches needs to be a priority, especially for internet facing assets and servers or services accessible from end user devices.
Secure configuration of devices can also reduce the attack surface and can slow and frustrate an attacker, and in many cases provide additional opportunities to detect or prevent attacks.
Zero Trust – move towards Zero Trust models for all forms of resource access. This means always authenticating users, devices, and networks, as “Based on the fundamental principle of “never trust, always verify”, Zero Trust moves away from the traditional perimeter-based concept of managing security, to one where trust is established between individual resources and consumers, as and when needed,” (from Deloitte’s whitepaper Zero Trust).
Identity – identity is seen as the new perimeter and so implementing a robust identity and access management strategy that incorporates Zero Trust principles should be on your roadmap. Microsoft has some great architectural resources for identity and zero trust in its cyber security reference architecture. Also look at implementing:
- Strong authentication using MFA, password less, and strong password policies
- Secure privileged access, and leverage LAPS to secure local admin passwords
- Use pins or other methods to protect online backups or use immutable read only copies
- Assess your active directory (AD) with tools like Pingcastle, if you have E5 use MCAS – or get in a trusted partner to help with this work.
Email – ensure email protection policies are implemented, especially regarding safe links, link detonation, reputation, and for sandboxing technologies, and concerning safe attachments, anti-SPAM, antimalware, anti-phishing and spoofing.
VPNs – with VPNs still commonly used to gain initial access, it’s important to ensure that any in use are up to date with patches and configured securely.
Adversary emulation (purple team) – identifying and emulating credible threats is a powerful way to test and validate the effectiveness of your controls.
Lateral movement – prevent lateral movement using host-based firewalls.
Perimeter – make sure you are taking a hard look at your network ingress and egress, and force traffic to come in and out via choke points. Proxies, and default deny are essential along with a strict approve list approach.
Professional services – prevention and detection can be complicated processes, so use professional services where needed.
Bridewell whitepaper - Human Operated Ransomware (HoR)
“Two out of three organizations surveyed by ThycoticCentrify were hit by a ransomware attack over the past 12 months, and more than 80% reportedly opted to pay the ransom,” reported TechRepublic in October last year.
The article, How to proactively detect and prevent ransomware attacks, went on to say, “The key to combating any type of cyberattack is to prevent it before it happens, or at least before it’s able to cause significant damage. That’s especially true with ransomware. Once an attacker gets their hands on your sensitive data, they can prevent you from accessing it and can even leak it publicly. That’s why many organizations hit by ransomware choose to pay the ransom. For that reason, detecting and preventing an attack in the first place should still be your ultimate goal.”
In his paper Human Operated Ransomware (HOR), Bridewell Cyber Defence Technical Lead, Gavin Knapp looks in detail at the ransomware threat as we head into 2022, covering:
- The types of ransomware attack currently prevalent
- The major ransomware players
- An in-depth look at human operated ransomware and its complexity
- How to protect against an attack
- How to detect, respond to, and recover from an attack