Ransomware Prevention: DEF CON 29 Takeaways
ProCircular’s Aaron Heikkila is an Incident Response (IR) Specialist with broad experience across the many domains of IT. His years of hands-on work in the field inform his approach to IR investigations. To Heikkila, recovery is more important than attribution. While fear and panic push us to place blame, he prioritizes identifying, containing, and remediating malicious activity over determining culpability.
DEF CON 29
I’ve attended DEF CON almost every year since 2014. Although I enjoyed the socialization and after-hours aspect of the conference, I made the trip because continuously learning about the industry is the only way to keep pace with attackers. I’m a firm believer that knowledge is power, and sharing information with other industry professionals is critical to contending in the ever-changing and sometimes turbulent cybersecurity landscape. During my visit, I focused primarily on defensive security topics, especially IR and Ransomware panels.
Normally, what happens in Vegas stays in Vegas, but I’m happy to bring these main takeaways to ProCircular and our community. For more detailed information on these topics, visit the DEF CON official YouTube page to watch the recorded presentations.
Ransomware is an extortion technique that is becoming more prevalent among online attackers. During a ransomware attack, the malicious actor finds a path into the network and uses that access to steal or encrypt critical business information. The attacker then contacts the victim organization and demands payment in exchange for the key to unlock its own data.
These interactions are riskier than other cyberattacks because there is no guarantee that the malicious party will cooperate. There is also no cap on the amount they can demand, and ransom payments have been steadily increasing, to an average of $570K in the first half of 2021, an 82% increase over 2020. Additionally, experts expect the total amount paid to these attackers to rise 200-300% every year. As ransoms grow, finding a solution to ransomware attacks becomes more pressing. The experts are somewhat divided, presenting several varied perspectives on how to deal with the increasing threat.
No Justice Abroad
As covert as these criminal organizations are, you might be surprised by the amount of information we have on them. The FBI knows of several operations that run out of foreign countries. Russia, for example, will not give out any information or let the United States get involved in criminal investigations. This lack of cooperation has made Russia a roadblock to combating organized cyberattacks on a global scale. Since we are limited in our ability to stop attacks at the source, industry professionals are turning their attention to hardening cybersecurity in the USA.
Hardening at Home
Not only do we know who is orchestrating these attacks, but we also know how they are getting into the networks. The majority of today’s attacks are relatively simple and opportunistic. Professional ransomware attackers have the capacity to scan the internet at scale and identify low-hanging fruit. We have easy and well-known preventative solutions to these vulnerabilities, like removing users’ local administrator privileges or implementing multi-factor authentication (MFA). To combat the increasing financial loss, some cybersecurity insurance companies are requiring their clients to enforce these protections in order to maintain their coverage. Still, not all companies comply with these basic security requirements, and those that don’t put themselves at risk of attack. Performing an annual penetration test or cybersecurity risk assessment can help identify and close those vulnerabilities before they are found by the bad guys.
Information is Power
As I mentioned before, knowledge is power. All the ransomware panelists agreed that the industry's turbulence today is due in part to a failure of information sharing. In an actual breach scenario, several areas of the organization must be involved, and occasionally the information is never consolidated after the fact. In some cases, lawyers keep incident details close to the chest to limit liability, or executives brush details under the rug. However, these practices leave us unprepared for the almost inevitable next attack. There’s a missed opportunity to capture lessons learned and fortify defenses before it arrives. Technical staff need a full picture of security posture and risks to work effectively. More sharing is always good and helps empower security engineers to defend their network.
Tomorrow Started Yesterday
The path to recovery starts with prevention. As hard as it is to believe, implementing basic cyber hygiene practices could save businesses billions and billions of dollars every year. There is no one-size-fits-all model for securing a network, but enforcing recommended Standards of Care is a great place to start. Additionally, practice makes perfect, and rehearsing a mock incident scenario could help your team be more prepared in an emergency. Mock incidents can focus on administrative recovery efforts (tabletop exercise) or the technical side of recovery (simulation tools like Racketeer).
Contact ProCircular to start hardening your cybersecurity posture and preparing for cyber incidents. Penetration Tests, Cybersecurity Risk Assessments, and Incident Response Tabletop Exercises can help you gather information about your organization’s weaknesses and start hardening them.