The Current Ransomware Threat Landscape
2021 was a poster year for ransomware threats, as threat actors continued to leverage this attack vector to wreak havoc on individuals and organizations. While ransomware threats have been around for several years, the last few years have seen a dramatic rise in ransomware attacks, prompting the federal government to begin issuing advisories on how to combat this serious threat vector. 2021 saw the emergence of several new ransomware trends, including supply-chain attacks, double extortion, and ransomware-as-a-service (RaaS), to name a few. It is expected that ransomware tactics, techniques, and procedures (TTPs) will continue to evolve and be leveraged to target unpatched vulnerabilities to gain access to organizational networks and inflict maximum damage.
To combat these advanced threats and ensure an adequate level of preparedness, organizations employ multiple defensive processes, including manual and traditional testing activities such as vulnerability scanning and penetration testing. While these activities can provide point-in-time assessments, they cannot provide insights into an organization’s overall risk against ransomware threats, nor can they quantify the potential business impact of such threats or identify drift in security control configuration over time.
Using Breach & Attack Simulation to Prepare Against Ransomware Threats
Maximizing protection against advanced threats starts with continuous testing to ensure security controls are performing as intended and security gaps, if any, are quickly identified and remediated. Breach and Attack Simulation (BAS) tools can help security teams constantly improve their readiness against advanced threats and TTPs by safely executing full attack kill-chain simulations in the production environment. As risk tolerance varies by organization/vertical, security teams should plan the assessment appropriately, giving due consideration to the threats relevant to their organization/vertical, its impact on their environment, and which simulations would help them achieve their planned objectives. The steps outlined below will help security teams achieve maximum success with a BAS implementation:
Step 1 – Planning Phase
To begin, security teams should leverage threat intelligence to identify threats with the highest potential to significantly impact the organization’s security posture and risk tolerance. Additionally, it is important to correctly identify the organizational crown jewels (in the cloud, network, or on endpoints) to ensure appropriate simulator deployments. This planned approach allows security teams to test the impact of specific threats and attack TTPs on critical assets across the organization and validate the security control configuration in the most effective manner.
Step 2 – Simulation Phase
After the BAS simulators and management console have been provisioned to focus on the most relevant threats, the BAS tool can safely execute full kill-chain ransomware attacks in production (or sandbox) environments. This provides visibility into the performance of various security controls in their environment (network, endpoint, or cloud) when faced with ransomware-specific threats, and identifies where potential configuration improvement or remediation is needed. It is important to note that BAS tools execute full kill-chain ransomware attacks by breaking them into smaller steps in a closed-loop environment to ensure safe execution. Executing attacks in this manner enables security teams to enhance their situational awareness of control effectiveness across each part of the ransomware kill chain, without introducing risk to critical systems or actual production data. This also allows security teams to revalidate security control configuration changes after remedial changes have been implemented.
Step 3 – Reporting, Analysis, and Remediation Phase
BAS tools enable security teams to visualize and correlate simulation results to gain a better understanding of their security gaps in near real-time, allowing them to initiate remediation before an attacker can exploit these gaps. Even more crucially, security executives and other key stakeholders can gain a clear understanding of the key threats facing the organization, the performance of existing security controls, and the overall impact and change to the organizational security posture. This allows everyone in the security organization to agree on the overall goal and establish key performance indicators (KPIs) against ransomware threats. Additionally, accurate analysis of the actionable results can help prioritize and address security gaps, based on the risk profile of an organization. This can often lead to recommendations for new security controls or for improvements to existing control configurations. Security teams should also re-run the BAS simulations after configuration updates, to validate that remediation activities were completed successfully.
Conclusion
Only relying on point-in-time, paper-based cyber security assessments is inherently dangerous, as these are subjective and lack technical depth. Breach and Attack Simulation (BAS) tools can help companies monitor and enhance their situational awareness and constantly improve their readiness against advanced ransomware attacks. By safely executing full attack kill-chain simulations in the production environment, BAS tools allow organizations to gain clear visibility into their security control performance against advanced, evolving ransomware threats. As a result, security teams can use a data-driven approach to prioritize remediation activities, generate consensus on KPIs and other long-term security improvements, and minimize overall business risk against ransomware. BAS tools can complement traditional human-centric, point-in-time activities (vulnerability scanning, penetration testing) by providing a continuous threat-based view of an organization’s potential risk across its enterprise environment.