Ransomware has been a significant threat to organizations around the world for some time now. However, what was once a relatively straightforward threat is fast becoming more complex.
Traditionally, cyber criminals would force their way through perimeter defenses, drop their malicious payload and demand a ransom to “fix” the situation. This brute-force method of attack was usually remedied by detection, containment and recovery. Essentially, systems would be shut down and backups restored.
Today, however, ransomware is much more sophisticated, targeted and far-reaching. Rather than forcing their way in, cyber criminals will target users looking to compromise their credentials, trick them into making a mistake or convince them to launch a malicious attack against their employer.
To defend against ransomware, cybersecurity teams must now “shift left” earlier in the attack chain, moving away from detection and recovery and focusing instead on preparation and prevention—and people.
Figure 1. Incident response life cycle (detection and analysis).
Defending your data
The detection and response approach to ransomware was understandable when the issue was solely about information protection. However, with fewer organizations caving in to ransom demands, cyber criminals have changed tactics to protect their revenue streams.
Modern ransomware now often carries an extra sting in the tail, whether that’s corporate espionage or data theft, making it very much a data loss prevention (DLP) issue.
That’s why any effective defense against ransomware should place data at its heart. This starts with classification. You need to understand what data is at risk, who needs access to it, who has access to it and how much cyber criminals are likely to prize it.
When making these classifications, go beyond geography and data location. The traditional data in use and data at rest model is no longer fit for purpose. A modern DLP strategy must follow the user wherever they go, for it’s your people who put your data at risk.
The people problem
With over 90% of cyber attacks requiring some form of human interaction, your users are the biggest risk factor your organization faces.
These days, cyber criminals rarely bother to break down the door. Instead, they’re invited in by your people through malice, carelessness or compromise. The more you know about your users, their activity and behavior, the better you can spot the early warning signs of an attack, whatever the driving factor:
Malicious: A malicious user knowingly looks to cause harm to your organization. They may be disgruntled and seeking revenge or being paid by criminal gangs for access to your networks and data.
Vigilance is critical when detecting malicious users. Implement a solution that can spot suspicious behavior, such as out-of-hours logins or unusual access requests, and limit access to sensitive information to only your most privileged employees.
Careless: Careless users let cyber criminals inside your perimeter defenses by mistake, either by not logging out of corporate systems correctly or by using default passwords or failing to apply security patches.
When it comes to spotting carelessness among your teams, keep an eye out for poor security hygiene, such as writing down passwords and installing unauthorized applications.
Compromise: A compromised user is one whose devices or credentials have been commandeered by cyber criminals. Accounts and devices can be compromised by malware, phishing or another form of targeted attack.
Unfortunately, account compromise is notoriously hard to spot. The best defense is to minimize compromise in the first place, through protections such as multifactor authentication and cybersecurity training.
Rooting out ransomware
The ultimate target of ransomware may be your data, networks and systems. But it can only reach that target through your people. Therefore, the most effective way to keep ransomware at bay is to remove the human element entirely.
With a robust email protection and DLP solution in place, you can analyze, filter and block malicious messaging before it reaches the inbox. However, even the best perimeter defenses can be breached.
Email protections should be coupled with deep insight into the telemetry of your access logs and network activity. You need to know who’s accessing your data—how, when and why. The more you know, the faster you can spot anything out of the ordinary.
And then, there’s the last line of your defense: your people. Every user must know exactly what to do when they face a ransomware attack and the consequences of failing to stop one. Most importantly, they must understand how their behavior can put your organization at risk.
This is only possible through ongoing and adaptive security awareness training that goes beyond multiple-choice tests and standard best practices. The ultimate goal of any training program should be creating a security culture where cybersecurity is everyone’s responsibility.
The simple fact is, ransomware is growing increasingly more sophisticated, rendering traditional defenses ineffective. And when the cure no longer works, prevention is the only remedy.
Find out more in this overview to the modern approach to information protection.
Learn more about DLP and insider risk
In a world of increasingly targeted attacks, one thing remains the same: Attackers target people. Their techniques have evolved, making protecting your people, your data and how it’s accessed more critical than ever.
The fourth edition of the Proofpoint magazine, “New Perimeters: Data Doesn’t Lose Itself,” is now available. Download your free copy today to explore why we must change the way we prevent data loss and protect against insider threats in our work-from-anywhere reality.