Today Ransomware[1] is still the most impactful type of attack a business must endure, and despite businesses continuing to invest in cybersecurity (84% last year[2]), nearly half felt they still weren't prepared for the next attack. One of the dangers is that Ransomware is no longer just that: we now see attacks leveraging the broadest scope of methods to gain access. Once access is achieved, the attackers look to maximise their revenue. The scope now goes beyond a simple smash and grab to Ransomware attackers who take weeks or months mapping the infrastructure and analysing data to understand its unique value for release and extortion.
Can you keep up?
To put it simply, defending against Ransomware is not easy. Typically in Europe, we see attacks happen around 20:00 Central European Time. This could be down to the time-zone gap between where the adversary is based and the target, or to the adversary's realisation that many businesses only have a security team functioning during typical 9-5 office hours. The point remains that every business requires constant monitoring to minimise the impact of attacks, especially given the use of cloud infrastructure, collaboration tools and the work-from-anywhere model.
Evolving Your Cybersecurity Strategy
There are various cybersecurity risk evaluation frameworks available, such as Cyber Essentials, the NIST Cybersecurity Framework, ISO 27001 (a standard) and the CIS Controls. Businesses should use these to establish a framework that best aligns with their current cybersecurity posture and work on implementing the procedures to better defend their organisation. Prefer to utilise the services of specialised organisations to conduct these assessments? Read more on Security
Fortunately, a number of these frameworks have specific guidelines around Ransomware. NIST, for example, breaks the strategy into seven distinct steps under three areas: protect, respond and recover. Cybereason advocates that every business should test their capabilities at least once a year, and consider the metrics of success behind these tests.
At Cybereason we provide unique ways to help you deliver top-tier metrics of success against Ransomware: a service level objective of 1 minute to find an attack, 5 minutes to triage and 30 minutes to instigate full remediation (1-5-30), with 24x7x365 recovery through our Managed Detection and Response service.
See how we achieve this and find out what requirements you should consider for your business below.
Prevention:
Quick detection and protection rely on a layered approach. As Ransomware evolves, so must cybersecurity. One of the most fundamental steps is checking that your endpoint security is evolving at pace. For example, we encourage you to review industry benchmarking such as MITRE testing[3] on a regular basis.
To give you a benchmark, Cybereason leverages 9 layers of protection in its endpoint protection, three of which have been added in the last year as attacks evolve.
1. Behavioural Execution Prevention: "Block living-off-the-land techniques"
2. Variant Payload Prevention: "Vaccinate against variations of malicious payloads, like Cobalt Strike and Emotet" – Monitors the code being loaded into memory and uses Binary Similarity Analysis (BSA) technology and near-match analysis to identify and block obfuscated code exhibiting characteristics of a known malicious payload.
3. Predictive Ransomware Protection: "Block encryption and restore files" – Although the previous prevention layers block almost all Ransomware activity, this final layer of protection ensures more sophisticated Ransomware behaviour is identified and prevented from inflicting damage.
Response
Arguably the hardest part. What happens when an attacker manages to gain a foothold in your organisation? As EDR tools often provide very technical insights that require significant expertise to use, ensure you utilise solutions that allow your team to follow the insights and the next course of action provided regarding an attack. Cybereason has a unique way to help security staff do this: the Malicious Operation (MalOp™).
The MalOp™ is the realisation of Cybereason's operation-centric approach, which presents the complete picture of an attack rather than overwhelming analysts with piecemeal alerts. At the core of the Cybereason technology is a highly advanced data analytics platform known as the Cross-Machine Correlation Engine, which analyses massive amounts of data automatically and rapidly to provide users with a comprehensive view (the MalOp™). The core benefit of this system is visibility, which gives you the ability to out-think the attacker and respond faster, thereby ensuring the 1-5-30 response objective.
Guided & Automated Response
As most attacks are likely to occur outside business hours, and skill shortages are common, round-the-clock detection and response may be difficult. Because of this, we cover the gap through Managed Detection and Response (MDR), providing 24/7 monitoring, proactive tuning and hunting, reporting and further security add-ons per use case.
What makes our MDR different? The use of the MalOp Severity Score (MOSS), which is an aggregate of three key components from every MalOp™, from which a criticality score is generated to determine what actions are taken next:
● MalOp Behavior: Maps the MalOp™ to the MITRE ATT&CK Framework and assesses the extent of the attack.
● Expert Analysis: Conducts root cause triage verification, actor attribution, and possible impact evaluations.
● Customer Criticality: Adjusts the score based on the criticality of assets and their recoverability.
Where you have staff online, guided remediation allows them to engage with Cybereason experts so that staff are clear on what has happened, understand why the remediation steps are suggested, and are comfortable implementing them. Automated remediation also allows the managed services team, under pre-agreed terms, to take action on your behalf when staff aren't available.
While endpoint monitoring is critical, today's networks consist of several integrations that transmit data both ways, thus widening the entry points for malware. The capabilities of MDR can be extended by utilising eXtended Detection and Response (XDR). XDR works by fusing varied telemetry sources into visual attack stories (MalOp™), ensuring unified visibility, the uncovering of malicious activity that often gets lost in the noise, and the ability to respond to threats in as little as 30 minutes.
To summarise, building cyber resilience is not easy; however, it can be initiated and improved on by strengthening your preventive controls, enhancing your detection and response, and finally testing your defences using internal or external teams where possible.