Most security teams will agree that having a deep understanding of how attackers gain initial access is the most critical factor in building an effective cybersecurity strategy and stopping ransomware attacks in their tracks. According to federal research by the U.S. Cybersecurity and Infrastructure Security Agency (CISA), attackers infiltrate victim networks using five main methods:
Exploiting Public-Facing Applications
Public-facing (or internet-facing) applications are exposed to hundreds of thousands of users worldwide and are considered low-hanging fruit for fringe groups. To exploit such applications, attackers typically target weaknesses in the system such as bugs, glitches or design flaws. One of the most common vectors used by attackers is SQL injection, a technique whereby malicious code is inserted into vulnerable web applications. Nearly half of web applications are vulnerable to at least one exploitable vulnerability.
Hacking External Remote Services
Remote service software is used by IT teams to monitor, access or repair products remotely. For example, virtual private networks (VPNs) are used to access corporate resources from a third-party location and remote desktop protocol (RDP) allows IT teams to access desktop computers remotely. If attackers somehow get access to valid credentials to these remote services, they can easily gain a foothold. Since credentials are a prerequisite, attackers typically employ phishing attacks to steal credentials or run brute force attacks to test credentials. They can also purchase credentials from the dark web or initial access brokers (IABs). RDP is one of the top two attack methods (the other being phishing) used by cybercriminals to execute ransomware attacks.
Phishing is probably the oldest, most popular and most effective means of gaining initial access. Per Verizon’s 2022 Data Breach Investigation Report (DBIR), more than 60% of all breaches are on account of phishing. Attackers employ a variety of methods to impersonate trusted sources and persuade the victim into completing an action which usually involves opening an attachment, clicking a URL in a text or email, installing an application, etc. Once the victim visits the phony website or opens the attachment, the attacker can steal credentials or install malware.
Leveraging Trusted Relationships
Attackers know that large enterprises have sophisticated security controls in place. That’s why they like to target third-party partners, supply chain relationships, end-users or organizations that have direct access to their intended victims such as managed service providers, software vendors or contractors like HVAC or elevator technicians. Organizations often grant privileged access to these third-party suppliers to allow them to manage their infrastructure and cloud environments.
Compromising Valid Accounts
Compromised credentials and identity fraud are the best way to bypass formal security controls and procedures. Compromised credentials can also grant an adversary elevated permissions to access critical systems or restricted areas of the network. Adversaries can choose to use malware tools in combination with access credentials to persist on the network, execute system processes, or hijack key services. Nearly six billion credentials were stolen in 2021.
How Organizations Can Protect Themselves
While there isn’t a one-size-fits-all approach to cybersecurity, there are common best practices organizations can keep in mind when designing a cybersecurity strategy that can help stop ransomware attacks:
? Stop Defining Cybersecurity Risks as Champagne Bubbles: All cybersecurity risks are not created equal. Social engineering, unpatched software and compromised credentials are responsible for a much larger share of cyberattacks than other means of initial access. Since some bubbles are much larger than others (e.g., phishing), an increased priority and focus must be given to the larger bubbles rather than the smaller ones.
? Train Employees and the Extended Ecosystem: Human error (poor credential hygiene, unsafe online behavior, misconfigured security controls, open ports, lack of software updates, etc.) is responsible for a majority of cybersecurity incidents, not inadequate cybersecurity technology. Train employees and extended ecosystem (channel partners, contractors, suppliers) to practice good cybersecurity hygiene, adhere to policies and procedures and report anything suspicious.
? Adopt a Zero-Trust Model: Zero-trust technology limits network, data and resources access to employees and devices. This significantly reduces the attack surface and the extent of damage an attack can inflict. Implement role-based access control and privileged access management and ensure access to data and services is tailored to each user. Use phishing-resistant multifactor authentication (MFA) as it can provide an additional layer of security and protect credentials from being used in case they are breached or stolen.
? Review and Harden Access: Review and fine-tune how users connect to the network and cloud services. Put a special emphasis on VPN and RDP as they are extremely vulnerable to attacks. If possible, disable all RDP access except for white-listed sources that are behind a firewall and protected via MFA.
? ProactivelyMonitor Your Threat Surface: Implement security solutions such as endpoint detection and response (EDR) and intrusion detection systems to flag malicious activity. Conduct regular penetration tests and vulnerability scans to identify potential weaknesses. Review security configurations and access permissions regularly, especially for critical infrastructure and resources. Implement log management and monitor alerts for suspicious activity.
Ransomware is not the only problem, by far, but it is a major symptom. How ransomware got in—that’s the real problem. Organizations must address the core issues of initial access first, only then will they truly embark on the journey to becoming cyber resilient.