How to Build Your Employee Monitoring Posture to Combat Ransomware
By Dr. Christine Izuakor - September 15, 2021
Ransomware has become an annual event for many organizations, costing them millions in lost productivity and revenue. While there have been some notable successes in fighting off this threat, the industry as a whole must continue strengthening its resolve in order to safeguard against future attacks. Part of this can come down to recognizing the role that users and employees play in fighting off these attacks and providing them with info and tools they need to help reduce risks.
The recent ransomware attack against Accenture is yet another illustration of the notion that, big or small, no one is safe.
“Accenture is a well-respected company that I am sure is spending an exorbitant amount of money on security but they have a lot of ground to cover. It’s very hard to protect a multi-national company like Accenture…If a $45 billion company like Accenture is vulnerable then everyone is vulnerable,” Michael Goldstein
No matter the size of your company, a people-centric approach to fighting back against ransomware attacks is one of the best ways to combat this growing plague on businesses. The good news is that there are many options available to fit each organization's budget. From keeping your employees and users educated on the risks to implementing a robust employee monitoring program, a multi-layered, people-centric program is the only way to effectively defend against attacks.
These principles can be used by organizations of any size in their efforts to fight back against ransomware.
The latest trends in ransomware attacks and causes
Ransomware is a form of cyber attack that targets users' data and threatens to release it unless a ransom is paid. Hackers demand cryptocurrency from victims in exchange for returning control of their files. The attacks can take many different forms, but they typically disrupt the company's or user's digital experience. These impacts can also spill over into the physical world as operational technology and information technology converge.
Users are feeling the sting even more as smartphones get targeted
It’s not just enterprises that are in trouble; individuals are also in the hot seat. For example, mobile devices have become more frequent targets. Android ransomware takes over all of the phone's functions, such as sending emails and text messages, making calls and showing notifications, and essentially turns the device into a zombie with no functional controls.
Quality over quantity still an effective method for hackers
Cyber attackers are applying the principle of “quality over quantity” when selecting their targets and planning attacks. Additionally, the impact of these attacks tends to exceed the direct financial damage that potentially results from paying a ransom. The cost also includes lost productivity, time spent on investigation and response, and potential reputational damage if the incident is made public.
Insider threat recruiting schemes
Unfortunately, hackers are also recruiting employees from within organizations to steal data and attack companies for them. For example, it’s been reported that a string of emails sent by the Demonware ransomware group solicited users to become accomplices in an insider threat scheme.
Hackers recruit insider threats because it gives them access to people who support their intent and can receive instructions on how to carry it out. They can use these sources of information to develop attack plans and contingency plans, as well as to overcome the protection controls in existing systems.
In a world where detection is critical to surviving cyber attacks, this creates the very dangerous situation of the “false negative”. When your authorized users turn on you and become insider threats, they are harder to detect without advanced tools. As the name implies, a false negative is the opposite of a false positive. Where a false positive is like the fire alarm ringing when there is no actual fire, a false negative is like the alarm remaining silent while a building goes up in flames. In other words, false negatives occur when the detective tools deployed by an organization fail to alert on real threats. Oftentimes, these false negatives are how ill-intentioned employees avoid being caught as they help external hackers.
A people-first strategy for combating ransomware
As the cyber world continues to evolve, it’s imperative to take a people-centric approach to cybersecurity. This means engaging the public through education, information sharing, and technical solutions that all lead back to people.
The first step is to think of security not just in terms of protecting machines but also human beings. Think about the people who make up your user base as well as your supply chain. This will tell you both who can cause harm whether intentionally or unintentionally and also identify who will feel the effects of an attack. Before thinking about the technology running their computer systems, think about who those people are. Once you know, you can craft a multi-layered approach to combating threats. Typically that should include the following:
- Training and awareness: Training and awareness of employees is a proven way to prevent attacks when done consistently. The success of an attack usually requires action from a user to execute the malicious code. The more aware end users are of the risks of clicking on links or attachments that can launch ransomware in your environment, the better your chances of avoiding the introduction of the malware into your network. Employees should also have an easy way of reporting ransomware attacks to the right team in order to protect themselves and the company. They should also be encouraged to report any recruitment attempts from hackers so that the team is on alert: if one person at your company has been approached, the chances are that many others have been as well. Everyone’s response to a hacker's recruiting attempt will vary based on the user’s moral code, incentives, loyalty to the company and more.
- Employee monitoring program: Mastering insider threat detection, and being able to prevent these types of attacks, is paramount to every organization's people-centric anti-ransomware strategy. Employee monitoring software can help on that front. Whether the user is malicious or error-prone, with the right employee monitoring technology organizations can quickly detect abnormal behavior.
More specifically, user behavior analytics can help reduce the risk of undetected attacks and help you detect and respond more quickly. There are quite a few tell-tale signs that can suggest a company may have been compromised, especially with ransomware. The obvious sign is seeing that dreaded ransom note pop up on the screen. Other common symptoms that may hint that an organization has been compromised include high resource utilization, malware alerts, increased reports of access issues from users, and more. Note that attackers are continually finding new ways to trick traditional alerting technology. Without a solution intelligent enough to conduct deep learning and adapt quickly, attackers can outsmart traditional detection tools and avoid setting off alarms.
- Incident response planning and testing: Once a crisis has started, there's no time to decide if and how to respond. It's critical to have an actionable plan in place beforehand so that you can focus your resources on efficient incident response and containment after an attack. It’s also critical to test these plans and practice implementing them in real-life scenarios where possible. Whether doing a tabletop exercise to think about and walk through what steps might need to be taken in a ransomware situation or a full-blown penetration test using ransomware, these testing efforts are critical. To protect your organization, be sure to proactively create an incident response plan. Again, be sure to focus on the people in this equation and outline who will be in charge of what and the role that each user plays in the response when a breach occurs. Make sure that key players are aware of and committed to the plan.
Remember to start with people, but also never forget the tech basics
A key step in addressing the threat of ransomware is prevention. Before focusing on how to respond, limit your exposure to such attacks. Do this by maintaining a healthy organizational security posture and following general security best practices, including regularly backing up data. Next, focus on detection and response. There are tons of network monitoring tools and technology that can be used to detect suspicious events that can lead to attacks. When looking at technology solutions that help in your people-centric strategy, look for the following key features:
Ability to monitor all user activity around the clock. Ransomware never sleeps, and you need to be alert 24/7. The best user behavior analytics technology can ingest relevant data such as network activity, emails, instant messaging, keystrokes and more at any time. Even better, some solutions offer dark web tracking, psycholinguistics and more advanced user activity considerations. These features can help determine when users are acting abnormally, which can ultimately lead to ransomware attacks.
Also, when it comes to ransomware-specific technology, ensure you are looking at options that maintain an up-to-date, robust database of known ransomware signatures. Some use honeypot files which, if modified, inform the user of a potential attack. These techniques allow users to detect ransomware variants early enough to prevent data theft. Quick action is also important. The best solutions can intercept the command to encrypt (or delete) your files and safely store a copy of the files outside the attacker's reach. On detection, this technology shuts down the attack and blocks the malicious user account so it can't encrypt your files or make changes to the file system. Early attack interception minimizes restoration efforts. Great tools can send email notifications immediately after the attack is detected to alert the security team and expedite response and recovery.
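As an added illustration of the honeypot-file technique just described, the following is example code written for this article, not Veriato's RansomSafe or any product's implementation; the decoy file names, their content and the alert text are assumptions chosen for the demo:

```python
import hashlib
import os
import tempfile
from pathlib import Path

# Canary ("honeypot") file monitor. Added example, not Veriato's RansomSafe or any
# product's code; the decoy names, content and alert strings are assumptions.
# Names sort early so a process walking the tree alphabetically touches them first.
CANARY_NAMES = ("!_canary.docx", "!_canary.xlsx", "!_canary.pdf")
CANARY_CONTENT = b"CANARY FILE - DO NOT EDIT. Any change raises an alert.\n"


def sha256(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()


def plant_canaries(root: Path) -> dict:
    """Create the decoy files and return a baseline {path: sha256}."""
    baseline = {}
    for name in CANARY_NAMES:
        p = root / name
        p.write_bytes(CANARY_CONTENT)
        baseline[str(p)] = sha256(p)
    return baseline


def check_canaries(baseline: dict) -> list:
    """Return one alert per canary that is missing/renamed or whose bytes changed.
    Both are what file-encrypting ransomware leaves behind: rewritten contents
    (hash mismatch) and usually a new extension (original path gone)."""
    alerts = []
    for path, expected in baseline.items():
        p = Path(path)
        if not p.exists():
            alerts.append(f"ALERT canary missing or renamed: {path}")
        elif sha256(p) != expected:
            alerts.append(f"ALERT canary modified: {path}")
    return alerts


def demo() -> list:
    """Constructed scenario in a temp dir: plant, verify clean, tamper, re-check."""
    root = Path(tempfile.mkdtemp())
    baseline = plant_canaries(root)
    assert check_canaries(baseline) == []  # clean baseline produces no alerts
    # Benign stand-in for an encrypting process: overwrite one decoy, rename another.
    (root / CANARY_NAMES[0]).write_bytes(b"\x00" * 64)
    os.rename(root / CANARY_NAMES[1], root / (CANARY_NAMES[1] + ".locked"))
    return check_canaries(baseline)
```

In production the check would run on a short timer or from a filesystem-change notification, and an alert would trigger the containment steps described above (isolating the host and disabling the account) rather than only returning a list.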
If you need help getting access to these critical features, we’re here for you. Veriato offers a tool called RansomSafe™ that acts as a vital layer in your ransomware defense, combining just-in-time data protection with multiple mechanisms to detect, and shut down attacks before they hold your business hostage.
Ransomware is a major threat faced by organizations and people around the world. It encrypts your files and holds them for ransom. If you have files that are important to you and no way to decrypt them, you're in danger. That's why we are focusing on building a people-centric approach to combating this threat: by helping organizations create strong backups of all their important data, by educating users on how to identify potential threats and protect their data, and by building tools that let organizations push back against attacks and regain access to their data without hurting sensitive business operations. Now is the time to get proactive and address the ransomware epidemic.