Success in stopping ransomware still seems out of our reach. Can AI and automation, a ‘zero trust’ approach, or a hybrid SOC help us deal more effectively with this fast-growing threat?

Despite widespread awareness and education, one of the fastest-growing threats that businesses face today is ransomware. This insidious form of malware holds systems and files hostage until financial bounties are paid, costing businesses millions of dollars in damage. 

While ransomware attacks are not new, they are becoming more frequent, sophisticated, and far-reaching. Today’s cybercriminals know no boundaries, and they have started to move from simply attacking systems and data to attacking everyday people.

Research from Sophos has now found that there are at least 10 different types of pressure tactics that are commonly used against victims today. 

What do we need, beyond just having an effective response team? Is smarter technology available to help us see more clearly and identify patterns indicative of potential breaches and intrusions?

CybersecAsia discussed these questions with Chester Wisniewski, Principal Research Scientist, Sophos, to gain insights and advice on how organizations should be dealing with ransomware today.

Research from Sophos has found that there are at least 10 different types of pressure tactics that are commonly used against ransomware victims today. Which of these, in your opinion, are the most difficult for organizations in Asia Pacific to handle?

Chester Wisniewski (CW): I think the two most difficult to address in the region are recruiting insiders and phishing attacks. Insiders often have too much privilege and in a good-sized company there will always be someone who may be tempted by an outside “bonus” to settle an inside grievance.

Your best defense is to ensure you follow a least-trust or need-to-know permission model to limit the damages from any one rogue staff member. This strategy also helps with phishing, as we are all susceptible to falling for a good phish occasionally.

If you can contain the damage though, you are in a good position to keep the incident cost low. If you take this to its logical extreme you’ve got a ‘zero trust’ approach to security. 


Humans are usually the weakest link in cybersecurity. What should organizations have in place – in terms of corporate culture, mindset, training and awareness, and processes – to help mitigate against most of these ransomware tactics?

CW: Training can help with prevention, but nothing is 100%. Alerting staff on a regular basis to what types of phishes and social engineering attacks are common can raise awareness, as can ensuring staff feel welcome to call/text/instant message the security team if they have any questions or see something suspicious.

In certain departments, it can be helpful to change processes around things – like wire transfers in Finance or how to safely open CVs in Human Resources. Making policies clear that “if you think you made a mistake and you ask for help, you won’t be in trouble” can help limit damages when mistakes occur.

The sooner you can investigate, contain and clean up a threat, the less damage will have been inflicted.  

Would AI and automation help in this fight against ransomware? In what ways?

CW: The best application of AI and automation at the moment is in the Security Operations Center (SOC). Being able to spot the right alerts that indicate the initial access of a criminal to the network makes all the difference in your ability to contain an incident before data is stolen or ransomware unleashed.

AI can help sort through and score alerts as to the likelihood that they are dangerous, allowing humans to spend more time on alerts that could indicate a more severe incident. Automation is critical to free up the time necessary for these humans to investigate these alerts and hunt down any threats that may have bypassed your protective layers.

Most ransomware incidents take more than 14 days from start to finish, so if you can stay on top of the right alerts, you have good odds to stop the criminals in their tracks. 

With a huge talent gap for cybersecurity professionals, besides deploying technology, what are some other key considerations for defending against ransomware?

CW: I think we are headed toward a future that has more of a hybrid-SOC approach to defense. Internal security teams know your network best, but vendors like Sophos who monitor hundreds of thousands of networks know the threat patterns best.

We must work to combine these skills in a hybrid fashion, where the internal security team recognizes things that are out of the ordinary for their network and then escalates the issue to a managed security service that knows what to look for, knows what tactics, techniques, and procedures (TTPs) a threat group typically employs, and provides the guidance necessary to evict the threat actor from your network.

Service providers assist with many ransomware incidents every month and know the “playbook” of the attackers, whereas internal security teams are unlikely to have experience with any given attacker. Together they are much stronger than either one alone.