Ransomware is a topic that regularly comes up when I speak to CISOs and information security leaders, understandably so as recent reports have highlighted two growing themes. Firstly, Covid-19 has resulted in an uptick in campaigns dropping ransomware and secondly, the direction has shifted to more targeted campaigns against larger organizations (both per the NTT 2020 Global Threat Intelligence Report).
There is no denying the impact a successful ransomware attack can have on an organization, not only in terms of the financial and reputation hit but also the effects of service disruption. If you consider some of the organizations across the globe that have fallen victim to ransomware, it is not difficult to understand the real-world implications a successful ransomware attack can have on customers and citizens.
Increasingly, ransomware is one of a number of modules being dropped by other malware, such as Emotet, which was the most prevalent malware variant of 2019 (per the 2020 Cyber Security Report from Checkpoint Research). However, if it is true for Emotet, it is also true for other malware variants which use similar techniques to progress through the typical attack lifecycle, including execution, discovery, persistence, lateral movement, etc. So once initial access is gained, it becomes a question of how robust your internal security controls are against the techniques employed throughout that attack lifecycle.
How susceptible is your organization to a Ransomware attack?
The secret is to be able to test your systems for their resiliency to that family of threats and their delivery vehicles on an ongoing basis. A new Automated Penetration Testing platform, named PenTera enables just that. It uses those same emotet-like techniques in its tests and singles out controls that need configuring and vulnerabilities that need patching to stop these kinds of attacks from happening. If and when PenTera is able to reach an achievement using the non-malicious techniques, you may conclude that Emotet will also be able to reach the same achievement using malicious techniques. An example being brute forcing the local admin password (MITRE ID T1078) and using the credentials to move laterally using the Admin$ share (MITRE ID T1077).
By working through the concise and focused remediation activities you can then re-run PenTera and validate that the achievements are no longer possible. If a given technique can no longer be executed successfully using PenTera, that technique will likely no longer be available for Emotet to successfully execute, thereby pre-empting the ransomware drop.
So even if it is possible for malware to enter your network, by using PenTera to identify those techniques used by the trojan to download and execute ransomware malware, you can dramatically reduce the probability of a successful attack.
That in itself may allow you to sleep somewhat sounder than before.
Every company has some level of tech debt. Unless you’re a brand new start-up, you most likely have a patchwork of solutions that have been implemented throughout the years, often under various leadership teams with different priorities and goals. As those technologies age, they can leave your organization vulnerable to cyber threats. While replacing legacy...
LOLBAS (Living Off the Land Binaries And Scripts) is an attack method that uses binaries and scripts that are already part of the system for malicious purposes. This makes it hard for security teams to distinguish between legitimate and malicious activities, since they are all performed by trusted system utilities. Since LOLBAS are one of...
The rapid pace of technological advancements constantly create new attack vectors and attack surfaces. Consequently, it is critical to constantly stay up-to-date on new changes, in addition to revisiting older technologies and previously identified attack surfaces to ensure that proper security protocols were put in place. As part of Pentera Labs’ mission, we aim to...