This post is also available in: 日本語 (Japanese)
Ransomware as a service (RaaS) is a business model designed for criminals, by criminals that lowers the technical barrier for entry into cybercrime. Instead of having to learn the skills needed to code ransomware or access a network, aspiring criminals can buy access and components – sometimes with a monthly subscription comparable to a streaming movie service. While in many ways this makes life easier for cybercriminals, there’s a silver lining for defenders: Less sophisticated cybercriminals can often be stopped by following best practices and consistently introducing basic roadblocks. In the second installment of this two-part series, I cover how reinvesting in the fundamentals and being sure to use a defense in depth strategy can ensure that rookie cybercriminals looking for a quick payout have a very frustrating day when they encounter your network.
In no particular order, I've listed a few areas that I believe are good jumping-off points to start conversations in your organization about defense in-depth strategies.
Keeping attackers out – and limiting what they can do if they do get in – is a great place to start. If we objectively look at how compromises occur most predominantly these days, it's typically through the use of legitimate credentials or tricking users into running malware directly via phishing. Exploitation of vulnerabilities as an initial vector into organizations is usually less than ideal given how easy it is to get access through the human side of things. However, if the attackers do leverage exploits, they find it exponentially more difficult to continue lateral movement and navigate the internals of your network without credentials. This is where we can view every account and authentication point as potential roadblocks to hinder or slow attackers.
While these roadblocks will help, they become even more effective when you combine them with auditing and aggressive monitoring for usage anomalies – but the benefits of proactive security are a separate discussion.
A singular truism exists in every cyberattack, which is that there must be an entry point. Within the context of our digital lives, this entry point is usually accessible through internet-connected systems. As such, building successful roadblocks here will be to know what is actually exposed. What is your digital footprint on the internet, and what types of connectivity does it offer?
Due to the global COVID-19 pandemic, remote work has taken off and companies have rushed to situate themselves in a way that facilitates supporting employees who now unexpectedly find themselves working from home. This has increased the opportunity for threat actors to take shots at VPNs and remote access solutions as a quick way into the internal network. But what about the webserver you migrated from six years ago but never got around to retiring? You don't know what you don't know, so making sure you have a good, frequently updated assessment of your network perimeter is key to reducing the attack surface. Breaking it down into exposed services and remote access opportunities helps prioritize where you can implement more robust controls.
Vulnerabilities are being weaponized at a record pace these days, and the game of whack-a-mole with patches continues unabated. Sometimes even before patches are released, just the announcement of the vulnerability and breadcrumbs on social media are enough to create the exploits. This makes this one of the hardest "back to basics" guidance there is. Still, the bottom line is that attackers have only become more efficient in their rapid exploitation of vulnerabilities, while most organizations continue to stagnate with unpatched environments.
Closing these holes makes the attacker’s life more difficult. It places the onus back on the attackers to be clever and crafty enough to circumvent these roadblocks without the use of vulnerability exploitation, removing a strong tool from their arsenal.
I'm a firm believer in the power of segmentation, both logically and physically, as it creates a distinct boundary for access controls and monitoring. In the context of this article, network segmentation would be barriers between things like end users and data center servers, whereas microsegmentation would be logical barriers between things such as SAN servers and database servers. At its core, this is just another foundational concept – Zero Trust.
By creating roadblocks that restrict the traversal of network traffic from all directions (West to East, North to South) and coupling this with other security controls, you are better positioned to create the roadblocks that severely hamper less technical threat actors.
My hope is that this article serves in some capacity to be a catalyst for taking a step back and trying to identify what proactive roadblocks you can construct when it comes to defending your networks and data. RaaS is here to stay, and the lessons learned through its evolution will be an example to cybercriminals on the commoditization of every aspect of cyberattacks. The silver lining is that we'll likely see the technical sophistication of threat actors decrease while the refocusing of our defensive efforts on core security concepts, such as defense in depth, will provide a higher return on investment in the long run.
Learn more about making a plan for defending against ransomware attacks.
Jeff White is a principal threat researcher for the Unit 42 Threat Intelligence team. This is the second of a two-part series on ransomware as a service.