Finding signs of an ongoing attack or backdoor deployments is nearly impossible for digital laggards.
"Folks underestimate cyberthreats on a regular basis," said Adam Kujawa, security evangelist director at Malwarebytes Labs. IT and security departments are always on the defense, but "cybercriminals know that uneducated users are the best method of breaking into a network," he said.
When people fail, technology is meant to be a safety net … unless the technology fails too.
In the event of a cyberattack, IT and security teams move directly to neutralizing infected endpoints or systems. However, if an organization has a faulty understanding of its control and visibility technologies, timely response will suffer.
"Given the relative immaturity of these disciplines in many organizations, teams are still going to be operating from a reactive perspective," said Mark Bagley, VP of product at AttackIQ. The reactive nature of security teams is feeding attacks.
Building evidence into control and visibility solutions, as Target does using its threat matrix, could prevent devastating attacks.
One of the first steps in responding to a ransomware attack is to determine if the attack is still in progress. Initial invasions work with commodity tools, like banking trojans, that are often blocked by antivirus software, according to Microsoft. Sophisticated attacks — those operated by humans — hide in seemingly inconsequential alerts.
When malware was all automated and a patch was missed, "you probably learned how it got on your computer, you went and closed that hole. And then it would never come back," said Chester Wisniewski, principal research scientist at Sophos. But now, if companies are using tools even five years old, "it's really, really hard to know for sure whether they're there or not."
Threat actors can sit in systems for days or weeks before executing malware and finding all the areas they touch depends on what's known about the threat itself.
"Chasing unique vulnerabilities is a less effective approach to security program management than optimizing a program based on evidence of control function" because ransomware campaigns are known for tapping similar TTPs or old variants that still work, said Bagley.
Questions technology should answer
Upgrading security technologies is part of the recovery process if a company becomes a cyberattack victim. With humans behind the mechanics of an infection, there's a chance they had time to scope out other forgotten vulnerabilities ripe for a secondary or prolonged invasion.
During a response to a Conti ransomware attack, Sophos researchers found the intruders made a map of the compromised network and kept text file lists of its endpoints and servers. The operators tested a server with a Cobalt Strike beacon before deploying it to about 300 endpoints.
"Imagine endpoint users not as termites, chewing through the network security fence, but rather think of them as the fence posts, the first line of defense."
Security evangelist director at Malwarebytes Labs
Conti is deployed on any online server or endpoint, according to Sophos. If a server is encrypted but not the endpoints, that was a decision made by the attackers in the moment.
Companies without the manpower to stay on top of unusual network behavior can miss the opportunity to prevent an anomaly from escalating.
"I recommend those who are looking to protect their networks be creative and make sure all your resources are working to help secure your environment," said Kujawa. "Imagine endpoint users not as termites, chewing through the network security fence, but rather think of them as the fence posts, the first line of defense."
Without updated endpoint and detection solutions to perform audits searching for abnormal activity, there's no trail to refer back to. Companies should be able to answer basic questions, including:
- When did the malicious actor break in?
- How did they gain access?
- What TTPs were leveraged?
- Were all infected systems remedied?
"If you have those kinds of tools in place, even if they failed at stopping the attacker, they've created an audit trail," said Wisniewski.
Sophos aided a customer after a ransomware attack, where the perpetrators took advantage of 20-year-old security solutions. There were no tools to accurately assess whether or not the attacker was still present. Recovery cost more because the organization paid for traditional recovery-related expenses and had to update its technologies.
"The only way we could get rid of them there was to rebuild every system from scratch; just shut everything off, and start to build each server one by one by one brand new, it's the only way you can be sure that nobody's there," said Wisniewski.