As the pandemic hit, the number of remote workers doubled between mid-March and mid-April, and three-year plans for cloud adoption were compressed into three weeks. To say Covid-19 accelerated the world’s digital transformation is a massive understatement. We’ve grown more reliant on the internet, the cloud and digital collaboration in a single year than anyone predicted we would in five. People we used to see in person — doctors, teachers and co-workers — we now see on screen.
We are now totally distributed and totally connected at the same time. Our consumption of digital content and services is constant; laptop fans are our noisy co-workers that never seem to quiet down. Any disruption is costly and potentially dangerous — sometimes deadly.
Hacking groups are having a field day. They know how dependent businesses are, and they’re taking full advantage. They take control of data and infrastructure your organization depends on and force you to pay to get it back with a ransomware attack. Faced with uncertain or lengthy recovery, many organizations choose to pay a lot of money to get back up and running.
To say most businesses are unprepared for today’s ransomware is also a massive understatement. According to a recent report by a cyber insurance and security provider, cyberattacks are now more successful than ever, and when something works well, others learn to do it, too. The report also reveals that ransomware is now the most commonly reported cyber incident, leading funds transfer and email compromise.
Early ransomware primarily threatened availability by encrypting files and systems. Availability is critical; however, newer ransomware also threatens confidentiality. Ransomware groups aren’t just encrypting files; they’re also stealing and threatening to leak them, and asking for hundreds of thousands or millions of dollars.
You’d think by now spotting unusual digital transactions would be as routine as spotting unusual financial transactions, but the success of ransomware groups proves otherwise. Ransomware groups are taking tens or hundreds of thousands of files before anyone notices. In one famous case, insider Greg Chung took decades to steal 300,000 paper files. Today’s hacking groups can get a haul like this in days or weeks.
And it’s not just files. Remember that by the time organized hacking groups start accessing or encrypting data, they’ve usually taken over critical accounts and systems and created backdoors so they can keep control. These stages of attack are also too often missed.
The Attacker’s Playbook
One thing that’s important to understand is that attackers access data pretty much the same way you do: with an account that can log into your systems. If your data is in the cloud, they use an account that they’ve managed to take over with phishing or by stealing your password. If your data is in your data center (“on-prem”), it’s the same, but they must get past your firewall first — unless they’re an employee or contractor already on your network.
In my experience, ransomware groups almost always go after multiple user accounts and target accounts that have access to lots of data and systems, like administrator accounts. The ratio of accounts to files, however, is still very small. Even if they distributed the heist evenly over all the user accounts (which they generally don’t), the number of files they access in a short amount of time is far outside of what’s normal. Too many files can be accessed before anyone notices.
What can you do to keep your organization safe?
First, understand your risks. If your organization fell victim to ransomware over the years, you were probably surprised at how many files a single infected user or machine could encrypt. Even older, indiscriminate ransomware can be devastating, because, as I’ve written before, employees have access to far more files than they need to do their jobs. The attack surface for data is too broad.
In addition to a broad attack surface, there’s usually nothing tracking or analyzing which files or systems each user touches. That’s why attackers can take and encrypt so many before anyone or anything notices. One of our customers, a chief security officer at a U.S. county, recently said that during a ransomware attack, an organization has less than five minutes to respond before its entire environment is at risk.
A porous attack surface that’s not being watched isn’t defensible. Consider doing an assessment of who has access to your critical data stores and the controls around them. How often is access reviewed? What’s watching for unusual behavior?
If you want to get started informally, you and your security team can pick a user at random and run a test script that simply opens and closes every file the user can access. Look at your file activity logs — that’s your ransomware attack surface for that user.
Is anything examining those logs, like a fraud prevention system examining credit card transactions, to see if anything is amiss? Does it see subtle or blatant changes in behavior?
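The kind of check those two questions call for, as an added example that is not from the original column: it reads constructed file-activity log lines, counts the distinct files each account touches per hour, and flags an account whose count is far above its own earlier baseline, the pattern described above where a single account sweeps far more files than is normal for it. The log format, user names, paths and thresholds are all assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import median


def parse_log(text):
    """Parse lines of the assumed form 'ISO-timestamp user action path'."""
    records = []
    for line in text.splitlines():
        if line.strip():
            ts, user, action, path = line.split(" ", 3)  # path may contain spaces
            records.append((datetime.fromisoformat(ts), user, action, path))
    return records


def distinct_files_per_window(records, window_minutes=60):
    """Map user -> {window start -> number of distinct files touched}."""
    buckets = defaultdict(lambda: defaultdict(set))
    for ts, user, _action, path in records:
        window = ts.replace(minute=(ts.minute // window_minutes) * window_minutes,
                            second=0, microsecond=0)
        buckets[user][window].add(path)
    return {u: {w: len(p) for w, p in ws.items()} for u, ws in buckets.items()}


def flag_spikes(counts, factor=10, min_files=100):
    """Alert when a user's distinct-file count in a window exceeds `factor` times the
    median of that user's earlier windows; `min_files` keeps quiet accounts from alerting."""
    alerts = []
    for user, windows in counts.items():
        history = []
        for window in sorted(windows):
            n = windows[window]
            baseline = median(history) if history else 0
            if n >= min_files and n > factor * max(baseline, 1):
                alerts.append((user, window, n, baseline))
            history.append(n)
    return alerts


def build_sample_log():
    """Constructed sample: two users at a normal pace for four hours, then 'bob' sweeps 500 files."""
    start, lines = datetime(2021, 3, 1, 9, 0), []
    for hour in range(4):
        for user in ("alice", "bob"):
            for i in range(6):
                ts = start + timedelta(hours=hour, minutes=i * 9)
                lines.append(f"{ts.isoformat()} {user} read /finance/{user}/doc{hour}_{i}.docx")
    for i in range(500):  # 500 files in under 42 minutes, all inside one window
        ts = start + timedelta(hours=4, seconds=i * 5)
        lines.append(f"{ts.isoformat()} bob read /finance/shared/file{i}.xlsx")
    return "\n".join(lines)


if __name__ == "__main__":
    for user, window, n, base in flag_spikes(distinct_files_per_window(parse_log(build_sample_log()))):
        print(f"ALERT {user} at {window}: {n} distinct files in one hour (baseline {base})")
```

A real deployment would read the baseline from weeks of history rather than a few hours, and would score writes and deletes separately from reads, since encryption shows up as a burst of modifications.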
Second, your data is your new perimeter. If you rightsize what employees can access, you reduce your attack surface. If you can spot unusual activity, you’ll be able to shut down suspicious sessions before they do catastrophic damage.
Third, remember that attackers almost always access corporate data using an account, and these accounts are almost always centrally managed and stored in directory services. If data is your new perimeter, your directory service is the demilitarized zone. You have to watch the accounts in it and eliminate any weak spots.
Last, correlate unusual activity at your new core and in your new demilitarized zone with signals from the perimeter, such as from the DNS, VPN and web proxy. The earlier you’re able to pick up clear signs of intrusion, the better.
This is security from the inside out, or data-centric security. Not only does this approach help combat organized hacking groups and ransomware; it’s the only realistic defense against insiders.