Ransomware remains top of mind and a major priority for both CISOs and boardrooms. According to "The Long Road Ahead to Ransomware Preparedness," a survey from Enterprise Strategy Group (ESG), a division of TechTarget, 79% of organizations suffered a ransomware attack in 2021.
Given the profitability of ransomware, attackers are unsurprisingly relentless. Thirteen percent of respondents said they experience daily attacks.
Ransomware attackers traditionally would infiltrate an organization's environment with the goal of encrypting most or all of the organization's sensitive data. Once done, attackers demanded a ransom for the decryption keys. Organizations have since adopted techniques to recover from ransomware, such as using air-gapped or immutable backups and deploying machine learning to detect and prevent mass data encryption.
Sophisticated attackers have adapted to these defenses, however, and expanded their attempts at financial gain through extortion. Before encryption, attackers can exfiltrate and threaten to publicize the organization's sensitive data. The organization must therefore pay twice: an extortion fee to keep its data private and a ransom to decrypt its data.
Ransomware is the last phase of a breach
By the time organizations detect mass encryption, it's often too late. Attackers are already well positioned for extortion even if the company can prevent or recover from mass encryption.
In fact, encryption and ransom are the last phases of a breach. The Mitre ATT&CK framework, a knowledge base of attacker tactics, techniques and procedures (TTPs), maps 11 attack phases for a ransomware intrusion that culminate in encryption, among them:
- initial access
- privilege escalation
- defense evasion
- credential access
- lateral movement
- command and control
- impact (encryption)
These TTPs are known as the ransomware kill chain. Stopping the attacker at any one of these phases prior to exfiltration can kill the attack and limit the damage. Data security can be used to stop the attacker from exfiltrating sensitive data.
Data security as a defense for ransomware
Data security encompasses the principles and practices that ensure legitimate access to data and prevent unauthorized access, preserving the cybersecurity triad. Also known as the CIA triad, the cybersecurity triad is a set of three goals:
- Confidentiality: Resources and data can only be accessed by authorized parties.
- Integrity: Data can only be added, deleted or modified by authorized parties.
- Availability: Data and systems are available to authorized parties when requested.
Discovery is the initial step in data security; you can't protect data if you don't know it exists. In today's hybrid multi-cloud world, organizations face the following two challenges:
- Shadow IT, or the use of IT services without the knowledge or approval of IT or cybersecurity organizations.
- Shadow data, or the unauthorized, unknown or forgotten copies of data sets made for testing, data transfers, backups, etc.
Given enough time in your environment, a ransomware attacker can discover and exfiltrate unknown -- and thus unprotected -- data stores.
The next step is classifying data to understand what type of data exists. This enables you to focus resources on protecting sensitive data. In addition, you may be subject to standards and regulations such as GDPR, HIPAA, Sarbanes-Oxley and PCI DSS, which require specific protections for certain types of data.
To comply with these regulations, fine-grained data classification is needed to identify the plethora of data types, such as personally identifiable information, credit card numbers, phone numbers or government IDs. Data classification must be able to analyze structured data in databases, XML files and so forth, as well as unstructured data, including text files, documents, image files and more.
Data masking or tokenization can be employed to limit how much of a sensitive value even authorized users see. For example, masking can display only the last four digits of a credit card number on a receipt while the full number is retained so the transaction can still be processed.
While masking and tokenization protect privacy, they don't protect the underlying data if the attacker gets direct access to the data store. Organizations can use encryption to render the data useless in case of unauthorized access and exfiltration.
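The classification, masking and tokenization steps described above, as an added example that is not from the original article: a small Python scanner that finds Luhn-valid card numbers in free text (rejecting look-alike order and invoice numbers), masks them to the last four digits, and swaps them for same-format tokens held in a vault. The sample records, the `TokenVault` class and the function names are constructed for this illustration.

```python
import re
import secrets

# Constructed sample records (not real cardholder data); the two card numbers are Luhn-valid test values.
SAMPLE_RECORDS = [
    "Order 482910371264 paid with card 4111 1111 1111 1111 by alice@example.com",
    "Invoice 1234567812345678 refunded to card 5500-0000-0000-0004",
]

# Candidate PAN: 13 to 19 digits, optionally grouped by spaces or hyphens.
PAN_CANDIDATE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")

def luhn_valid(digits: str) -> bool:
    """Luhn checksum carried by payment card numbers; rejects invoice and order numbers that merely look like one."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * (2 if i % 2 else 1)  # double every second digit from the right
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def classify_pans(text: str) -> list[str]:
    """Classification: return the Luhn-valid card numbers found in free text, digits only."""
    found = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_valid(digits):
            found.append(digits)
    return found

def mask_pan(digits: str) -> str:
    """Masking for display: only the last four digits survive, as on a receipt."""
    return "*" * (len(digits) - 4) + digits[-4:]

class TokenVault:
    """Tokenization: the real PAN lives only in the vault; the data store keeps a same-format random token."""
    def __init__(self) -> None:
        self._by_pan: dict[str, str] = {}
        self._by_token: dict[str, str] = {}
    def tokenize(self, digits: str) -> str:
        if digits not in self._by_pan:
            while True:  # draw until the token is unique and is not the PAN itself
                token = "".join(str(secrets.randbelow(10)) for _ in digits)
                if token != digits and token not in self._by_token:
                    break
            self._by_pan[digits], self._by_token[token] = token, digits
        return self._by_pan[digits]
    def detokenize(self, token: str) -> str:
        return self._by_token[token]
```

The 16-digit invoice number in the second record fails the Luhn check and is left alone, which is the false-positive case fine-grained classification has to get right.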
A data security platform that offers discovery, classification and data protection can stop a ransomware attacker from data exfiltration and limit exposure to extortion.
Defense in depth
Much of cybersecurity is focused on the initial stages of the kill chain. The earlier you stop an attacker, the more you limit their damage. Limiting their knowledge of your environment will make it harder for them to attack you in the future.
Unfortunately, attackers must be successful only once, while defenders must be successful every time. It's clear that attackers are winning, according to the ESG survey, which found that 41% of respondents were the victim of a successful ransomware attack, and 32% were victims of multiple successful attacks in 2021.
Organizations are now employing the military strategy of defense in depth, which, rather than defeating an attack with one strong line of defense, seeks to delay the advance of an attack with multiple layers of defense. When adapted for cybersecurity, defense in depth uses multiple, often redundant or overlapping, defensive measures to detect and stop the attacker at multiple phases in the kill chain.
Data security should be a significant part of a defense-in-depth strategy, focused on protecting all sensitive data and preventing ransomware and other attackers from accessing, exfiltrating and holding data hostage. Even in the worst-case scenario, if you have encrypted your data, any exfiltrated copy is worthless as leverage for extortion.