Ransomware attacks aren’t just increasing — they’re undergoing an exponential rise as the shift to remote and hybrid work expands attack surfaces and offers new opportunities for compromise. Recent data makes this uptick clear: Attack volumes rose 93% in the first quarter of 2021 compared to the same period last year.
What does this mean for your organization? It’s only a matter of time before ransomware comes your way. While you may have flown under attacker radar for years, fundamental shifts in work and the structure of IT access have put companies of all shapes and sizes in the spotlight.
This evolving state of security begs the question: How prepared is your organization for an attack?
Understanding Common Attack Vectors
The underlying concept of ransomware is relatively straightforward: Malicious actors compromise key systems, install software designed to encrypt critical data, and then demand payment for its release.
Attacker approaches, however, can vary significantly depending on your existing IT infrastructure and current security posture. The top attacker entry points or “vectors” are, in order, web applications, email, and remote access gateways.
For example, one common attack vector starts with business email compromise (BEC) through methods such as phishing and social engineering. Cybercriminals collect social and corporate data about staff members and then send legitimate-looking emails that ask for login and password information. Once inside those accounts, attackers can move freely to install malware and start encrypting data.
Ransomware may also be deployed via third-party services or connections. These include point-of-sale (POS) systems, cloud providers, software-as-a-service (SaaS) vendors or even network service providers. If attackers can compromise these services and move laterally into your network, security controls may not initially flag them as suspicious. Ransomware has also evolved to include data exfiltration, with attackers demanding payment in exchange for not releasing the stolen, potentially sensitive data on the Internet.
Evolving global conditions have also set the stage for COVID-themed phishing emails that convince users to share key data or click through to supposedly authentic sites — sites which in fact host malware and are designed to scrape user credentials and session cookies to gain access.
The Role of Ransomware Readiness
For organizations, the evolving impact of ransomware speaks to the need for readiness. It’s not enough to simply respond when attacks occur. Instead, businesses must deploy tactics and tools that help them detect potential ransomware attacks before they compromise critical data.
In practice, readiness requires three key components:
- Visibility: Without the ability to see what’s happening on your networks, attackers effectively have free rein to install ransomware across your IT environment. By the time you see what’s happening, it may be too late.
- Flexibility: Every ransomware attack is different. It may have a different compromise point, code structure or encryption algorithm, meaning you need a unique strategy to protect your data. As a result, flexibility is key for protective success.
- Accountability: Security is a shared responsibility. To reduce the risk of successful ransomware attacks across your organization, it’s critical to create a culture of accountability that includes C-suite members, managers and front-line staff.
The Ransomware Readiness Assessment
How can you prepare for a ransomware attack? Consider all the components involved to protect your data.
- Identify key assets: Before you can effectively protect against ransomware attacks, you need to identify common targets. While all data offers some value to bad actors, their best bet to get paid is by restricting access to information your business needs for day-to-day operations. Therefore, it’s critical to find this data and shift it into highly secure storage and compute environments.
- Pinpoint potential vulnerabilities: Where are you most vulnerable? This is often a tough question for in-house IT to answer, because familiarity with the systems can lead to assumptions of protection where holes actually exist. To help pinpoint potential vulnerabilities, it’s worth working with an outside consultant to find these problems first and to identify areas where security may not meet current compliance standards.
- Deploy defensive services: Next are defensive services capable of reducing the risk and impact of malware. This starts with robust spam email controls to limit the risk of phishing, combined with strong identity and access management (IAM) to help ensure the right people have access to the right data.
- Educate all staff: While some attacks are purely outside-in, many have an insider component. Although most are accidental — staff may unwittingly provide access data or click through to a legitimate-looking site — the outcome is the same: encrypted and ransomed data. Regular staff education is a key component in getting ransomware-ready.
- Monitor for malicious activity: Ongoing monitoring and management of IT systems is critical to help ensure that attackers don’t slip through security cracks. With malicious actors continually exploring new ways to compromise corporate systems, you need 24/7/365 monitoring that quickly identifies suspicious activity.
- Test, test, test: Last but not least, testing. Even with a robust ransomware response plan in place, you can’t afford to rest on your security laurels. Teams need to regularly test response practices to confirm they’re ready if and when an attack occurs.
FREQUENTLY ASKED QUESTIONS (FAQs)
1. What is a ransomware risk assessment?
A ransomware risk assessment is a cybersecurity evaluation that measures an organization’s vulnerability to ransomware attacks. It examines systems, processes, and user behaviors to identify potential gaps that threat actors can exploit to breach defenses and execute attacks. The assessment is scoped, conducted, and reported against NIST CSF, NIST RMF, CMMC, and the MITRE ATT&CK® matrix to make sure your security program is in alignment with your risk exposure.
