Ransomware - Funkschau

Ransomware: The Pervasive Business Disruptor Analysing the Trends, Impacts, and How Organisations Can Fortify their Cyber Defences A Frost & Sullivan White Paper

Commissioned by Dimension Data and Cisco Systems

Table of Contents

UNDERSTANDING RANSOMWARE  04
  The genesis of the most popular cyber weapon today  04
  Escalation of ransomware attacks in the digital economy  06
  To pay or not to pay  07
  The secret to ransomware success: Weak security practices and BYOD challenges  07

IMPACT OF RANSOMWARE ON BUSINESSES AND OUR DAILY LIVES  10
  Economic impact  10
  Workforce impact  11
  Human impact  12

FIGHTING BACK  13
  Cyber health checks: Knowing your assets and vulnerabilities  13
  Security solutions: Can they really stop an attack?  14
  Multi-faceted approach to stop the kill chain  14
  Backup and recovery as a strategy  20
  Rethinking networking as a policy enforcer, preventing the spread of malware, and assisting in backup  21

THE LAST WORD  22


Ransomware: The Pervasive Business Disruptor

Understanding Ransomware

The genesis of the most popular cyber weapon today

Ransomware is a type of malware that encrypts files on a victim’s computers and servers until a ransom is paid to unlock them. In recent years, ransomware attacks exploiting key vulnerabilities in operating systems have succeeded where poor cybersecurity practices left systems unpatched, allowing malware to infect and spread. Without a backup and recovery system in place, most organisations and individuals have chosen to pay the ransom in order to have their files restored. As a result, ransomware is fast becoming the most successful revenue-generating malware for cybercriminals, leading to a proliferation of attacks that can infect more than a million devices at one time [1].

Figure 1 details the various stages of a ransomware attack, referred to as a kill chain, in relation to network security. A kill chain, a term coined by the military, describes the different stages of an attack, enabling the defender to plan how to block the attack at any of these specific stages with the appropriate security measures.

[1] Security Week, “3.2 Million Devices Exposed to Ransomware Attacks: Cisco”, April 18, 2016


Figure 1: Ransomware Kill Chain

RECON: Attackers research and gather information about their targets.
STAGE: Attackers use the information gathered to create malvertisements and phishing emails that lure users into clicking the links.
LAUNCH: Users are redirected from credible-looking sites to sites that launch exploit kits and other malicious content.
EXPLOIT: Attackers scan users' systems for vulnerabilities they can exploit and take control.
INSTALL: Ransomware is installed onto the user's system. Additional executables may be installed so that other malware can be transferred to the system in the future.
CALLBACK: Ransomware retrieves encryption keys from the command-and-control (C2) server.
PERSIST: Files on the hard drive, mapped network drives, and USB devices are encrypted. Attackers demand a ransom from users to restore files. The exploit kit can spread to other critical systems.

Source: Cisco, “Ransomware Defense Validated Design Guide”, Sept 2016


Escalation of ransomware attacks in the digital economy

Ransomware is recognised as one of the main threats to digital business. Globally, 49% of businesses reported at least one cyber ransom attack in 2016, of which 39% were ransomware attacks [2]. The US alone recorded a 300% rise in ransomware attacks from 2015 to 2016 [3]. The high-profile WannaCry and Nyetya ransomware reflect a shift towards causing mass disruption, potentially impacting all industries. This trend can also be attributed to the growth of Ransomware-as-a-Service (RaaS) in the first half of 2017 [4], where cybercriminals pay the operators of RaaS platforms to launch the attacks. Ransomware is thus increasingly accessible to cybercriminals, even those without programming skills. Consequently, every enterprise is vulnerable to business disruption if it does not deploy adequate security measures. The following timeline illustrates the rapid evolution of ransomware variants and their growing sophistication and impact, affecting a range of systems from IT devices to speed cameras and power grids.

Figure 2: Timeline of Ransomware Attacks (ordered by year; sophistication and impact increase over time)

1989 AIDS TROJAN: First ransomware variant, spread via floppy disks
2012 REVETON: First mass ransomware attack. Malware was launched when users visited an infected website. Demanded a ransom by impersonating the FBI
2013 CRYPTOLOCKER: Spread via phishing emails. Capable of encrypting files on shared network drives and hard drives
2014 CRYPTOWALL: Spread through exploit kits and spam campaigns
2015 TESLACRYPT: Spread via email and websites. Was also able to encrypt computer game files
2016 LOCKY: Spread through phishing emails and able to encrypt data on mapped and unmapped network shares
2016 SAMSAM: Targeted the healthcare industry via vulnerabilities in the enterprise
2016 RANSCAM: A destructive ransomware that deletes users’ information despite the ransom demand
2017 WANNACRY: Exploitation of the EternalBlue vulnerability with worm-like propagation
2017 NYETYA: A “wiper”, i.e. destructive malware with no decryption key, disguised as ransomware

Sources: US-CERT, Cisco Talos

[2] Cisco, “2017 Mid-Year Cybersecurity Report”
[3] The United States Department of Justice, “How to protect your networks from ransomware”
[4] Cisco, “2017 Mid-Year Cybersecurity Report”


The growing interconnectedness of the world is increasing the intensity and frequency of ransomware attacks, allowing cybercriminals to carry out attacks on a much larger scale. Compared with the AIDS Trojan of 1989, today’s ransomware attacks are far more sophisticated. The WannaCry attacks used a malware worm to spread on its own to the computers connected to the same network, impacting more than 150 countries and numerous key verticals such as government agencies, manufacturing plants, and transportation systems [5]. The cryptocurrency Bitcoin has also become a common avenue for ransom payments, providing anonymity for attackers and allowing cybercriminal activity to evade detection and prosecution by the authorities.

To pay or not to pay

Ransomware typically exploits people’s fear of losing vital files, prompting victims to consider paying up as a quick resolution. The ransom demanded is usually set at a level enterprises deem affordable. Weighing the ransom against the potential revenue loss from business disruption, enterprises often consider paying up the more cost-effective approach [6], which encourages cybercriminals to use the same attack vector to exploit more victims. In fact, ransomware has been cited as the most lucrative malware, bringing in an estimated US$1 billion in profit in 2016, according to the FBI [7]. Research also found that in 2016 over 40% of victims paid the ransom [8]. Attackers are taking advantage of the massive profitability of ransomware, spurring an increase in other ransomware variants.

The secret to ransomware success: Weak security practices and BYOD challenges

Many widely adopted security practices fall short of the ever-evolving demands of computing, and some organisations lack a fundamental understanding of the latest vulnerabilities and of the importance of patch management tools. The situation is exacerbated when employees work remotely and/or on their personal devices, an increasingly popular workplace trend known as Bring Your Own Device (BYOD) that more than 80% of organisations have reportedly adopted. While BYOD saves organisations costs and gives employees the convenience of working remotely [9], it also introduces data security challenges and exposes corporate networks to cyber-attacks. Organisations need to ensure that devices are well managed, with adequate security controls and timely patching, across all operating systems used on laptops and mobile devices.

The WannaCry ransomware was able to spread rapidly because endpoints were not patched, although Microsoft had released the patch as soon as the vulnerability was discovered [10].

[5] The Verge, “The WannaCry ransomware attack has spread to 150 countries”, May 14 2017
[6] SC Media, “Your money or your files: Why do ransomware victims pay up?”, May 25 2017
[7] CNN, “Cyber-extortion losses skyrocket, says FBI”, April 15 2016
[8] Security Magazine, “40 Percent of Enterprises Hit by Ransomware in the Last Year”, Aug 4 2016
[9] Forbes, “Has Bring Your Own Device to work become inevitable?”, Aug 14 2015
[10] CNBC, “The WannaCry ransomware attack could have been prevented. Here’s what businesses need to know”, May 17 2017


IMPACT OF RANSOMWARE ON BUSINESSES AND OUR DAILY LIVES

The highly lucrative ransomware business model continues to motivate cybercriminals to develop a vast array of evolving attack techniques, fully monetising valuable information from compromised systems.

“The breadth and depth of recent ransomware attacks alone demonstrate how adept adversaries are at exploiting security gaps and vulnerabilities across devices and networks for maximum impact.”

Cisco, 2017 Midyear Cybersecurity Report

Economic impacts

According to threat researchers, the top four industries reporting ransomware are business and professional services (28%), government (19%), healthcare (15%), and retail (15%) [11]. The impact of a ransomware attack on these critical industries could have serious, even fatal, consequences. Since ransomware can inflict direct damage, to a greater or lesser degree, on any business, no industry is safe.

The main reason behind the success of ransomware is that organisations are largely unprepared for an attack. The WannaCry outbreak spread fast through its wormable self-propagation capability, leveraging the largely outdated and unsupported hardware or software in many organisations’ network infrastructure, which lacked adequate countermeasures and updates. The financial setback from an attack can be high, from the cost of system outage to potentially long-lasting reputational damage and loss of public confidence in the compromised companies. Business recovery activity that requires additional manpower and time can also hurt productivity. Organisations also need to absorb the cost of repairing affected systems, networks or devices, as well as of upgrading their whole network security system to enhance cyber resilience.

[11] NTT Security, “The 2017 NTT Security Global Threat Intelligence Report”

Workforce impacts

Fast-evolving ransomware variants continue to disrupt businesses worldwide and exploit vulnerable systems. One ransomware variant, Petya, targeting mostly critical infrastructure and the industrial sector, surfaced in June 2017. Petya works by spreading through the victim’s industrial control systems, leading to disruption of production or service interruption. In August 2015, a ransomware attack hit a furniture factory in Goiás, Brazil, causing the loss of customer and supplier information. The victim was forced offline for 15 days, losing US$100,000 in production revenue due to the outage [12]. To date, the largest business impact from a ransomware attack has been an estimated US$200 million to US$300 million in losses for an international shipping firm which could not move cargo for two days at affected terminals and took two weeks to recover [13]. As many manufacturers still use older platforms to support their operations, a ransomware attack can directly harm the internal operations of the affected organisations. With the rising connectivity between machines and factories, an attack may not only impact manufacturers’ revenues but also endanger workers if the infected systems are safety-related. The following list highlights other workforce impacts observed in recent ransomware attacks:

- Halting of production lines in manufacturing, resulting in delayed goods delivery and high operating losses
- Workers paid to perform production tasks could not do so, resulting in lost man-hours
- Computer-based point-of-sale (POS) systems could not process payment transactions, resulting in customer dissatisfaction and revenue loss for retailers
- Hospitals had to redirect patients, including critical cases at the accident and emergency department, to other hospitals because their computer systems were inoperable

The impact of a ransomware attack on an industry could be more serious still, where temporary or permanent loss of confidential data and intellectual property could have irreversible repercussions on the business.

[12] Dark Reading, “Ransomware Rising On The Plant Floor”, 11 Jan 2017
[13] Los Angeles Times, “Cyberattack cost Maersk as much as $300 million and disrupted operations for 2 weeks”, 17 August 2017


The human impact

To an individual, a ransomware attack can be a devastating experience. Beyond the financial loss, the emotional trauma victims suffer can have a long-lasting effect. A telling example is the Jigsaw ransomware, which uses horror-movie imagery and references to distress and pressure the victim into paying. It threatens to delete a portion of the encrypted files every 60 minutes, or each time the infection is restarted, unless the victim pays a ransom of US$150 [14].

Other psychological tactics adopted by ransomware attackers include threatening to publicly reveal captured sensitive data, to make encrypted files unrecoverable after a given amount of time, or to render all computers or machines unbootable. With these strategies, the attackers aim to make attacks more profitable and increase the likelihood of receiving the ransom payment. Victims are also reported to become more depressed and traumatised in cases where the data, files or devices remain inaccessible even after the ransom is paid.

“Cyber is not a victimless crime. It can be moderately distressing at the very least, and severely distressing to others, and it’s important to understand that people do feel victimised.”

Terri Howard, FEI Behavioral Health

[14] Bleeping Computer, “Jigsaw Ransomware Decrypted: Will delete your files until you pay the Ransom”, 11 April 2016


FIGHTING BACK

Ransomware attacks undoubtedly signal a critical need for improvements to cybersecurity irrespective of industry or organisation size.

The key goal here is to disrupt the ransomware kill chain or any variant of malware attempt from being successful, before it becomes your organisation’s business disruptor.

Cyber health checks: Knowing your assets and vulnerabilities

The success of ransomware attacks has largely been due to poor patching practices or to devices running operating systems that have reached end of life and end of support. The use of outdated devices is common in the healthcare, manufacturing, and utilities industries. Employees bringing personal devices onto the corporate network also introduce another vulnerable attack point, as those devices may not adhere to the organisation’s security standards. Regular vulnerability scans, together with penetration tests, should be considered to determine whether an organisation has the right cybersecurity posture to defend itself against ransomware and other advanced malware and cyber-attacks (e.g., intrusion attacks, denial-of-service attacks). The domains of process, people, and technology should also be evaluated and continuously improved to ensure resilience during a cyber-attack.


Security solutions: Can they really stop an attack?

Enterprises build up new security solutions over time to protect their infrastructure, but many adopt a “set and forget” policy instead of routinely making adjustments to mitigate new threats. For example, the WannaCry ransomware campaign exploited the SMB protocol; because the default setting of most firewalls leaves this protocol open, the worm was free to propagate and infect more machines within the same network. Security tools may not have the right configuration or features to mitigate the latest threats. Infiltration techniques are also growing in sophistication: ransomware built on zero-day exploit code can appear benign to outdated security tools and evade them. In light of this, sandboxing will be a key feature organisations need in their network security controls: first determine whether a file is known-good or known-bad, and detonate any suspect file in a safe virtual environment before it is delivered to the user. Such technology was initially a niche, advanced security product; it is now available mainstream through cloud-based services on firewalls and endpoints, and has been enhanced to defeat advanced techniques that attempt to circumvent the sandbox. Security managers may not be well versed in the latest security measures, requiring the skills of experts or partners who stay constantly up to date on the latest attack techniques to regularly assess security controls and implement solutions as needed.
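As an added illustration of the “set and forget” firewall problem described above (example code written for this edit, not from Frost & Sullivan, Dimension Data or Cisco), the following Python script audits a constructed first-match firewall ruleset for SMB reachability from untrusted zones and shows the explicit deny rule that closes the gap without disturbing legitimate internal file sharing. The zone names, rule names and the ruleset itself are assumptions made for the example.

```python
"""Audit a first-match firewall ruleset for SMB exposure from untrusted zones.

Added example, not the white paper's code. Rules are evaluated top to bottom
with an implicit final deny; the ruleset below is constructed to show the
"permit anything not listed" default that leaves TCP/445 open.
"""
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

# SMB and NetBIOS ports; TCP/445 is the one the WannaCry worm used to spread
SMB_PORTS = {("tcp", 445), ("tcp", 139), ("udp", 137), ("udp", 138)}
UNTRUSTED_ZONES = {"internet", "guest"}   # assumed zone names
INTERNAL_ZONES = ("lan", "servers")       # assumed zone names


@dataclass
class Rule:
    name: str
    src_zone: str                 # "any" matches every zone
    dst_zone: str
    proto: str                    # "tcp", "udp" or "any"
    ports: Optional[Set[int]]     # None means every port
    action: str                   # "allow" or "deny"

    def matches(self, src_zone: str, dst_zone: str, proto: str, port: int) -> bool:
        return (self.src_zone in ("any", src_zone)
                and self.dst_zone in ("any", dst_zone)
                and self.proto in ("any", proto)
                and (self.ports is None or port in self.ports))


def evaluate(rules: List[Rule], src_zone: str, dst_zone: str,
             proto: str, port: int) -> Tuple[str, str]:
    """Return (action, rule name) for the first matching rule; implicit deny otherwise."""
    for rule in rules:
        if rule.matches(src_zone, dst_zone, proto, port):
            return rule.action, rule.name
    return "deny", "<implicit-deny>"


def find_smb_exposure(rules: List[Rule]) -> List[dict]:
    """Probe every untrusted->internal SMB flow and list those the ruleset allows."""
    findings = []
    for src in sorted(UNTRUSTED_ZONES):
        for dst in INTERNAL_ZONES:
            for proto, port in sorted(SMB_PORTS):
                action, name = evaluate(rules, src, dst, proto, port)
                if action == "allow":
                    findings.append({"src": src, "dst": dst, "proto": proto,
                                     "port": port, "rule": name})
    return findings


def harden(rules: List[Rule]) -> List[Rule]:
    """Prepend explicit SMB denies for each untrusted zone; first-match makes them
    win without touching legitimate LAN-to-server file sharing further down."""
    blocks = [Rule(f"deny-smb-from-{zone}", zone, "any", "any",
                   {port for _, port in SMB_PORTS}, "deny")
              for zone in sorted(UNTRUSTED_ZONES)]
    return blocks + rules


# Constructed "set and forget" ruleset: a few specific allows, then a permit-all default
WEAK_RULESET = [
    Rule("allow-web-to-dmz", "internet", "dmz", "tcp", {80, 443}, "allow"),
    Rule("allow-lan-to-servers", "lan", "servers", "any", None, "allow"),
    Rule("allow-guest-to-internet", "guest", "internet", "any", None, "allow"),
    Rule("default-permit", "any", "any", "any", None, "allow"),   # the weak setting
]

if __name__ == "__main__":
    for finding in find_smb_exposure(WEAK_RULESET):
        print("EXPOSED:", finding)
    print("after hardening:", find_smb_exposure(harden(WEAK_RULESET)))
```

The audit treats the ruleset as data, so the same probe set can be run against an exported configuration before and after a change; the point of the hardening step is that the deny sits above any permit-all entry, which is where first-match evaluation needs it.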

Multi-faceted approach to stop the kill chain

The principle of defence in depth across the end-to-end enterprise infrastructure calls for a multi-layered approach, ranging from awareness of what attackers are working on in the dark web to training end users to spot phishing attacks. Where and how to build the defence are critical considerations for effectively reducing risk and mitigating vulnerabilities. Security technologies, alongside qualified professionals who monitor threats in real time and manage the security tools, are essential to continuously harden the organisation’s infrastructure. In the event of a successful cyber-attack, dynamic networking is also crucial to isolating the infection and restoring files from a clean backup, ensuring continuity of business operations and reducing the impact of the breach.


Frost & Sullivan recommends that organisations consider the following framework as part of their defence strategy against ransomware:

Figure 3: Framework for Ransomware Defence (Predict, Protect, Detect, Respond, Recover)

Predict

Gain greater visibility of cyber threats and dark web activity to proactively identify vulnerabilities before they become new exploits that target the industry or company, and stay informed before an attack occurs. Deception tools, such as honeypots, can be used to observe the attack sequence or behaviour. Threat intelligence feeds that monitor attacks occurring elsewhere are also essential to alert organisations to emerging threats before they hit the corporate network. Threat intelligence providers continuously analyse intelligence feeds from multiple sources, filtering insights to produce actionable outcomes and hardening security control systems against vulnerabilities.


Simply certifying that an organisation’s firewall, anti-malware, and similar protective measures are up to date is not always enough to protect it from today’s malicious threats. Threat intelligence services help level the playing field by enabling organisations to stay updated on threats to their IT infrastructure, allowing security professionals to proactively close security holes and take action to prevent data loss or system failures.

Protect

Identity and Access Management (IAM) tools are essential for identifying the enterprise’s devices and computing assets, while Network Access Control (NAC) ensures that devices comply with IT security policies before they are allowed onto the network. These solutions can also determine which patches have been applied and whether the user is vulnerable to the latest threats. All endpoints used by the enterprise should have adequate protection from next-generation endpoint security that relies not only on signatures but also on streaming-based techniques to prevent successful exploitation of vulnerabilities across all operating systems (Windows, Android, macOS, iOS). Next-Generation Firewalls (NGFW) add a further layer of anti-malware scanning for known bad files, plus cloud-based sandboxing for unknown and new malware. Email security solutions can also block these threats and inbound phishing mail from suspicious domains, as well as remove spam.

Applying web and DNS security can effectively prevent the download of a ransomware payload after a user clicks a malicious link.

Educating users on how to identify phishing emails and not to click on suspicious links is also vital to reducing the possibility of a successful malware download onto a device.

Detect

Should malware infiltrate the endpoints or network, technologies should be in place to detect anomalies in the enterprise infrastructure. Security analysts should monitor the network around the clock for indicators of compromise and evaluate threats using security information and event management (SIEM) tools. Turning on AI-enabled malicious traffic detection in networking equipment, to look out for command-and-control traffic, can help automate detection before an attack worsens.

Active threat hunting can also be carried out to detect malware and ransomware that have already infiltrated the network and devices. This is especially useful for hunting new ransomware that is propagating but has yet to encrypt files. Breach detection technologies such as deception tools, together with 24/7 threat monitoring services, can be deployed in strategic locations to detect propagating ransomware: the sensors trip as it spreads, providing an early-warning system similar to smoke alarms in a building.
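As an added example (not part of the white paper), the following Python code shows two of the detections a SIEM or threat-hunting team would run over the logs discussed above: SMB fan-out from one host to many internal peers, which is the worm-like propagation WannaCry used, and DNS queries to domains on a threat-intelligence blocklist, which corresponds to the Callback stage of the kill chain. It then correlates the two so that a host matching both is quarantined first. The firewall and DNS log lines, addresses and the blocklist are all constructed for the example; the `.test` domains are placeholders, not real indicators.

```python
"""Two ransomware kill-chain detections over constructed log lines (added example).

(a) SMB fan-out: one internal host opening TCP/445 to many distinct internal
    hosts in a short window, the worm-like propagation seen with WannaCry.
(b) C2 callback: DNS queries for domains on a threat-intelligence blocklist,
    the stage where ransomware fetches its encryption key from its C2 server.
All log lines, hosts and domains below are constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import ipaddress

# Constructed firewall connection log: "<timestamp> <src_ip> <dst_ip> <proto>/<dport> <action>"
FIREWALL_LOG = """\
2017-05-12T10:00:01 10.0.1.15 10.0.1.20 tcp/445 allow
2017-05-12T10:00:02 10.0.1.15 10.0.1.21 tcp/445 allow
2017-05-12T10:00:02 10.0.1.15 10.0.1.22 tcp/445 allow
2017-05-12T10:00:03 10.0.1.15 10.0.1.23 tcp/445 allow
2017-05-12T10:00:03 10.0.1.15 10.0.1.24 tcp/445 allow
2017-05-12T10:00:04 10.0.1.15 10.0.1.25 tcp/445 allow
2017-05-12T10:00:05 10.0.1.15 10.0.1.26 tcp/445 allow
2017-05-12T10:00:05 10.0.1.15 10.0.1.27 tcp/445 allow
2017-05-12T10:00:06 10.0.1.15 10.0.1.28 tcp/445 allow
2017-05-12T10:00:06 10.0.1.15 10.0.1.29 tcp/445 allow
2017-05-12T10:00:07 10.0.1.15 10.0.1.30 tcp/445 allow
2017-05-12T10:00:09 10.0.1.40 10.0.2.5 tcp/445 allow
2017-05-12T10:05:00 10.0.1.40 10.0.2.5 tcp/445 allow
2017-05-12T10:30:00 10.0.1.15 10.0.1.31 tcp/445 allow
"""

# Constructed DNS query log: "<timestamp> <client_ip> <qname>"
DNS_LOG = """\
2017-05-12T09:59:58 10.0.1.15 updates.example-vendor.test
2017-05-12T10:00:00 10.0.1.15 key-server.c2-placeholder.test
2017-05-12T10:00:30 10.0.1.40 mail.example-corp.test
"""

# Constructed threat-intelligence blocklist (placeholder domain, not a real IoC)
C2_BLOCKLIST = {"key-server.c2-placeholder.test"}

INTERNAL = ipaddress.ip_network("10.0.0.0/8")   # assumed internal address space


def detect_smb_fanout(log_text, threshold=10, window=timedelta(seconds=60)):
    """Return {src_ip: peak distinct peers} for hosts that reach >= threshold
    distinct internal peers on TCP/445 inside any sliding window of `window`."""
    events = defaultdict(list)   # src -> [(timestamp, dst)]
    for line in log_text.splitlines():
        ts, src, dst, service, action = line.split()
        if service != "tcp/445" or action != "allow":
            continue
        if ipaddress.ip_address(dst) not in INTERNAL:
            continue                      # only lateral (internal) connections count
        events[src].append((datetime.fromisoformat(ts), dst))
    alerts = {}
    for src, evs in events.items():
        evs.sort()
        start = 0
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:
                start += 1                # slide the window forward
            peers = {dst for _, dst in evs[start:end + 1]}
            if len(peers) >= threshold:
                alerts[src] = max(alerts.get(src, 0), len(peers))
    return alerts


def detect_c2_callbacks(log_text, blocklist):
    """Return [(client_ip, qname)] for queries matching the blocklist (exact or subdomain)."""
    hits = []
    for line in log_text.splitlines():
        _, client, qname = line.split()
        q = qname.lower().rstrip(".")
        if any(q == bad or q.endswith("." + bad) for bad in blocklist):
            hits.append((client, q))
    return hits


def correlate(fanout, callbacks):
    """Hosts seen both calling back to C2 and fanning out over SMB: quarantine these first."""
    callers = {client for client, _ in callbacks}
    return sorted(host for host in fanout if host in callers)


if __name__ == "__main__":
    fanout = detect_smb_fanout(FIREWALL_LOG)
    callbacks = detect_c2_callbacks(DNS_LOG, C2_BLOCKLIST)
    print("SMB fan-out:", fanout)
    print("C2 callbacks:", callbacks)
    print("Quarantine first:", correlate(fanout, callbacks))
```

The fan-out threshold and window are tuning knobs: a file server that legitimately talks to many clients on 445 would need an allow-list, while a workstation that reaches ten distinct peers in a minute almost never has a benign explanation. The DNS check is deliberately simple (exact or subdomain match) because a blocklist from a threat-intelligence feed changes far more often than the matching logic.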


Respond

First and foremost, an organisation should have a detailed incident response plan that includes ransomware scenarios, and a dedicated incident response team. Upon detection of a ransomware incident, security analysts should promptly block the malicious communication channels at the firewall or IPS and quarantine infected machines as soon as possible. Network access control technologies can tag the infected user into quarantine mode and prevent the malware from spreading within the organisation.

Endpoint security tools should be used to eradicate the malware while the machine is under quarantine, and the rest of the network should be scanned thoroughly for traces of the ransomware on other devices, which requires endpoint forensics tools for visibility. Breach detection technology can be quickly redeployed in areas after they have been cleaned, to verify that an area is thoroughly clean of ransomware and to monitor for any new infection. A new infection may indicate that the security controls deployed are ineffective.

Recover

Backup is the last bastion against a successful ransomware attack: if the enterprise can recover its files from backup, the ransomware operator will not be paid. Backup therefore plays a critical role in the strategy for fast recovery. The backup system needs to prevent the replication of files maliciously encrypted by ransomware, which can be achieved with dynamic segmentation and inherent security features. Learning from an attack, building security awareness throughout the organisation, determining areas that require improvement, and hardening security technologies to prevent the next ransomware occurrence are critical processes that should not be ignored. Information about an attack can also contribute to threat intelligence (under Predict) to warn other organisations of a similar ransomware attack.

The following graphic shows the complete suite of technology solutions and security services that are essential to building an effective defence framework against ransomware:

RANSOMWARE DEFENCE – A MULTI-FACETED APPROACH COMPRISING SECURITY SERVICES AND TECHNOLOGIES

Attack path

Dark Web: Cybercriminals discuss and exchange code for new exploitable techniques on the dark web, and plan to launch ransomware attacks after successful trials.
Internet: Ransomware is sent via phishing emails to trick users into executing the file or clicking on a web link that downloads the payload.
Endpoint: The endpoint gets infected; ransomware encrypts files and starts worming its way into the network to infect other devices.
Backup: Backup files stored in general public cloud storage systems may be encrypted by ransomware during replication.

Security technologies

Threat Research and Intelligence: Continuous research on known and emerging threats, empowering security and networking gear with threat intelligence.
DNS Security: Protects remote employees from downloading the ransomware payload whenever they click on a malicious link.
Email and Web Security: Reduces spam email that may contain malware, while real-time URL filtering blocks visits to malicious websites.
Next-Generation Firewall (NGFW): Inspects traffic at the application layer, blocks known ransomware files through AV signatures, and detonates suspicious files in a cloud-based sandbox.
Advanced Sandboxing: Performs deep file analysis to determine whether a file is malicious, and quarantines it before it affects the network.
Secure Networking with Identity Access Management (IAM) + Network Access Control (NAC): Secure routers and switches with IAM and NAC ensure that the infected user gets tagged and quarantined, preventing the spread of malware. Dynamic networking also prevents infected machines from infecting data centres and related backup systems, facilitating the restoration process once the malware is cleaned.
Next-Generation Endpoint Security: Provides the last line of defence, with capabilities for detecting zero-day malware, monitoring continuously, and recording malicious behaviour at the endpoint across any operating system.
AI-enabled malicious traffic detection: Sniffs out malware occurrences by analysing metadata and picking up any traces of lateral malicious movement between devices.
Secure Backup and Recovery: A secure backup solution to help recover files promptly after a ransomware attack. The solution can interpret and back up only valid data (not maliciously encrypted or corrupted) at regular intervals, with sufficient offline backup copies.
Human Factor Mitigation: Educates users on how to identify a phishing email and on other cyber hygiene practices, as a critical defence strategy to minimise the chance of ransomware infection.

SECURITY OPERATIONS CENTRE (SOC)

Staffed by trained and qualified security analysts, the SOC provides a variety of services that enable an organisation to achieve the right resilience towards ransomware attacks:

PROACTIVE 24/7 MONITORING AND DETECTION: Real-time monitoring of incoming threats to the enterprise network through the correlation of logs and packets from multiple security tools, coupled with hunting for and detecting dormant threats.
DARK WEB SURVEILLANCE AND ALERTS: Active observation of dark web activity to understand the next wave of attacks, with alerts so that the organisation can prioritise the key areas to patch and be ready to defend.
MANAGEMENT OF SECURITY TECHNOLOGIES: Adjustments, firmware, and signature updates for the security technologies used in the network, to ensure optimum efficacy in ransomware defence.
INCIDENT RESPONSE: Isolation and containment of infected devices, eradication of the ransomware and any traces in the corporate network, recovery of files from backup, and forensics to determine the root cause so as to improve security.


While the focus for most enterprises is on cybersecurity technology and services for ransomware defence, it is equally important to incorporate data centre and networking technologies into a holistic strategy for tackling the before, during, and after of a ransomware attack.

Backup and recovery as a strategy

Backup and disaster recovery best practices, adopted as a strategy, can effectively minimise the impact of a ransomware attack on an organisation. A comprehensive backup solution for physical, virtual, converged, and hyper-converged environments is ideal for managing, protecting, and recovering data across all applications and infrastructures. When cloud-based storage services are used, ransomware can reach data in the cloud because endpoint-to-cloud synchronisation services are prevalent in the business environment. This necessitates inherent protection features, such as interpreting and backing up only valid data that has not been maliciously encrypted by ransomware. A resilient backup strategy includes backing up data at regular intervals, keeping offline backup copies, and frequently testing the full backup and recovery process. The backend infrastructure of the backup solution has to scale easily and quickly without compromising performance. A single management interface that gives users a simplified backup, archive, and recovery process can ease infrastructure-complexity concerns, especially for large organisations with multiple sources and types of data, files, and systems. In case of a ransomware attack, automated disaster recovery processes and workflow automation tools are critical for real-time alerting and a system isolation strategy, accelerating the recovery process.

It is also critical for the backup and recovery strategy to address speed of recovery. In critical verticals such as healthcare and utilities, where human lives are at stake, data must be recovered promptly.
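To make concrete the idea of “interpreting and backing up only the valid data” (the same concern raised under Recover, that the backup system must not replicate maliciously encrypted files), here is an added Python example that is not from the white paper or its sponsors. It admits a file into the next backup generation only if its content is consistent with the type its name implies and its byte entropy is not that of ciphertext, and it never lets a rejected file overwrite the previous good copy. The sample files, the entropy threshold and the format signatures are assumptions constructed for the example.

```python
"""Backup admission check that refuses to replicate maliciously encrypted files
and keeps the previous good generation (added example, not the paper's code).

A freshly encrypted file has near-maximum byte entropy and no longer carries the
header its extension implies. Sample files below are constructed in memory.
"""
import hashlib
import math
from collections import Counter

# Expected leading bytes for a few document types (docx/xlsx are zip containers)
MAGIC = {".docx": b"PK\x03\x04", ".xlsx": b"PK\x03\x04",
         ".pdf": b"%PDF-", ".png": b"\x89PNG"}
# Formats that are legitimately high-entropy, so entropy alone must not reject them
COMPRESSED = {".zip": b"PK\x03\x04", ".gz": b"\x1f\x8b",
              ".png": b"\x89PNG", ".jpg": b"\xff\xd8\xff"}
ENTROPY_LIMIT = 7.5   # bits per byte (assumed); text and office XML sit well below


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; 8.0 is the maximum (uniform bytes, as in ciphertext)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def extension(path: str) -> str:
    dot = path.rfind(".")
    return path[dot:].lower() if dot >= 0 else ""


def looks_encrypted(path: str, data: bytes) -> bool:
    """True when the content is incompatible with the file type the name implies."""
    ext = extension(path)
    if ext in MAGIC and not data.startswith(MAGIC[ext]):
        return True                  # header destroyed: classic sign of in-place encryption
    if ext in COMPRESSED and data.startswith(COMPRESSED[ext]):
        return False                 # high entropy is expected for this format
    return shannon_entropy(data) > ENTROPY_LIMIT


def plan_backup(current: dict, previous: dict) -> dict:
    """Decide per file: 'accept' (copy the new version over the old), 'new'
    (first backup of this path) or 'reject' (keep the previous generation)."""
    decisions = {}
    for path, data in current.items():
        if looks_encrypted(path, data):
            decisions[path] = "reject"
        else:
            decisions[path] = "accept" if path in previous else "new"
    return decisions


def apply_plan(current: dict, previous: dict, decisions: dict) -> dict:
    """Build the next backup generation; rejected paths retain the previous data."""
    nxt = dict(previous)
    for path, decision in decisions.items():
        if decision != "reject":
            nxt[path] = current[path]
    return nxt


def pseudo_ciphertext(seed: bytes, length: int = 4096) -> bytes:
    """Deterministic high-entropy bytes standing in for ransomware output (constructed)."""
    out, block = b"", seed
    while len(out) < length:
        block = hashlib.sha256(block).digest()
        out += block
    return out[:length]


# Constructed sample: yesterday's good backup and today's state after an infection
PREVIOUS = {
    "finance/q3-report.docx": b"PK\x03\x04" + b"word/document.xml" * 40,
    "notes/todo.txt": b"1. rotate backup tapes\n2. test restore\n" * 20,
}
CURRENT = {
    "finance/q3-report.docx": pseudo_ciphertext(b"docx"),      # header gone, entropy ~8
    "notes/todo.txt": pseudo_ciphertext(b"txt"),                # text file, now random bytes
    "photos/team.png": b"\x89PNG" + pseudo_ciphertext(b"png"),  # genuinely compressed, keep
    "hr/handbook.pdf": b"%PDF-1.4\n" + b"%% page content\n" * 50,
}

if __name__ == "__main__":
    plan = plan_backup(CURRENT, PREVIOUS)
    print(plan)
    print(sorted(apply_plan(CURRENT, PREVIOUS, plan)))
```

The two signals are deliberately combined: entropy alone would reject every archive and image, and a header check alone would miss plain text that has been overwritten with ciphertext. Keeping the previous generation for rejected paths is what turns the check into protection; without it a scheduled job would faithfully replace the last good copy with the encrypted one, which is exactly the cloud-synchronisation failure the section describes.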


Rethinking networking as a policy enforcer, preventing the spread of malware, and assisting in backup

IAM and NAC enforcement tools enable organisations to defend themselves against the proliferation of ransomware by managing secure network access. Key features include improved network visibility, threat containment, and network segmentation. To provide better visibility, these features gather information about all corporate and personal endpoints connected to the enterprise network and can determine an endpoint’s level of vulnerability based on its patch levels. If necessary, the affected endpoint can be quarantined off the network to prevent attackers from exploiting these vulnerabilities.

NAC provides an additional layer of security by allowing endpoints to be segmented into different security group tags for policy enforcement, limiting lateral movement. When an endpoint is infected, the IAM and NAC systems are alerted and, working alongside the enterprise’s firewalls and intrusion prevention systems, can limit the infected endpoint’s network access by changing its security group tag. Because lateral movement is restricted, the ransomware cannot propagate across the enterprise network, and the infected endpoint stays isolated until remedial actions are taken. Software-defined networking is also useful for achieving dynamic segmentation, where users, applications, and virtual machine instances can each be segmented. In the event of a ransomware incident, the connection to the data centre for backup is isolated, and is only restored to recover the files once the malware has been eradicated.


THE LAST WORD

In highlighting the rise and impact of ransomware as a business disruptor, organisations need to rethink their security strategy before it is too late. Below are key takeaways to consider in building a defence strategy to not only combat ransomware, but also achieve a resilient security posture towards any type of cyber-attack.

Ransomware is merely a distractor in the overall threat landscape

While high-profile ransomware attacks have gained significant attention worldwide, it is important to recognise that ransomware is just one of many threats to an organisation. There could be other dormant malware exfiltrating data stealthily, along with injection attempts on web servers or denial-of-service attacks that organisations should be prepared to defend against. Businesses should consider a proper review by third-party service providers, who bring an impartial view of the existing technology and skill sets for handling cyber-attacks as a whole, instead of focusing on ransomware as the only attack vector.

Importance of business impact analysis

Improving security practices requires adequate budgets. Corporations can justify IT spending by performing business impact analysis to prioritise key assets that need stronger protection. Impact analysis can also quantify the potential costs of a successful cyber-attack, and evaluate the need to spend on security controls to reduce the probability of an attack that could adversely impact the business.


Deep threat intelligence and research are key to outsmarting cybercriminals

Constant research on new cyber-attack vectors, such as the release of new zero-day exploits, requires a team of well-trained analysts with the right expertise to outsmart adversaries. For companies looking for a technology partner to bolster their cyber defences, it is critical to consider the partner’s ability to gather threat intelligence from various available sources, perform extensive malware research such as reverse engineering, and harden security solutions across the network.

Planning forward: Vendor consolidation and cloud security readiness

Some of the security controls and features highlighted in this paper can be delivered through one integrated solution instead of several mitigation appliances. Currently, there is a drive towards vendor consolidation, with fewer user interfaces and point products from different vendors, to make solutions more sustainable and manageable instead of having to grapple with a sprawl of security devices. Aligning on a single platform can be cost-effective and facilitate easier integration, lowering the total cost of ownership and simplifying user agreement negotiations and budget justifications. It is advisable to seek the help of consultants from a reputable security service provider to plan this defence framework constructively. Likewise, it is essential to plan ahead and ensure that new security controls are “cloud ready” as more enterprises shift workloads to the cloud, so that cloud adoption does not become a hindrance rather than a growth enabler for organisations.

GLOBAL

877.GoFrost

[email protected]

Copyright Notice

The contents of these pages are copyright © Frost & Sullivan. All rights reserved. Except with the prior written permission of Frost & Sullivan, you may not (whether directly or indirectly) create a database in an electronic or other form by downloading and storing all or any part of the content of this document. No part of this document may be copied or otherwise incorporated into, transmitted to, or stored in any other website, electronic retrieval system, publication or other work in any form (whether hard copy, electronic or otherwise) without the prior written permission of Frost & Sullivan.