AcoraCast

Surviving Ransomware in 2022

January 26, 2022

Join Acora and Cymulate as we discuss the 2021 ransomware survey results and the secret to ransomware resiliency. 

Interested in finding out more about Acora? Visit our website here.  

For more information and Cymulate’s full Ransomware Study Report, click here

Acora is a progressive technology services provider that is leading the industry with its Experience Led Approach™. Their mission is to unleash the potential of people through outstanding IT experiences, striking the right balance between frictionless user experience and best-in-class security. Acora continually invests in the right people, processes, and platforms that enable businesses to excel and reach their full potential.

Hello, and welcome to Surviving Ransomware in 2022. Today we're joined by Secrutiny's director of product management and operations, John Winchester, and Cymulate's director and cyber evangelist, Dave Klein. They'll be discussing the results from the very insightful 2021 ransomware survey and sharing the secret to ransomware resiliency.

Excellent, John, great to be here. Likewise. Thanks, Dave. So, we did a ransomware survey this year and have a great number of responses, about 881 respondents globally. And what made it really fascinating was every size of corporation and enterprise was represented, every kind of industry vertical, global representation.

And probably the biggest thing was the number of different roles. It was a great variety of roles. So not only do we have the normal security folks, a lot of people from GRC and other compliance backgrounds. We had pen testers. We even had the legal and business responders. So non-IT staff responded to the survey.

It was really fascinating. Beyond that, I think one of the more fascinating things about it was people were very honest, and 28% of the respondents had been hit by ransomware attacks, and they were very forceful on the damage and duration of these attacks. So we've got a really good view into those who have been hit, those who haven't been hit, and then what happened.

And that was really fascinating. And I would say that the first thing that came across, which I thought was interesting, was that regardless of whether you were hit or not, we found that the confidence level was still low for the next attack. Saying, hey, the next time, or the first time, how confident do you feel?

And for non-victims, that was a 54% confidence level, and for victims only 53%. So that's rather low. It was very, very interesting to see that. Which industries, which demographics did you find had the highest, or should we say, level of awareness, and perhaps also what their

level of anxiety was regarding future attacks? So what was interesting was the anxiety level was across the board, and it was pretty much that 54 or 53% level. What was interesting was getting into the actual damage and duration and frequency. So damage: how bad was it? Duration:

how long did it take to recover? And then frequency. We did see a lot of outliers on who was hit more than others, but here's a surprise. The first part of this survey that was really fascinating was a large majority said damage was negligible, that they were able to stop the attack before it became really dangerous.

Only 19% had a considerable or total business down situation. So that's actually really kind of... right. Only 19% had a considerable or total business down. In duration, only 14% had a duration that was longer than a week. So that is kind of cool, right? When you think about the anxiety level, and everyone said, I'm not confident for the next attack, but then you see the damage and duration is kind of low.

That's a reason for optimism. And we'll get into some of the reasons why that's the case. Now there were outliers, and by frequency, by industry, we did see some major differences. So for example, utility companies: 50% of the respondents had been in a ransomware attack. Legal, 45%, right? The average overall, by the way, was 28%.

So for utilities at 50% and legal at 45%, that's pretty high. Food, retail, hospitality, 44%. And then manufacturing and transportation services, 40%. So those were the outliers as far as frequency, meaning they're hit more. And that's kind of important to understand. Now, on that damage and duration, we talked about the positiveness of how low it was in damage and duration.

There is an outlier there too: the legal industry. In most situations they were down for over... and had a complete business down situation. And that, I think, we can look to how legal works. And John, today, regardless of where you are in the world, most legal companies now have digital documentation, right?

All their stuff is digital, right? They've gone to that kind of mentality. And therefore, when your cases rely on having that, when it's gone, to restore it takes a lot of work. So we figured that for legal, who was really the major outlier in this survey, that's the reason for that.

