According to multinational cybersecurity and anti-virus provider Kaspersky Lab, it detected over 120 000 ransomware attacks in SA in 2019, writes Lukas van der Merwe, Specialist Sales Executive: Security, T-Systems South Africa. The figure for the first two months of 2020 is only 4 000, but researchers attribute this decrease to malefactors focusing on quality instead of quantity.
Since ‘lockdown’, Kaspersky reported a spike in network attacks in South Africa from the 15 – 21 of March, making this even more of an imperative for local companies and their employees working remotely. With the ever-changing variants of ransomware, it is difficult for endpoint protection software to protect against new ransomware variants immediately when released in the wild.
The only thing that organisations can do to guard against ransomware attacks is to make sure that their software operating systems are updated and patched to the latest levels. This will guard against older vulnerabilities, but only limits the risk, as there is no defence against zero-day attacks.
For organisations to become cyber resilient, they need to focus more on the detection and response elements of cybersecurity. They need to be able to detect and respond much faster and more accurately once they have identified a new version of malware in their environments.
Delaying the response
There are two distinct layers that form an organisation’s response to a malware attack – the technical-level and business-level layers. With ransomware, there is another layer that is critically important – the management layer incident response. This can delay the response if there is any manual intervention required where a business stakeholder must approve any remedial actions recommended by technology team.
Various other factors can also affect the speed of a response to a ransomware attack, including whether a company has a clear and well-defined policy for dealing with such attacks. Furthermore, there are factors that are critical from a management point of view, such as whether a specific response will compromise production, how it would impact customers and suppliers and whether it would give rise to legal or other regulatory issues.
If these factors have not been discussed, formulated and included in the management level incident response plan, the delay in response to an attack would be significant and the extent of damage much worse.
Part of the initial response to an attack is about making the call on whether to “pull the plug” or not. However, this can become contentious. If security providers had their way, and wanted to leverage the advanced software they deployed, this would almost be done in an automated way. There would be no hesitation about isolating the infected machine and making sure the threat is understood and appropriate remedial action put in place to avoid the infection from spreading.
Balancing act
Pulling the plug-in certain environments is contentious, such as in manufacturing where switching off a particular host could disable the production line. This is where fast interaction with the business is required to make a rapid decision about the impact of pulling the plug, or not. That’s a difficult balancing act to maintain.
The best way enterprises can protect themselves from ransomware attacks is to prevent them before they happen. Companies that have appropriate monitoring capability in place should start looking beyond endpoint protection and start performing advanced threat hunting by monitoring patterns of behaviour on their network. This will allow them to identify anomalous behaviour on a particular host much faster.
By adding technology such as Security Orchestration Automation Response and Artificial Intelligence, one would be able to rapidly identify a potential ransomware threat and use automation to quarantine a particular machine and kickstart a series of workflow activities. In an ideal situation, this could become a non-event.
There is no solution in isolation that can protect an organisation against a ransomware attack. It’s a combination of all the protective measures, in conjunction with processes and policies, that creates protection and resilience.