Ransomware Attacks Will Happen – Prepare to Detect, Investigate and Respond


By Zulfikar Ramzan, Chief Product and Technology Officer, NetWitness

The last two years have been an inflection point for ransomware, with attacks growing in frequency and sophistication. The perpetrators are no longer lone wolfs or small groups seeking payouts in the hundreds or even thousands of dollars. Rather, an entire ecosystem has taken root, with attackers demanding millions of dollars. Ransomware-as-a-service is one example of how the challenge is evolving, and now there are reports that threat actors are investing in burgeoning cybercriminal operations, much in the same way that venture capitalists invest in startups.

Companies can no longer simply hope that they won't be the target of a ransomware attack. There's no surefire way to prevent one of these attacks. Motivated threat actors will ineluctably find ways to gain access to an enterprise's IT infrastructure. Security teams need to be ready and know what to do to minimize damage.

To address these concerns, organizations have employed multiple approaches: educate users so they are less likely to get spear phished, patch vulnerable systems, and perform data backups.

Unfortunately, judging from the success of recent ransomware attacks, these steps are clearly inadequate: a user will eventually get compromised, a system will remain unpatched, and restoring from a back-up will fail.

Therefore, security teams must take steps to quickly detect and respond to attacks when they occur. Achieving this aim requires dynamic visibility across . An Extended Detection and Response (XDR) platform provides that situational awareness by effectively and intelligently monitoring logs, packets, and endpoint devices across on-premises, virtual, and cloud-based assets. By applying analytics to this visibility, XDR platforms empower security teams to understand the scope and root cause of a ransomware attack. If designed correctly, these platforms should allow security teams to investigate incidents across different digital assets.

Finally, with visibility and insights in hand, it's time to act. Security teams can implement recovery processes to contain the impact and recover swiftly. Of course, this framework is rough and many details have been omitted. It is important to remember, however, that time is the enemy. Every passing second can result in more systems becoming impacted and fewer tenable options. Taking a holistic approach that considers depth and breadth of visibility, insights, and action across all key digital assets is far superior to an approach that cobbles together multiple different point solutions. The RSA Link Community has numerous technical resources to help security teams deal with ransomware.

Not every enterprise can or should handle this process alone. In those times when some extra assistance is needed, enterprises shouldn't shy away from bringing in trusted partners for assistance with incident preparation, discovery, and response.

The best way to prevent lasting damage involves preparing for attacks and being unafraid to act when one occurs. Swift, decisive, and purposeful action combined with the right technology platforms is imperative for parrying the challenges posed by today's threat landscape.

Sustaining Partners