As ransomware attacks increase, security teams and the media focus on dealing with the ransomware attack itself. However, there is an earlier phase to ransomware that we don’t hear about often enough – the botnet infection. VerSprite’s Threat Intelligence Director shows why it’s important for us to turn our sights to the first cyber kill chain.
Let’s talk modern ransomware.
Ransomware is a type of malware used to encrypt a victim’s data and make it inaccessible to the organization, hobbling business operations. The cybercriminal or gang then holds the victim organization to ransom, demanding an exorbitant amount of cryptocurrency to restore access and, with it, the organization’s revenue flow.
Ransomware as an attack model is the same as it has ever been, but the tactics, techniques, and procedures have evolved.
Under the best of circumstances, ransomware has long been a challenge for even the best-prepared cybersecurity teams. Lately, we have seen an unprecedented rise in the number and complexity of these attacks. (In 2016, estimates put a business being hit by ransomware every 40 seconds; 2021 is predicted to see a fourfold increase, to one every 11 seconds.) Ransomware gangs have evolved into enterprises with marketing, PR, and partner programs. Some cyber-gangs even provide Ransomware as a Service. As with all businesses on the rise, the ransoms have skyrocketed as well, sometimes settling at double or triple the amount originally asked.
2021 is on track to see an average global ransomware damage cost of $20 billion, almost double the $11.5 billion reported for 2019.
Business has been good to them.
Let’s take a few moments to discuss the modern ransomware distribution model that my Threat Intelligence team at VerSprite detects. Almost every major ransomware incident in the news lately has had a two-part delivery, and as such, two cyber kill chains. The one we all focus on and hear about in the media is the second in this chain of chains, the ransomware. However, there is an earlier phase that we don’t hear about often enough, the botnet infection.
Many of the major ransomware strikes we see today are preceded by a botnet infection on the target’s network. We have seen these botnets go undetected, or worse, ignored, for periods ranging from 11 days to as many as 42 days before they strike. This gives the adversary plenty of time to plan how to evade defenses, identify targets, and gain access.
Lack of early detection allows ransomware gangs to choose their battlefield very carefully, which gives them the advantage. The key to combatting ransomware is to take this advantage away.
We must choose where this battle occurs. We must intercept them earlier in the first kill chain when the botnet command and control is established.
Defeating ransomware takes a manifold approach, including Endpoint Security, SIEM, Threat Vulnerability Management (TVM), and Endpoint Configuration. However, the best cybersecurity is a combination of processes, procedures, and systems that push your circles of defense outward from your assets.
I often speak about “aggressive Blue Teams,” and this is exactly what I mean. It is better to have the battle on someone else’s territory. In cybersecurity, we used to accomplish this with edge defenses, but that is no longer the only territory we have to defend. Cloud services and a massively distributed workforce have driven home the need to consider each environment, and each endpoint, as the network edge. In the past six years, we have seen more focus on those targets in both defensive and adversarial tactics. We must respond by expanding our circle of defense into the networks beyond our control.
As an industry, infosec must shift the way we think about this problem. Reactionary behavior will always keep us in the position of dealing with the fallout. We must think about this in a constant state of pre-work as if we know we will be hit. Once we accept this, we may operate from a hunter’s footing and shift the timeline of events to not be in the adversary’s favor. Time is the battleground here, not your network edges. Thinking that the edges of your assets are where the battle is will leave you in the position of operating in a siege mentality. While this is a valid assessment, this approach will never allow you to gain ground on the adversaries attacking your network.
As a thought experiment, let us assume that at some point your assets will be hit by ransomware. What would you do to try to delay the inevitable?
Knowing a ransomware attack is inevitable puts you in the position to be in the right place on the timeline to disrupt the attack. Endpoint protection should be the last ring of defense against these attacks. The next ring is detection and response systems (think SIEM and SOAR/Network monitoring), but what then?
As it stands, detection of these botnets is not always trivial. Their communications are not consistent, and they are good at looking innocuous. But they do exchange data with their operators, and data in transit is where it is exposed to observation.
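To make the point concrete, the following is an added example (not code from the original post or from VerSprite) of the kind of check a SIEM or network-monitoring ring can run: it groups egress connections by source and destination and flags pairs whose check-in interval and payload size stay nearly constant, so that a jittered, low-volume botnet beacon stands out from ordinary bursty traffic. The log format, hosts and thresholds are all constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed sample egress log: "timestamp src dst bytes" (assumed format, not real data).
# 10.0.0.5 checks in roughly every five minutes with ~400-byte messages (beacon-like);
# 10.0.0.9 talks to a file server at irregular intervals with wildly varying sizes.
SAMPLE_LOG = """\
2021-03-01T08:00:00 10.0.0.5 198.51.100.7 412
2021-03-01T08:04:50 10.0.0.5 198.51.100.7 398
2021-03-01T08:10:10 10.0.0.5 198.51.100.7 420
2021-03-01T08:14:55 10.0.0.5 198.51.100.7 405
2021-03-01T08:20:05 10.0.0.5 198.51.100.7 411
2021-03-01T08:25:00 10.0.0.5 198.51.100.7 401
2021-03-01T08:01:12 10.0.0.9 203.0.113.40 52000
2021-03-01T08:33:47 10.0.0.9 203.0.113.40 1200
2021-03-01T09:12:03 10.0.0.9 203.0.113.40 87000
2021-03-01T10:45:30 10.0.0.9 203.0.113.40 300
2021-03-01T11:02:10 10.0.0.9 203.0.113.40 4100
"""

def parse_log(text):
    """Group (timestamp, bytes) events by (src, dst) pair."""
    flows = defaultdict(list)
    for line in text.splitlines():
        ts, src, dst, size = line.split()
        flows[(src, dst)].append((datetime.fromisoformat(ts), int(size)))
    return flows

def beacon_score(events, min_events=5):
    """Return (interval_jitter, size_spread) relative to the medians, or None
    when there are too few events or the medians are zero. Small values mean
    the pair checks in on a near-fixed schedule with near-fixed message sizes,
    which survives the randomised sleep that many beacons add."""
    if len(events) < min_events:
        return None
    events = sorted(events)
    gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(events, events[1:])]
    sizes = [size for _, size in events]
    med_gap, med_size = median(gaps), median(sizes)
    if med_gap <= 0 or med_size <= 0:
        return None
    jitter = max(abs(g - med_gap) for g in gaps) / med_gap
    spread = max(abs(s - med_size) for s in sizes) / med_size
    return jitter, spread

def find_beacons(text, max_jitter=0.25, max_spread=0.25):
    """Return the (src, dst) pairs whose traffic looks like periodic check-ins."""
    hits = []
    for pair, events in parse_log(text).items():
        score = beacon_score(events)
        if score and score[0] <= max_jitter and score[1] <= max_spread:
            hits.append(pair)
    return hits
```

Thresholds this tight will miss beacons with heavy jitter or variable-size tasking, so in practice the score feeds a hunt queue rather than an automated block.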
My team at VerSprite can successfully detect these botnets from outside the infected organizations by monitoring and mining the exchanged metadata. Using the same tactics, techniques, and procedures used by intelligence agencies around the globe, my team can predict who is likely the next target, generating findings using our BreachSeeker tool to provide an early warning system to our clients, often with incredibly accurate targeting data. It is possible to detect these botnet infections, even in places where endpoint security is weak and where logging and correlation are underutilized.
Australia is an example of an entity that understands the importance of early botnet detection. It has begun to weaponize threat intelligence to enable regional cyber defense, moving its presence back up to the first cyber kill chain and warning its businesses when the threat takes shape.
Threat Intel is becoming an integral part of regional cyber defense. Time is the aggressor’s greatest comfort – let’s take it away from them. We must set the battlefield of our choosing, and we can do that with external threat intel collected via botnet metadata.
We can hunt those botnets and take away the adversary’s most precious resource – time.
Endpoint security, network monitoring, and response are always going to play critical parts in a layered approach to defense. We simply must have them, and we must be very good with those tools. But Threat Intelligence from outside the organization provides a new set of optics to go with this: hunting beyond the walls of the castle and rooting out threats before they can strike. We can add another ring of defense that reaches further up the kill chain and reduces the time to respond in such a way that we appreciably reduce the aggressor’s window of operation.
We get to choose where we engage the adversary. Let’s use that to our advantage.
VerSprite’s Threat Intelligence Group provides organizations with real-time threat monitoring, analysis, prevention recommendations, and mitigation. Our elite team works with companies across all industries and security maturity levels to defend against threats. For more information on VerSprite’s Threat Intel Group or our botnet detection service, BreachSeeker, contact one of our security advisers today.