Effective ransomware protection requires intelligent defense
On average, it takes 326 days to detect and contain a destructive cyberattack. Only intelligent, networked security strategies can help.
According to a study by the Ponemon Institute for IBM, it takes organizations an average of 237 days to detect destructive cyberattacks such as ransomware, and another 89 days to resolve them. This means that attackers can operate more or less unhindered on the network for an average of 326 days; the previous year it was “only” 315 days.
There are several reasons why so much time elapses between infection and response. Attackers are getting better at disguising their intrusion and presence, because they use legitimate tools that are already in place to manage networks, endpoints, and operating systems. Attacks that initially introduce little or no malware and instead rely on existing components of the operating system or common software packages are known as “living off the land” (LotL or LoL). They typically use PowerShell or VBScript scripts or batch files that execute sequences of commands automatically. Commercial security tools such as Cobalt Strike and components of the Metasploit framework, which are routinely used by network administrators and penetration testers, can also be misused as attack tools. To avoid early detection, attackers often use tooling to disable or even uninstall antivirus software.
This allows intruders to operate under IT’s radar and spread through the network. They exploit security vulnerabilities to escalate privileges, take over poorly secured administrator accounts, or use tools such as Mimikatz to steal credentials. Finally, they use command-and-control servers to download encryption Trojans and other malware and to exfiltrate data.
If security leaders fail to detect intruders in time, the attackers can strike with full force, crippling entire IT infrastructures and causing maximum damage. The damage caused by cyberattacks is becoming increasingly costly for affected companies. According to the IT industry association Bitkom, 88 percent of companies in Germany were affected by data theft, sabotage, and espionage in 2020 and 2021. The damage in 2020 amounted to 220 billion euros, twice as much as in the previous year.
Sophisticated attacks require a synchronized defense
Traditional signature- and behavior-based IT security solutions often fail to detect sophisticated attacks because individual incidents on the network appear innocuous in isolation and are not correlated. For example, lateral movement of malware often goes undetected. Even advanced security systems based on machine learning and other AI techniques struggle with detection when they can only analyze a small portion of the overall event. Efficient and effective defense therefore requires information sharing between IT security components and synchronization of their actions. One example: if a firewall detects malicious traffic on the network, it should automatically alert the security software on the endpoint, which can then identify and terminate the suspicious processes. In many cases the endpoint agent can even remove the infected components directly on the basis of this information. Conversely, when the endpoint security solution detects that a device has been compromised, it immediately notifies the network and the device is isolated. This prevents the attacker from spreading across the network, exfiltrating data, or reloading malware.
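The firewall-to-endpoint hand-off described above, as an added example that is not code from the original article or from any product: a small correlation step matches a firewall alert to the endpoint process that opened the same connection within a short time window, and then emits the synchronized actions (terminate the process, isolate the host). All class names, fields, and sample events are assumptions; the addresses are documentation ranges, not real indicators.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass
class FirewallAlert:          # what the network sensor reports (assumed schema)
    ts: datetime
    src_ip: str
    dst_ip: str
    dst_port: int
    reason: str

@dataclass
class EndpointEvent:          # what the endpoint agent reports per outbound connection
    ts: datetime
    host_ip: str
    process: str
    parent: str
    remote_ip: str
    remote_port: int

T0 = datetime(2024, 1, 1, 10, 0, 0)
# Constructed sample telemetry: one alert is explained by a scripting host spawned
# from an Office process seconds earlier; the other has no endpoint event nearby.
FIREWALL_ALERTS = [
    FirewallAlert(T0 + timedelta(seconds=5), "10.0.0.12", "203.0.113.7", 443, "c2-traffic-pattern"),
    FirewallAlert(T0 + timedelta(seconds=60), "10.0.0.20", "198.51.100.9", 80, "c2-traffic-pattern"),
]
ENDPOINT_EVENTS = [
    EndpointEvent(T0 + timedelta(seconds=3), "10.0.0.12", "powershell.exe", "winword.exe", "203.0.113.7", 443),
    EndpointEvent(T0 - timedelta(minutes=30), "10.0.0.20", "chrome.exe", "explorer.exe", "198.51.100.9", 80),
]

def correlate(alerts, events, window=timedelta(seconds=30)):
    """Map host -> endpoint evidence for each firewall alert that an endpoint event
    on the same host explains (same destination and port, within `window`)."""
    hits = {}
    for a in alerts:
        for e in events:
            same_flow = (e.host_ip, e.remote_ip, e.remote_port) == (a.src_ip, a.dst_ip, a.dst_port)
            if same_flow and abs(e.ts - a.ts) <= window:
                hits[a.src_ip] = {"process": e.process, "parent": e.parent, "reason": a.reason}
    return hits

def plan_response(hits):
    """Synchronized actions: the endpoint agent terminates the offending process and
    the network isolates the host so it can neither spread nor reload tooling."""
    actions = []
    for host, h in hits.items():
        actions.append(("endpoint.kill_process", host, h["process"]))
        actions.append(("network.isolate_host", host, h["reason"]))
    return actions
```

With the sample data only 10.0.0.12 is isolated; the 10.0.0.20 alert stays an unconfirmed network finding because its only endpoint event lies outside the window.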
Conclusion
IT departments are often overwhelmed when defending against sophisticated, persistent attacks. Even with advanced behavioral and AI-based methods, detection often takes too long because endpoint and network events are viewed in isolation and out of context. This is where integrated cybersecurity systems can help: by intelligently networking the components and coordinating their cooperation, infected endpoints can be detected and isolated more quickly, which prevents malware from spreading across the network.