Right. So overall, though, enterprises are doing surprisingly well at surviving ransomware attacks, right? And I think here what we have is good reason for optimism. And the next part of the survey really gets into why this is the case. So what were the types of questions you were asking, Dave?

So the key here was we started with where your level of awareness is, and this answers the why. We asked what level ransomware awareness was at, and what we found, John, if you look at 2022 and 2021, is that ransomware is top of mind for everyone, right? And the key here, this is the case for why I think we saw some positive results.

70% of the respondents said that the level of concern was at the business and/or boardroom level. So for me, what this says, and what the respondents say, is that it's at the business or boardroom level. So it goes beyond IT, right? It means that it has the business's interest. And because of that, we now get to the how, right?

So the why is you're now at the business and boardroom level of concern, and the how: they answered what made it better, right? And for number one, beyond victims and non-victims, 64% had more money allocated to IT security because of ransomware, and 58% had more staff. So the key is you saw more money and more staffing because that concern was at the business and boardroom level.

And I think that is a real reason why things have gotten better. On top of that, most companies have incident response plans. Over 4,300 had changed their incident response plans to include ransomware, and over 17% have practiced those incident response plans, doing incident response drills because of ransomware.

So you see, you have more money, more staff, people are changing and practicing their incident response plans. And that is kind of key. And on top of that, there's two other things we then got into: because of ransomware, what additional security controls and solutions have you adopted? And this was kind of a surprise, John.

We were expecting to see, wow, improved backups, right? We were expecting to hear that. Well, we're at an era where that's a given, right? And in fact, the two things that were at the top, the things that were most important and most adopted, were EDR solutions and multifactor authentication.

And if you look at the type of attacks that occur today, this is essential, right? EDR is essential because today attackers take any kind of signature-based antivirus and test it against their attacks before they attack, right? So you need the behavioural heuristics approach that EDR provides you. Multifactor authentication:

we know that attackers take advantage of people running with too liberal privileges, and who can install things. And multifactor authentication is a way to prevent taking advantage of that, right? Or weak passwords, right? Multifactor authentication prevents that as well. So again, you had the boardroom level awareness, you had more money, more staff, you have IR plans, you have EDR, multifactor authentication.

And finally, and this is kind of also very critical, 84% have incorporated additional offensive practices. So let's talk about that. If you think about it in the past, John, I know you and I are veterans at this: our customers generally, after an attack, are very interested in cybersecurity, right?

And over time their ego comes into play and it slowly disappears. It dissipates. The important thing in environments, just like when we get a car that has been crash tested, just like the food that we buy is continuously tested, is you need to continually test your environment against offensive practices.

And what we found was that 84% have adopted pen testing, breach and attack simulation, advanced offensive practices, red teaming, purple teaming, these kinds of things, to practice against ransomware and other types of attacks, to make sure their security controls were optimized, their people are ready for the attacks, and their incident response plans are ready.

And so that was probably the final takeaway from the survey. And there's really good reason for optimism. Yeah. Going back to the legal demographic, was there an underlying deficiency that you were able to pick up on that led to that elongated sort of recovery period?

You know, was it lacking EDR? Was it lacking MFA? Was there something that obvious that you could say that's the thing that led to either their downfall or ultimately their prolonged recovery? I'd argue that law firms generally have traditionally not been very IT forward, and I'd argue that this latest wave of ransomware hits them where it matters most:

their online documentation for all their cases, all the stuff that's digital. I'm sorry, hello, that's a tongue twister: digitization. I still think I said it wrong. The digitization of all the legal documents. It's become a huge concern because, again, it takes them so long to recover from something like that.

Even if they have great backups, it takes so long to recover, and it's a business down situation. So I would argue that they are becoming very tech savvy now, on purpose, right? And I think that we will see more EDR solutions, more multifactor authentication, offensive practices, and even some incident response plans.

