Security / July 10, 2023

Stopping Ransomware Before It Stops You (Recorded at RSA 2023)

This is a transcript of “Episode 17: Stopping Ransomware Before It Stops You” from our podcast series “Navigating the Cloud Journey.”

At RSA this year, Gigamon’s vice president of worldwide sales engineering, Kristi Thiele, sat down with Tom Clavel from ExtraHop to talk about strategies and tactics to prevent ransomware attacks. They discussed threat hunting, remediation practices, considerations for cloud environments, and why it’s critical to have the right level of visibility into your network traffic.

Here are a few takeaways from the conversation with Tom. You can listen to the full podcast below.

What exactly is ransomware?

Tom: Absolutely. Ransomware, I mean, there’s not one ransomware. Ransomware is really a series of attacks to be able to take control of your information on your network, whether it be your files or your information systems, and so on. And usually what those attackers do is that once they take control of this, they either encrypt it or exfiltrate it. And, actually, over the last year we’ve seen a new trend where they’ve been doing both, and they hold those files for ransom. So, if you don’t pay to get the files decrypted, they have the files because they’ve exfiltrated them, and now they can use them against you. So, it’s even worse than just saying you’ve been breached.

Is there a particular market or segment that’s more vulnerable or more at risk of being attacked?

Tom: So, there are some segments in the market that are riskier than others. I would say that the bigger the harm they can make on you and your customers, the more likely they’re going to go after you. So, we’ve seen a lot of ransomware in the healthcare system. We’ve seen a lot of ransomware also in the financial systems and so on. So, all of these sectors where you have a lot of critical personal information that companies are holding, those sectors are more prone to ransomware.

Is anyone immune from ransomware attacks?

Tom: No. No. In reality, we see everybody being attacked at some level. And it’s gotten worse in the sense that when you go back five years ago, ransomware was really going after mom-and-pop shops, because larger companies were seen to be out of reach. But nowadays those ransomware groups are becoming more sophisticated, more evolved. And now they’re going after those big organizations because that’s where the money is. 

Kristi: Right. Right. So, it’s not a matter of if, it’s more when.

Tom: Exactly. We’ve seen different tactics that companies have taken to protect themselves, and unfortunately most of these tactics have failed. For instance, there was a phishing test where a company trained their employees for one year, thousands of employees for one year against phishing: Do not click that link. And after one year they did the test again, and 4.8 percent of employees were still clicking the link. So yeah, as you said, it’s not a matter of if, it’s a matter of when you’re going to be breached.

What are some strategies or tactics that organizations should take in order to, you know, protect themselves from the exfiltration or from having their data held ransom?

Tom: So, there are the tactics that we keep hearing about, which are very important, and I definitely do not wanna diminish this. Tactics like hygiene, having good practices inside the company, having good intrusion prevention capabilities. That’s still very critical, very important.

But there’s another tactic that’s also very important that everybody is really underestimating — the importance of having security inside your network.

Kristi: Inside the network. Okay, tell me more.

Tom: So, what happens is that, as you said, it’s not a matter of if, it’s a matter of when you’re going to get breached. And so, we know that no matter what level of security you have on the perimeter of your network, you’re going to be breached.

It’s the, you know, it’s the defender’s dilemma. You have to be right a hundred percent of the time if you want to keep them outside of the network. But if they are right once they can get into your network. So, what you have to do if you want to defend yourself against that, you have to bring your security inside the network.

You have to be able to monitor the network and control what’s happening on that network. That enables you actually to flip the script, because once the attacker is inside your network, they need to execute a series of activities such as command and control, lateral movement, and so on. And each time they’re executing something inside your network, it gives you one more opportunity to catch them. So, they have to be right 100 percent of the time, but you, as long as you detect them once, you’re going to detect them, and you can stop them.

There’s a lot of discussion around public cloud and moving workloads and applications to public cloud. How does that change the defense mechanisms or the awareness when it comes to protecting or detecting ransomware?

Tom: Tremendously, actually. There’s a major impact on ransomware for multiple reasons. Public clouds, first of all, most of the traffic is encrypted in public clouds. And we know that even nowadays on the internet, and in the enterprises, we have about 70 to 80 percent of the traffic being encrypted. In the public cloud, it’s almost everything that’s encrypted at some level. And so, that makes it much harder for people to have visibility into the public cloud unless they establish the right security and the right visibility into that public cloud. And so, at the end of the day when you have public cloud and you are concerned about ransomware, you need to have decryption capabilities. You need to have your security inside the public cloud as well to monitor what’s going on.

