Knowing your attacks and your defence

Ransomware attacks continue to adapt and evolve over time, but the best defence is always knowing what you want to protect

Damien Mallon, senior systems engineer at Datapac: ‘You can break things in the attack chain if you double down on basic hygiene’

“The sophistication of attacks is growing,” said Damien Mallon, senior systems engineer at Datapac. “You have to double down on what you can do and get the basics right. You can close off a lot of attacks; you can break things in the attack chain if you double down on basic hygiene.”

In security, threats may evolve, but they mostly stay the same. Ransomware has been around since the late 1980s, yet is still a significant threat.

A recent report from ENISA found that ten terabytes of data were stolen each month by ransomware; 58.2 per cent of that data included employees’ personal data. The attacks we know of are only the tip of the iceberg, and they’re growing in sophistication, not just in how they’re delivered but in how they’re carried out.

Mallon mentioned one example from Datapac’s partner Sophos, in which a company was attacked and compromised by two different organisations.

The first carried out the attack, and the second covered their tracks by wiping logs and other traces of the attack. While this has raised eyebrows, those defending have one advantage over the attackers: their expertise in artificial intelligence (AI) and machine learning.

This is one way that Datapac’s partner Sophos can dynamically respond to threats in real time and stay ahead of the attackers. “Where the defenders have one advantage is they have expertise over the attackers in AI and machine learning, and dynamically respond.”

While having those products is good, it’s folly to assume that these tools alone will solve the problem.

Mallon says security has to be taken seriously at all levels and be a business-driven choice. The bigger problem is that if you go to any organisation, many of them won’t know what their software or hardware assets are, and you can’t protect what you don’t know.

“Installing a security product here and there is not going to do that because you’ll have blind spots,” he said. “Also, your data, where it is and what you’re trying to protect. Are you protecting personally identifiable information? Is it confidential information? Those are the questions you need to ask.”

“Once you get an idea of that, you can layer your defences based on that. We see major mistakes are made where a customer might have a blind spot as the product is in one place, but the data is sitting somewhere else.

“Even though they’re ticking boxes, they’re not properly protecting their data, so it’s understanding the organisation and implementing the layered security approach to defend you the way you can.”

There are reasons why such tools are helpful but not a silver bullet. A major development in the attack sector is ransomware-as-a-service (RaaS), which takes away the ability to identify the threat actor.

Before, you could identify them via the fingerprints they give away – the tactics, techniques and procedures they use to deliver and execute ransomware – and do active threat-hunting.

RaaS has taken that away because when the attack is carried out, it’s harder to determine who the attacker is.

“The ransomware is written by an organisation and then the criminal group use it to deliver their attacks,” Mallon said.

“It’s much like a generic attack, so it’s much harder for incident responders to identify who’s attacking or what group it could be. It’s another problem for defenders so it just highlights how complicated and complex the direction attacks are heading.”

Amid all these conversations, the issue of cost will always come up. There is a temptation not to prioritise security over other elements of a business, or to overlap the IT budget with the security budget even though they address different parts of the company.

They can be difficult conversations to have, but the reality is that an uncomfortable moment is preferable to an attack.

“When you approach the sensitive subject of saying what’s your annual turnover, the potential of a devastating ransomware attack could wipe that out,” Mallon said. “Your IT security budget is the same as any security budget for your building; it must be in relation to the asset you’re protecting.”

“If you’re compromised, this amount of revenue could be eaten alive, so you really need to think about investing sensibly in your IT security.”

This is even more important when attackers take advantage of personal vulnerabilities and fears like the cost-of-living crisis. Attacks usually try to use behaviours and psychology against the user by taking advantage of their tiredness or causing them to panic, and the current landscape gives no shortage of opportunities.

“It really has to hit home that actually in a time of crisis like Covid, like the cost-of-living crisis, the attacks from threat actors are going up,” Mallon explained.

“We’re seeing it already, we’ve seen evidence this week of your energy bill revised, we’ve seen them come in and play on the current crisis, and people are in a state of panic and they click, so we just have to keep driving the message home.”

“The IT security has to be seen as how much value it can deliver and protect the overall revenue of the organisation.”