Cyber attacks have become an established threat to global security. Every week seemingly brings a new high-profile breach and threat actors are employing increasingly innovative ways of launching attacks. Last year alone there was a 300% rise in infections involving the use of ransomware (1), malware that blocks or denies the victim access to their own systems or data until a ransom is paid.
Over the past four years, the development of new ransomware variants and capabilities has dramatically increased and recent analysis (2) indicates that criminals may have received over $1 billion in ransomware payments in 2016.
With ransomware attacks becoming more sophisticated, the targets of attacks have expanded from members of the public, traditionally perceived as much easier to compromise than businesses, to industry and government, where the consequences are more widely felt.
Coupled with these more advanced ransomware attacks, businesses are also facing an increasing risk of data and financial theft, as attackers make use of the access obtained by delivering the ransomware to carry out additional criminal activity on internal networks.
Indeed, the most damaging aspect of ransomware attacks is arguably not the immediate financial loss incurred, despite the fact that MWR is now seeing million pound ransoms on a regular basis. What is more damaging is the operational business continuity impact that ransomware attacks cause as they move beyond attacks on a single endpoint or network share to the ransom of enterprise-wide infrastructure. If an organization is not able to access key data, its core critical systems or its communications platforms, operations can grind to a halt until the ransom is paid or extensive restoration and system rebuilds are carried out.
So what can be done to stop attack methods such as ransomware that threaten the very operations of a business?
In any crisis situation, speed is of the essence, and identifying an attack’s source rapidly is key to preventing further damage and ensuring that the process does not repeat when backups are restored. In MWR’s experience, the most effective way to identify the source of an attack quickly is to look at the owner of the files the malware is writing: a file created or encrypted over a network share is owned by the domain user account the ransomware is running under, so reading that owner and then looking for the computers on the network that are using that account leads back to the infected host.
However, while determining the origin of an infection may help stop the encryption that is already underway, this requires a rapid response, and during every second that “patient zero” is being tracked down, business critical data is being encrypted for ransom. Prevention and detection tactics both act to slow the attacker, but whether the attacker is ultimately stopped depends on the skill and persistence of the attacking and defending teams.
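The owner lookup described above, as an added PowerShell example. This is not MWR’s tooling and is not code from the original article; the share path, the ransom-note and encrypted-file name patterns, and the lookback window are placeholders to be replaced with the artefacts of the variant actually being handled. It is intended to be run on the affected file server with administrative rights, and the final containment step is deliberately commented out.

```powershell
# Added example (not from the original article): trace an in-progress ransomware run
# from the NTFS owner of the files it is writing on a share back to the account and
# the host it runs on.
# Assumptions (hypothetical, adjust to the incident): $SharePath, $RansomPatterns
# and $LookbackMinutes below. Requires the SmbShare module (Windows Server 2012+)
# and, for the commented-out containment step, the ActiveDirectory module.

param(
    [string]$SharePath        = 'D:\Shares\Finance',                      # hypothetical share
    [string[]]$RansomPatterns = @('*.locked', 'README_DECRYPT*.txt'),     # hypothetical artefacts
    [int]$LookbackMinutes     = 60
)

$since = (Get-Date).AddMinutes(-$LookbackMinutes)

# 1. Recently written files on the share that match the ransomware's artefacts.
$suspect = Get-ChildItem -Path $SharePath -Recurse -File -Include $RansomPatterns -ErrorAction SilentlyContinue |
    Where-Object { $_.LastWriteTime -ge $since }

if (-not $suspect) {
    Write-Warning "No files matching $($RansomPatterns -join ', ') written since $since under $SharePath"
    return
}

# 2. Group those files by NTFS owner. A file created over SMB is owned by the
#    account that wrote it, so the dominant owner is the account the ransomware
#    process is running under on the infected host.
$owners = $suspect |
    ForEach-Object { (Get-Acl -LiteralPath $_.FullName).Owner } |
    Group-Object |
    Sort-Object Count -Descending

$owners | Select-Object Name, Count | Format-Table -AutoSize
$patientZeroAccount = $owners[0].Name        # e.g. CORP\jsmith

# 3. Which client computers currently hold SMB sessions as that account?
$sessions = Get-SmbSession -ErrorAction Stop |
    Where-Object { $_.ClientUserName -eq $patientZeroAccount }

$sessions |
    Select-Object ClientComputerName, ClientUserName, NumOpens, SecondsIdle |
    Format-Table -AutoSize

# 4. Confirmation / fallback when the session has already closed: network logons
#    (logon type 3) for the account in the file server's Security log, which also
#    carry the source workstation name and IP address.
#    Property indices for event 4624: 5 = TargetUserName, 6 = TargetDomainName,
#    8 = LogonType, 11 = WorkstationName, 18 = IpAddress.
$user = ($patientZeroAccount -split '\\')[-1]
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624; StartTime = $since } -ErrorAction SilentlyContinue |
    Where-Object { $_.Properties[5].Value -eq $user -and $_.Properties[8].Value -eq 3 } |
    Select-Object TimeCreated,
        @{ n = 'Account';     e = { "$($_.Properties[6].Value)\$($_.Properties[5].Value)" } },
        @{ n = 'Workstation'; e = { $_.Properties[11].Value } },
        @{ n = 'SourceIP';    e = { $_.Properties[18].Value } } |
    Sort-Object TimeCreated -Descending |
    Select-Object -First 10

# 5. Containment, once the host is confirmed: cut the sessions and disable the
#    account so the encryption stops while the endpoint is isolated. Left
#    commented out because it is disruptive to a legitimate user if step 2 picked
#    the wrong account.
# $sessions | ForEach-Object { Close-SmbSession -ClientComputerName $_.ClientComputerName -Force }
# Disable-ADAccount -Identity $user
```

Two caveats when reading the output of step 2: if the writing account is a member of a privileged group, the owner can be recorded as that group rather than the user, depending on the default-owner policy in effect, and a ransomware variant that encrypts files in place rather than recreating them leaves the original owner untouched, in which case the ransom notes it drops are the better indicator than the encrypted files.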
It is therefore essential for any organization choosing a cyber incident response service to select one that is trusted, capable and has the experience necessary to respond effectively and quickly to sophisticated cyber security attacks. The UK Government’s Cyber Incident Response (CIR) (3) and Cyber Security Incident Response (CSIR) accreditation schemes provide a list of consultancies with such capabilities.
MWR achieved Cyber Incident Response (CIR) and Cyber Security Incident Response (CSIR) accreditation in 2013 specifically because of its understanding of the threat posed by highly skilled threat actors and its experience of full incident response lifecycles. Its 24/7/365 Incident Response Hotline and rapid remote response technology ensure that appropriate action is taken at the time of an emergency to minimize business impact.
The remote response capability of MWR’s Incident Response team enables it to gather the artefacts needed to support an investigation and to implement containment measures in the field, regardless of where a client’s endpoints are geographically located. Compromise assessments give a thorough understanding of the effectiveness of existing security controls and of whether attackers are currently on a client’s network, while incident readiness programs identify gaps in a client’s incident readiness and provide training to improve resilience and the ability to respond to attacks.
When a business is under attack, it is critical to have the expert support needed to recover rapidly and minimize impact. Knowing that experienced investigators and responders are available when an incident occurs should be part of any organization’s incident response plan. MWR’s core solutions ensure that a business is fully equipped to respond to an incident with the same agility and efficiency that attackers bring to bear.