As ransomware proliferates and targets IT environments from the data center to the edge to the cloud, organizations need to step up their game. Specifically, they need to do more than simply react to problems as they occur or determine after a data lockup if a ransom should be paid. Effective security teams will use a combination of world-class technology enriched with elite human threat hunting driven by up-to-the-minute threat intelligence to combat today’s ransomware threat.
Ransomware is one of the most problematic and potentially disruptive cyber threats facing organizations around the world, in both the public and private sectors. Research [techtarget.com] from the 2021 Verizon Data Breach Investigations Report indicates that ransomware now makes up 10% of all security breaches — double the level from just the previous year. And according to our 2021 CrowdStrike Global Security Attitude Survey, 66% of respondents’ organizations suffered at least one ransomware attack in the past 12 months.
In a very real way, ransomware adversaries are hunting “big game.” They may start out with small, low-hanging fruit, but their intentions are to go after bigger and more lucrative targets. Organizations need to think of themselves not only as defenders, but as hunters — threat hunters, specifically.
Prioritizing Threat Hunting
Adversaries must be hunted down and stopped before they can do their dirty work. Threat hunting is the practice of proactively searching for cyber threats that are lurking undetected in a network. It digs deep to find bad actors who have evaded the first line of endpoint security. Proactive threat hunting requires real-world experience in the form of smart, seasoned professionals who know what — and who — to look for. These threat hunters search continuously for ransomware threats, armed with broad and deep telemetry, as well as tools to do fast queries that efficiently find faint signals of malevolent activity.
Threat hunters must ask themselves, and their entire organization, three essential questions:
- Do we understand our digital footprint and the potential attack surface? In order to mount an effective defense, organizations must understand what they’re defending. Threat hunters need a full understanding of the organizational footprint, and an awareness of what is normal behavior and what is an anomaly.
- What adversaries are most likely to target our organization with ransomware? An intelligence-led threat hunting program is built on an understanding of threat actors, and the tactics and techniques they are known to employ. This requires threat intelligence services that help threat hunters focus on looking for adversaries’ tactics and techniques.
- If an adversary were in our environment, how could we find them? Threat hunting requires an analyst to think like an attacker. They must visualize how a sophisticated, determined foe might remain hidden, so the analyst can then design and execute queries to uncover them.
CrowdStrike’s Elite Threat Hunting Team
The cybersecurity skills gap and the fast-changing nature of ransomware operators prevent many organizations from setting up a systematic threat hunting program with their existing legacy detection tools.
For organizations challenged to staff their own threat hunting, CrowdStrike’s Falcon OverWatch™ team provides threat hunting as a managed service. It is built on the cloud-native CrowdStrike Falcon® platform and provides deep and continuous human intelligence around the clock.
OverWatch comprises a global team of experts leveraging the deep data and analytics of the Falcon platform. Massive threat telemetry and a sophisticated global threat intelligence team help threat hunters track the actions and behavior of more than 160 known adversarial groups, including over 23 big game hunters, so they can stay ahead of existing and evolving attack tactics.
The OverWatch team hunts relentlessly to see and stop the stealthiest, most sophisticated threats, armed with the enterprise-wide visibility provided by the Falcon platform. By combining the proven skills of expert professionals with highly intelligent, adaptive and scalable technology, organizations can greatly reduce their risk of experiencing a ransomware attack.