Underestimating the Why of Ransomware

Organized ransomware isn’t slowing down – in fact, a group just discovered a month ago is already responsible for dozens of attacks – and they are experts at discovering weaknesses we miss. With so many sophisticated new security tools and so much stack investment, how do we continue to play catch-up to roving ransomware groups?

Because the reality is, we’re all prone to making mistakes.

The 2023 Verizon Data Breach Investigations Report (DBIR) confirms that 74% of all breaches are attributable to human error. From non-technical employees to system administrators, every member of an organization is capable of unintentionally assisting attackers. Security misconfigurations abound, vulnerabilities go unchecked and unpatched, and ransomware happens.

What organizations need to complete their security strategy – often replete with advanced architecture and savvy experts – is a simple, elementary-school trick:

Check your work.

Errors are common the first time through, especially when your SOC is stretched, resources are limited, and millions of alerts compete for your time. But offensive security measures are one way to make sure that when mistakes do occur, you’ll be the one to catch them.

And you won’t catch them too late.

Vulnerability Scans

The first thing you’ll want to do is vet out the low-hanging fruit: vulnerabilities. There are thousands of them out there, many of which are easily exploited, providing attackers with a way to gain initial access, escalate privileges, pivot throughout the environment, and more.  Exploiting vulnerabilities is such a common ransomware tactic that CISA began the Ransomware Vulnerability Warning Pilot, a proactive CISA initiative that uses public and commercial data resources to identify systems that contain security vulnerabilities commonly associated with ransomware attacks and notifies those that may be at risk.

Often resulting from a flaw within or misconfiguration of an asset, vulnerabilities might as well be front doors for attackers. However, Vulnerability Management tools can identify these weaknesses so they can be easily patched. You just need to know where – and what – they are. Vulnerability scanning is now considered so vital to cybersecurity that it is required for many different compliance regulations, including PCI DSS, HIPAA, and SOX.

Pen Tests: Social Engineering Tests

Pen testing leverages the same tools, tricks, and techniques at threat actors to exploit vulnerabilities and determine how much damage such an attack could inflict. As you might have guessed, one of the most common and effective tactics attackers use to deploy ransomware is to go phishing.

Who hasn’t fallen for a fake “WebEx” email or “UPS” asking for a quick confirmation of your account information? These tried-and-true social engineering ploys brilliantly skirts around our sophisticated security defenses and hits us where it hurts: human judgement. While always fallible, even this can be improved.

Social engineering tests can identify who is susceptible by imitating a real phishing campaign and tracking who and what they’re clicking on. Some employees may be more susceptible to emails that are trying to get malicious code past the perimeter through an email attachment, while others may be more likely to share their credentials by clicking an email link that takes them to a spoofed version of a website they commonly use.

Letting staff know you’re running regular social engineering tests can help train them to always be vigilant with communications they receive. Additionally, tailored Security Awareness Training (SAT) can shore up security awareness for employees who need it, and results can be improved. One global manufacturer saw phishing click-through rates plummet from nearly 40% to under 15% after company-wide training.

Red Team Engagements: Testing All Angles

Security teams are the first responders to a ransomware attack. As such, they need to be prepared.

Red teaming tests the readiness of your SOC as much as it tests malicious post-exploit possibilities. In essence, a red team engagement is a test of an organization’s total operational mettle. While pen tests tend to focus on a more finite scope, red teaming is more goal oriented, focusing on an objective like gaining root access or stealing sensitive data.

Red teaming is also a real fire drill for the security team, which can serve as an excellent training exercise. Vulnerability scans and pen tests, while necessary, do not replicate the real-time drama, creativity, or extent of a genuine attack. Running a full ransomware testing scenario gives security teams not only the awareness of how they do respond in the moment, but the experience to know how they should respond when the real one hits.

Offensive Security with Fortra

Consistency is key for cybersecurity to work as advertised. The problem isn’t the tools, the time, or the talent – although they do contribute. As the most recent Verizon DBIR reiterates, most of the problems occur between the chair and the keyboard. And it’s only human.

However, so is preparation and improvement. Offensive security habits are a necessary part of any security strategy and they need to be ongoing. Every change is an opportunity to create a new attack vector, whether it’s onboarding a new employee, introducing new tools, or adding additional hardware. Everything and everyone needs to be checked, early and often.

And regularly running assessments not only helps to determine the state of security, but also puts the human element to the test. Fortra’s range of offensive security solutions - from vulnerability management to pen testing to red teaming– provides the preparation organizations need to make sure their technology and teams are ready for a real-world attack.