I recently sat down with Ransomware co-authors Allan Liska, consulting systems engineer at Recorded Future, and Timothy Gallo, cyber security specialist engineer at Symantec, to discuss the challenges of ransomware and how to improve security against it. Here are some highlights from our talk.
1. Can you explain some of the common delivery methods for ransomware and how those methods have persisted?
The two most common delivery methods are email and via the web using exploits kits. There have also been some ransomware, like KeRanger for OS X, that are disguised as legitimate applications. These are less common for the desktop, but more common for mobile platforms. Email and web delivery of ransomware has persisted because the bad guys have gotten good at evolving their attack platform just enough to avoid existing security measures to escape detection.
2. What are the primary challenges organizations face when setting their security posture against ransomware?
The teams behind ransomware have gotten very good at mimicking business processes, so it has gotten more difficult to tell legitimate activity from malicious. For example, ransomware like Locky uses Microsoft Office macros that call PowerShell to pull down the ransomware loader. These are legitimate tools that organizations use every day up to the point that the ransomware loader is pulled onto the desktop.
Separately, the bad guys have gotten better at making their lures look like legitimate business email—at least superficially—so it is getting harder for users to distinguish between what is real and what isn’t. This problem will continue to grow as more advanced attackers move into the ransomware business. These attackers are skilled at creating very targeted phishing emails that are indistinguishable from legitimate email.
3. What measures can organizations implement to improve their security posture against ransomware?
October is cybersecurity awareness month. Every October security teams roll out training to try to teach users how to avoid falling victim to ransomware attacks. Unfortunately, the training is usually a one-time affair. The average person needs to hear something seven times before it sinks in, so a once-a-year discussion about protecting the organization is not enough. Training on ransomware, and other threats, should be ongoing throughout the year. Security teams should provide users with regular updates about new tactics the bad guys are using and conduct regular tests of the workforce.
But, the onus cannot be on the users to catch everything. Security teams have to work to make sure they have the most effective protections in place. A user doesn’t have to worry about doing something wrong if the ransomware never gets to them. Finding the best solution for securing email, securing the web, and securing the endpoint, along with updated threat intelligence around the latest threats—not just a list of IP address and domains, but actual intelligence around attack tactics, techniques, and procedures (TTPs)—will keep the organization better protected.
4. How should organizations approach finding a balance between minimizing risks of a ransomware attack with maximizing productivity?
The best way to strike the balance is to get buy-in from everyone. That starts by explaining the why in addition to the what. If the security team decides that Microsoft Office macros need to be disabled or Adobe Flash should be uninstalled, they should work with leaders of different groups within the organization to hash out the policy and explain to everyone why the policy is being put into place. If everyone feels like they have a say in the process and understands how it will improve the security then widespread acceptance is more likely.
Also, there needs to be a non-onerous way to create exceptions for those who have legitimate business needs. If there really is one group that can’t do their job without Adobe Flash, they should be able to continue to conduct business with perhaps extra security measures in place.
5. You're speaking about protecting organizations against ransomware at the Security Conference in New York this November. What presentations are you looking forward to attending while there?
We are big fans of the work Jessy Irwin does, so we’re looking forward to hearing her talk, "Speak security and enter." Another exciting looking talk is Paul Poh’s "Why current security practices are ineffective against today's hackers." Chris Baker from Dyn is speaking about "Criminal cost modeling"—Dyn does good work, so that should be an interesting session. Caroline Wong and Jacob Hansen’s talk about application security also looks like it will be a good one—Caroline is one of the best security people around. And we plan on trying to get Cory Doctorow to sign a copy of Little Brother, or at the very least take the blame for one of the two of us going to Burning Man.