Ransomware continues to evolve in new and dangerous ways. The latest twist in ransomware negotiating tactics is based on whether or not knowledge of an organization’s cyber insurance was known, according to a recent news report.
As ransomware has emerged, entirely new cottage industries are being created to support the execution and defense of such attacks. One of the most interesting things about the ransomware trend is that we’re seeing capitalist-style innovations applied by adversaries. This creates added complexity for the many organizations that are already treading water in regulatory compliance, defending against cybersecurity scenarios they know about, digital transformations, and more.
Market Evolutions in Ransomware
There have been several organizational evolutions under the broad umbrella of adversary activity typically referred to as ransomware. They include:
- Development of “as a service” delivery models for ransomware tooling to lower the barrier to entry
- Evolution of negotiation tactics based on insurance dynamics to optimize potential payouts
- Packaging of phishing-as-a-service payload delivery models to orchestrate and scale attacks
- Selling of stolen or scraped data to inform targeted interactions with potential victims
Each of these tactics has a parallel in business today, which organizations use to deliver value, drive down cost, and innovate faster. For example, we have “X as a service” business models, outsourced customer support operations, and consumer data platforms (CDPs) to drive targeted customer interactions.
When we use such business and technology processes for good, it’s celebrated. But when they’re used against us, it’s alarming.
Defender Opportunity
Integration and Orchestration
As adversaries continue to embrace innovations of all sorts to advance their craft and objectives, defense-oriented innovation needs to keep up. One area of significant opportunity is actively integrating solutions together. For example:
- Deception platforms that create active-defense decoys for common ransomware or endpoint exploitation scenarios.
- Integration with endpoint detection and response (EDR) solutions to ensure that ransomware is blocked or sandboxed for analysis if a decoy is triggered. Context can be shared across these solutions.
- Pass along context to initiate scans across a monitoring environment for any signs consistent with the system or email metadata where a decoy was triggered. Wherever patterns are found, instrument the appropriate EDR solution to take a blocking or quarantine action.
- Instrument email and firewall rules to quarantine any inbound or existing emails from the source of the ransomware payload to minimize potential spread to other users.
- Gather metrics across the environment to determine the possible impact and inform executive-level reporting.
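As an added illustration of the decoy-to-EDR-to-mail handoff sketched in the list above (example code written for this article, not from the original post or any vendor product): a small Python playbook takes one decoy alert, searches EDR process telemetry and mail-gateway records for the same process hash and sender, and emits the isolation/quarantine actions plus the impact metrics. The event fields, log records and action names are all constructed assumptions; a real deployment would replace them with each product's REST schema.

```python
"""Minimal decoy-trigger orchestration playbook (constructed example)."""

# Constructed alert from a deception platform: a decoy file was executed.
DECOY_EVENT = {
    "host": "fin-ws-07",
    "process_sha256": "deadbeef01",          # placeholder hash, constructed
    "mail_sender": "invoices@lure.example",  # sender of the lure mail
    "attachment": "invoice_Q3.docm",
}

# Constructed EDR telemetry: (host, sha256 of a process seen on it).
EDR_TELEMETRY = [
    ("fin-ws-07", "deadbeef01"),  # host that tripped the decoy
    ("hr-ws-02", "deadbeef01"),   # same payload, decoy not touched yet
    ("it-ws-11", "cafef00d02"),   # unrelated process
]

# Constructed mail-gateway log: one record per delivered message.
MAIL_LOG = [
    {"recipient": "a.lee", "sender": "invoices@lure.example", "attachment": "invoice_Q3.docm"},
    {"recipient": "b.ng", "sender": "invoices@lure.example", "attachment": "invoice_Q3.docm"},
    {"recipient": "c.ito", "sender": "payroll@corp.example", "attachment": "memo.pdf"},
]


def extract_indicators(event):
    """Normalize the decoy alert into the context other tools can consume."""
    return {"sha256": event["process_sha256"], "sender": event["mail_sender"]}


def find_matching_hosts(indicators, telemetry):
    """Hosts where the same payload hash has already run, sorted for stable output."""
    return sorted({host for host, sha in telemetry if sha == indicators["sha256"]})


def find_matching_messages(indicators, mail_log):
    """Mail records from the same sender as the lure, including ones not yet opened."""
    return [m for m in mail_log if m["sender"] == indicators["sender"]]


def build_playbook(event, telemetry, mail_log):
    """Turn one decoy trigger into EDR and mail-gateway actions plus reporting metrics."""
    ind = extract_indicators(event)
    hosts = find_matching_hosts(ind, telemetry)
    msgs = find_matching_messages(ind, mail_log)
    actions = [("edr_isolate_host", h) for h in hosts]                     # block on endpoint
    actions += [("mail_quarantine", m["recipient"]) for m in msgs]         # pull lure mail
    actions.append(("mail_block_sender", ind["sender"]))                   # stop further spread
    metrics = {"hosts_affected": len(hosts),
               "mailboxes_affected": len({m["recipient"] for m in msgs})}
    return actions, metrics
```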
More and more cybersecurity vendors are building their products with a complete REST API in mind and moving away from one-size-fits-all solutions. A useful model to start looking across your particular ecosystem for integration opportunities is the Cyber Defense Matrix.
Sharing at the Speed of APIs
As we have seen, solutions are often integrated with one another across an organization’s IT environment. Threat intelligence sharing can embrace the same model, scaling across boundaries such as business units, organizations within a sector, or the entire cybersecurity discipline. Intelligence sharing has historically leaned heavily on relatively slow sharing formats such as ISACs (Information Sharing and Analysis Centers), where qualitative intelligence is shared within critical sectors. A few products have begun to build the capability to capture telemetry from one organization’s deployment to benefit other deployments, creating a directed network effect.
Organizations that lean into this trend without relying on specific vendor products gain an opportunity to respond proactively to threats before they can spread. It also increases the amount of work the adversary must do to cause large-scale damage.
A Broader Approach for Better Defense
Ransomware has highlighted the fact that adversarial innovation occurs in many places beyond technology itself, much like the innovations and disruptions we see in business markets. Therefore, defense cannot be limited to investments in technology alone. We must balance our focus on other strategic areas of opportunity such as people, partnerships, the creative use and integration of technology, and resource organization.