Stop following the herd and start fighting ransomware

While the rise of ransomware and data breaches is damaging confidence in security technologies, the harsh reality is that organizations cannot rely on data recovery and disaster recovery strategies designed in isolation from security to withstand attackers.

Ransomware and extortion incidents grew 67% last year, according to NTT Security Holdings’ 2024 Global Threat Intelligence Report. These are record times for security software companies, and yet the threats aren’t going away. Unsurprisingly, Evanta research shows that cybersecurity continues to dominate CIO priorities, despite significant investment in cybersecurity strategies and technologies.

Most enterprises have a data resilience strategy. Traditionally, this has taken the form of Business Continuity (BC) and Disaster Recovery (DR). However, the technology and processes designed for data resilience do not provide the capabilities needed to achieve cyber resilience in the age of destructive cyberattacks like wipers and ransomware. Clearly, something is not working, and organizations need a shift in tactics to protect their data and infrastructure.

Nearly all new cybersecurity frameworks and regulations, such as NIST Cybersecurity Framework 2.0, the EU’s second Network and Information Security Directive (NIS2) and the EU Digital Operational Resilience Act (DORA), focus on building resilience: not only the ability to prevent and detect cyberattacks, but also to withstand them through response and recovery. These are two functions that have traditionally been underinvested in.

According to Deloitte, the average enterprise has more than 130 different cybersecurity tools in place, the vast majority of which are not sufficiently integrated and operational to prevent organizations from falling victim to a cyberattack. Further investment in prevention and detection is likely to remove only a fraction of the remaining cyber risk, while creating more friction for users, less agility for the organization, more alert fatigue, higher licensing costs, and even more security infrastructure to manage.

James Blake

Global Head of Cyber Resiliency Strategy at Cohesity.

Cyber Resilience and Stopping ‘Double-Tap’ Attacks

Spending on response and recovery (as opposed to detection and prevention) delivers the cyber resilience that these latest frameworks and regulations require: the ability to withstand modern cyberattacks with minimal impact. The challenge is how to achieve cyber resilience in a world where so much has already been invested in cybersecurity tools.

To move to a cyber resilience posture, two things must be established as a foundation. First, the ability to recover must be placed beyond the reach of adversaries. Second, response planning must include provisions for the rapid recovery of not only production systems, but also the security, authentication, and communications platforms needed to respond effectively and efficiently to the incident.

This is a key difference between the traditional approach to data resilience and that of cyber resilience. Data resilience focuses on a small number of root causes that have underpinned business continuity and disaster recovery scenarios for decades: flood, fire, power outage, equipment failure, and misconfiguration. To achieve cyber resilience, we must deal with an adversary that actively seeks to disrupt our response and recovery efforts and continually adapts its behavior.

It is important to recognize here that the response needs of the security operations team are just as important as the recovery needs of the IT operations team to reduce the impact of an attack. Approaches that rush to restore systems without understanding the nature of the attack will not close the gaps in controls that did not prevent or detect the attack.

As a result, an ongoing attack can re-infect recovered systems within minutes. Ransomware gangs are increasingly carrying out ‘double-tap’ attacks, going back to re-attack organizations they previously hit that refused to pay the ransom. These attackers exploit the same vulnerabilities they used to gain access the first time if those have not been closed down. Organizations can also be targeted by other gangs using the same Ransomware-as-a-Service platform.

Cyber resilience is key

That’s why the cyber resilience approach is so important. Because destructive cyberattacks target an organization’s ability to respond and recover, that ability must be protected so it can be exercised safely and quickly. That means recognizing how an attack can compromise existing systems, including security functionality itself. Traditional endpoint security tools struggle to function once an organization has isolated systems in response to ransomware or wipers. Recovering without patching the exploited vulnerabilities and hardening gaps in controls exposes an organization to exactly the same attack again. Overreliance on security tools that may no longer work, or that cannot be trusted even if they do, only exacerbates the problem.

In short, there are a number of key reasons why most organizations fail in this area. The first is that disaster recovery and business continuity approaches are often not well-suited to dealing with cyberattacks. Organizations that incur the highest costs from a destructive cyberattack are those where backups are rendered unusable by the adversary or where attacked systems are restored without proper remediation to remove threats and vulnerabilities.

The second reason is that IT and security operations teams don’t often work together. The findings of the attack investigation are rarely used to decide what must be fixed before systems are restored, so teams often don’t know the best steps to take to prevent re-infection. A third reason is that security controls may not be available after an attack.
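As an added illustration of these failure modes, and not code from the article or from any vendor product, the Python below gates a restore on three checks before a backup goes back into production: the snapshot must predate the adversary’s earliest known access, it must still match an integrity hash recorded outside the backup platform, and it must contain none of the incident’s indicators of compromise. The snapshot names, contents, hashes, IOC strings and the initial-access timestamp are all constructed for the example.

```python
"""Restore gate for cyber recovery (constructed example).

Refuse to return a backup to production unless it (1) predates the
adversary's earliest known access, (2) still matches an integrity hash
recorded outside the backup platform, and (3) contains none of the
incident's indicators of compromise. All snapshots, hashes and IOCs
below are constructed for illustration; nothing here is a real artifact.
"""
import hashlib
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Snapshot:
    name: str
    taken_at: datetime
    content: bytes          # stand-in for the backup image
    recorded_sha256: str    # hash kept on a separate, write-once record


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def find_iocs(content: bytes, iocs: List[bytes]) -> List[bytes]:
    """Return the (hypothetical) IOC byte patterns present in the image."""
    return [ioc for ioc in iocs if ioc in content]


def gate_restore(snap: Snapshot, initial_access: datetime,
                 iocs: List[bytes]) -> Tuple[bool, str]:
    """Decide whether one snapshot is safe to restore, with the reason."""
    if snap.taken_at >= initial_access:
        return False, "taken after initial access"
    if sha256_hex(snap.content) != snap.recorded_sha256:
        return False, "integrity hash mismatch"
    hits = find_iocs(snap.content, iocs)
    if hits:
        return False, "IOC present: " + ", ".join(h.decode() for h in hits)
    return True, "clean"


def select_restore_point(snapshots: List[Snapshot], initial_access: datetime,
                         iocs: List[bytes]) -> Tuple[Optional[Snapshot], Dict[str, str]]:
    """Newest snapshot that passes the gate, plus why each newer one failed."""
    rejected: Dict[str, str] = {}
    for snap in sorted(snapshots, key=lambda s: s.taken_at, reverse=True):
        ok, reason = gate_restore(snap, initial_access, iocs)
        if ok:
            return snap, rejected
        rejected[snap.name] = reason
    return None, rejected   # no clean restore point: rebuild from scratch


# ---- constructed sample data ------------------------------------------
UTC = timezone.utc
INITIAL_ACCESS = datetime(2024, 5, 10, 2, 15, tzinfo=UTC)   # from the investigation
SAMPLE_IOCS = [b"evil-c2.example", b"sticky_keys_backdoor"]  # hypothetical IOCs

CLEAN_IMAGE = b"<ordinary system files>"
TAMPERED_IMAGE = CLEAN_IMAGE + b"\n<backup altered after its hash was recorded>"
EARLY_INFECTED = CLEAN_IMAGE + b"\nsticky_keys_backdoor"   # dwell time predates known access
LATE_INFECTED = CLEAN_IMAGE + b"\nbeacon=evil-c2.example"

SAMPLE_SNAPSHOTS = [
    Snapshot("nightly-2024-05-12", datetime(2024, 5, 12, 1, 0, tzinfo=UTC),
             LATE_INFECTED, sha256_hex(LATE_INFECTED)),
    Snapshot("nightly-2024-05-09", datetime(2024, 5, 9, 1, 0, tzinfo=UTC),
             TAMPERED_IMAGE, sha256_hex(CLEAN_IMAGE)),
    Snapshot("nightly-2024-05-07", datetime(2024, 5, 7, 1, 0, tzinfo=UTC),
             EARLY_INFECTED, sha256_hex(EARLY_INFECTED)),
    Snapshot("nightly-2024-05-05", datetime(2024, 5, 5, 1, 0, tzinfo=UTC),
             CLEAN_IMAGE, sha256_hex(CLEAN_IMAGE)),
]

if __name__ == "__main__":
    chosen, why = select_restore_point(SAMPLE_SNAPSHOTS, INITIAL_ACCESS, SAMPLE_IOCS)
    for name, reason in why.items():
        print(f"rejected {name}: {reason}")
    print("restore from:", chosen.name if chosen else "none (rebuild from scratch)")
```

The 2024-05-07 snapshot is the instructive case: it predates the investigation’s initial-access time and its hash is intact, yet the IOC scan still rejects it, because the adversary’s real dwell time was longer than the timeline showed. A restore process that trusts the timestamp alone would have put that backdoor straight back into production.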

BC/DR priorities typically put critical business applications first, because they are set by the IT Operations team working with the business units, in isolation from security. But it is critical to first re-establish a trusted Minimum Viable Response Capability (MiViRC): the tooling that lets IT and Security Operations collaborate with their internal and external stakeholders to manage the incident, somewhere the adversary cannot observe or disrupt response and recovery operations.

While many data management vendors offer isolated environments focused on the recovery needs of the IT Operations team, they often overlook the intrinsic relationship between response and recovery that is needed to deliver cyber resilience. This should be a key focus if we are to counter the growing threat of ransomware. Organizations need to rethink their security strategies: not follow the herd, but look at a more collaborative, platform approach to resilience. It really is the only way to prevent ransomware from winning.


This article was produced as part of Ny BreakingPro’s Expert Insights channel, where we showcase the best and brightest minds in the technology sector today. The views expressed here are those of the author and do not necessarily represent those of Ny BreakingPro or Future plc. If you’re interested in contributing, you can read more here: https://www.techradar.com/news/submit-your-story-to-techradar-pro
