
Changing tactics to win: preventing ransomware attacks

Information security

By Ron Burrows, published 2 years ago, 4 min read

Defending against this threat is a serious challenge. Enterprises should focus on the initial access vectors and supply-chain risks that are the recurring precursors of data theft and ransomware attacks, and strengthen protection there. Monitoring open sources and the external attack surface, with the relevant data and parameters properly collected, is an important tool for identifying and preventing attacks.

The challenges enterprises face cannot be met by firewalls alone

It is very difficult, if not impossible, for small and medium-sized enterprises (SMEs) to respond to threats within six hours. SMEs generally lack the resources to run an emergency patch-management cycle quickly, and their security staff are limited. Those limited resources are usually concentrated on the network and on basic blocking and handling: configuration, patch management, network and application firewall configuration, anti-virus, access-management controls, endpoint logging and Windows event logging, and so on. At most, SMEs can deploy endpoint detection and response and a SIEM, often with the help of managed security service providers.

Large enterprises with richer resources have some capacity to fight back, but they are sometimes hindered by internal bureaucracy. Dealing with ransomware requires focusing on quickly cutting off the attacker's initial access and fixing exploited vulnerabilities in the supply chain. Security and audit functions can usually identify vulnerabilities, but they depend on IT capacity and appropriate processes to apply patches or protect credentials. If branch or subsidiary networks are involved, it is even more complicated: the enterprise may not be able to centrally manage patches and configuration for specific business entities. At the same time, the security operations threat-hunting team should monitor attackers' exploitation of vulnerabilities and find ways to keep attackers out of the enterprise environment and to prevent them from moving laterally and elevating privileges once inside. This situation is not uncommon, and these problems have always existed.

Dealing with and preventing ransomware attacks requires a change of mindset, toward comprehensive protection that can delay and stop attackers. Since attackers control the tempo of their activity on the network, monitoring malicious traffic to ransomware operators is not good advice, and in practice it fails. This is especially true for SMEs.

However, by properly defining and continuously monitoring what lies outside the firewall before a ransomware attack occurs, security experts can detect and fix misconfigurations that ransomware operators can exploit, as well as other mistakes made by employees.

Monitor digital threats and the external attack surface

Digital threat monitoring is critical here, especially where credentials for logging in to employees' devices are being sought. Against attempts on internal login points and exploits, the following measures are very useful for enterprises.

First, monitor new attack activity on the network.

Second, carry out surface and deep web monitoring, complemented by security engineers' analysis, to aggregate compromised data sets according to the needs of specific customers.

Finally, monitor for and detect data leaks.

External attack surface monitoring combines the most critical factors: asset discovery, shadow IT, detection of malicious and anomalous communications, and threat actor infrastructure. The result is an outside-in view of corporate risk that the relevant stakeholders can easily understand. This is not just continuous scanning of the perimeter for vulnerability management.

External attack surface management is not simply a matter of discovering some IP addresses or websites; it is about understanding, at the level of the whole environment, how Internet-facing assets relate to the business and what risks they bring. If an enterprise implements the following measures, it can prevent attackers from exploiting weaknesses or vulnerabilities to infiltrate the corporate network.

First, continuously discover unknown assets.

Second, identify the characteristics of assets, services, applications and software to ensure that patches are up to date.

Third, taking into account the company's locations, subsidiaries and third-party suppliers, survey the company's assets to ensure continuous and centralized management.

Finally, determine the status of the discovered assets (vulnerabilities, shadow IT, etc.) and the business context of these assets.
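As an added example (not the article's own code) of the four steps above: a small Python reconciliation of a constructed external-discovery result against a constructed asset register, flagging shadow IT, software below the patch baseline and services that should not face the Internet, grouped by the business entity responsible. The hosts, banners and baseline versions are constructed sample values.

```python
import re
# Constructed sample data (not real hosts): the asset register each business entity
# maintains, and what an external discovery scan actually found on the Internet.
ASSET_REGISTER = {
    "203.0.113.10": {"owner": "HQ"},
    "203.0.113.11": {"owner": "Subsidiary-EU"},
}
DISCOVERED = {
    "203.0.113.10": {"https": "nginx 1.24.0", "rdp": "Microsoft Terminal Services"},
    "203.0.113.11": {"ssh": "OpenSSH 8.2"},
    "203.0.113.42": {"http": "Apache 2.4.49"},  # nobody registered this host
}
# Constructed patch baseline (minimum approved version per product) and the
# services that should never face the Internet.
BASELINE = {"nginx": "1.24.0", "OpenSSH": "9.6", "Apache": "2.4.58"}
DISALLOWED_SERVICES = {"rdp", "smb", "telnet"}
BANNER_RE = re.compile(r"^(\S+)\s+(\d+(?:\.\d+)*)$")

def parse_banner(banner):
    """Split 'nginx 1.24.0' into ('nginx', (1, 24, 0)); no version -> (banner, None)."""
    m = BANNER_RE.match(banner)
    if not m:
        return banner, None
    return m.group(1), tuple(int(p) for p in m.group(2).split("."))

def reconcile(register, discovered, baseline, disallowed):
    """Return one finding per shadow-IT host, outdated service or disallowed exposure."""
    findings = []
    for host, services in discovered.items():
        owner = register[host]["owner"] if host in register else "UNASSIGNED"
        if host not in register:  # step 1: an asset nobody knew about
            findings.append({"host": host, "owner": owner, "type": "shadow_it",
                             "detail": "reachable but absent from register"})
        for svc, banner in services.items():
            if svc in disallowed:  # step 4: the exposure itself is the risk
                findings.append({"host": host, "owner": owner, "type": "exposed", "detail": svc})
            product, version = parse_banner(banner)  # step 2: fingerprint the software
            floor = parse_banner(f"{product} {baseline.get(product, '')}")[1]
            if version is not None and floor is not None and version < floor:
                findings.append({"host": host, "owner": owner, "type": "outdated",
                                 "detail": f"{banner} is below baseline {baseline[product]}"})
    return findings

def by_owner(findings):
    """Step 3: group findings per business entity so each can remediate centrally."""
    groups = {}
    for f in findings:
        groups.setdefault(f["owner"], []).append(f)
    return groups
```

Hosts that are registered but no longer reachable are not flagged here; in practice those stale records deserve a follow-up of their own.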

In addition, several important points deserve attention: determine the geographic and business differences among assets; identify the infrastructure of malicious actors and the threat posed by insiders' communications; and, for data-leak detection, determine whether key suppliers could leak enterprise data.

External threat hunting is proactive analysis of technical data whose purpose is to determine the real threats an enterprise faces. With this information, security engineers can improve security controls to maintain the confidentiality, integrity and availability of data, systems and networks.

While there is no "silver bullet" against ransomware attackers, it is critical to prevent them from gaining access to the enterprise environment or exploiting vulnerabilities or weaknesses in the technology supply chain. Companies must implement large-scale, cost-effective attack surface monitoring and digital threat monitoring to seize the best opportunity to identify and defeat ransomware operators.
