Stop following the herd to start fighting ransomware


While a surge in ransomware and data breaches is doing nothing for confidence in security technologies, the harsh reality today is that organizations cannot rely on isolated data resiliency and disaster recovery strategies to keep out the criminals.

Ransomware and extortion incidents grew by 67% last year, according to NTT Security Holdings’ 2024 Global Threat Intelligence Report. These are record times for security software companies and yet the threats do not go away. Unsurprisingly, research from Evanta shows that CIO priorities are still dominated by cybersecurity, despite considerable investment in cyber security strategies and technologies.

Most enterprises have a data resiliency strategy. Traditionally this takes the form of Business Continuity (BC) and Disaster Recovery (DR). However, the technology and processes designed for data resiliency do not provide the capability needed to achieve cyber resiliency in the age of destructive cyberattacks, like wipers and ransomware. Clearly, something is not working, and organizations need a shift in tactics to protect their data and infrastructure.

Almost all of the latest cybersecurity frameworks and regulations, such as the NIST Cybersecurity Framework 2.0, the EU Network and Information Security (NIS2) Directive 2.0 and the EU Digital Operational Resilience Act (DORA), are focused on building resilience: not just the ability to prevent and detect, but also the ability to withstand cyberattacks through response and recovery, two functions that have traditionally seen underinvestment.

The average enterprise has over 130 different cybersecurity tools installed, according to Deloitte, the vast majority of which have failed to be integrated and operationalized enough to prevent organizations from becoming victims of a cyberattack. Any continued investment in prevention and detection is only likely to produce a fractional decrease in residual cyber risk, while creating more friction with users, less agility for the organization, more alert fatigue, higher licensing costs, and even more security infrastructure to manage.

James Blake

Global Head of Cyber Resiliency Strategy at Cohesity.

Cyber resiliency and stopping ‘double-tap’ attacks

Spending on response and recovery (in contrast to detection and prevention) delivers the cyber resiliency that these latest frameworks and regulations require to withstand modern cyberattacks with minimal impact. The challenge is how to achieve cyber resiliency in a world where so much has already been invested in cybersecurity tools.

To move to a posture of cyber resiliency, two things must be established as a foundation. Firstly, the ability to recover must be put beyond the reach of adversaries. Secondly, response planning must have provisions for the rapid recovery of not just production systems but also the security, authentication and communications platforms needed to effectively and efficiently respond to the incident.

This is a key difference between the more traditional approach of data resiliency and that of cyber resiliency. Data resiliency focuses on a small number of root causes that have formed the basis of business continuity and disaster recovery scenarios for decades, including flood, fire, power loss, equipment failure and misconfiguration. To achieve cyber resiliency, we need to deal with an adversary who is actively trying to disrupt our response and recovery efforts and who continually adapts their behavior.

It’s important to recognize here that the response needs of the security operations team are as important as the recovery needs of the IT operations team in reducing the impact of an attack. Approaches that rush to recovering systems without understanding the nature of the attack will not remove the gaps in controls that didn’t prevent or detect the attack.

Ongoing attacks will therefore reinfect recovered systems within minutes. Ransomware gangs are increasing their use of ‘double-tap’ attacks, where they circle back and reattack organizations they previously hit but that refused to pay a ransom. These attackers will take advantage of the same vulnerabilities they used to gain access the first time, if they’re not closed. Organizations can also be attacked by other gangs using the same Ransomware-as-a-Service platform.

Cyber resiliency is key

This is why the cyber resiliency approach is so key. As destructive cyberattacks target an organization's ability to respond and recover, it makes sense to give organizations the ability to do both safely and quickly. That means recognizing how an attack can hurt existing systems and even security functionality. Traditional security tools that live on endpoints struggle to function when an organization has isolated systems in response to ransomware and wipers. Recovery without closing these vulnerabilities and bolstering gaps in controls will leave an organization exposed to exactly the same attack again in the future. And over-relying on security tools that may not actually work, or that cannot be trusted even if they do, only exacerbates the problem.

In short, there are some key reasons why most organizations fail on this front. The first is that disaster recovery and business continuity approaches tend not to be appropriate for dealing with cyberattacks. Organizations that incur the highest costs of a destructive cyberattack are those where the backups have been rendered unusable by the adversary or where attacked systems are recovered without the appropriate remedial steps to remove the threats and vulnerabilities.

The second is that IT and security operations teams do not tend to collaborate. Investigating an attack does not inform mitigation, which means that security teams often find they do not know the best steps to take to prevent reinfection. A third reason is that security controls may not be available following an attack.

BC/DR priorities often focus on critical business applications first because they have been drawn up by the IT Operations team working with the business units in isolation from security. But it is critical to first recover a trusted Minimum Viable Response Capability (MiViRC), so that IT and security operations can work collaboratively with their internal and external stakeholders to manage the incident, using trusted tooling in an environment the adversary cannot observe in order to disrupt response and recovery operations.
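One way to make the MiViRC-first ordering and the "recovery beyond the adversary's reach" foundation concrete is to express them as a restore-sequencing check: every asset is restored only from a copy that is immutable, has been scanned clean and predates the last known good point from the investigation, and response tooling (identity, communications, security tooling) is sequenced ahead of business applications while still respecting dependencies. The following is an added example written for this article, not the author's or any vendor's code; the asset names, tiers, snapshot attributes and timestamps are constructed sample values.

```python
"""Recovery sequencing that restores a Minimum Viable Response Capability first.

Added illustration; not code from the article or from any product.
Asset names, tiers and snapshot data below are constructed sample values.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from graphlib import TopologicalSorter


# Tier 0 = response capability (identity, communications, security tooling),
# tier 1 = critical business applications, tier 2 = everything else.
@dataclass(frozen=True)
class Asset:
    name: str
    tier: int
    depends_on: tuple = ()


@dataclass(frozen=True)
class Snapshot:
    asset: str
    taken_at: datetime
    immutable: bool   # locked, write-once copy the adversary could not alter
    scan_clean: bool  # checked for indicators of compromise before restore


def select_snapshot(snapshots, asset, last_known_good):
    """Newest copy that is immutable, scanned clean and predates the compromise."""
    usable = [s for s in snapshots
              if s.asset == asset and s.immutable and s.scan_clean
              and s.taken_at <= last_known_good]
    return max(usable, key=lambda s: s.taken_at, default=None)


def plan_recovery(assets, snapshots, last_known_good):
    """Return (ordered restore plan, blocked assets with reasons).

    Dependencies are restored before dependents; among assets that become
    ready at the same time, lower tiers go first so response tooling is back
    before business applications. An asset whose dependency cannot be
    trusted is blocked rather than restored onto a compromised foundation.
    """
    by_name = {a.name: a for a in assets}
    sorter = TopologicalSorter({a.name: set(a.depends_on) for a in assets})
    sorter.prepare()
    plan, blocked = [], {}
    while sorter.is_active():
        ready = sorted(sorter.get_ready(), key=lambda n: (by_name[n].tier, n))
        for name in ready:
            missing = [d for d in by_name[name].depends_on if d in blocked]
            snap = select_snapshot(snapshots, name, last_known_good)
            if missing:
                blocked[name] = "depends on blocked asset(s): " + ", ".join(missing)
            elif snap is None:
                blocked[name] = "no immutable, clean snapshot taken before last known good"
            else:
                plan.append((name, snap.taken_at))
            sorter.done(name)
    return plan, blocked


# Constructed scenario: compromise established at NOW - 12h by the investigation.
NOW = datetime(2024, 6, 1, 12, 0, tzinfo=timezone.utc)
LAST_KNOWN_GOOD = NOW - timedelta(hours=12)

ASSETS = [
    Asset("idp", 0),                      # identity provider: everything needs it
    Asset("comms", 0, ("idp",)),          # out-of-band incident communications
    Asset("soc-tooling", 0, ("idp",)),    # SIEM/EDR consoles used for response
    Asset("erp", 1, ("idp",)),            # critical business application
    Asset("wiki", 2, ("idp",)),           # low-priority service
]
SNAPSHOTS = [
    Snapshot("idp", NOW - timedelta(days=2), True, True),
    Snapshot("idp", NOW - timedelta(hours=6), True, True),    # after compromise: rejected
    Snapshot("comms", NOW - timedelta(days=1), False, True),  # mutable copy: untrusted
    Snapshot("comms", NOW - timedelta(days=3), True, True),
    Snapshot("soc-tooling", NOW - timedelta(days=1), True, True),
    Snapshot("erp", NOW - timedelta(days=1), True, False),    # not yet scanned: rejected
    Snapshot("erp", NOW - timedelta(days=2), True, True),
    Snapshot("wiki", NOW - timedelta(days=1), False, True),   # only a mutable copy
]


def demo():
    return plan_recovery(ASSETS, SNAPSHOTS, LAST_KNOWN_GOOD)


if __name__ == "__main__":
    plan, blocked = demo()
    for name, when in plan:
        print(f"restore {name:12s} from {when.isoformat()}")
    for name, why in blocked.items():
        print(f"BLOCKED {name:12s} {why}")
```

With the constructed data the plan restores `idp`, then `comms` and `soc-tooling` (tier 0) before `erp`, and refuses `wiki` because its only copy is mutable; the newer `idp` and `erp` copies are skipped because one postdates the last known good point and the other has not been scanned.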

While many data management vendors tend to offer isolated environments focused on the recovery needs of the IT Operations team, they often forget the intrinsic relationship between response and recovery that is needed to deliver cyber resilience. That should be a major focus if we are to counter the growing threat of ransomware. Organizations need to rethink security strategies, not following the herd but looking towards a more collaborative, platform approach to resiliency. It really is the only way to stop ransomware from winning.


This article was produced as part of TechRadarPro's Expert Insights channel where we feature the best and brightest minds in the technology industry today. The views expressed here are those of the author and are not necessarily those of TechRadarPro or Future plc. If you are interested in contributing find out more here: https://www.techradar.com/news/submit-your-story-to-techradar-pro
