Advanced anomaly detection: how to defeat ransomware

Ransomware has been pervasive since the mid-2000s. The latest forecast, from Cybersecurity Ventures, estimates that global ransomware damage costs will reach $20 billion by 2021. This is a staggering 57x what it was in 2015. The threat is, in fact, so prevalent that Bitdefender’s 10 in 10 Report revealed almost half of CIOs (49%) worry a ransomware attack could wipe out their business in the next 12-18 months if they do not increase their investment in cybersecurity.

About the author

Daniel Clayton, VP, Global Security Services at Bitdefender.

But it’s not just ransomware itself that is cause for concern. It’s that the nature of ransomware has changed. In its original format, bad actors and cybercriminals would encrypt a company’s IT management systems and demand payment for a release code. To counteract the threat, companies began routine back-ups to prevent a crippling loss of information. Cybercriminals have been paying attention, so it is not surprising that they have once again evolved their tactics to defeat these defenses.

Increased sophistication and attack surface

Malicious actors are increasingly sophisticated when it comes to ransomware attacks, which now include threats to steal, sell on, or publish sensitive company data - not just block access to it. This tactic of targeting data is unsurprising, as data has become the most valuable commodity in business, in some cases worth two to three times more than the value of the company itself. There’s money to be made, and those willing to exploit sensitive customer data will take advantage.

In addition to the type and sophistication of ransomware changing, the attack surface is also increasing. Millions of people started working from home, almost overnight, during the pandemic - providing more opportunities for cybercriminals to seek vulnerabilities outside the office security perimeter. It’s one reason malicious actors use social engineering techniques to obtain details about an employee’s work. Social media channels are a perfect vessel for this type of attack. It doesn’t take much effort to engage an employee via LinkedIn or Twitter, making this an easy access route. In doing so, attackers can quickly gain a back-door route onto a company laptop.

Social engineering is a key reason why forming an effective defense against ransomware attacks is proving to be so difficult. Ransomware attacks happen quickly. The response needs to be instantaneous, as any delay in responding to a breach gives an intruder unfettered access to as much information as they can mine.

Alarmingly, the technologies protecting against ransomware don't seem to be advancing at the same pace as attackers’ methods. According to Bitdefender’s 10 in 10 Report, 43% of infosec professionals, in fact, agreed that they see a resurgence in ransomware attacks, yet the protection against these types of attacks has not evolved much over the last five years. This is advantageous for cybercriminals but less than ideal for businesses trying to protect against an already difficult-to-manage attack vector.

Rethinking threat detection and response

With perimeter defenses increasingly becoming a thing of the past, attack surfaces increasing, and adversaries becoming more capable, a managed threat detection and response (MDR) model has piqued interest in major industries.

A crucial difference between MDR and traditional ransomware defenses is MDR’s proactive response to threats. MDR is a managed security service that combines threat intelligence, threat hunting, security monitoring, incident analysis, and incident response. It leverages telemetry on endpoints, monitors user behaviors, and helps produce a data-driven baseline of a business’s ‘normal’ activities, whether on premises or in the cloud. Essentially, it couples the best detection technologies and security expertise to seek out and eliminate threats before catastrophic damage occurs.

A baseline to outfox the foxes

Ransomware protection has been critical for businesses, especially during the pandemic. COVID-19 has proven to be a nightmare for assessing what ‘normal’ behavior looks like for organizations. Most companies lacked contingencies for adapting to the pandemic. The sudden shift to permanently working from home left security teams desperately playing catch-up on transformations such as implementing secure cloud computing, and created a potential goldmine for ransomware attacks. So much so that the cyber insurance provider Coalition reported that ransomware accounted for 41% of all cyber insurance claims filed in the first half of 2020.

MDR, however, can help businesses adapt at speed thanks to an efficient, automated and data-driven approach to baselining. Traditionally, baselining meant that infosec teams would feed their technology, or their cybersecurity vendors, data – in the hope of generating alerts to potential concerns. With MDR, this approach changes.

MDR takes a threat-first approach. It allows infosec teams to first define the threats they want to detect, understand what those threats will look like in the context of their environment, and then build alerting and detection capability focused on those specific threats. In turn, infosec teams get a clearer picture of which data to use for baselining and a more accurate outcome as a result. In essence, an MDR approach enables teams to stay focused when fighting against the complex landscape of ransomware.
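To make the threat-first baselining idea concrete, here is an added example (written for this article, not Bitdefender’s or any MDR product’s code) that learns each host’s normal rate of file modifications and alerts only on the combination that describes bulk encryption: a count far above that host’s own baseline, large in absolute terms, and accompanied by a file extension not seen before. Host names, counts and thresholds are constructed assumptions.

```python
from statistics import mean, pstdev
from collections import defaultdict

# Constructed baseline (not captured data): files modified per minute on
# each host during a learning window of normal activity.
BASELINE = {
    "ws-finance-01": [4, 6, 5, 7, 3, 8, 5, 6, 4, 7, 5, 6],
    "ws-dev-07": [40, 55, 48, 62, 51, 47, 58, 44, 53, 49, 60, 46],
}

# Constructed observation window: (host, files_modified, new_extensions)
OBSERVED = [
    ("ws-finance-01", 6, 0),    # ordinary minute
    ("ws-finance-01", 412, 1),  # mass rewrite, one previously unseen extension
    ("ws-dev-07", 70, 0),       # build job: high in absolute terms, normal here
    ("ws-dev-07", 900, 1),      # mass rewrite
]


def build_baseline(samples):
    """Per-host mean and population std-dev of files modified per minute."""
    return {h: (mean(v), pstdev(v)) for h, v in samples.items()}


def score(baseline, host, files_modified, new_extensions,
          z_threshold=6.0, min_files=100):
    """Return (z_score, alert) for one observed minute on one host.

    Alert only when the count is far above the host's own baseline, large
    in absolute terms, and accompanied by a new extension, which together
    describe bulk encryption rather than a noisy but legitimate host.
    """
    avg, sd = baseline[host]
    z = (files_modified - avg) / (sd if sd > 0 else 1.0)
    alert = z > z_threshold and files_modified >= min_files and new_extensions > 0
    return round(z, 1), alert


def evaluate(baseline, observed):
    """Score a window of observations; return {host: [(count, z), ...]}."""
    flagged = defaultdict(list)
    for host, n, ext in observed:
        z, alert = score(baseline, host, n, ext)
        if alert:
            flagged[host].append((n, z))
    return dict(flagged)


if __name__ == "__main__":
    for host, hits in evaluate(build_baseline(BASELINE), OBSERVED).items():
        print(f"ALERT {host}: {hits}")
```

Because the threshold is relative to each host’s own history, the developer workstation’s busy build minute is not flagged while the same absolute count on the finance workstation would be.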

The cost of doing nothing

Last year, Chainalysis, a blockchain analysis firm, estimated that $350 million was made in ransomware profits in 2020. With such a huge opportunity for ransomware, it’s clear that companies can’t sit back and do nothing. It’s even more apparent when you consider that two in five infosec professionals say they believe the main consequences of a ransomware attack would be reputational damage (38%) or increased downtime and disruption to business continuity (36%).

The fallout from a data breach could take years to resolve or, in a worst-case scenario, could finish off a business entirely. If infosec professionals don’t want to get caught out, they must adapt at the same speed as the threats themselves. It’s time to embrace the MDR model so businesses can keep pace with the future landscape of ransomware.

Daniel Clayton is vice president of global services and support at Bitdefender. His responsibilities include managing all aspects of customer security environments from the company's security operation center. Clayton possesses over 30 years of technical operations experience and has led security teams for the National Security Agency and British intelligence.