Today ransomware [1] is still the most impactful type of attack a business must endure, and despite businesses continuing to invest in cybersecurity (84% did so last year [2]), nearly half felt they still were not prepared for the next attack. One of the dangers is that ransomware is no longer just ransomware: attacks now leverage the broadest scope of methods to gain access, and once access is achieved the attackers look to maximise their revenue. The scope now goes beyond a simple smash and grab to ransomware operators who take weeks or months mapping the infrastructure and analysing data to understand its unique value for release and extortion.

The True Cost of Ransomware [2]

Can you keep up?

To put it simply, defending against ransomware is not easy. In Europe we typically see attacks begin around 20:00 Central European Time. This may be down to the timezone in which the adversary is based, or to their realisation that many businesses only have a security team functioning during typical 9-5 office hours. The point remains that every business requires constant monitoring to minimise the impact of attacks, particularly given the use of cloud infrastructure, collaboration tools and work-from-anywhere practices.

Evolving Your Cybersecurity Strategy

There are various cybersecurity risk evaluation frameworks available, such as Cyber Essentials, the NIST Cybersecurity Framework, ISO 27001 (a certifiable standard) and the CIS Controls. Businesses should use these to establish a framework that best aligns with their current cybersecurity posture and work on implementing the procedures to better defend their organisation. Prefer to use the services of a specialised organisation to conduct these assessments? Read more on Security Posture Assessment.

Fortunately, a number of these frameworks have specific guidance around ransomware. NIST, for example, breaks the strategy into seven distinct steps under three areas: protect, respond and recover. Cybereason advocates that every business should test these capabilities at least once a year, and consider the metrics of success behind them.

At Cybereason we provide unique ways to help you deliver top-tier metrics of success against ransomware: a service level objective of 1 minute to find an attack, 5 minutes to triage and 30 minutes to instigate full remediation (1-5-30), together with 24x7x365 recovery through our Managed Detection and Response service.

See how we achieve this and find out what requirements you should consider for your business below.


Prevention:

Quick detection and protection rely on a layered approach. As ransomware evolves, so must cybersecurity. One of the most fundamental steps is checking that your endpoint security is evolving at pace; for example, we encourage you to review industry benchmarking such as MITRE testing [3] on a regular basis.

To give you a benchmark, Cybereason leverages 9 layers of protection in its endpoint protection, three of which have been added in the last year as attacks have evolved:

1. Behavioural Execution Prevention: blocks living-off-the-land techniques.

2. Variant Payload Prevention: vaccinates against variations of malicious payloads such as Cobalt Strike and Emotet. It monitors the code being loaded into memory and uses Binary Similarity Analysis (BSA) and near-match analysis to identify and block obfuscated code exhibiting the characteristics of a known malicious payload.

3. Predictive Ransomware Protection: blocks encryption and restores files. Although the previous prevention layers block almost all ransomware activity, this final layer ensures that more sophisticated ransomware behaviour is identified and prevented from inflicting damage.

Response

Arguably the hardest part: what happens when an attacker manages to gain a foothold in your organisation? EDR tools often provide very technical insights that require significant expertise to use, so ensure you utilise solutions that allow your team to follow the insights and the next course of action provided for an attack. Cybereason has a unique way to help security staff do this: the Malicious Operation (MalOp™).

The MalOp™ is the realisation of Cybereason's operation-centric approach, which presents the complete picture of an attack rather than overwhelming analysts with piecemeal alerts. At the core of the Cybereason technology is a highly advanced data analytics platform known as the Cross-Machine Correlation Engine, which analyses massive amounts of data automatically and rapidly to provide users with a comprehensive view (the MalOp™). The core benefit of this system is visibility, which gives you the ability to out-think the attacker and respond faster, thereby meeting the 1-5-30 response objective.

Guided & Automated Response

As most attacks are likely to occur outside business hours, and given skill shortages, round-the-clock detection and response may be difficult. Because of this, we cover the gap through Managed Detection and Response (MDR), providing 24/7 monitoring, proactive tuning and hunting, reporting and further security add-ons per use case.

What makes our MDR different? The use of the MalOp Severity Score (MOSS), which aggregates three key components from every MalOp™ into a criticality score that determines what actions are taken next:

● MalOp Behavior: maps the MalOp™ to the MITRE ATT&CK framework and assesses the extent of the attack.

● Expert Analysis: conducts root-cause triage verification, actor attribution and possible-impact evaluation.

● Customer Criticality: adjusts the score based on the criticality of the affected assets and their recoverability.

Where you have staff online, guided remediation lets them engage with Cybereason experts so that they are clear on what has happened and why the remediation steps are suggested, and are comfortable implementing them. Automated remediation allows the managed services team, under pre-agreed terms, to take action on your behalf when staff are not available.

While endpoint monitoring is critical, today's networks consist of several integrations that transmit data in both directions, widening the entry points available to malware. The capabilities of MDR can be extended with eXtended Detection and Response (XDR). XDR works by fusing varied telemetry sources into visual attack stories (MalOps™), ensuring unified visibility, uncovering malicious activity that often gets lost in the noise, and enabling a response to threats in as little as 30 minutes.

To summarise, building cyber resilience is not easy; however, it can be initiated and improved by strengthening your preventive controls, enhancing your detection and response, and finally testing your defences using internal or external teams where possible.