Ransomware is rampant. On any given day you can visit your “go to” cybersecurity news source and read about another successful attack or a new malware variant. In fact, research by Proofpoint (PDF) finds that 76% of organizations experienced an attempted ransomware attack in 2022 and 64% were compromised. As a result, ransomware has become top mind for security and IT teams as they manage their threat intelligence strategies.
But how do you go from strategy to execution, from thinking “we need to use threat intelligence to help us thwart ransomware attacks” to making that happen?
As enterprises realize that compromises are inevitable, security operations centers (SOCs) are transforming into detection and response organizations. The end game now is to mitigate risk, and the sooner and better we understand threat actors – their motivations, targets and methods – the more effective we can be at reducing exposure. However, when only 35% of respondents to Mandiant’s Global Perspectives on Threat Intelligence report (PDF) say they have a comprehensive level of understanding about different threat groups and their tools, techniques and procedures (TTPs), we have a problem.
When it comes to dealing with ransomware, the key is to detect activity before the payload has run. Because after that, it may be too late. This is why threat intelligence has become so important; so, a company can understand what is happening externally to better anticipate and protect internally. Companies need to analyze the right data to anticipate these types of attacks and, if an attack is in progress, act on that intelligence to proactively stop threat actors before they execute the payload. Let’s take a closer look.
Anticipating a ransomware attack: Here, you’re enhancing your view of the threat landscape to identify critical trends in ransomware by bringing various sources of external threat data into a central repository so you can pinpoint the data that’s relevant within the context of your environment. There’s generic threat data that includes the signature updates we get from the defenses we use every day — our firewalls, intrusion detection and prevention tools, anti-virus, web and email gateways, and endpoint detection and response solutions – as well as Open Source Intelligence (OSINT) sources.
But to really understand threat actors that may be targeting your organization with ransomware, you also need to look at sources for more personalized data. A good place to start is with geographic and industry-specific data provided by national/governmental Computer Emergency Response Teams (CERTs) and Information Sharing and Analysis Centers (ISACs) organized by industry. Additionally, commercially available threat feeds and tools and frameworks like MITRE ATT&CK provide more details on adversaries, their targets and their TTPs. And with the rise of supply chain attacks, it’s also important to include threat data based on third parties in your ecosystem that adversaries may be actively targeting and can potentially use as pathways into your organization.
With all that data aggregated in a central repository you can then prioritize it automatically using parameters you set based on your risk profile, security infrastructure and operational environment. Now you’re able to utilize threat intelligence from a proactive standpoint to anticipate attacks and mitigate risk with steps such as prioritizing a specific patch, introducing a compensating control, updating certain configurations and conducting security awareness training. As new data and learnings are added to the repository, you can reprioritize patching and update settings and policies.
Getting ahead of the payload: If a ransomware campaign is already in progress, you may still have an opportunity to get ahead of it before data is exfiltrated and systems are locked up. However, you need to be able to act quickly, correlating external intelligence with internal threat and event data from your security infrastructure to understand if an attack is in progress, and where within the kill chain the threat actor is currently operating and what’s next.
Say you start to see indicators like unusual activity from a user account or an IP address from a country you don’t usually do business with. To get a more complete picture of what is going on, you can look at external threat intelligence to confirm or disprove malicious activity. You may see that the IP address that triggered suspicion is associated with a specific ransomware campaign. Digging deeper into additional threat intelligence sources you can learn more about that adversary, the campaign and the tactics used. As you observe what is happening across your environment, correlating internal and external data to get a complete picture of what is going on, you can quickly determine if the activity is part of a ransomware campaign and how that campaign will unfold. With a platform that is integrated with multiple systems across your security infrastructure you can respond before the payload is executed and it’s too late.
Given the crippling effects ransomware has had over the last few years and indications that these types of attacks aren’t slowing down, it makes sense to look to threat intelligence to help. Valuable external and internal data is readily available. And when combined with capabilities to accelerate analysis and action, organizations are able to move from intention to action fast.
