Why Effective Security Operations Is the Key Defense Against Ransomware


Ransomware poses a genuine risk of ending any business, regardless of its current size, maturity, or success.

The significant costs associated with ransomware attacks—from ill-advised ransom payments to lost revenue from downtime to expensive incident recovery processes—along with other negative consequences, like damaged reputations and fleeing customers, put all businesses at risk. The threat becomes even more challenging when factoring in the growing trend of working from home, which leaves more organizations exposed than ever before. 

For IT teams, recovery often stretches into weeks and months—yet it only takes seconds for ransomware to start inflicting damage. 

The Impact of Ransomware

While ransomware has been a significant threat for many years, its impact continues to grow as threat actors leverage its destructive capabilities to cripple organizations from small school districts and businesses to corporate giants and large governments. In fact, a recent forecast by Cybersecurity Ventures projected damages from ransomware have skyrocketed to $20 billion annually, which is more than 57 times the figure from 2015.

Already this year, an American insurance company paid a $40 million ransom after it was victimized by an attack, while 2020 saw the average ransomware payment explode to $312,493 from 2019’s figure of $115,123, a 171 percent increase. But the growing numbers are not the only trend to which you should pay attention.


Bad actors are becoming more brazen. Some ransomware variants are capable of stealing data, and now attackers often threaten to expose stolen data if victims don't pay up. These scare tactics may convince some organizations that a ransom is a small price to pay to protect their brand reputation. Unfortunately, that mindset only encourages more such attacks in the future.

How Ransomware Works

Ransomware is a form of malware which typically encrypts files on the infected system, making them inaccessible. To unlock the files, you need a decryption key—although paying a ransom doesn't guarantee the files will be unlocked.

Other types of ransomware don't encrypt files, but instead disable access to them or—in some cases—alter the behavior of a file or application. Whatever the case, you'll know your device is infected because a ransom note will display on your screen, typically asking for payment in bitcoin.

The Role of Security Operations in Combatting Ransomware

To stay protected from today’s threats, organizations require comprehensive security operations that not only thwart attacks like ransomware and minimize their potential damage, but also reduce the risk of attacks occurring in the first place.  With complete visibility of their organization’s entire environment, round-the-clock monitoring, and advanced analytics for threat detection, skilled security experts can effectively prioritize and address vulnerabilities and potential threats in a timely manner.

For any business, understanding the guidelines and enacting the practices of the National Institute of Standards and Technology (NIST) cybersecurity framework is a smart avenue to take when it comes to implementing sound security operations. The NIST framework includes 5 core functions—identify, protect, detect, respond, and recover—that can both help reduce your risk of becoming a ransomware victim and help you overcome an attack if you do end up compromised.

Achieving Protection Through NIST’s Five Core Functions

Ransomware attacks need vulnerabilities to exploit. These can be vulnerabilities in systems, people, or processes. The first step in protecting against them is to understand what risks exist inside your environment. That is why the first function of NIST is identify.

1. Identify: To identify where ransomware has the potential to start, organizations must have around-the-clock monitoring for vulnerabilities, system misconfigurations, and account takeover exposure across endpoints, networks, and cloud environments. The fact is, when zero-day vulnerabilities are announced you may have just minutes to respond.  So, personalized risk remediation is vital, along with a validation process that ensures vulnerabilities were successfully eliminated.

2. Protect: With cybersecurity becoming increasingly complex, customized protection is essential in today’s threat landscape. Organizations need to invest in a team that understands the intricacies of their business as well as their unique environment. This lets you take a proactive approach to cybersecurity, which means eliminating the opportunities for ransomware to take over.

A big part of the “Protect” function involves cyber hygiene and employee awareness. Ninety percent of cyberattacks involve social engineering, and people do make mistakes. In fact, along those same lines, eighty-eight percent of breaches involve some form of human error. People within your organization are a critical attack surface who need protecting. With proper training, you can avoid ransomware by teaching employees to be on the lookout for social engineering attacks, like phishing, and prepare them to report mistakes that could result in data loss. 

To provide effective security awareness training for your employees, you’ll need to team with a partner who can provide (and sometimes manage) the training program and its content and who can ensure your team is prepared for the latest ransomware threats they might soon encounter. 

3. Detect: The third function in the NIST framework involves detection. As you might expect, threat detection and response capabilities can be critical in the battle against ransomware.  A solid foundation of managed detection and response (MDR) involves monitoring for ransomware threats 24x7 across your entire attack surface. By identifying suspicious activity early and correlating it across multiple data sources, you can confirm the presence of ransomware in minutes, providing the opportunity to respond and recover to help avoid a catastrophic event. 
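The detection step described above (spot suspicious activity early, then correlate it to confirm ransomware rather than alert on a single noisy event) can be illustrated with a small piece of detection logic. The example below is added here and is not Arctic Wolf code or any product's rule; the telemetry is constructed, the field names are assumptions, and the thresholds (a burst of at least five extension-changing renames inside 60 seconds, most of them sharing one new extension) are illustrative values a SOC would tune. It combines two of the behaviours the article already names, mass file encryption (observed as renames to a new extension) and a ransom note appearing on disk, and only reports a host as confirmed when both land close together in time.

```python
"""Correlate file telemetry into a per-host ransomware verdict.

Added example, not vendor code. Events are hypothetical EDR file records;
the "ts", "host", "action", "path" and "new_path" fields are assumptions.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta
from pathlib import PurePosixPath

# Heuristic for ransom-note filenames (an assumption, not a vendor signature).
NOTE_PATTERN = re.compile(r"(decrypt|restore|recover|ransom|how[_ -]?to)", re.IGNORECASE)
NOTE_SUFFIXES = (".txt", ".html", ".hta")

# Constructed telemetry. ws-01 shows the pattern the article describes: a burst of
# renames that all bolt on the same new extension, then a note dropped beside them.
SAMPLE_EVENTS = [
    {"ts": f"2024-03-05T09:00:0{i}", "host": "ws-01", "action": "rename",
     "path": f"/home/ana/docs/file{i}.docx", "new_path": f"/home/ana/docs/file{i}.docx.lck"}
    for i in range(1, 7)
] + [
    {"ts": "2024-03-05T09:00:09", "host": "ws-01", "action": "create",
     "path": "/home/ana/docs/README_TO_DECRYPT.txt"},
    # ws-02: a user tidying two files by hand; no burst, no note.
    {"ts": "2024-03-05T09:10:00", "host": "ws-02", "action": "rename",
     "path": "/home/bo/draft.txt", "new_path": "/home/bo/draft-final.txt"},
    {"ts": "2024-03-05T09:12:00", "host": "ws-02", "action": "rename",
     "path": "/home/bo/pic.jpeg", "new_path": "/home/bo/pic.jpg"},
    # ws-03: a note-like filename with no encryption burst: worth a look, not a confirmation.
    {"ts": "2024-03-05T09:20:00", "host": "ws-03", "action": "create",
     "path": "/srv/share/HOW_TO_RESTORE_FILES.html"},
]


def _ts(event):
    return datetime.fromisoformat(event["ts"])


def mass_rename_signal(events, window=timedelta(seconds=60), min_renames=5, min_share=0.8):
    """Per host: did at least min_renames extension-changing renames land inside one
    window, with at least min_share of them sharing the same new extension?"""
    by_host = defaultdict(list)
    for e in events:
        if e["action"] != "rename":
            continue
        old_ext = PurePosixPath(e["path"]).suffix
        new_ext = PurePosixPath(e["new_path"]).suffix
        if old_ext != new_ext:                      # plain renames keep their suffix
            by_host[e["host"]].append((_ts(e), new_ext))
    signals = {}
    for host, renames in by_host.items():
        renames.sort()
        for i, (start, _) in enumerate(renames):   # slide the window over the burst
            in_window = [ext for ts, ext in renames[i:] if ts - start <= window]
            if len(in_window) < min_renames:
                continue
            ext, n = Counter(in_window).most_common(1)[0]
            if n / len(in_window) >= min_share:
                signals[host] = {"count": len(in_window), "extension": ext, "first_seen": start}
                break
    return signals


def ransom_note_signal(events):
    """Per host: creation of files whose names look like a ransom note."""
    signals = defaultdict(list)
    for e in events:
        name = PurePosixPath(e["path"]).name
        if e["action"] == "create" and NOTE_PATTERN.search(name) \
                and name.lower().endswith(NOTE_SUFFIXES):
            signals[e["host"]].append(_ts(e))
    return signals


def correlate(events, window=timedelta(seconds=60)):
    """Combine the two weak signals into a verdict per host.

    confirmed  : encryption-like burst and a note within one window of each other
    probable   : burst only (or note far from the burst)
    suspicious : note-like file only
    """
    renames = mass_rename_signal(events, window=window)
    notes = ransom_note_signal(events)
    verdicts = {}
    for host in set(renames) | set(notes):
        if host in renames and any(abs(t - renames[host]["first_seen"]) <= window
                                   for t in notes.get(host, [])):
            verdicts[host] = "confirmed"
        elif host in renames:
            verdicts[host] = "probable"
        else:
            verdicts[host] = "suspicious"
    return verdicts


if __name__ == "__main__":
    for host, verdict in sorted(correlate(SAMPLE_EVENTS).items()):
        print(f"{host}: {verdict}")
```

The point of the structure is that neither signal is trusted alone: a user renaming a handful of files or a help document called "how_to_restore" would each trip one rule, so only the combination on one host in a tight time window escalates to a confirmed verdict, while the weaker cases are still surfaced for an analyst to look at.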

A good MDR provider can augment your existing IT team’s capabilities with a cloud-based SIEM platform, advanced analytics, and intelligence feeds that are continually monitored by skilled security experts. This goes a long way to raising your overall security posture.  

4. Respond: Knowing you are the victim of ransomware is just the start. Effective security operations are critical to responding quickly and limiting the damage. This is where you need skilled and well-trained security experts at your side. 

Effective response begins with an ability to isolate endpoints so you can eliminate threat propagation quickly and effectively. Once that occurs, you can identify the root cause and begin remediation processes. Managed investigations and rapid remote incident response ensure that ransomware is contained before it can do damage. In addition, learning from incidents and implementing custom rules keeps your organization better protected in the future. 

5. Recover: Security operations in all NIST functions play an important role, and that certainly applies when businesses are in the recovery phase. In a time when security breaches aren’t a matter of if, but when, cyber resilience is essential. Time is critical, and threat detection and response capabilities are key, allowing you to minimize damage and recover quickly.

Also valuable are cyber insurance and assurance plans that provide financial support not only in recovery activities, but also in terms of legal expenses and regulatory fees. 

Partner to Mitigate Ransomware Risks

Amid the ransomware threat, MSSPs and MSPs need to partner with someone that can automatically and continuously map, profile, and classify assets on a network to help them understand the attack surface. Moreover, service providers need a partner that can monitor environments for threats 24x7, and respond when necessary to thwart attacks before they gain traction. And they need a trusted partner that is experienced in developing incident response strategies and has a coordinated team in assigned roles that’s ready to act and pivot at any time.

The partner and response team must not only act effectively when under the gun with an attack in progress, they must also be able to evaluate and determine what led to the attack, where it succeeded and where it ultimately failed, and what can be done in the future to ensure it won’t happen again.

A strategic approach is ongoing, and involves expert insight at all times and continued planning and renewed strategies to stay ahead of new threats in an ever-evolving landscape.


Author Con Mallon is vice president of product marketing at Arctic Wolf. Regularly contributed guest blogs are part of MSSP Alert’s sponsorship program.