Ransomware Planning Without Advanced Security is Just Wishful Thinking

By David Finger | November 05, 2021

For a CISO, all the planning and preparation in the world is not enough to protect your organization from ransomware if you don’t have the right tools to do the job. According to Fortinet’s State of Ransomware survey, 95% of respondents feel concerned about being the target of a ransomware attack, with 76% indicating they are extremely concerned. This is for a good reason. Over two-thirds of respondents indicated that they have already been the target of at least one ransomware attack, with nearly half having been the victim of two and one in six experiencing three or more attacks. 

Ransomware is top of mind; even the US Department of Justice (DOJ) has taken action by charging a NetWalker affiliate, one of the first times that law enforcement went after such a business partner. Although the attention some operations have received has scared a few ransomware operators into announcing that they were ceasing operations altogether, ransomware is not on the decline.

Despite the responses above, a surprising number (96%) indicate that they are at least moderately prepared for an attack, with 64% saying they are very or extremely prepared. And 84% indicate they have an incident response plan in place, including employee cyber training, risk assessment, offline backups, cyber insurance, business continuity measures, and a remediation plan.

The Disconnect Between Plans and Tools

That said, there is an apparent disconnect between this feeling of preparation among IT and security leaders and the security tools they have in place (or planned) to address an attack. When asked to identify essential tools for defending against a ransomware attack, respondents placed numerous security technologies that address the most common methods of entry (reported later in the survey) towards the bottom of their list.

For example, respondents indicated that phishing was the top method used by ransomware perpetrators to gain access, yet secure email gateways (33%), UEBA (user and entity behavior analytics) (30%), and sandboxing (7%) were towards the bottom of their list of essential technologies. In our experience, strong email security, which includes sandbox analysis, content disarm and reconstruction, time-of-click protection and even remote browser isolation, can greatly reduce an organization’s exposure to ransomware and directly address the initial phishing component reported by respondents.

As another example, while secure web gateways and VPN top the list, next-generation firewall (NGFW) was lower down the list (43%), despite combining many SWG features with its traditional capabilities (firewalling and intrusion prevention, for example), which can close off open ports and shield the vulnerabilities that were also reported as top access methods.

Finally, newer technologies designed to protect the endpoint itself were also less valued, including endpoint detection and response (EDR) (42%), which is exceptionally odd given that, regardless of entry method, the ultimate aim of attackers is to impact the endpoints.

While training users to detect common attack methods, such as phishing and social engineering, is essential and near universal (91%), it cannot compensate for a failure to arm the organization with security technologies designed to protect it from increasingly sophisticated ransomware attacks.

Ransomware Planning Involves the Right Tools for the Job

To do this, however, IT and security teams need to understand how ransomware attacks occur and where they can place tools within the attack chain to detect and disrupt an attack. The two most common attack vectors are web-based and email-based. These two techniques are often combined, with an infected email containing links to compromised or malicious websites or attachments connecting to URLs that launch malicious payloads.

Ransomware almost always relies on someone opening a file or clicking on a link to start an attack. It’s why cyber training is so high on everyone’s list. And it’s also why cybercriminals have gotten so good at luring victims into doing the exact thing they have been repeatedly warned not to do. But the best defense is to prevent that temptation from happening in the first place. Secure web gateway (SWG) and secure email gateway (SEG) tools can identify and block or disarm malicious links and attachments before they ever reach the end-user. 

SWGs stand between the user and their destination to block access to compromised sites, identify and disable malicious links, and disarm infected web page elements that can launch drive-by infections. By adding in the additional network-based controls of an NGFW that includes SWG features, organizations also harden their attack surface.

Modern email gateways are similarly effective. They contain advanced detection and antivirus tools to identify malicious emails, sandboxing to identify unknown threats, and content disarm and reconstruction (CDR) technology to strip out malware before the message is delivered to the end-user. The biggest challenge many organizations face is that they use email services to process and deliver their mail, and many mistakenly believe that these services also include advanced security. While the more popular services do include some protections, they do not provide the advanced services today’s users require. Every organization concerned with ransomware needs to add a proven email security tool to its security arsenal.
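As an added illustration (not code from this post or from Fortinet), the Python sketch below walks a constructed message the way a gateway would and applies the three behaviours described above: it drops a macro-enabled attachment (the CDR idea), removes inline script from the HTML body, and routes every link through a click-time check. The risky-extension list and the `CLICK_CHECK` endpoint are assumptions for the example.

```python
import email
import os
import re
from email import policy
from email.message import EmailMessage
from urllib.parse import quote

# Assumed gateway policy for this illustration: extensions treated as active content.
RISKY_EXTENSIONS = {".exe", ".js", ".vbs", ".hta", ".scr", ".docm", ".xlsm", ".pptm"}
URL_RE = re.compile(r'https?://[^\s"<>]+')
CLICK_CHECK = "https://gw.example.invalid/click?u="  # hypothetical click-time check service


def disarm_message(raw: bytes) -> dict:
    """Walk a raw message as a gateway would; report stripped parts and time-of-click rewrites."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    report = {"stripped": [], "scripts_removed": 0, "rewritten": [], "delivered": []}
    for part in msg.walk():
        if part.is_multipart():
            continue
        name = part.get_filename()
        if name:
            if os.path.splitext(name)[1].lower() in RISKY_EXTENSIONS:
                report["stripped"].append(name)  # CDR-style: active content never reaches the user
            else:
                report["delivered"].append(name)
            continue
        ctype = part.get_content_type()
        if ctype in ("text/plain", "text/html"):
            body = part.get_content()
            if ctype == "text/html":
                body, n = re.subn(r"(?is)<script.*?</script>", "", body)
                report["scripts_removed"] += n
            for url in URL_RE.findall(body):
                report["rewritten"].append(CLICK_CHECK + quote(url, safe=""))
            report["delivered"].append(ctype)
    return report


def build_sample() -> bytes:
    """Constructed sample lure: a link in text and HTML, an inline script, a .docm and a PDF."""
    msg = EmailMessage()
    msg["Subject"] = "Updated payslip"
    msg.set_content("Your payslip is ready: http://example.invalid/payslip")
    msg.add_alternative('<p>Open <a href="http://example.invalid/payslip">here</a></p>'
                        "<script>alert(1)</script>", subtype="html")
    msg.add_attachment(b"\xd0\xcf\x11\xe0", maintype="application",
                       subtype="vnd.ms-word.document.macroEnabled.12", filename="payslip.docm")
    msg.add_attachment(b"%PDF-1.4", maintype="application", subtype="pdf", filename="info.pdf")
    return bytes(msg)
```

A real gateway would also sandbox the PDF and reconstruct the Office file rather than just drop it; the sketch shows where in the message walk each control applies.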

Organizations need to pick up the pace on cyber hygiene and consider modern endpoint security that includes newer approaches to endpoint prevention, detection and response.

This complements containment strategies such as network segmentation with zero trust network access.

Feeling Prepared isn’t Good Enough When it Comes to Ransomware Planning

In today’s high-risk digital marketplace, feeling prepared is fine, and having a plan in place to respond to a ransomware attack is critical for CISOs. But the foundation of any plan or preparation must be the security technologies and teams in place. They need to be designed and trained to address the ways ransomware operates, protect all (or at least the top) attack vectors, enable broad visibility and detection, automate containment in real time, and coordinate an effective response at every edge.