Ransomware is a topic that regularly comes up when I speak to CISOs and information security leaders, understandably so, as recent reports have highlighted two growing themes. Firstly, Covid-19 has resulted in an uptick in campaigns dropping ransomware, and secondly, the focus has shifted to more targeted campaigns against larger organizations (both per the NTT 2020 Global Threat Intelligence Report).
There is no denying the impact a successful ransomware attack can have on an organization, not only in terms of the financial and reputation hit but also the effects of service disruption. If you consider some of the organizations across the globe that have fallen victim to ransomware, it is not difficult to understand the real-world implications a successful ransomware attack can have on customers and citizens.
Increasingly, ransomware is one of a number of modules dropped by other malware, such as Emotet, which was the most prevalent malware variant of 2019 (per the 2020 Cyber Security Report from Check Point Research). What is true for Emotet is also true for other malware variants that use similar techniques to progress through the typical attack lifecycle: execution, discovery, persistence, lateral movement, and so on. So once initial access is gained, it becomes a question of how robust your internal security controls are against the techniques employed throughout that attack lifecycle.
How susceptible is your organization to a Ransomware attack?
The secret is to be able to test your systems for their resiliency to that family of threats and their delivery vehicles on an ongoing basis. A new Automated Penetration Testing platform, named PenTera, enables just that. It uses those same Emotet-like techniques in its tests and singles out controls that need configuring and vulnerabilities that need patching to stop these kinds of attacks from succeeding. If and when PenTera reaches an achievement using non-malicious techniques, you may conclude that Emotet would also be able to reach the same achievement using malicious ones. An example is brute-forcing the local admin password (MITRE ID T1078) and then using those credentials to move laterally via the Admin$ share (MITRE ID T1077).
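The brute-force-then-Admin$ chain described above leaves a recognisable trail in Windows Security events: a burst of failed logons (4625) from one source, a successful network logon (4624, LogonType 3) from the same source, and then ADMIN$ share access (5140). The following detection is an added example for defenders, not PenTera's code; the event records are constructed and simplified, and the threshold and window are assumed values you would tune for your environment.

```python
"""Flag the brute-force -> ADMIN$ lateral-movement chain in Windows Security events.
Added example (not PenTera's code). Events are constructed, simplified dicts; in
practice they would come from a SIEM or a Get-WinEvent export."""
from collections import defaultdict
from datetime import datetime, timedelta

FAIL_THRESHOLD = 5              # assumed: failed logons from one source before we care
WINDOW = timedelta(minutes=10)  # assumed: whole chain must complete inside this span

# Constructed sample: 4625 = failed logon, 4624 = successful logon (logon_type 3 =
# network), 5140 = network share object accessed. 10.0.0.7 is the suspicious source;
# 10.0.0.9 touches ADMIN$ without any preceding failures (legitimate admin work).
SAMPLE_EVENTS = [
    {"time": f"2020-06-01T10:00:0{i}", "id": 4625, "src": "10.0.0.7", "user": "Administrator"}
    for i in range(5)
] + [
    {"time": "2020-06-01T10:00:10", "id": 4624, "src": "10.0.0.7", "logon_type": 3},
    {"time": "2020-06-01T10:00:15", "id": 5140, "src": "10.0.0.7",
     "share": r"\\*\ADMIN$", "host": "WS-FIN-02"},
    {"time": "2020-06-01T10:01:00", "id": 4624, "src": "10.0.0.9", "logon_type": 3},
    {"time": "2020-06-01T10:01:05", "id": 5140, "src": "10.0.0.9",
     "share": r"\\*\ADMIN$", "host": "WS-FIN-03"},
]


def find_admin_share_chains(events, threshold=FAIL_THRESHOLD, window=WINDOW):
    """Return (src, host, time) for every ADMIN$ access that was preceded, within
    `window`, by a network logon which itself followed >= threshold failed logons."""
    events = sorted(events, key=lambda e: datetime.fromisoformat(e["time"]))
    fails = defaultdict(list)   # src -> timestamps of 4625 events
    success = {}                # src -> time of a 4624 that followed a failure burst
    hits = []
    for e in events:
        t, src = datetime.fromisoformat(e["time"]), e["src"]
        if e["id"] == 4625:
            fails[src].append(t)
        elif e["id"] == 4624 and e.get("logon_type") == 3:
            recent = [f for f in fails[src] if t - f <= window]
            if len(recent) >= threshold:
                success[src] = t
        elif e["id"] == 5140 and e.get("share", "").upper().endswith("ADMIN$"):
            logon = success.get(src)
            if logon is not None and t - logon <= window:
                hits.append((src, e.get("host"), e["time"]))
    return hits


if __name__ == "__main__":
    for src, host, when in find_admin_share_chains(SAMPLE_EVENTS):
        print(f"{when}: {src} reached ADMIN$ on {host} after a failed-logon burst")
```

Re-running the same detection after remediation (for example, after enabling account lockout or restricting local admin logon over the network) is a cheap way to confirm the control actually changed what the telemetry shows.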
By working through the concise and focused remediation activities, you can then re-run PenTera and validate that the achievements are no longer possible. If a given technique can no longer be executed successfully by PenTera, that technique will likely no longer be available for Emotet to execute successfully, thereby pre-empting the ransomware drop.
So even if it is possible for malware to enter your network, by using PenTera to identify the techniques the trojan relies on to download and execute ransomware, you can dramatically reduce the probability of a successful attack.
That in itself may allow you to sleep somewhat sounder than before.