Ransomware attacks have risen by 13% over the last two years, a greater increase than in the previous 5 years combined. According to Statista, 71% of global businesses felt the impact of ransomware trends and a total of 62.9% of ransomware victims paid the ransom. Small to medium-sized businesses are especially vulnerable: a study reported by UpCity says only half of U.S. small businesses have a cybersecurity plan.
But it’s not just businesses that are being targeted by cybercriminals. The Cybersecurity and Infrastructure Security Agency (CISA) reported ransomware attacks against 14 of the 16 U.S. critical infrastructure sectors, including food and agriculture, emergency services and government facilities.
Meanwhile, some industries are investing more and more to keep their data secure, banks among them. IBM reports that the financial industry spends an average of $5.12 million to fight off data breaches, while Bank of America spends over $1 billion annually on cybersecurity.
Consider the MITRE ATT&CK Framework as the ultimate blueprint for network intrusions. This freely available knowledge base outlines the course of an attack, from the initial entry to the final act of data exfiltration. ATT&CK is an acronym that stands for Adversarial Tactics, Techniques & Common Knowledge. Now, let's delve into the various stages.
Infiltration Tactics: Initial Access
Cybercriminals are sly as foxes—they need to slip through the cracks in an organization’s network security undetected. They may send deceptive phishing emails, take advantage of your public-facing applications, or even smuggle in rogue hardware. With an estimated 3.4 billion spam emails being sent every day, your best defense is education. Equip your team with cybersecurity know-how, combine it with diligent patch management and regular audits of public-facing applications, and your organization is off to a great start.
Malicious Moves: Execution
Once inside, attackers are waiting for the right moment to set their plan in motion. Awareness and education are the key here. Your team should practice safe browsing habits and avoid downloads from untrusted sources. Additionally, a robust anti-virus program and firewall solution should be part of an organization’s standard first line of defense.
Stick Around: Persistence
Once attackers have passed the firewall and anti-virus software, they love to overstay their welcome. They will try to maintain their presence even after system restarts or user logouts. Regular system updates and patches are good preventive measures. However, keeping a close eye on all your network activity is crucial to identify any suspicious behavior.
Climbing the Ladder: Privilege Escalation
Cybercriminals will aim for an upgrade in the network to gain more access and more control. Protect against this power grab with stringent access control measures. Embrace the principle of least privilege (PoLP) and assign access based on necessity.
Shadows and Misdirection: Defense Evasion
Attackers can modify malware functionality using a variety of ready-made plug-ins, allowing it to remain hidden within the organizational infrastructure unnoticed. Modern, advanced ransomware can have adaptive abilities, autonomously changing its behavior according to the surrounding environment and blending in with routine activity even when it is not connected to its command and control server. Such autonomous ransomware variants present a significant challenge for conventional defense mechanisms that focus primarily on blocking threats based solely on their malicious external connections.
Cracking the Vault: Credential Access
At this stage, cybercriminals have their crosshairs set on valuable data such as account names, passwords, and other crucial credentials. Nowadays, ransomware is often armed with built-in capabilities that enable it to autonomously search for saved passwords and spread through the network. Advanced ransomware strains are engineered to morph their structure in different environments, constantly altering their signature and making detection considerably more challenging. Implementing robust password management, adopting multi-factor authentication, and maintaining a close watch on login attempts are effective countermeasures against these advanced cyberthreats.
Spelunking in Your Network: Discovery
The Discovery phase consists of techniques that cybercriminals use to scan an organization’s ICS environment and gain knowledge about the internal network, control system devices, and how their processes interact.
Navigating the Labyrinth: Lateral Movement
Subsequently, the attacker initiates lateral movement. They infiltrate additional devices while trying to amplify their privileges—for example, by procuring administrative credentials—thereby increasing their control over the network environment. Upon successfully establishing authority and a sustainable presence within the network, they will move to the concluding phase of the attack.
Data Harvest: Collection
The adversary is compiling valuable data and expert knowledge about your Industrial Control System (ICS) landscape that aligns with their malicious aims. This tactic is often performed as part of Discovery, to compile data on control systems and targets of interest that may be used to follow through on the adversary’s objective. The techniques being used are diverse, ranging from monitoring operational states, capturing screenshots, identifying unique device roles, to gathering intricate systems and diagrammatic schematics.
Exit Strategy: Exfiltration
With current ransomware attacks, as organizations become increasingly vigilant about data backups to safeguard against malicious encryption, threat actors have pivoted towards a 'double extortion' approach. They exfiltrate essential data and delete backups before initiating the encryption process. The stolen data is often used as a blackmail tool, with attackers posing threats to disclose sensitive data on the internet or sell it to the victim's competitors if their ransom demands are not met.
Modern ransomware strains also scan for cloud-based file storage repositories, including popular services like Box, Dropbox, and others. When customer data is compromised, organizations are legally obligated to announce the breach, bearing the additional weight of compliance fines, a situation that has been escalating in recent years. Additionally, they face the reputational fallout associated with notifying customers about a data breach.
Behind the Curtain: Command and Control
The Command and Control phase entails the techniques utilized by adversaries to establish communication with the systems they've compromised within a victim's network. Often, they strive to camouflage their activities as normal, expected traffic to evade detection. The methods an adversary employs to set up command and control can exhibit varying levels of stealth, depending on the structure and defense mechanisms of the victim's network.
For instance, Domain Generation Algorithms (DGAs) are used by cybercriminals to prevent their servers from being blacklisted or taken down. The algorithm produces random-looking domain names. The idea is that two machines running the same algorithm with the same seed (typically the current date or time) will contact the same domain at a given moment, so they are able to exchange information or fetch instructions without a fixed, blockable address. This makes it harder for defenders to block command and control communications. Alternatively, attackers may use social media platforms or cloud storage services as a seemingly benign communication channel.
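To make the DGA point concrete from the defender's side, here is an added example (not code from the original post or from Muninn) that scores the domains in a constructed DNS query log for features typical of algorithmically generated names: long labels, high character entropy, few vowels, and letter/digit mixes. The log lines, the thresholds, and the function names are assumptions chosen for illustration.

```python
import math
from collections import Counter

# Constructed sample DNS query log (not from the original page):
# "<timestamp> <client-ip> <queried-domain>", one query per line.
SAMPLE_DNS_LOG = """\
2024-03-01T10:00:01 10.0.0.12 www.example.com
2024-03-01T10:00:02 10.0.0.12 mail.example.com
2024-03-01T10:00:03 10.0.0.12 xk3jq9vztp2wlmcbf.net
2024-03-01T10:00:04 10.0.0.12 qpwoeirutyalskdjfhg.com
2024-03-01T10:00:05 10.0.0.12 cdn.dropbox.com
"""

def shannon_entropy(text):
    """Bits of entropy per character; high for pseudo-random strings."""
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values())

def registrable_label(domain):
    """Label left of the TLD. Naive on purpose: no public-suffix list,
    so 'foo.co.uk' yields 'co'. Use a PSL library in production."""
    parts = domain.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]

def dga_score(domain):
    """Heuristic 0-4 score; each feature is typical of algorithmic names.
    Thresholds are assumptions; tune them against known-good traffic."""
    label = registrable_label(domain)
    if not label:
        return 0
    vowel_ratio = sum(ch in "aeiou" for ch in label) / len(label)
    has_digits = any(ch.isdigit() for ch in label)
    has_letters = any(ch.isalpha() for ch in label)
    score = 0
    score += len(label) >= 12               # unusually long label
    score += shannon_entropy(label) >= 3.5  # high character diversity
    score += vowel_ratio < 0.25             # unpronounceable
    score += has_digits and has_letters     # letter/digit mix
    return int(score)

def flag_suspicious(log_text, threshold=2):
    """Return queried domains whose score reaches the threshold,
    deduplicated and in log order; candidates for analyst review."""
    flagged = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        domain = line.split()[-1]
        if dga_score(domain) >= threshold and domain not in flagged:
            flagged.append(domain)
    return flagged

if __name__ == "__main__":
    for d in flag_suspicious(SAMPLE_DNS_LOG):
        print(f"{d}: score {dga_score(d)}")
```

Character heuristics alone produce false positives on CDN and tracking hostnames, so in practice such a score is combined with NXDOMAIN rates and domain age before it raises an alert.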
The need for network-level security solutions isn’t going away. On the contrary, the need for more advanced network security has never been higher. As the data show, a company’s network is the most convenient means for launching cyberattacks, and cyberthreat actors are constantly innovating to develop new techniques.
Muninn AI Detect uses Artificial Intelligence alongside signature and script models to identify and respond to novel as well as known common threats. Our Machine Learning involves training algorithms on network data, allowing Muninn AI Detect to learn and improve over time without being explicitly programmed. Muninn is able to monitor a large amount of network data and recognize network patterns 24/7. As soon as suspicious behavior is identified, Muninn AI Prevent instantly mounts the most effective response to the cyberthreat and, by doing so, prevents the attack from escalating through the later stages of the MITRE ATT&CK Framework.