Kristi: Gotcha. So, public cloud is encrypted probably close to a hundred percent, and you still need visibility. And so, if the attackers are also using encryption, how do you know the difference between the good traffic and the attackers?

Tom: That’s where you need to have good security tools. You need to be able to capture the packets and route them to the proper security tools to analyze the traffic. And so, decryption helps you. Also, behavioral analysis, ETA, Encrypted Traffic Analysis, helps. And having a good AI to analyze the traffic and the behavior is very important.

Are there some trends or some things that you are continuing to hear that continue to surprise you from a security perspective?

Tom: Yes, there are a couple. I’ve been hearing a lot about other security technologies like EDR, for instance, and SIEM and SOAR. And there’s an assumption that once you have one of these you are safe and you’re secure. And that surprises me because we know that every security tool has its flaws and its weaknesses and its blind spots. And so, we know that you don’t just need one security tool or one technology — you need to stack them up: It’s the security stack. And in your stack, as I was mentioning before, in your stack you need to have security on the network, not just on the endpoint, but you need to look into what’s happening on the network. And there’s one thing we keep saying at ExtraHop, and I’m sure you guys say that as well at Gigamon. We say the network is the “ground source for truth,” which basically means that no matter the devices you have connected, or you have secured with EDR, no matter whether they are covered by an agent or they have the right OS for your EDR, for instance, you can still secure those devices if you monitor and secure the traffic because any device on the network generates and receives traffic.

Humans are the reason why we get ransomware, because they click the link after a year of training not to click the link. But from a remediation and threat hunting perspective, the human is really important for that, right? You can’t automate that.

Tom: Yes, absolutely. You can’t, and that’s why it’s important to have the right automations, but also the right tool for the security person. For your tool to surface the alerts and the security person to be able to quickly react to these activities.

Kristi: Right, and so to have the great tools that are in place that can help highlight the most important things, right? We always talk about security, automate the things that you’re gonna do all day long, right? The things that are known remediation. But the complex things, you need good tools that really show you all the information and then allow that human to go look into it more, correct?

Tom: Absolutely. And our philosophy is really that the security analyst has to be in control. But they have to be helped in the sense that you can’t just throw alerts at the security analyst. You can’t send them to multiple security tools and have them figure out what needs to be done. You have to bring up those alerts in a way that’s consumable and in a way that the security analyst can quickly react. And that’s where a lot of companies are talking about integration and security stack. And that’s where this really matters.

Kristi: So, going back to the fact that ransomware, they’re gonna get in, they’re gonna try to do things, but if you’re able to detect that little move, right? Whatever they’re trying to do, reaching out to command and control, lateral movement. They attempt to exfiltrate. The security controls in place need to allow that analyst to quickly know, hey, this is something you need to pay attention to.

If an organization is not prepared, what are some of the first steps or first recommendations you would give them?

Tom: Absolutely. So, there are multiple things. And I would say baseline is make sure you have all the tools. Make sure your network is covered and not just the end devices, that’s super important. Because very often what we see is we see security professionals consider an attack from their perimeter perspective, they get blocked there. But if the attack gets through, then it’s a Hail Mary. All hell breaks loose, you know? And they go straight to paying the ransom.

But if they have the security on the network, then they can intervene and they can stop that in its tracks. And that’s where, you know, that’s the title of our show here. You have to stop the ransomware before it stops you, before you get to the extraction and the ransom. And you can stop them if your security is present in the network.

Kristi: Sounds good. So, if I understand you, you’ve got to have good security tools. You need to have visibility into everything, the perimeter, and especially inside, and the cloud. Because otherwise you’re going to miss that one time the attacker has to be right, once they get inside.

Tom: Yes. And just to summarize, so good hygiene, good perimeter defense, but don’t rely too much on this. Have visibility inside, and be able to quickly react to what’s going on inside the network.

Tom: It was great talking to you, and absolutely I’m looking forward to hearing more from you and seeing more of what’s going on with Gigamon.

Kristi: Absolutely. And thank you again for your time and the partnership we have with ExtraHop. So, thank you all for joining us today. I’m Kristi Thiele. This was Tom Clavel from ExtraHop.

Thanks for listening. Have a great day.