Right. And if I was in legal, I think beyond just normal cybersecurity hygiene, there really has to be an incident response plan for what do we do if we lose our digital backups, or if we need to go to digital backups. Let's go take a week to recover: have business continuity. Yeah. Do we have a situation where we say, okay, for the next week we notify our clients, and we have that message ready to go in case it happens?

And we have a whole procedure of calling our best customers and things like that. There's going to be a need for them to be able to handle that. Yeah, I think there's a broad call to action for a lot of businesses to augment what they have historically had. Perhaps legal is a case in point: have you got AV?

Yes, but no EDR. And it's things like that. And the user, I think the user and the endpoint are the battlefields; that's where we see the attacks mainly landing. And of course, those things lead to the ransomware war. But I think it's invariably that you're only as strong as your weakest link, and users and desktops,

there's usually plenty of attack surface on those things. And of course, if they're not protected by something like EDR, then it's a risk. And I think also, you know, I mentioned you're only as strong as your weakest link. If you don't train your people not to click phishy links in emails, they're going to keep clicking them.

And we had that conversation earlier. It's just the way people are, and if you don't train them and invest time in them, they won't know. You can't then defend that position to say, well, hey, you've had regular training. So it's very, very important for organizations to have that piece.

It's all really wrapped up. And I think the user training thing came up in my 2022 New Year's resolutions for CSOs. There was something in there about ensuring that people have some information security training, awareness training. And so, yeah, it is critical.

Yeah, definitely. And by the way, there's ways that you can create this and gamify it. So one thing we do at Cymulate is we cover the full kill chain, from beginning to end of an attack, and what we do a lot differently than other companies in our field is we start with phishing campaigns. And we found that a lot of our customers turn it into a positive, where they either use their messaging system,

like... right, or a mailing list, and say, hey, look, I found a new phishing email, way to go, Jim, thanks so much. Or, hey, Kim, that was awesome, right? So they turn it into comic gamification and "way to go, you found this". Yeah. On top of that, beyond the weakest link being the desktop, in 2022 there's two other things that I think will come into play a lot more.

And that is supply chain. Yeah. And you think about it: there is no industry in this world today, John, where you don't have software as a service for something, where you don't have vendors that do certain things, where your partners aren't tied into you, your customers aren't tied into you, your bank isn't tied into you.

So that supply chain aspect, I think, is also the weakest link; it might be them as well. So the ability to test in your environment for your third parties is going to be really important. And then finally, with the pandemic, we've totally, thoroughly changed how we work. Yeah, I know. We're going to go back to a hybrid.

I can't wait to go back to hybrid. We were just talking in the green room before this about how I have to come back to London. I miss London so much. You can't get good Indian food in the US, by the way. I love the London Indian food scene. Anyway, the key is the phantom apps right now. Most people are working in a hybrid environment, working from home,

and because there's so many, I would say, disruptive apps that are awesome, like Discord, which used to be a gaming server communication tool and which now is used by all sorts of companies, Slack, and all sorts of third-party apps that people put on their machines. You're not just talking about phantom IT being servers spun up or a VPC spun up by departments that main IT doesn't know about.

You talk about phantom apps; I think that we can look at 2022, that will be... I think it's been a long, long-standing issue. It used to be called shadow IT, didn't it? But yes, I agree with that. And you mentioned incident response as being part of the testing cycle, and I think absolutely that's a super important aspect.

It's okay to test, you know, offensively test using a red team or purple team, or a breach and attack simulation tool or whatever it is. It's one thing to test the technical controls. But what happens afterwards, in that incident response piece involving people and communications and making sure that you contact the right people, the affected people, right?

Notifying agencies, if needs be. In most cases companies are legally obliged to notify under some kind of data protection law, so making sure that you understand when and what the triggers are for those things is super, super important, because there are some really hefty fines for not doing that properly.

And there's certainly a dozen or so cases in the UK under UK GDPR where you could probably say this organization has been fined for not notifying that they were breached. So it's super important to do that. It's not just that sort of isolated technical control piece; it's end to end.

