Editor's note: The following is a guest article from Chris Silva, research VP at Gartner.
This summer, security leaders around the country were in for a late start to their Fourth of July weekend when hundreds of managed service providers (MSPs) and their customers became victims of a ransomware attack that affected a client management tool from Kaseya.
The attack was perpetrated by the REvil group, which exploited a zero-day vulnerability in Kaseya's virtual system administrator (VSA) server software. The perpetrators targeted system vulnerabilities and managed to use Kaseya infrastructure to deploy a compromised version of a Microsoft Defender executable that provided shell-level access to Kaseya production servers. This caused ransomware to rapidly spread to many of Kaseya's customers.
This scenario seemed to echo other attacks on critical IT infrastructure that have become increasingly visible as of late, such as 2020's massive SolarWinds attack or the Microsoft Exchange email attack earlier this year. Because they can serve as highly effective vectors for widespread propagation of malware, software offerings that are a central element of the internal IT supply chain and which require deep access to servers and devices, are an attractive target for compromise.
Security leaders must employ a combination of tools and techniques to protect their organizations against ransomware attacks of this nature. Here are best practices that CISOs and their teams can adopt as similar attacks become increasingly prevalent:
Invest in detection-based security tooling
Standard antivirus and even the most rigorous patching routines lack the behavioral analysis capabilities to detect advanced threats, leaving organizations exposed. Gaining the ability to detect and correlate user, app, device and network behavioral patterns is critical, but it will require new security investment for many organizations.
Endpoint detection and response (EDR) and network detection and response (NDR) tools improve security operations teams' visibility into fileless and zero-day attacks.
Organizations should update security infrastructure across all PCs from signature-based antivirus — which is ineffective in REvil-style attacks where the executable hash matches that of a legitimate executable — to tools that can detect fileless malware and analyze behavioral patterns to thwart attacks.
Additionally, equip server infrastructure with EDR tools that can sense abnormal application and process behaviors as well as file-level integrity changes. EDR tools should also have other methods to detect behaviors and processes that indicate a compromised system or the presence of a bad actor.
Organizations lacking sufficient IT security talent to manage EDR solutions should consider outsourced managed detection and response (MDR) offerings. MDR services can augment existing IT staff to ensure proper configuration and proactive monitoring of the EDR console, help address unknown or unfamiliar threats, and provide on-demand threat intelligence.
Adopt modern management
Having a single, central point for all OS and app updates creates less complexity for IT. However, it also creates an attractive target for attackers seeking to exploit a larger number of systems.
Security leaders should consider adopting decentralized, modern management models, which provide the following benefits:
- Reduced attack vector/surface. Modern management diversifies the channels through which operating system and app updates are delivered, removing the highly attractive target posed by a single source for all endpoint updates and patches.
- More rapid resolution of potential security issues through automated, detection-triggered push of relevant updates to endpoints in real-time. Staying "in patch" will not require users being on-network to receive critical updates, easing delivery.
- Faster remediation. Integrated workflows are required to respond rapidly to newly discovered vulnerabilities and to take actions to reduce or eliminate the threat of spread. With proper management and security tool integration, rule thresholds are established and vulnerabilities that meet or exceed a certain threat level can be acted upon automatically.
- Greater access controls. The ability to gather more granular contextual data about a user, app or device is a benefit of embracing modern management. However, it must be accompanied by a strategy to enable zero-trust network access (ZTNA), as reuse of compromised credentials may evade network- and endpoint-based detection tools. More intensive user and device posturing for access is a critical area of investment for rounding out modern management deployments.
Retain incident response services
Historically used during an emergency such as a breach or outage, incident response (IR) services traditionally required experts to be deployed into a customer's site. These offerings have expanded to include proactive and reactive services, and they can now be delivered remotely.
An analysis of the market shows that a minority of organizations have active IR retainers in place. All organizations should assess the value of an IR retainer, whether they are using MDR services or not. IR retainers will cover a scope of services well beyond operation and configuration of security tools such as EDR and NDR, and they eliminate the time lost to vendor negotiations and paperwork when facing an incident, allowing an increased focus on response actions.
When reviewing IR offerings, be cautious about IR providers actively promoting the concept of "no upfront cost" or "zero-dollar" incident retainer programs. While the prospect of a low-cost entry point might appear appealing, this often comes with limitations.
Carefully review response time service-level agreements (SLAs) and those governing the completeness of remediation or recovery efforts. Make a note of the prerequisites required to have the vendor uphold these SLAs.
There is no way to fully protect against advanced attacks such as zero-day vulnerabilities or nation-state threats. Therefore, responding quickly is critical to minimizing damage. Taken together, these strategies and investments can help organizations ensure they are in the best position to quickly detect, respond and minimize the impact of a REvil-style attack.