PayThink

Stopping ransomware means breaking the 'chain'

In the wake of the Travelex attack, the entire industry must get smarter at understanding what attackers need to monetize their campaigns successfully.

Users are the first (and often easiest) target, credentials are the second target and your data is the final target. Consider how to better enable and protect all three of these – applying a bigger or faster version of legacy-based technologies is not the way forward. The key to best-practices security is in data collection, analytics and monitoring.

When dealing with cybersecurity for your organization, you must understand three critical factors: (1) what you are protecting (data and users); (2) where those resources are; and (3) what you are protecting them from. It's clear from the sparse information recently released that Travelex has a handle on points 1 and 2, but perhaps not so much on point 3.

Outside of DDoS, attackers need credentials to do any significant damage to an organization. If they can bypass the need for credentials, they almost always will. The ransomware attack chain is a tried-and-tested go-to resource in the attacker's arsenal because it targets users. The chain uses a number of methods to infect an organization's systems and, if successful, can bypass an entire organizational security framework in seconds.

However, there are ways to stop this. An understanding of the behaviors associated with the ransomware attack chain allows defenders to turn it into a kill chain instead and stop the incident as it mounts, long before it reaches its final initiation stage. This can be achieved through user and entity behavior analytics (UEBA) technology, which tracks and learns users’ regular activity on the network and immediately alerts security analysts to suspicious and anomalous behavior.
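The UEBA idea described above, learning each user's normal activity and alerting on departures from it, can be illustrated with a small baseline-and-score detector. The following is an added example written for this column, not code from the original article or from any UEBA product; the event format, the users, hosts and timestamps, and the three anomaly signals (an unfamiliar host, activity outside the user's usual hours, and a burst of file writes consistent with mass encryption) are all constructed for illustration.

```python
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed sample telemetry: (timestamp, user, host, action, count).
# "count" is the number of file writes in that one-minute window for
# file_write events, and 1 for logon events.
TRAINING_EVENTS = [
    ("2020-01-06T09:02:00", "alice", "ws-alice", "logon", 1),
    ("2020-01-06T09:15:00", "alice", "ws-alice", "file_write", 3),
    ("2020-01-06T10:40:00", "alice", "ws-alice", "file_write", 4),
    ("2020-01-06T13:05:00", "alice", "ws-alice", "file_write", 2),
    ("2020-01-06T16:20:00", "alice", "ws-alice", "file_write", 5),
    ("2020-01-07T09:10:00", "alice", "ws-alice", "file_write", 3),
    ("2020-01-06T10:01:00", "bob", "ws-bob", "logon", 1),
    ("2020-01-06T10:30:00", "bob", "ws-bob", "file_write", 2),
    ("2020-01-06T11:45:00", "bob", "ws-bob", "file_write", 3),
]

# Constructed events to score: a normal write, then a night-time logon to
# an unfamiliar host followed by a write burst, then an unknown account.
NEW_EVENTS = [
    ("2020-01-07T10:05:00", "alice", "ws-alice", "file_write", 4),
    ("2020-01-08T02:10:00", "alice", "fs-01", "logon", 1),
    ("2020-01-08T02:12:00", "alice", "fs-01", "file_write", 400),
    ("2020-01-08T11:00:00", "mallory", "ws-bob", "logon", 1),
]


def build_baseline(events):
    """Learn, per user, the hosts used, the hours active, and the
    per-minute file-write counts seen during the training window."""
    baseline = defaultdict(lambda: {"hosts": set(), "hours": set(), "writes": []})
    for ts, user, host, action, count in events:
        t = datetime.fromisoformat(ts)
        profile = baseline[user]
        profile["hosts"].add(host)
        profile["hours"].add(t.hour)
        if action == "file_write":
            profile["writes"].append(count)
    return baseline


def score_event(baseline, event, burst_sigma=3.0):
    """Return the list of anomaly flags raised by one event (empty if normal)."""
    ts, user, host, action, count = event
    t = datetime.fromisoformat(ts)
    profile = baseline.get(user)
    if profile is None:
        # No learned behaviour at all: worth an analyst's attention on its own.
        return ["unknown_user"]
    flags = []
    if host not in profile["hosts"]:
        flags.append("new_host")
    if t.hour not in profile["hours"]:
        flags.append("off_hours")
    if action == "file_write" and len(profile["writes"]) >= 2:
        mean = statistics.mean(profile["writes"])
        stdev = statistics.pstdev(profile["writes"]) or 1.0  # avoid a zero threshold
        if count > mean + burst_sigma * stdev:
            flags.append("write_burst")
    return flags


def detect(baseline, events):
    """Score a stream of events and keep only those that raised a flag."""
    alerts = []
    for event in events:
        flags = score_event(baseline, event)
        if flags:
            alerts.append((event[0], event[1], event[2], flags))
    return alerts


BASELINE = build_baseline(TRAINING_EVENTS)


def run_demo():
    return detect(BASELINE, NEW_EVENTS)


if __name__ == "__main__":
    for ts, user, host, flags in run_demo():
        print(f"{ts} {user}@{host}: {', '.join(flags)}")
```

The point of the example is the ordering: the unfamiliar host and off-hours logon fire before the write burst does, which is the window in which the chain can still be broken. A production UEBA system replaces the hand-built profile with learned models and far richer telemetry, but the alerting logic has the same shape.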

Hackers can hide behind zero-day attacks, or exploit unsuspecting users via targeted phishing and ransomware campaigns, but there's no doubt that if you're tracking the behavior of your users and endpoints, you'll almost always find the anomaly in plain sight and be able to quickly contain it.

It’s also important to note that with good secure back-up and recovery policies in place, organizations can fully recover from even the most sophisticated of ransomware attacks. However, Travelex – and all companies – need to consider more effective security awareness training initiatives internally, which will help mitigate the impact of the ransomware attack chain.