HALOCK’s ransomware assessments and readiness reviews measure your organization’s preparedness for ransomware, enabling you to understand your current exposure, prioritize remediation, and close security gaps that attackers are most likely to target. The ransomware risk-based assessments are based on an organization’s critical assets and support security teams in understanding and aligning incident detection, protection, and response strategies based on frameworks and standards, including NIST CSF, NIST RMF, CMMC, and MITRE ATT&CK®.
2. How does a risk-based threat assessment work?
A risk-based threat assessment measures the potential risk a specific threat poses to an organization based on its likelihood to occur and the business impact of the threat. It then applies this analysis to security controls and countermeasures to create actionable risk-reduction plans.
HALOCK uses the MITRE ATT&CK® framework to map real-world adversary behaviors, techniques, and processes to your network environment and accounts so that your organization can understand which paths are most relevant to its environment. With this knowledge, security investments and security controls can be applied where the risk is the highest.
3. Why use the MITRE ATT&CK® framework for cybersecurity assessments?
MITRE ATT&CK® is a globally accessible knowledge base of tactics and techniques that adversaries use in their attacks. It is a valuable tool for security teams to identify, understand, and prevent future attacks.
HALOCK includes ATT&CK® in our ransomware and risk-based threat assessments to give organizations more complete and robust visibility into potential attack vectors, so they can prioritize the defenses that best reduce risk.
4. How can HALOCK help prevent ransomware attacks?
HALOCK can help your organization prevent ransomware attacks by first identifying potential weak points with our compromise assessments, ransomware readiness reviews, and penetration testing.
HALOCK cybersecurity experts then work with your business to develop a risk-based security plan for attack path prevention. The plan applies the MITRE ATT&CK® framework so that attack paths and known adversary tactics can be prioritized and defended, covering your organization’s critical assets and its incident response capabilities.
5. What are the benefits of a ransomware readiness assessment?
A ransomware readiness assessment identifies gaps in detection, response, and recovery processes BEFORE an attack occurs so an organization can significantly reduce downtime and have a documented, practiced, and tested incident response plan in place when attacks occur. This helps your business maintain “reasonable and appropriate safeguards” against ever-changing ransomware threats, per cybersecurity and data protection compliance standards and legal guidelines for HIPAA, PCI DSS, NIST CSF, FedRAMP, GDPR, and CMMC.
6. How often should businesses conduct threat assessments?
Businesses should conduct risk-based threat assessments at least annually, or whenever their cyber infrastructure or environment changes significantly, such as during cloud migration projects, mergers and acquisitions, or extensive software and hardware updates. This ensures defenses remain effective against the ever-evolving tactics catalogued in the MITRE ATT&CK® knowledge base.
7. What industries benefit most from ransomware and risk-based threat assessments?
Healthcare, financial services, education, legal, and manufacturing industries can benefit greatly from these assessments due to high data sensitivity and stringent compliance requirements, but every organization should have a ransomware readiness strategy and assessment built into their overall cybersecurity program.
HALOCK tailors ransomware and risk-based threat assessments to each industry’s cybersecurity risk profile, applicable regulations, and inherent legal obligations to third-party customers.
8. What makes HALOCK’s ransomware assessment different?
HALOCK’s ransomware assessment is unique in that it goes beyond vulnerability scanning to determine whether technical controls are in place to support cybersecurity resilience. We also apply Duty of Care Risk Analysis (DoCRA) and ATT&CK® mapping to our ransomware and risk-based assessments, ensuring not only the effectiveness of cybersecurity and IT controls, but also that those controls are reasonable and appropriate under current cyber regulatory and compliance guidance and legal standards. This helps ensure your organization is making reasonable and appropriate efforts to protect customers and suppliers — essential for demonstrating defensible due care.
9. What is the relationship between risk assessments and incident readiness?
Risk assessments focus on identifying and prioritizing potential threats and vulnerabilities that may impact an organization. Incident readiness, on the other hand, is the ability of an organization to quickly and effectively detect, respond to, and recover from a security incident. In short, an incident response plan (IRP) is a vital component of risk management as it outlines the steps an organization should take in the event of a security incident.
HALOCK provides both cybersecurity risk and ransomware assessments and incident readiness as combined services to help clients better prepare for and respond to not only ransomware attacks but also insider threats and APTs.
10. How can I start a ransomware or threat assessment with HALOCK?
Schedule a ransomware or risk-based threat assessment for your business.
Our experts will help you to scope the work and define a roadmap for risk-reduction aligned to standards, including NIST, CMMC, and MITRE ATT&CK®.
Review Your Security and Risk Profile
When it comes to getting ransomware ready, there’s no time to waste. Discover how HALOCK can help.