Simon Monahan | August 04, 2022
Despite the widespread awareness of its risks and large investments by organizations in mitigating controls, the ransomware threat continues to rise.
This blog identifies some of the primary reasons that ransomware continues to pose such a major problem and explains how Breach and Attack Simulation can help security teams defend against attacks more successfully.
Ask any security professional about what keeps them awake at night and many will answer, ‘being hit by ransomware.’ Yet, despite both the prevalence of the issue and billions of dollars being invested in mitigating controls, incidents continue to rise year-on-year. Why is this and what needs to change to finally break this trend?
Almost every day, The Picus team talks with security professionals about some of the major issues they face in defending against ransomware. Five of the challenges that we hear most often include:
As the findings of The Picus Red Report demonstrate, threat actors regularly change the tactics and techniques that they use. Staying up to date with daily changes to the threat landscape is a significant undertaking and many security teams struggle to find the time required to monitor, analyze and action threat intelligence.
Ransomware actors move quickly to weaponize new vulnerabilities. An inability to respond quickly enough to take prioritized defensive actions can leave organizations exposed.
Despite investing in behavior-based security technologies to detect ransomware and other threats, many organizations still rely too heavily on static indicators of compromise (IOCs). Indicators such as hash values, IP addresses and domain names are easier to identify, but they are also trivial for adversaries to change, so detecting them causes attackers far less pain than detecting their behaviors.
SIEM, XDR and EDR solutions use behavioral analytics to detect evasive threats like polymorphic malware. However, these solutions do not work out of the box and must be tuned regularly to ensure they are capable of identifying the latest adversary tactics, techniques and procedures (TTPs).
On average, it takes seven hours to write and implement a single detection rule to alert on a specific behavior. However, stretched security teams can lack time to perform such tasks regularly. For this same reason, basic hygiene tasks required to keep existing rules working optimally are also neglected.
It’s not just evolving threats that create problems for security teams. Frequent changes within organizations’ own internal networks and lack of visibility of them are also major reasons why ransomware attacks continue to be so successful.
Business growth and digital transformation, including rising cloud adoption, expand the attack surface that security teams must protect. Given the enormous volume of data, systems, applications and other assets that must be managed and monitored daily, misconfigurations are not uncommon. Unfortunately, gaps are often only identified once breaches have occurred.
Security controls are fundamental to defend against ransomware but in many cases, organizations are unaware if their investments provide the protection they expect. Without the means to validate the effectiveness of existing investments, security teams must assume (or hope) that their defenses are effective. As a result, they run the risk of only discovering gaps once it’s too late.
Penetration testing is widely commissioned by organizations for assurance and compliance purposes. However, the nature of these assessments means they are vulnerability-focused, slow to perform and only provide visibility at specific moments. A lack of continuous insights holds organizations back from being as proactive as they would like to be.
Feelings of stress and exhaustion are widely experienced by professionals in the cyber security industry. From identifying and remediating vulnerabilities to detecting threats and responding to incidents, the sheer number of tasks that must be performed daily means that most teams suffer from overload and don’t always know where to focus their attention.
In most security operations centers, alert fatigue is common. On average, the typical enterprise has between 30 and 70 security controls to manage, and amongst all the noise, important events can too easily be missed or overlooked.
For most organizations, overcoming the security challenges identified above to improve ransomware resilience is not easy. Ransomware is a complex issue without a simple solution. What’s clear, however, is that current approaches are failing and that changes are needed if we are to stem the continued rise in attacks.
At Picus Security, we believe that organizations must become more threat-centric to reduce the risks of ransomware more effectively. Rather than blindly procuring new technology in the hope that it will provide protection, our belief is that organizations must put threats front and center of their cyber security strategy. It is only by improving their understanding of the threats they face and measuring the effectiveness of controls and processes to defend against them that organizations can make better security and investment decisions, and avoid assumptions.
Conducting vulnerability scanning and occasional penetration testing is not enough to obtain a holistic view or the full range of offensive security insights necessary to better understand and strengthen an organization’s security posture.
Breach and Attack Simulation (BAS) is a rapidly growing area of cyber security that exists to enable organizations to become threat-centric by overcoming the challenges of traditional approaches to obtaining adversarial insights.
By simulating real-world threats such as the latest types of malware and ransomware, BAS solutions help security teams continuously validate and enhance the effectiveness of security controls to prevent and detect attacks.
With a specialist BAS solution for security control validation, organizations can measure the effectiveness of firewalls, email gateways and other prevention tools to block common ransomware attack vectors. In addition, they can also validate that detection controls such as SIEM and EDR solutions are configured optimally to alert on malicious behaviors.
The Picus Complete Security Control Validation Platform is an award-winning BAS solution that not only simulates threats but also supplies actionable recommendations, including vendor-specific signatures and detection rules, to help security teams optimize their security controls to mitigate them.
The Picus Platform’s Threat Library, which is updated on a daily basis, includes over 3,500 threats and 18,000 actions. These are designed to help organizations test attacks across the cyber kill chain, from network and email infiltration through to data exfiltration. The 200+ types of ransomware that The Picus Platform can simulate include:
For every simulation performed, The Picus Platform generates a security score for prevention and detection controls, both individually and collectively, and maps results to the Cyber Kill Chain and MITRE ATT&CK Framework. Results can be monitored in real-time via custom dashboards and exported as executive reports suitable for sharing with key stakeholders.
By automating otherwise manual assessment and mitigation processes and by operationalizing threat intelligence, The Picus Platform is a force multiplier that helps security teams achieve greater impact for their effort.
If you’re ready to learn how prepared your organization is to defend against the latest ransomware threats, sign up for a free 14-day trial of The Picus Complete Security Control Validation Platform. Alternatively, request a demo and talk to one of our experts to learn more about how our BAS technology can help.