Ransomware Detection and Mitigation in 2017
With near-unanimous agreement among the InfoSec authors of 2017 security predictions, ransomware will continue to grow as the number-one cyber threat that businesses encounter and are forced to respond to this year. As predictions go, the Oracle of Delphi of legend would likely summarize it as “ditto”.
Technologically speaking, the ransomware threat is already a solved problem. Yet the threat and its impact on business is predicted to grow. How so?
The primary (and overlapping) detection and mitigation technologies for successfully combating ransomware include:
Host-based behavioral threat detection
Host-based application whitelisting
Network-based behavioral threat detection
Network-based dynamic malware analysis
Network-based anomaly detection systems
ACL and NAC enforcement
Automated file backup and recovery systems
Automated host reimaging and data recovery processes
Canary host, share, and file detection systems (see a previous post – “Canary in the ransomware mine”)
Each of these detection and/or mitigation approaches brings certain pros and cons to handling ransomware, ranging from preventing ransomware from being installed on a vulnerable host, through detecting and blocking the anomalous network traffic associated with the ransomware, and on to automatic remediation (without the need to pay a ransom).
Unfortunately no single stand-alone approach covers the breadth of threat that businesses need to mitigate. Host-based behavioral threat detection tooling can prevent a corporate-managed laptop or host from being infected with ransomware, but will do nothing to prevent open shares within the corporate network from being encrypted by an unmanaged visitor’s laptop or BYOD device. Likewise, network-based anomaly detection systems (using full packet inspection and machine learning) can identify hosts that are compromised and trying to find network shares to encrypt, but do nothing to prevent the host from being compromised in the first place.
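The canary share-and-file approach from the list above is the one that closes the unmanaged-laptop gap just described: it watches the share itself, so it fires regardless of whether the encrypting host runs any agent. The following is an added example written for this page, not code from the original post or from the earlier “Canary in the ransomware mine” post it references. It assumes a temporary directory standing in for the share, two canary file names chosen to sort first and last in a directory listing, and a constructed XOR-and-rename stand-in for the ransomware itself.

```python
"""Canary-file detection on a network share (added example, not the post's own code).

Assumptions (not from the post): the share is a temporary directory on the local
machine, canary names are chosen to sort first and last in a directory listing,
and ransomware is represented by a constructed XOR-and-rename stand-in.
"""
import hashlib
import os
import tempfile
from pathlib import Path

# Names chosen to sort first and last: ransomware that walks a directory in
# listing order touches these before (or right after) the real documents.
CANARY_NAMES = ["000_canary.docx", "zzz_canary.xlsx"]  # assumed names


def sha256_file(path: Path) -> str:
    """Hex SHA-256 of a file's contents."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def seed_canaries(share_root: Path) -> dict[str, str]:
    """Drop canary files into the share and return a {name: sha256} baseline.

    Random content means no legitimate process has a reason to read, edit
    or rename them, so any change is a high-confidence signal.
    """
    baseline = {}
    for name in CANARY_NAMES:
        p = share_root / name
        p.write_bytes(os.urandom(4096))
        baseline[name] = sha256_file(p)
    return baseline


def check_canaries(share_root: Path, baseline: dict[str, str]) -> list[str]:
    """Compare the share against the baseline; return one alert per finding.

    Three ransomware behaviours are covered: in-place overwrite (hash
    mismatch), delete (file missing) and rename with an appended extension
    (a new file whose name starts with a canary name).
    """
    alerts = []
    for name, digest in baseline.items():
        p = share_root / name
        if not p.exists():
            alerts.append(f"canary missing: {name}")
        elif sha256_file(p) != digest:
            alerts.append(f"canary modified: {name}")
    for p in share_root.iterdir():
        for name in baseline:
            if p.name != name and p.name.startswith(name):
                alerts.append(f"canary renamed: {p.name}")
    return alerts


def simulate_ransomware(share_root: Path, key: int = 0x5A) -> None:
    """Constructed stand-in for ransomware: XOR every file and append .locked.

    Real families use proper ciphers; the XOR is only here so the example
    runs offline and leaves the share in the same state a real encrypter
    would (original names gone, new suffixed files with different bytes).
    """
    for p in list(share_root.iterdir()):
        if p.is_file():
            data = bytes(b ^ key for b in p.read_bytes())
            p.with_name(p.name + ".locked").write_bytes(data)
            p.unlink()


def demo() -> tuple[list[str], list[str]]:
    """Run the monitor before and after the simulated attack.

    Returns (alerts_on_clean_share, alerts_after_attack).
    """
    with tempfile.TemporaryDirectory() as tmp:
        share = Path(tmp)
        (share / "budget.xlsx").write_bytes(b"quarterly figures")  # constructed
        baseline = seed_canaries(share)
        before = check_canaries(share, baseline)
        simulate_ransomware(share)
        after = check_canaries(share, baseline)
    return before, after


if __name__ == "__main__":
    before, after = demo()
    print("clean share:", before)
    print("after attack:\n  " + "\n  ".join(after))
```

Two deployment points follow from the design. The baseline must be stored off the share, since anything with write access to the share (which is exactly the adversary here) could otherwise rewrite it. And a hit should feed the containment layer the post lists rather than just a ticket: the file server's open-session list names the client that touched the canary, and that address is what an ACL or NAC rule needs in order to cut the encrypter off the share.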
The reason for ransomware continuing to be a threat in 2017 has little to do with advancements made by the cyber criminals behind the attacks and much more to do with the complexities of simultaneous coverage of all intrusion and propagation scenarios within an enterprise network. Today’s threat detection and mitigation technologies are designed to operate independently as “sole contributors” to the overall health and wellbeing of the network.
Sadly, the tooling necessary to bring all these detection and mitigation pieces together is (generally) poor, complex to configure, and resource-intensive to maintain. Vendor marketing material may describe in flourishes how effortless integration can be, with feeds, APIs, and alerting coming together like Lego. The reality for most organizations, however, is more akin to trying to get Lego, Duplo, Meccano, and wooden blocks to stick together long enough to construct a bridge that will carry the weight of a toddler across a carpeted floor.
The solution to successfully combating ransomware within the enterprise in 2017 is little different from what it was last year. However, incremental advances in machine learning, and its incorporation into threat aggregation “glue” technologies (e.g. SIEMs, Managed Security Service Providers (MSSPs), automated analyst expert systems, etc.), will see several of the gaps between detection and mitigation tooling close a little further; the closure will be modest, but its impact will be meaningful.
Organizations that have traditionally farmed out the daily management, monitoring, and first-line alert response of the security devices that constitute their layered defenses to external MSSP operators will likely reap the earliest benefit from these newer machine learning advancements. Because ransomware attacks can be detected and contained using only a subset of traditionally deployed security technologies, MSSPs are in a prime position to bring those pieces together efficiently using their own in-house glue.
In many ways 2017 could be the year that redefines the MSSP industry. With the ransomware threat front-of-mind for many business executives and company board members, MSSPs that manage to couple together the appropriate layers of customer defenses and automatically mitigate the propagating threat will quickly validate the value they bring.
Hearts and minds will be further won with the inclusion of warranties that back their anti-ransomware capabilities.
-- Gunter Ollmann, Founder/Principal, Ablative Security