
Can You Predict the Likelihood of a Ransomware Attack? Yes, You Can

After each side has made its first three moves in a game of chess, there are roughly 121 million possible games. A novice plays move by move until checkmated; a grandmaster sees several moves ahead. A security leader needs the same kind of foresight, especially now that cybercriminals operate with increasingly sophisticated tactics, techniques, and procedures (TTPs).

For instance, the LockBit ransomware-as-a-service operation has been active since 2019, but its 2.0 release, according to its authors' own advertising, is among the fastest file-encrypting ransomware variants on the deep and dark web market today. Modern ransomware operations do not just encrypt; they exfiltrate data, delete or corrupt backups, and spread laterally across the environment, including to devices that were not the initial target. Access to critical data is also increasingly gained through the legitimate credentials of 'recruited' insiders, whom LockBit 2.0 openly solicited.

It has become essential for businesses to do things differently and move towards a predictive approach to ransomware.

The problem: Why are organizations failing to prevent ransomware attacks?

A ransomware attack can result from many attack vectors, but the most common are phishing, exposed remote desktop protocol (RDP), and unpatched software vulnerabilities. To defend against them, organizations align with frameworks such as NIST and CISA guidance. They invest in phishing simulations, security awareness training, and password managers to limit credential loss. Against RDP-based intrusions they deploy firewalls, logging and monitoring, and periodic vulnerability and threat scans, and they keep data backups to recover if an attack succeeds. They also invest in vulnerability management services to find and prioritize software vulnerabilities. These are the basics that most organizations already have in place, and they are only a small part of everything an organization does to protect against cyberattacks, including ransomware.

On average, enterprises deploy some 45 cybersecurity services and products. Each one reports into its own dashboard, but there is usually no way for the security team to correlate the data from all of them into complete, real-time visibility. Despite all the investment, security teams cannot objectively predict the enterprise-wide likelihood of a breach. Siloed tools with no cohesive, dynamic metric leave security evaluation an opaque, jargon-rich, point-in-time, and reactive process.

The solution: A predictive and real-time approach

Since ransomware attacks have evolved from a 'spray and pray' tactic into meticulously planned operations, businesses need to be better prepared. What is the missing link that can move a novice business towards becoming a cybersecurity grandmaster, with foresight and adequate visibility across its security weaknesses?

Security and risk management leaders can improve visibility by adopting a proactive and predictive cybersecurity approach which:

  1. Correlates the findings reported by the many cybersecurity products already in place, covering people, processes, technology, and third parties.
  2. Ingests the signals from those services and products through their APIs into a single repository, then applies real-time, machine-learning-assisted risk quantification to produce a ransomware breach-likelihood score for every employee, endpoint, cloud asset, business unit, and more.
  3. Uses the MITRE ATT&CK matrix to present decision-makers with a granular, prioritized list of weaknesses. For instance, ransomware breach-likelihood across the initial access, execution, persistence, privilege escalation, and defense evasion tactics can be computed from the data collected across all products and services.

While there is significant research on initial exploitation and perimeter defenses, there is a gap in shared knowledge of what adversaries do after initial access has been gained. ATT&CK for Enterprise focuses on the TTPs adversaries use to make decisions, expand access, and achieve their objectives. It describes an adversary's steps at a high enough level to apply across platforms, while keeping enough detail to be technically useful. Expressing ransomware likelihood in these terms turns the threat from an intangible "maybe" into a business concern that cannot be left unattended.
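To make the three steps above concrete, here is an added example (not the page's own product or model) of the correlation and scoring pipeline: constructed records from four tool feeds are normalized into findings tagged with an ATT&CK tactic, combined per asset with a noisy-OR model, and ranked. The feed layouts, hostnames, finding identifiers, and per-finding probability weights are all assumptions for illustration, not calibrated values.

```python
"""Correlate findings from several security tools into a per-asset
ransomware breach-likelihood score, broken down by ATT&CK tactic.
Added example; all feeds, hosts and weights below are constructed."""

TACTICS = ("initial-access", "execution", "persistence",
           "privilege-escalation", "defense-evasion")

# Constructed feeds, shaped like what an API poll of each tool might return.
PHISHING_SIM = [  # awareness-training platform
    {"user": "alice", "host": "ws-01", "clicked": True, "entered_creds": True},
    {"user": "bob", "host": "ws-02", "clicked": True, "entered_creds": False},
    {"user": "carol", "host": "ws-03", "clicked": False, "entered_creds": False},
]
EXPOSURE_SCAN = [  # external attack-surface scanner
    {"host": "ws-02", "port": 3389, "service": "rdp", "internet_exposed": True},
    {"host": "srv-db", "port": 445, "service": "smb", "internet_exposed": False},
]
VULN_MGMT = [  # vulnerability management; "id" is a placeholder, not a real CVE
    {"host": "srv-db", "id": "vuln-001", "cvss": 9.8, "exploit_public": True},
    {"host": "ws-01", "id": "vuln-002", "cvss": 5.3, "exploit_public": False},
]
EDR = [  # endpoint agent inventory; also serves as the asset inventory
    {"host": "ws-01", "agent_online": True, "local_admin": True},
    {"host": "ws-02", "agent_online": False, "local_admin": False},
    {"host": "ws-03", "agent_online": True, "local_admin": False},
    {"host": "srv-db", "agent_online": True, "local_admin": True},
]


def normalize(phishing, exposure, vulns, edr):
    """Map each tool's raw records to (host, tactic, description, p).
    p is an assumed probability that the finding is usable by an attacker;
    the weights are illustrative, not calibrated."""
    findings = []
    for r in phishing:
        if r["entered_creds"]:
            findings.append((r["host"], "initial-access",
                             f"{r['user']} submitted credentials to phishing sim", 0.6))
        elif r["clicked"]:
            findings.append((r["host"], "initial-access",
                             f"{r['user']} clicked phishing sim link", 0.3))
    for r in exposure:
        if r["internet_exposed"] and r["service"] == "rdp":
            findings.append((r["host"], "initial-access",
                             f"RDP exposed to the internet on port {r['port']}", 0.5))
    for r in vulns:
        # Public exploit: scale by CVSS; otherwise a small baseline weight.
        p = round(0.5 * r["cvss"] / 10, 2) if r["exploit_public"] else 0.1
        findings.append((r["host"], "execution", f"{r['id']} (CVSS {r['cvss']})", p))
    for r in edr:
        if r["local_admin"]:
            findings.append((r["host"], "privilege-escalation", "user is local admin", 0.3))
        if not r["agent_online"]:
            findings.append((r["host"], "defense-evasion", "EDR agent offline", 0.4))
    return findings


def noisy_or(ps):
    """Probability that at least one of several independent paths succeeds."""
    q = 1.0
    for p in ps:
        q *= 1.0 - p
    return 1.0 - q


def score_assets(findings, inventory):
    """Per-asset overall score, per-tactic scores, and the top findings driving it."""
    scores = {}
    for host in inventory:
        mine = [f for f in findings if f[0] == host]
        per_tactic = {t: round(noisy_or(f[3] for f in mine if f[1] == t), 3)
                      for t in TACTICS}
        drivers = [f[2] for f in sorted(mine, key=lambda f: f[3], reverse=True)[:3]]
        scores[host] = {"overall": round(noisy_or(f[3] for f in mine), 3),
                        "tactics": per_tactic, "drivers": drivers}
    return scores


def prioritized(scores):
    """Assets ranked by breach likelihood, highest first."""
    return sorted(((h, s["overall"]) for h, s in scores.items()),
                  key=lambda x: x[1], reverse=True)


if __name__ == "__main__":
    inventory = [r["host"] for r in EDR]
    scores = score_assets(normalize(PHISHING_SIM, EXPOSURE_SCAN, VULN_MGMT, EDR), inventory)
    for host, overall in prioritized(scores):
        print(f"{host:7s} overall={overall:.3f} tactics={scores[host]['tactics']}")
        for d in scores[host]["drivers"]:
            print(f"         - {d}")
```

The noisy-OR combination assumes the findings are independent attack paths, which is a simplification; a production model would calibrate the weights against incident data and account for controls that block a path outright. Note also that a tool going silent is both a finding and a loss of visibility: ws-02 scores highest here partly because its EDR agent is offline, so the feeds would see nothing further if it were already compromised.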

By taking a predictive approach built on quantified risk management, organizations can unify their cybersecurity strategy and gain real-time visibility across their environments, while building a platform that improves their understanding of financial risk and how to communicate it to internal and external stakeholders.

Ransomware preparedness is not only about technical and cyber responses. This proactive risk management approach helps organizations grasp the potential financial impact of a breach, so they can decide which steps are needed to reduce and mitigate damage now and in the future.