Cybersecurity professionals once imagined that their adversaries were criminal gangs who operated within a shadowy underworld, trading secrets and malicious code on clandestine hacker forums. But in fact, today's ransomware operators act more like the savvy executive leaders of a fast-growing Silicon Valley startup. These criminals are highly professionalized, leveraging expert third-party partnerships, an internal division of labor that mirrors the way legitimate businesses are organized, and economies of scale to grow their margins.
And just as leading software companies are taking advantage of DevOps practices to release features faster than ever, ransomware operators are building malware in a modular fashion that enables them to be agile and rapidly adapt. This way, they can create new exploits that take advantage of the most recently discovered vulnerabilities at lightning speed.
In the face of the current ransomware threat landscape, cybersecurity teams are left feeling like they're constantly setting up roadblocks in the dark, while their adversaries have night vision and the ability to circumvent nearly any obstacle.
Given the extent and scope of the challenges they face, today's defenders need a ransomware prevention strategy that's truly effective. To achieve this aim, they'll need to leverage offensive security capabilities so that they can learn to think like attackers, giving them an understanding of what to prioritize and where to invest their time and attention. Only with this kind of "insider knowledge" can defenders hope to succeed in the midst of a complex and ever-changing threat landscape.
Going beyond malware: today's ransomware infections result from an intricate process
According to the Cybersecurity and Infrastructure Security Agency (CISA), ransomware is "an ever-evolving form of malware designed to encrypt files on a device, rendering those files and any systems that rely on them unusable." Once this malware has been disseminated widely through an organization's computing environment, criminals will demand a ransom payment in exchange for decrypting the files. The key stage in any ransomware attack sequence is the part where the malware gets disseminated widely: if all the files on only one computer were encrypted, ransomware attacks wouldn't be able to bring business to a screeching halt in some of the world's largest enterprises, and the damage resulting from an attack would be simple to contain.
Increasingly, in today's ransomware attack sequences, there's a separation between gaining initial access to the environment and moving laterally in order to spread the malware. Multiple different criminal groups, with expertise in diverse disciplines within the attack chain, are typically involved in different stages of the process. They use tools and techniques borrowed from legitimate penetration testers to gain long-lasting and far-reaching access.
"Ransomware is not new," said Naveen Sunkavally, Chief Architect at Horizon3.ai. "What's changed over the last couple of years to make ransomware more dangerous involves two things. One is on the ransomware operator side. They've become a lot more effective and better organized, and they've figured out how to scale so that their operations are more lucrative. The second change is in how the technology they're using has evolved. It's no longer "smash and grab, encrypt what you can and get out." Instead, today's attackers are dwelling in the network for long periods, escalating privileges, trying to take over an entire domain, and only then, as a final step, springing into action."
Defense-in-depth means accepting that you're a target and preparing accordingly
Today's ransomware operators invest time and extensive research effort into scoping out their targets. They're agile, fast-moving and extremely opportunistic. They'll leave no stone unturned when it comes to finding the weakest link in your security ecosystem. It could be an insecure virtual private network (VPN) that's exposed on the open internet. Or a single weak password protecting an account with administrative privileges. Like big game hunters, ransomware operators won't rest until they've found the vulnerability that will give them access to their target's environment — and weaponized it.
"There's just so much chaos that ensues when you have a shifting threat landscape and an attack surface that's constantly changing," said Anthony Pillitiere, Chief Technology Officer at Horizon3.ai. "Every organization is susceptible to the temptation to cut corners when it comes to cybersecurity because we're all dealing with resource constraints. Attackers maintain a relentless focus on finding their way around your defenses."
How to find and fix attack vectors before your adversaries discover them
If defenders became able to see their environment through the eyes of an attacker, their perspective would instantly shift. They'd know exactly which vulnerabilities to patch, which security initiatives to prioritize, and which weak administrative credentials posed the greatest risk to their organization. And, even more importantly for resource-constrained teams, they'll know what not to do. They'll be able to avoid chasing shiny objects or deploying tools just for the sake of having more tools. Instead, they'll be able to make the most effective interventions.
Manual penetration testing can begin to provide this information, but it has limitations. A pentest offers only a single point-in-time snapshot of your defenses' strengths and weaknesses. This model doesn't address the constant evolution of the threat landscape — or the ever-changing nature of your attack surface. Traditional pentesting is inconsistent, too: different consultants will obtain different results. Often, the engagement will conclude with no instructions for remediating the problem, and certainly without validating that you've done so.
An emerging technology, autonomous penetration testing, can vault past all of these limitations. Using a sophisticated reinforcement learning-guided decisioning process, this solution can identify the actions that attackers are most likely to take, given currently available threat intelligence and their capabilities. It can rapidly identify the attack vectors that are most likely to be exploited, as well as those that are most likely to result in devastating outcomes. Using graph theory and analytics, autonomous penetration testing can identify the weakest points in your cyber terrain map. With that information in hand, you'll know exactly where to focus first. And you can evaluate – and validate – your security posture on a continuous, ongoing basis.
Ultimately, taking advantage of offensive capabilities to inform defensive strategies can enable any organization to dramatically improve its security effectiveness. In today's world, very few defenders spend time and effort researching offensive tools, tactics, techniques and procedures, while almost everyone on the offensive side invests heavily in learning how defenders operate.
It's time to shift that balance: if you're interested in learning more about the benefits of investing in offensive security capabilities, schedule a free demonstration of Horizon3's autonomous pentesting solution today.