Emerging risks with the advent of hybrid/remote work, the proliferation of ransomware-as-a-service (RaaS) and talent shortages in every area of IT are testing the limits of CISOs (chief information security officers) and CROs (chief risk officers) as never before. A frequently monitored and updated security checklist is a commonsense approach that breaks a complicated problem down into easier-to-manage departmental tasks.

Kaspersky’s threat intelligence team has analyzed eight of the most prolific ransomware groups, such as Conti and LockBit 2.0, and how they carry out their attacks. The data reveals many similarities in attack execution, in how ransomware groups operate and in how to defend against their attacks.

Freezing your network and holding your data hostage is as easy as embedding ransomware in a document macro attached in a phishing email. This can happen even with heightened cybersecurity measures such as zero-tolerance policies and strict password protocols. 
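As an added illustration (not from the Kaspersky report or this article), the following Python check flags mail attachments that carry the delivery vehicle described above: an Office document with an embedded VBA macro project. The file names and contents are constructed samples built in memory.

```python
import io
import zipfile

# OOXML part names that indicate a document carries VBA macro code.
MACRO_MARKERS = ("word/vbaProject.bin", "xl/vbaProject.bin", "ppt/vbaProject.bin")


def has_macro(data: bytes) -> bool:
    """Return True if an OOXML (docx/docm/xlsx/xlsm/...) blob contains a VBA project."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = set(zf.namelist())
    except zipfile.BadZipFile:
        return False  # not an OOXML container (legacy .doc, PDF, plain text, ...)
    return any(marker in names for marker in MACRO_MARKERS)


def triage_attachment(filename: str, data: bytes) -> str:
    """Classify an attachment as 'macro', 'extension-mismatch' or 'clean'.

    'extension-mismatch' means the file uses a macro-free extension (.docx, .xlsx,
    .pptx) yet contains a VBA project; that combination deserves a manual look.
    """
    ext = filename.rsplit(".", 1)[-1].lower()
    macro = has_macro(data)
    if macro and ext in ("docx", "xlsx", "pptx"):
        return "extension-mismatch"
    if macro:
        return "macro"
    return "clean"


def build_ooxml(entries) -> bytes:
    """Constructed sample: a minimal OOXML container holding the given part names."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        for name in entries:
            zf.writestr(name, b"x")
    return buf.getvalue()


# Constructed inbox samples: a macro-enabled invoice, a clean report and a
# macro-bearing file renamed to a macro-free extension.
SAMPLES = {
    "invoice.docm": build_ooxml(["word/document.xml", "word/vbaProject.bin"]),
    "report.docx": build_ooxml(["word/document.xml"]),
    "renamed.docx": build_ooxml(["word/document.xml", "word/vbaProject.bin"]),
}


def triage_all(samples=SAMPLES) -> dict:
    """Run the check over every sample and return {filename: verdict}."""
    return {name: triage_attachment(name, data) for name, data in samples.items()}
```

Presence of a VBA project is a triage signal, not a verdict on intent; legitimate macro-enabled documents exist, so the point is to route such attachments for inspection before they reach a mailbox.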

There are myriad ways that malware can access your network. Most are discussed in “The hateful eight: Kaspersky’s guide to modern ransomware groups’ TTPs,” available for download. 

“In recent years, ransomware has become a top concern for the cybersecurity industry, with constant developments and improvements being made by ransomware operators,” comments Nikita Nazarov, team lead for the threat intelligence group at Kaspersky. “It is time-consuming and often challenging for cybersecurity specialists to study every single ransomware group and follow each one’s activities and developments in order to win the race between attackers and defenders.”

“We have been tracking the activity of various ransomware groups for a long time, and this report represents the results of a huge piece of analytical work,” Nazarov said. “Its purpose is to serve as a guide for cybersecurity professionals working in all kinds of organizations, making their jobs easier.”

Know your enemy

In military theory, warfare can be summed up into tactics, strategy and operations. Similarly, in cybersecurity, experts often discuss the common tactics, techniques and procedures (TTPs) used by cybercriminals. 

The data in the Kaspersky study of modern ransomware has revealed that the groups of attackers are quite predictable, with ransomware attacks following a pattern that includes the following:

“Ransomware-as-a-service” (RaaS) is a model in which the ransomware groups don’t deliver malware themselves, but instead provide the data encryption services to affiliates for distribution, making it even easier to deliver the malware.

Since both the makers of the ransomware and the affiliates who deliver the malicious files (in exchange for an 80% commission after successful infiltration and collection of the ransom) want to simplify their lives, they use template delivery methods or automation tools to gain access to their victims’ networks.

Reusing common TTPs makes hacking easier. With easy access to the dark web and the proliferation of hacking software, ransomware attacks are becoming more similar to one another.

While it’s possible to detect such techniques, it’s much harder to do so preventively, across all possible threat vectors. Successful breaches of the victim’s network are often due to slow installation of updates and patches.

The cyber kill chain framework

Eric Hutchins, Michael Cloppert and Rohan Amin first published the cyber kill chain in “Intelligence-Driven Computer Network Defense,” developing an analogy for offensive cyber operations based on the example of a military kill chain.

There are many variants of this model, and this is not a comprehensive list by any means. Just as a military response must evolve in response to an attack, so must cybersecurity.

For instance, one military kill chain model is “F2T2EA”: Find, Fix, Track, Target, Engage, Assess. The “Four Fs” is a kill chain model popular during WWII that was designed to be easy to remember: Find, Fix, Fight, Finish. A quick web search will find a dozen more.

The cyber kill chain was adapted from the military model and broken into seven steps:

There are disagreements among CISOs about the order of events, and concerns have been voiced that stopping threats at points of entry should be high on the list.

The Kaspersky report suggests the following version of a modern cyber kill chain:

Overall, the cyber kill chain itself remains mostly the same, because the attackers still have to carry out all steps of the attack to achieve their goals. What changes is the way these steps are executed. Cybersecurity professionals should rely on threat intelligence resources in order to have up-to-date information about attackers’ TTPs and how they’re evolving.

Mitigation techniques

Having a frequently updated cybersecurity emergency response plan, or kill chain, in the event of a cyberattack is vital to successfully thwarting bad actors and keeping your network and systems safe.

To protect against ransomware attacks, consider the following:

There’s been a trend to outsource cybersecurity to IT subcontractors that can provide a wider scope of services, with access to more skill sets via their specialized teams. This might be a good option for your business. Whether you’re back at the company office or working remotely from home, your network should be equally secure.