52% of organizations believe that security operations are more difficult today than they were two years ago.
How Ransomware Works: The Five Questions You Need to KnowTake on the guise of the adversary to learn how ransomware works. By: Nate Drier, Secureworks Adversary Group
As a tech lead for the Secureworks Adversary Group, I work with a team that emulates the behavior of human threat actors who deploy and exploit ransomware. We do this with goal-based pentesting (penetration testing), combined with Red Team tactics, to ensure our actions closely mimic the reality of how ransomware works.
We also collaborate closely with the Secureworks Incident Response team to help our customers evict active ransomware, recover post-attack, and perform perimeter testing to ensure they’re no longer an easy target for threat actors.
I’ve spent countless hours attacking organizations like yours with ransomware. And based on that experience as a ransomware attacker, I’ve come up with five questions you need to ask yourself as if you were a bad guy.
Question #1: Can I breach your perimeter?
There are countless ways for me to breach a perimeter. My choice of tactics will obviously depend on the particular makeup of your organization’s perimeter.
I can look for an opportunity for SQL injection in one of your web applications. I can try to guess credentials for your VPN. Or I can look for an error in your firewall configuration that grants me access to a sensitive service or application.
Nowadays as an attacker, I’m less likely to target your company, scan your perimeter for issues, and then try to exploit one to get inside. Instead, my modus operandi is more likely to treat the entire internet as my target. It’s much easier to scan the entire internet for one specific vulnerability I’m really into, find 100 systems that have that vulnerability, and then investigate the companies that own those 100 systems.
In other words, I’m not necessarily going to target you as an organization. I’m going to seek out an opportunity and then target you as the owner of a vulnerable system.
Perimeter defense best practices are thus the answer to remediate Question #1. You’re most likely familiar with those best practices: multi-factor authentication everywhere, rigorous attention to firewall rules so that access is strictly limited to necessary services, diligent detection and patching of known vulnerabilities, etc. But even though you understand these basics, you still have to make sure that you’re executing them. If you don’t, you’ll quickly become a target of opportunity for me.
Question #2: Can I phish any of your users?
Sure, you’ve probably implemented defenses that make it more difficult and more time-consuming to successfully phish your users. But domains are cheap and emails are free, so I’m still going to try. Plus, phishing is a game with unlimited retries—and I only have to get one user to click once, while you need your users to not click every time.
If at first I don’t succeed, I can just keep trying different iterations on my pretext/payload or move on to another target. On the other hand, if I get that one mistaken click, it’s game on. Just like regular fishing.
Here again, you probably know what kinds of defenses to put in place. You need strong endpoint controls—including EDR and appropriately restricted permissions. You need email filtering that checks message attributes such as the age and reputation of the source domain. And, of course, you need to properly train all your users—from your top executives down to your brand-new hires—to ensure they understand how to practice good email hygiene.
Question #3: Are my target’s critical backups viable and well-protected?
Compromised backup infrastructure is the kiss of death in a ransomware attack. If I can get to your critical backups and eliminate them (by either deleting or encrypting your backup files), you will lose the only option you have to restore your business. That loss of backup will dramatically increase the likelihood of a big payday for yours truly.
If you want to maintain a failover option in the event I get past your perimeter and start monkeying around in your environment, you must protect your backup infrastructure. Multi-factor authentication is an important element in that protection. So is segmentation. Your backup servers should be on a separate domain and should not be accessible over the network by every user in your organization. Also, it is essential that your backup infrastructure does not share credentials with any of your other production systems.
One more caveat. Your backup systems have to actually work. So make sure whoever is responsible for executing and testing your backup systems does so regularly. You don’t want to find out that there’s a glitch in your recoverability when you’re smack dab in the middle of a ransomware attack.
Question #4: How long can I remain undetected?
Here’s one of the most important lessons I’ve learned from my time as a pretend ransomware attacker: the more time I have to explore and probe your environment, the greater my chances of success.
This lesson surfaces in our testing over and over again. If our client can detect and evict us within an hour or so after we gain a foothold, we usually don’t get much of a chance to pull off a successful attack. But if we get several days to move laterally and compromise additional systems, we almost always reach the point where we can do something very harmful to their business.
Fast, accurate threat detection is thus critical to your anti-ransomware efforts, which means you need a lot of telemetry from across your endpoints, network, and cloud implementations. And you need to be able to make sense of that telemetry, without getting overwhelmed by alert fatigue. Finally, you need to be able to translate your discovery and identification of any active threat into immediate, decisive action that neutralizes it.
Question #5: Is my target flying solo?
As an attacker, I can’t directly or empirically determine whether a target I’m attacking has had outside help or not. But, quite frankly, if it’s just me and my team against the typical understaffed SOC, we almost always win. That’s no insult to our customers’ SOCs. It’s just a numbers game. There are more of us than there are of them.
In stark contrast, customers who have already been through our pentesting and Red Team adversarial tactics are demonstrably tougher to crack. That’s mainly because they’ve already let us take a crack or three at them—so we’ve already discovered where they’re vulnerable and helped them remediate those vulnerabilities.
The same is true of virtually any other attacker. They may not know you’ve specifically engaged with the Secureworks Adversary Group, but they’ll quickly discover that you know how ransomware works, and that you’re not the easiest target in the world. And so, like most attackers, they’ll gladly move on to a more vulnerable environment.
If you’d like us to test your environment for vulnerabilities and harden your ransomware defenses, check out our Ransomware Attack Simulation service. And take a good, close look at Taegis™ XDR. Both solutions can help you get the right answers to all five of the above questions, significantly reducing your organization’s exposure to the ever-escalating threat of ransomware.