Ransomware is still a major threat. In fact, the Tactics, Techniques and Procedures (TTPs) of ransomware gangs have evolved so much that they have created new business models within the darknet, where premium services such as Ransomware as a Service (RaaS) are offered. The reality is that this isn't going away - it's only going to get worse. The question is - what can we do about it?
Well, this starts with shifting our perspective on the realities of our threat landscape and of modern business practices such as a remote workforce and cloud-focused IT. Operating from that new perspective, we can revise our understanding of risk exposure in our new business reality.
While ransomware attack vectors come from numerous sources, overall they can mostly be broken down into three categories:
- Attacks leveraging your people
- Attacks leveraging your infrastructure
- Attacks leveraging your trusted vendors and their solutions
Attacks targeting people vary from malicious media dropper attacks (the old USB drive in a parking lot trick) to advanced social engineering exploits. We've even seen approaches as bold as simply emailing users and offering them a slice of the paid ransom in exchange for initial access. All of this can be done without initially touching your infrastructure. Though many organizations run simulated phishing campaigns, the truth is that most people don't know how to construct social engineering attacks the way attackers do, and often strive only to meet compliance baselines.
Attacks leveraging infrastructure are real, and ransomware gangs use them both to gain entry and to establish a foothold in an organization. The options are plentiful: poorly managed internet-facing systems with disclosed default passwords (over 30K systems as I write), internet-exposed remote desktop and SSH services (nearly 5M and 21M internet-facing systems respectively) that attackers love to target with credential stuffing and brute force attacks, and a plethora of internet-exposed vulnerable web applications and API services that can be leveraged to breach organizations. Because most organizations are unaware of many of the online assets that expose them to risk, there is a strong chance that your organization is exposed in a way that you're not expecting.
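As an added, defender-side illustration of the credential stuffing and brute force traffic the post says exposed SSH attracts (example code written for this page, not Truvantis tooling): it parses a handful of constructed OpenSSH log lines and flags source IPs with a burst of failed logins, noting how many distinct usernames were tried and whether a successful login followed the burst. The log lines, hostnames and the assumed year are all invented for the example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sshd log lines for this example (not real traffic); syslog lines carry no year
SAMPLE_AUTH_LOG = """\
Mar  3 10:00:01 bastion sshd[2101]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2
Mar  3 10:00:04 bastion sshd[2102]: Failed password for root from 203.0.113.7 port 51023 ssh2
Mar  3 10:00:06 bastion sshd[2103]: Failed password for invalid user test from 203.0.113.7 port 51024 ssh2
Mar  3 10:00:09 bastion sshd[2104]: Failed password for invalid user oracle from 203.0.113.7 port 51025 ssh2
Mar  3 10:00:11 bastion sshd[2105]: Failed password for invalid user ubuntu from 203.0.113.7 port 51026 ssh2
Mar  3 10:00:15 bastion sshd[2106]: Accepted password for root from 203.0.113.7 port 51027 ssh2
Mar  3 10:01:30 bastion sshd[2110]: Failed password for alice from 198.51.100.5 port 40122 ssh2
Mar  3 10:01:40 bastion sshd[2111]: Accepted publickey for alice from 198.51.100.5 port 40123 ssh2
"""

# Matches the OpenSSH "Failed|Accepted password|publickey for [invalid user] USER from IP" line shape
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: (?P<result>Failed|Accepted) "
    r"(?:password|publickey) for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+)"
)

def parse(log_text, year=2023):
    """Return (timestamp, result, user, ip) tuples; the year is assumed since syslog omits it."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            events.append((ts, m["result"], m["user"], m["ip"]))
    return events

def find_bruteforce(events, threshold=5, window_s=60):
    """Flag source IPs with >= threshold failed logins inside any window_s-second span.
    Many distinct usernames from one IP points at a spray / credential stuffing run, and
    an Accepted login after the burst is the case worth paging on."""
    by_ip = defaultdict(list)
    for ev in events:
        by_ip[ev[3]].append(ev)
    alerts = {}
    for ip, evs in by_ip.items():
        fails = sorted(e for e in evs if e[1] == "Failed")
        for i in range(len(fails)):
            j = i
            while j < len(fails) and (fails[j][0] - fails[i][0]).total_seconds() <= window_s:
                j += 1
            if j - i >= threshold:
                alerts[ip] = {"failures": j - i, "users": sorted({e[2] for e in fails[i:j]}),
                              "success_after": any(e[1] == "Accepted" and e[0] > fails[j - 1][0] for e in evs)}
                break
    return alerts
```

On the constructed sample, 203.0.113.7 is flagged with five failures across five usernames followed by a successful root login, while alice's single failed attempt from 198.51.100.5 is ignored.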
Attacks leveraging trusted vendors and vendor solutions are on the rise; attacks once reserved for state-sponsored entities are now fair game for the average threat actor. In fact, these are becoming more common as the investment in such attacks becomes worth the potential payout. The reality is that new operational business models have increased risk in ways we were warned about but did not address, leading to access vectors that reach beyond the traditional security models we've so heavily relied upon.
For instance, take the REvil ransomware gang, which leveraged 0days in its Kaseya software supply chain attack. This was a ransomware attack that leveraged a trusted vendor to gain unauthorized access to numerous organizations, including organizations with mature security programs. During the attack, the vendor claimed that it had impacted a small number of clients; however, we now know that the impact was much larger, involving over 1500 businesses worldwide, some of which were themselves third-party service providers with administrative access to other victims, further extending the attack to thousands of organizations worldwide. The ransom demand of this attack? $70M! All from leveraging a trusted partner that, once breached, was used to breach others.
To combat this, we have to grow beyond the model of protecting a defined security perimeter, or of relying on a set of security controls promised by a vendor who may in the end very well be leveraged against us. As our business models change in ways that cause us to inherit the risks of our vendors, our remote workforce and cloud-based service delivery, assessment models must change to provide valid insight into what can follow from these attacks once access is achieved. Most people in our industry will tell you that this is best done in one of three models:
- Penetration testing to simulate attacks
- Social engineering tests to train the organization
- Red teaming to test controls and response mechanisms
The problem with these approaches is that they often fail to provide real value, for the following reasons:
- Penetration testing is often conducted in a way that doesn't combat penetration testing tunnel vision, leading to inaccurate perspectives of potential risk exposure
- Social engineering engagements miss the mark by only measuring 'compliance baseline' metrics that don't provide the real picture of potential impact
- Red teaming of controls is rarely done right and can be rather expensive, and it only exercises the response mechanism for a potentially known attack vector - it doesn't help flesh out potential initial footholds that are easily leveraged by attackers, sometimes without even touching your infrastructure
The best approach
Truvantis is taking a new approach to combating these problems through what we call comprehensive penetration testing. No, this isn't your standard penetration test - it is a service that has grown to reflect the realities of modern-day attacks. We start with an attack surface analysis consisting of the kind of open-source intelligence (OSINT) driven exercises that attackers actually perform, which provides real, valuable feedback about real-world risk exposure that can and will be used against you if not managed properly. Only when we have looked at your organization through the same lens as the attackers do we agree scope with you and start on the traditional penetration testing phase.
If you want real insight into what might be lurking out there that could be leveraged to breach or gain a foothold within your organization, and to understand how ransomware attacks may breach and propagate within your organization, reach out to a Truvantis consultant today and we'll help you understand what sets us apart from the rest of our industry and helps our partners succeed in this complicated, risky world.