BlackBerry’s guide for fighting ransomware has five actions. Leading the list is one infosec CISOs ought to be on top of, but aren’t: Vulnerability management.
“The first mitigation in the ransomware playbook is probably as old as the first computer bug,” Tony Lee, the company’s vice-president of global technical operations services, which includes the incident response and red teams, told a session of the BlackBerry Security Summit 2021 on Wednesday. “But time and time again this is probably overlooked by some of the largest and experienced organizations.”
These days threat actors are “frontloading” their attacks, he said, by not waiting for an exploit of a vulnerability to be published. Instead, after choosing a victim, they install a backdoor and wait for a hacker to figure out and sell (or give away) an exploit.
The attacker usually doesn’t have to wait long.
“Many honeypot operators show active exploitation less than three days after a vendor has disclosed a vulnerability,” Lee said.
While some experts offer a spread-out time frame for installing security updates, Lee warned against following them closely. “Some organizations still operate on the assumption they are safe until an exploit has been publicly released or systems are exploited in the wild,” he said.
But being slow on the draw can get you shot. He pointed out that a study showed 20 per cent of organizations hadn’t patched the critical Citrix vulnerability CVE-2019-19781 nearly six weeks after the fix was released.
“Patching time frame is drastically reduced due to threat actors sprinting to create these workable exploits and drop the back doors en masse,” Lee warned. “The risk of a reduced time frame should be considered [in a patching priority strategy] especially if the vulnerability is considered easily exploitable.”
So the rule should be to patch as soon as possible, based on the risk to the organization.
He offered these tips for creating an effective vulnerability management program:
–ensure the program has executive support to help resolve issues. “Believe me,” Lee added, the vulnerability management program “will not be popular with everybody and will from time to time need support from top management”;
–assign an owner to the program who bears responsibility for it;
–track the latest vulnerabilities, patches and exploit releases;
–scan, scan and scan again;
–share patching progress with the organization’s stakeholders, who will appreciate the risk reduction.
Remember, he added, threat actors may have already penetrated the network. Don’t let patching give you a false sense of security unless you have the visibility to do threat hunting.
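The risk-based patching rule above can be made concrete as a prioritization routine. This is an added example, not code from BlackBerry or from Lee’s talk; the window thresholds, the constructed inventory dates and the CVE-EXAMPLE identifiers are assumptions, and only CVE-2019-19781 is taken from the text.

```python
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass
class Vuln:
    cve: str
    cvss: float
    disclosed: date            # vendor disclosure / fix-available date
    exploit_public: bool       # is a working exploit already circulating?
    easily_exploitable: bool   # e.g. unauthenticated and network-reachable
    internet_facing: bool
    asset_criticality: int     # 1 (low) .. 5 (business-critical)


def patch_window_days(v: Vuln) -> int:
    """Patch-by window in days. The baseline follows severity; the window
    collapses to three days once an exploit exists or the bug is easy to
    exploit (honeypots see exploitation under three days after disclosure),
    and to one day for exposed critical assets. Thresholds are assumptions."""
    days = 30
    if v.cvss >= 9.0:
        days = 14
    elif v.cvss >= 7.0:
        days = 21
    if v.exploit_public or v.easily_exploitable:
        days = min(days, 3)
    if v.internet_facing and v.asset_criticality >= 4:
        days = min(days, 1)
    return days


def prioritize(vulns, today):
    """Return (cve, deadline, days_overdue), most overdue first, then by criticality."""
    rows = []
    for v in vulns:
        deadline = v.disclosed + timedelta(days=patch_window_days(v))
        rows.append((v.cve, deadline, (today - deadline).days, v.asset_criticality))
    rows.sort(key=lambda r: (-r[2], -r[3]))
    return [(cve, deadline, overdue) for cve, deadline, overdue, _ in rows]


# Constructed inventory: dates and flags are illustrative, not real advisory data.
SAMPLE = [
    Vuln("CVE-2019-19781", 9.8, date(2020, 1, 6), True, True, True, 5),
    Vuln("CVE-EXAMPLE-0002", 5.3, date(2020, 1, 20), False, False, False, 2),
    Vuln("CVE-EXAMPLE-0003", 7.5, date(2020, 1, 25), False, True, False, 3),
]
TODAY = date(2020, 2, 14)

if __name__ == "__main__":
    for cve, deadline, overdue in prioritize(SAMPLE, TODAY):
        status = f"{overdue} days overdue" if overdue > 0 else f"due in {-overdue} days"
        print(f"{cve:18} patch by {deadline}  {status}")
```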
The other ransomware defence playbook strategies are:
Network segmentation not only slows down advanced threat actors, it also limits the damage from worms and fast-spreading ransomware.
Segmentation is defined as the separation of hosts into various zones, usually by function or business criticality. It should not be confused with segregation, Lee said, which refers to the controls and rules governing how network segments are permitted to communicate with one another.
Some organizations assume that a so-called demilitarized zone (DMZ) is adequate for segmentation, Lee added. But networks that have sensitive and high-risk information (relating to, for example, health or personal information) need to be segmented.
Tips for creating effective network segmentation include:
–have a DMZ separating the internet from your internal network;
–evaluate the firewall rules between your existing segments;
–consider geographic boundaries as potentially different trust levels.
CISOs should be familiar with the concept of the cybersecurity kill chain – most attacks follow the same predictable steps. So, Lee said, the earlier an attack is caught the better.
This gives rise to the protection versus prevention debate. Prevention can work with the right tools, processes and procedures, Lee maintains, so organizations have to strive for both prevention and protection. Remember, Lee said, some groups exfiltrate data before launching ransomware. “Proactive monitoring is a must for early detection and also to minimize the damage of the attack.”
Tips for effective proactive monitoring include:
–decide which log data you need, then centralize log collection;
–prioritize data feeds;
–correlate logs for end-to-end visibility and investigation;
–build panels and dashboards that will help analysts with their workflow;
–augment logs with threat intelligence for easy wins;
–automate the mundane (“It will make your employees happier”);
–if necessary, retain a managed security service provider to provide round-the-clock coverage.
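The centralize-correlate-augment steps above, as an added example that is not part of the original article or of BlackBerry’s tooling: two constructed log sources (firewall and authentication) are normalized into one stream, grouped by source IP, enriched with a constructed threat-intelligence entry, and checked for a failed-then-successful login pattern. The log format, the intel entry and the addresses (documentation ranges) are assumptions.

```python
import re
from collections import defaultdict

# Constructed threat-intel feed; 203.0.113.0/24 is a documentation range, not a real indicator.
THREAT_INTEL = {"203.0.113.45": "listed as ransomware staging host (constructed entry)"}

FW_RE = re.compile(r"^(?P<ts>\S+) fw allow src=(?P<src>\S+) dst=\S+ dport=(?P<dport>\d+)$")
AUTH_RE = re.compile(r"^(?P<ts>\S+) auth (?P<result>ok|fail) user=(?P<user>\S+) src=(?P<src>\S+)$")


def parse(lines):
    """Normalize firewall and auth records into one time-ordered event stream."""
    events = []
    for line in lines:
        if m := FW_RE.match(line):
            events.append({"ts": m["ts"], "src": m["src"], "kind": "fw", "dport": int(m["dport"])})
        elif m := AUTH_RE.match(line):
            events.append({"ts": m["ts"], "src": m["src"], "kind": "auth",
                           "result": m["result"], "user": m["user"]})
    return sorted(events, key=lambda e: e["ts"])


def correlate(events, fail_threshold=3):
    """Group by source IP and combine three signals: an intel match, inbound
    RDP/SMB allowed from that source, and repeated failures followed by a
    successful login. Returns {src: [reasons]} for sources with any finding."""
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src"]].append(e)
    alerts = {}
    for src, evs in by_src.items():
        reasons, fails = [], 0
        if src in THREAT_INTEL:
            reasons.append("threat intel: " + THREAT_INTEL[src])
        for e in evs:
            if e["kind"] == "fw" and e["dport"] in (445, 3389):
                reasons.append(f"allowed inbound to port {e['dport']}")
            elif e["kind"] == "auth" and e["result"] == "fail":
                fails += 1
            elif e["kind"] == "auth" and fails >= fail_threshold:
                reasons.append(f"{fails} failed logins then success as {e['user']}")
        if reasons:
            alerts[src] = reasons
    return alerts


# Constructed sample log lines from two sources (firewall, auth).
SAMPLE_LOGS = [
    "2021-10-13T09:00:01Z fw allow src=203.0.113.45 dst=10.0.0.5 dport=3389",
    "2021-10-13T09:00:05Z auth fail user=admin src=203.0.113.45",
    "2021-10-13T09:00:06Z auth fail user=admin src=203.0.113.45",
    "2021-10-13T09:00:07Z auth fail user=admin src=203.0.113.45",
    "2021-10-13T09:00:09Z auth ok user=admin src=203.0.113.45",
    "2021-10-13T09:01:00Z fw allow src=198.51.100.7 dst=10.0.0.9 dport=443",
    "2021-10-13T09:01:30Z auth ok user=jdoe src=198.51.100.7",
]

if __name__ == "__main__":
    for src, reasons in correlate(parse(SAMPLE_LOGS)).items():
        print(src, "->", "; ".join(reasons))
```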
Continuous threat hunting
Consider this as proactive monitoring taken to the next level, Lee said. Threat hunting is designed to shorten the time to detection. It also transforms the organization from being reactive to being proactive in detection. Organizations that can’t afford a threat hunting team should consider outsourcing to a managed security service provider.
Leverage AI/ML in defences
Choose products that offer artificial intelligence or machine learning for faster detection.