If 2021 has taught the security industry anything, it’s that we’re still a long way from reducing the impact of ransomware. Initial access points pervade the internet, and threat actors exploit them using three main techniques. First, through email-based attacks, with phishing being the prime example. Second, through password-based attacks, which exploit weak or guessable passwords that are often shared between assets. Third, by exploiting vulnerabilities: outdated and vulnerable assets are found, targeted, and then exploited. And, while these might seem to be stand-alone techniques, we are increasingly seeing more sophisticated attackers combine all three of these attack vectors, which is a very worrying prospect indeed.
Moreover, we are still seeing weaknesses within infrastructure itself. Indeed, Trustwave has a 100% success rate of gaining domain authority during our security testing engagements. Admittedly, this isn’t always the best metric for measuring security across organisations; however, it does demonstrate that, should ransomware gain initial access to a network via one of the aforementioned routes, it is very likely to be able to move laterally and escalate privileges.
Mitigating risk and working towards cyber maturity
Clearly then, proactive security measures are vital when it comes to protection from ransomware. And, as we head into a new year, the first step in our goal towards cyber maturity needs to be asset management, because how can you protect something if you don’t even know it exists? A comprehensive audit will provide the necessary stock of the entire IT estate, and this must focus on identifying more than just physical devices, because software, systems, and user permissions, as well as weak access policies, all represent a major threat.
Continuing with the importance of tightening security foundations, it is no secret that threat actors take advantage of the often-overlooked security basics. So, in the new year we must also make patching, strong passwords, and a detailed security policy across the enterprise a top priority. Carrying out regular pen testing can help to ensure that the basics are being followed across large, complex environments. Staff education then becomes critical: regular training on how to spot a phishing email, as well as on what constitutes a robust password, should be compulsory, and all staff should be made aware of the security policies an organisation has in place and how best to adhere to them.
The future of ransomware
Ultimately, while we cannot predict the future perfectly, with all the success cyber criminals have had with ransomware attacks over the past year, I’m confident they are not going away anytime soon. Similarly, I’m quite sure that threat actors will continue to leverage the same classes of vulnerabilities for the foreseeable future.
So, when it comes to preventing your organisation from becoming the next ransomware headline, basic cyber hygiene must be everyone’s focus moving into 2022. With proper planning and upkeep, organisations can continue to expand their infrastructure and take on new technology without increasing their chances of making the headlines as the next big ransomware victim.