Collective Defense Really Can Thwart Ransomware Attacks

OPINION — If cyber threats had a most wanted list, ransomware would be well within the top five, and headlines from the past few years cements this into reality. This is due to how financially and operationally impactful malware has become, with no signs of hitting its peak yet.

For instance, this year, we saw a record-breaking $40 million ransom paid out via a US insurance company after having all of its data and networks locked out. According to NSI, as of last year, the average requested ransom is $200,000, a staggering increase from the average of only $5,000 in 2018. And to make matters worse, according to Cyware Threat Intelligence Specialist Neal Dennis, if an organization has been victim to a ransomware attack in the past, it’s exceedingly more likely to be successfully impacted a second time. The resulting situation is leading more organizations to consider ransomware insurance; however, there are more proactive solutions, such as a collective defense strategy, that can thwart these attacks.

It’s also important to note that these attacks do not care what purpose an organization serves, how large or small they are, or if they are within the same geographic region. Threat actors have varying motivators, and at the base of it is to collect money or steal data (perhaps both).

For example, ransomware attacks have been responsible for nearly half of all healthcare data breaches in 2020, with more than 2,100 on record in the past 10 years. Similarly, 90% of all financial institutions have at some point, been the target of a ransomware attack with a 520% increase in both phishing and ransomware attempts reported during the earliest months of the pandemic. Government bodies too were a primary target of ransomware, with 33% of all attacks in 2020 being tied to malware.

While financial institutions, healthcare, and governmental organizations are heavily targeted by ransomware, in total, the projected related financial impact is set to exceed $20 billion this year.

Intelligence Leading to Proactive Defense Against Ransomware

The typical ransomware kill chain starts with a malicious website or email such as a phishing lure. In these campaigns, a threat actor or group begins targeting organizations with intent to breach their network. It is during this period that intelligence can make the difference between a successful attack, reduced impact, or zero impact. Data as simple as a relevant IP address or URL can proactively thwart the attack; however, security teams typically need this from external sources.

From here, if the attack is successful, the infection spreads, begins to build a foundation in a network, scans the system, and then encryption begins. Unfortunately, once the malware has made its foothold within the network, it can take as little as a few minutes or several hours to wreak havoc and serve its purpose. While intelligence can reduce the time to respond and remediate the attack, the probability of zero impact is fleeting.

The Need for a Collective Defense

Today, many organizations fly solo when it comes to protecting their networks and hardening their security (except outsourcing resources such as MSSPs).

While there are information sharing groups such as ISACs and ISAOs, primarily in North America, and CERTs led by governments, a common concern is that there is more ingestion of intelligence rather than reporting or sharing it back out. This is typically a side effect of organizations sharing intelligence post-attack and in the lessons learned stage rather than as it’s happening. The concern here is that if an organization is being attacked now, the data, even if not fully enriched, is the missing link that peer organizations need to thwart the same or similar campaigns.

What exactly is a collective defense strategy? Collective Defense is an approach to cybersecurity that fosters collaboration between organizations via threat intelligence sharing and coordinated response against threats. This strategy initially focuses on ensuring internal teams have complete visibility into threats and related intelligence and then expands to both sharing and ingesting intelligence from trusted peers.

Go beyond the headlines with expert perspectives on today’s news with The Cipher Brief’s Daily Open-Source Podcast.  Listen here or wherever you listen to podcasts.

Shared Intelligence is a Force Multiplier

There are countless examples of where shared intelligence, stemming from the shared data of an organization being attacked, has led to the successful prevention in another. These scenarios prove how valuable shared intelligence is and why it’s a force multiplier. Let’s take a look at when an aviation company was experiencing a DDoS attack.

At the time of the attack, the organization shared information about it through the Aviation ISAC. A week later, another aviation company noticed signs of a potential DDoS attack and notified the Aviation-ISAC, who communicated with, among other members, the first victim. As a result, to help apply the lessons learned from the earlier DDoS attack, a cyber expert from the first victimized company who had been through the attack got on a plane and flew to the location of the second aviation firm to help them work through the attack.

That rapid response, which helped solve the underlying problem, would not have been available or successful without information sharing. This use case shows how information-sharing relationships can build trust and potentially enable valuable knowledge and experience that can be leveraged for related kinds of cyber-security collaboration, in this case, for actual incident response. In the end, the two organizations were technically competitors, yet they came together in a collective defense.

Read more expert-driven national security insights, perspective and analysis in The Cipher Brief