Good backups are not the solution to ransomware. Restoring from backup takes time – time when your business is in limbo because it shut down operations out of “an abundance of caution.” (An abundance of caution that is too little, too late in many cases.) Backups are taken at intervals, so everything written since the last good backup is lost. Backups are themselves a target: unless a copy is kept offline or immutable, the attacker will encrypt or delete them before detonating, leaving valuable data unrecoverable. And good backups provide no protection at all against double extortion, where the attacker threatens to leak your data if you don’t pay. Backups need to be considered a last resort.
Paying the ransom isn’t a solution either, because you still have to decrypt all of that data with the attacker’s tool. That takes time, may not recover everything, or may not work at all. In the case of Colonial Pipeline, decryption was so slow that they restored from their backups even after paying the ransom.
Really, the only true defense against ransomware is prevention combined with early detection and response. Beyond that you need a well-rehearsed recovery procedure that is as fast and as complete as possible, which means automated and secured against the attacker. Fast recovery is a topic for another day. For many organizations prevention requires redesigning the network and rethinking security priorities – lots of rip-and-replace cost and a level of management support that has yet to materialize at most organizations I talk to. So, for now: how do you know where to spend your limited resources to detect ransomware early enough to prevent Impact (MITRE ATT&CK Tactic TA0040)?
In this real training for free session, we’ll use MITRE ATT&CK as a guide for answering that question. We’ll look at the tactics an attacker must complete before reaching Impact, the stage where files are encrypted and the ransom note appears. Then we’ll explore key techniques associated with each of those tactics. The prerequisite tactics include:
- Reconnaissance
- Resource Development
- Initial Access
- Execution
- Persistence
- Privilege Escalation
- Defense Evasion
- Credential Access
- Discovery
- Lateral Movement
- Collection
- Command and Control
- Exfiltration
Attackers don’t necessarily have to employ each of these tactics before they can get to Impact but they always use some of them and each tactic provides detection opportunities. They can’t accomplish any of these tactics without making some noise. But are you listening?
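To make the “are you listening?” question concrete, here is a small added example (mine, not code from the page or from LogRhythm/MistNet) that does two things with a constructed alert stream and a constructed rule catalogue: it flags hosts on which several distinct pre-Impact tactics fire within a short window, which is the moment to interrupt the chain, and it lists the pre-Impact tactics that no detection rule is mapped to, which is where limited resources should go first. The hostnames, timestamps, rule names and alert summaries are all made up for the example; the tactic IDs are the ATT&CK Enterprise IDs for the tactics listed above.

```python
"""Correlate alerts by ATT&CK tactic to find hosts accumulating pre-Impact
ransomware tradecraft, and list tactics with no detection coverage.
Added example with constructed data; not LogRhythm/MistNet code."""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# ATT&CK Enterprise tactic IDs for the prerequisite tactics; Impact is TA0040.
PRE_IMPACT_TACTICS = {
    "TA0043": "Reconnaissance",
    "TA0042": "Resource Development",
    "TA0001": "Initial Access",
    "TA0002": "Execution",
    "TA0003": "Persistence",
    "TA0004": "Privilege Escalation",
    "TA0005": "Defense Evasion",
    "TA0006": "Credential Access",
    "TA0007": "Discovery",
    "TA0008": "Lateral Movement",
    "TA0009": "Collection",
    "TA0011": "Command and Control",
    "TA0010": "Exfiltration",
}

# Constructed alert stream (hypothetical hosts and times).
# Format: timestamp|host|tactic|technique|summary
SAMPLE_ALERTS = """\
2024-05-01T09:58:04Z|ws-017|TA0001|T1566.001|Macro-enabled attachment opened
2024-05-01T09:59:30Z|ws-017|TA0002|T1059.001|Encoded PowerShell command line
2024-05-01T10:04:12Z|ws-017|TA0006|T1003.001|LSASS memory read by non-system process
2024-05-01T10:09:45Z|ws-017|TA0007|T1018|Burst of SMB/RPC connections to many hosts
2024-05-01T10:15:02Z|ws-017|TA0008|T1021.002|Admin share write to fs-01
2024-05-01T10:20:40Z|fs-01|TA0003|T1053.005|New scheduled task running from ProgramData
2024-05-01T10:31:00Z|fs-01|TA0005|T1562.001|Real-time protection disabled
2024-05-01T08:10:00Z|ws-042|TA0007|T1087.002|Domain group enumeration by helpdesk account
2024-05-01T14:22:00Z|ws-042|TA0002|T1059.003|cmd.exe spawned by Office
"""

# Constructed detection-rule catalogue: rule name -> tactic it is mapped to.
RULE_CATALOG = {
    "Phishing attachment executed": "TA0001",
    "Encoded PowerShell": "TA0002",
    "Scheduled task from user-writable path": "TA0003",
    "AV tampering": "TA0005",
    "LSASS access": "TA0006",
    "Remote system discovery burst": "TA0007",
    "Admin share lateral movement": "TA0008",
    "Mass file rename / encryption": "TA0040",
}


def parse_alerts(text):
    """Parse the pipe-delimited alert lines into dicts with UTC datetimes."""
    alerts = []
    for line in text.strip().splitlines():
        ts, host, tactic, technique, summary = line.split("|", 4)
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        alerts.append({"time": when, "host": host, "tactic": tactic,
                       "technique": technique, "summary": summary})
    return alerts


def staged_hosts(alerts, window_hours=2, min_tactics=3):
    """Return {host: sorted tactic IDs} for every host on which at least
    `min_tactics` distinct pre-Impact tactics fired inside some span of
    `window_hours`. Alerts already tagged Impact are ignored here: by then
    the question is response, not early detection."""
    window = timedelta(hours=window_hours)
    by_host = defaultdict(list)
    for a in alerts:
        if a["tactic"] in PRE_IMPACT_TACTICS:
            by_host[a["host"]].append(a)
    flagged = {}
    for host, events in by_host.items():
        events.sort(key=lambda a: a["time"])
        best = set()
        # Slide the window so that each alert in turn is its end point.
        for i, end in enumerate(events):
            span = {a["tactic"] for a in events[: i + 1]
                    if a["time"] >= end["time"] - window}
            if len(span) > len(best):
                best = span
        if len(best) >= min_tactics:
            flagged[host] = sorted(best)
    return flagged


def uncovered_tactics(catalog):
    """Pre-Impact tactics that no rule in the catalogue is mapped to, in
    kill-chain order: these are the stages where an intruder makes noise
    that nobody is listening for."""
    covered = set(catalog.values())
    return [(tid, name) for tid, name in PRE_IMPACT_TACTICS.items() if tid not in covered]


if __name__ == "__main__":
    parsed = parse_alerts(SAMPLE_ALERTS)
    for host, tactics in staged_hosts(parsed).items():
        print(f"{host}: {len(tactics)} distinct pre-Impact tactics -> {tactics}")
    for tid, name in uncovered_tactics(RULE_CATALOG):
        print(f"no detection rule mapped to {tid} {name}")
```

In the sample data only ws-017 crosses the default threshold, with five tactics in under twenty minutes; fs-01 has two and ws-042 has two that are six hours apart, so the window matters as much as the count. The coverage check reports Reconnaissance and Resource Development as gaps too, which is expected, since those mostly happen outside your network; the actionable gaps in the constructed catalogue are Privilege Escalation, Collection, Command and Control and Exfiltration, the last three being exactly the stages that precede double extortion.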
Mike McGinnis, Senior Sales Engineer at LogRhythm, will then show how the MistNet NDR MITRE ATT&CK™ Engine makes network threat hunting easier.
Please join us for this real training for free session.