Ransomware: A Report from the Frontlines
Ransomware: A Report from the Frontlines
Phishing is the number one delivery vehicle for ransomware.
The motive behind this is that phishing emails are easy to send and lead to a faster return on investment (ROI). Phishing, as part of social engineering schemes, lures victims into executing actions without realizing the malicious drive. The less aware the targeted user is, the more fruitful the attack. Likewise, in case of targeted attacks, phishing emails are created to look like they come from a trustworthy sender, but link to or contain malicious content that executes as soon as users click it, encrypting their data and asking for the ransom.
Sophisticated phishing attacks are harder to detect by nature and sometimes even careful users can still fall into the trap.
Recent Examples from the Frontlines
1) Client A:
a. Client A has eighty-seven employees, all employees received an email stating that their Outlook mailbox was full. This was a fake Phishing email designed to capture user’s login information. The malformed URL (firstname.lastname@example.org) the email originated from should have been a huge red flag. Unfortunately, their employees were not well informed about Phishing attacks. Of the eighty-seven employees twenty-seven clicked the email and their login information was compromised.
We had to take the following mitigation steps and more:
b. Recreate twenty-seven user accounts on Office 365.
c. Increase password length from nine characters to 15-character Passphrases for all employees.
d. Increase privileged accounts password length to at least 27 characters.
e. Cybersecurity awareness training for all employees.
f. Recommend Data Loss Prevention and Privileged Account Management software and strategy.
2) Client B
a. Client B has over four hundred employees, their Accounts Payable department received an email with an invoice for $3,999.00 form a supposed IT vendor. To make a long story short, 4 months and $16,000.00 later they realized their error. This was not just a Phishing problem but also an organizational process issue.
b. Mitigation efforts were two-fold including Business Process modeling and implementing some immediate cybersecurity migration practices.
c. Cybersecurity awareness training for all employees.
3) At a Former Employer
where I was EVP of Information Security and CIO, I was constantly championing for employee training. Not just for cybersecurity awareness training but also basic Windows and Microsoft Office training. My reasoning was two-fold. We had a department that was overwhelming my help desk team with considerable basic issues. For instance, one of the most frequent help tickets was “My Outlook disappeared”. We pinned Outlook to the task bar to all new employee’s PCs. Some would accidently unpin it from the task bar and then were unable to find Outlook and pin it to the task bar. I believe basic windows and Office skills make cybersecurity awareness training more effective. I would get constant pushback from other Executives and Human Resources stating that it would reduce our applicant pool. I would explain to them this is not a punitive measure but a skill assessment measure. I believe everyone deserves opportunity; some will just need a little extra training. I was able to successfully implement a full-blown cybersecurity awareness training program. Alas, there is still no basic Windows and Office training in place.
Mitigation Best Practices
If you cannot see it, you cannot protect it.
For security teams operating in today’s environment, visibility and speed are critical for blocking attackers that have the capability and intent to steal data and disrupt operations. Security teams must understand that it is their responsibility to secure their cloud environments, just as they would on-premises systems. They must establish consistent visibility for all environments and proactively address potential vulnerabilities before attackers can leverage them.
Protect identities and access.
Organizations must consider multifactor authentication (MFA) on all public-facing employee services and portals as mandatory. In addition to MFA, a robust privilege access management process will limit the damage adversaries can do if they get in and reduce the likelihood of lateral movement.
Finally, Zero Trust solutions should be implemented to compartmentalize and restrict data access, thus reducing the potential damages from unauthorized access to sensitive information.
Invest in expert threat hunting.
Interactive attacks use stealthy or novel techniques designed to bypass automated monitoring and detection. Continuous threat hunting is the best way to detect and prevent sophisticated or persistent attacks.
Get ahead of attackers with threat intelligence.
There is a human being behind every attack. Threat intelligence helps you understand an attacker's motivation, skills, and tradecraft so you can use this knowledge to your advantage to prevent, and even predict, future attacks.
Make sure you have a current cybersecurity policy that accounts for remote workers.
Security policies need to include access management for remote workers, the use of personal devices, and updated data privacy considerations for employee access to documents and other information.
Create a culture of cybersecurity.
While technology is clearly critical in the fight to detect and stop intrusions, the end user remains a crucial link in the chain to stop breaches. User awareness programs should be initiated to combat the continued threat of phishing and related social engineering techniques.
Strive to make your “Human Firewall” and effective and integral part of your organization’s overall cybersecurity efforts.
Cybersecurity is also Human security. There is an old saying “There is nothing wrong with being Paranoid, if your right about it”.