Written by Dan Lattimer, Area VP EMEA West, Semperis
Timing is everything, and that has now proven true for ransomware attacks. Periods when security operations tend to be disrupted, from weekends and holidays to material events such as mergers, initial public offerings (IPOs) and layoffs, are all prime times to launch an attack. For example, the ransomware attack against Transport for London (TfL) took place on a Sunday, while the Colonial Pipeline attack in the U.S. coincided with Mothering Sunday.
The recent Ransomware Holiday Risk Report of almost 1,000 IT and security professionals across the US, UK, France and Germany found that 86% were attacked on a weekend or holiday and 63% during corporate events. While 96% of the organisations surveyed said that their Security Operations Centre (SOC) operated on a 24/7/365 basis, 85% admitted to reducing SOC staffing by as much as 50% during weekends and holidays. What’s more, 5% indicated that their SOC isn’t staffed during these periods, particularly in the case of hybrid SOCs that fulfil both cybersecurity and help desk functions.
Biding their time
A common path among ransomware operators is to compromise non-sensitive accounts and use them to move laterally (and quietly) across a network. Successful operations rely on gaining access to highly privileged accounts; the more privileges and access a user, account or process amasses, the greater the potential for abuse, exploitation or error.
Ransomware gangs have been quick to exploit weekends and holidays knowing they are much less likely to come up against active defences. Once they’ve gained access, attackers will move laterally across a network and carry out further reconnaissance.
The attacker’s raison d’être is to identify and exfiltrate the most sensitive data, which is likely to command the highest ransom, by breaching the identity and access management (IAM) systems. In fact, 90% of ransomware attacks result in identity system compromise.
Filling the gap
Organisations that improve their operational resilience are likely to be running their SOC at near full capacity during weekends, holidays and corporate material events. In security, there are no days off and no downtime.
In addition, the same report found that 70% of organisations claim to have an identity recovery plan in place, but a fifth do not provide for cyber-specific use cases. Further, 17% do not test for identity vulnerabilities and 61% do not include AD-specific backup systems, which are crucial to a speedy recovery of the identity system.
Essentially, there needs to be a three-step approach to identity threat detection and response (ITDR) with respect to ransomware. Firstly, the C-suite should recognise that identity defence and ransomware defence are fundamentally interconnected. Attackers target identity systems because compromising them grants access to sensitive data and critical systems which can cripple the business. As such, identity security must be treated as a business-critical priority, not just a technical concern.
Automation and audits
Secondly, to fill the void caused by low staffing levels, organisations must deploy dedicated ITDR solutions that feature auditing and alerting based on attack pattern detection. These solutions can automatically roll back or suspend identity systems following any unusual changes without the need for human intervention. AD backups and incident recovery plans should also be routinely tested, ideally more than once a quarter.
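As an added illustration of the auditing and alerting described above (example code written for this piece, not a Semperis product or the author's own), the Python routine below triages constructed Windows Security audit lines: additions to privileged AD groups are flagged, and those made on a weekend or holiday, when the survey says SOC cover drops, are escalated to automated rollback rather than waiting for an analyst. The event IDs are the real Windows IDs for group-membership additions; the holiday calendar, the pipe-separated log format and the sample events are assumptions.

```python
from datetime import datetime, date

# Windows Security event IDs for "member added to security-enabled group"
# (global, local and universal groups respectively).
GROUP_ADD_EVENTS = {4728, 4732, 4756}
# Tier-0 groups whose membership should never change silently (defender's watchlist).
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Schema Admins", "Administrators"}
# Assumed holiday calendar; a real deployment would load the organisation's own.
HOLIDAYS = {date(2024, 12, 25), date(2024, 12, 26), date(2025, 1, 1)}

def reduced_staffing(ts: datetime) -> bool:
    """True on weekends and holidays, the windows in which SOC cover is reduced."""
    return ts.weekday() >= 5 or ts.date() in HOLIDAYS

def parse_event(line: str) -> dict:
    """Parse one constructed audit line: time|event_id|actor|member|group."""
    ts, event_id, actor, member, group = line.strip().split("|")
    return {"ts": datetime.fromisoformat(ts), "event_id": int(event_id),
            "actor": actor, "member": member, "group": group}

def triage(lines: list[str]) -> list[dict]:
    """Alert on privileged-group additions; escalate those made during low-cover periods."""
    alerts = []
    for line in lines:
        ev = parse_event(line)
        if ev["event_id"] not in GROUP_ADD_EVENTS or ev["group"] not in PRIVILEGED_GROUPS:
            continue  # routine logons and non-sensitive group changes are ignored
        off_hours = reduced_staffing(ev["ts"])
        alerts.append({
            "when": ev["ts"].isoformat(),
            "actor": ev["actor"],
            "member": ev["member"],
            "group": ev["group"],
            "severity": "critical" if off_hours else "high",
            # Automated response for the unattended window; in-hours changes go to an analyst.
            "action": "auto-revert membership and disable actor" if off_hours else "page on-call analyst",
        })
    return alerts

# Constructed sample events (not real telemetry): a Sunday, a Tuesday, Christmas Day, and noise.
SAMPLE_EVENTS = [
    "2024-12-22T03:14:00|4728|CORP\\svc-backup|CORP\\jdoe|Domain Admins",
    "2024-12-17T10:02:00|4728|CORP\\admin.ops|CORP\\new-admin|Domain Admins",
    "2024-12-25T09:30:00|4732|CORP\\svc-backup|CORP\\jdoe|Administrators",
    "2024-12-17T11:00:00|4728|CORP\\admin.ops|CORP\\tmp|Marketing",
    "2024-12-22T03:20:00|4624|CORP\\svc-backup|-|-",
]

if __name__ == "__main__":
    for a in triage(SAMPLE_EVENTS):
        print(a["severity"], a["when"], a["actor"], "->", a["group"], "|", a["action"])
```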
Finally, AD security should be a core consideration when undertaking any material event. In the case of a merger or acquisition, for instance, the identity systems of both entities should be audited and undergo a full IT health check as part of financial due diligence. System integration should not proceed until both organisations have satisfied themselves that sufficient controls are in place and risk has been mitigated. Similarly, other disruptive events from changes in leadership to redundancies should also prioritise IAM.
By elevating identity security, automating protection and response, and ensuring that action is taken ahead of major corporate events to minimise the exposure of identity systems, it is possible to significantly reduce the potential for ransomware attacks to exploit these moments in time. In this way, the identities of entities, devices and personnel can continue to be monitored and protected irrespective of whether an attack occurs during a national holiday, a weekend, or a momentous company event.