And it's ensuring that your controls do the protect, detect, respond piece properly so that you surface the event into that IR process, and having it well documented how that looks is very, very important. And it needs to be tested, because things break whenever there's a person involved or a process involved; you've got to test these things.

Because things change, people change, processes change, or they need to change to adapt. And so this continual testing thing is super, super important. And it's just that feed-through from the technical through to the IRP that I wanted to highlight as being very important.

Indeed. And one thing we talked about, backup, but actually testing your ability to recover. What good is it to have immutable backups if actually they don't work, right? So further down the line, yeah, or they take a month to recover. I think the biggest thing people have found is two things: oh, the backups aren't complete.

So we've lost things, and then they get into a differential: what have you lost? And then the second thing is duration. How long does it take to back up, I mean, to recover, right? And so that's why testing is critical. Also, you know, I'm from Cymulate, you know, extended security posture management, which is offensive testing.

The other thing here is often we look at, especially in 2021, but it was also true in 2020, how quickly new attack techniques, tactics and procedures came out, new indicators of compromise. Having a solution that allows you to test, that incorporates all these new things, IoCs and TTPs, within near real time, where the vendor updates it for you,

so you just continuously test, is critical, right? And also, when you look at that, the idea of being able to come up with a solution that has prescriptive output. Like you said, who's involved? Well, not just the red teamers and the purple teamers and the cybersecurity staff. It's a crew that has to say, hey, listen, SOC,

here's what we found. EDR needs to be better tuned; here's how you do it. Hey, looking at Active Directory, we were able to add a new admin user. Yeah, we shouldn't be able to do that. Call the AD team and tell them we'll do this, right? And so one of the key recipe or principal ingredients to make continuous testing work in an easy fashion is having that prescriptive output, having the updated, actual intelligence in a way that...

Yeah. And I think it's also really, really important to involve all of the senior stakeholders when there is an incident, in that incident response testing. If you don't have the right escalation procedures in place, that's a problem, because your IR process is going to hold at a really critical point.

Right. And no organization should have that. So making sure that it's not just about writing a process that keeps it in the SOC. It's got to be able to go and grow from the SOC into the business at the right level. So, the correct hierarchical escalation into the organization, to create that awareness, to ensure that the broader communications or recovery plans kick into action.

Otherwise the business will just stop. So I think it's a fascinating subject, and it's one that I'm sure we could both spend a good deal of time talking about. It sounds like the next podcast. Yeah.

That's a great idea. Well, I would also caveat: you talked about bringing in the business and stuff like that. And again, this survey shows that when you bring in the business and the boardroom, you get results, right? As it relates to the business, I'd argue one of the surprises my customers talk about when testing against ransomware is when they test the incident response plan and bring in the business.

My favorite story, and again, you and I have been in this business a long time, is, you know, when you're in cybersecurity, you start very technical. Then you realize you need several other languages that you need to speak to be successful. And what most people tell me is when they run attack simulations and do full-on incident response planning practice, the biggest thing that they learn when they approach business people is how to talk to them.

Give them the risk right there: there's this vulnerability, it's been exploited in the wild, and we have this much risk. It means this to the business. It means this dollar value loss, right? The executive doesn't need to know that it was a buffer overflow. Nope. And a CVSS score of nine-plus with RCE capabilities.

Which, by the way, is my native language. It's your native land locked for J, absolutely. Absolutely. This is not heaven; this is people talk, right? And people want to know: what's the impact to my business? What if we don't do anything? What if we do something? What is the reduction of risk? What is the monetary value?

And that's kind of important. So that's the aspect of, you know, how. Yeah, definitely. Well, thank you both for your invaluable contributions on how to survive ransomware in 2022. If you're looking to optimize your security posture and prepare for ransomware, then contact Acora for more information on how to acquire Cymulate's free ransomware audit.