We have all heard or read the analysis that an attack would have been milder if highly secure cloud services had been used, especially when an organisation has recently been hit by ransomware, has probably suffered data loss and downtime, and wants to get back to business as soon as possible. What does that mean exactly?
The answer typically lies not in on-premise versus cloud infrastructure but in a lack of security hygiene and a failure in defences. More often than not it is an organisation's inability to maintain security fundamentals like patch management, technology stack configuration, and secure coding practices that provides a foothold for the adversary. Whether a technology is on-premise or somewhere in the cloud has no bearing on the adversary's ability to execute a ransomware attack. The two are not mutually exclusive. In fact, organisations hastily moving data into the cloud increase the likelihood of future intrusions, because doing so introduces another attack surface to the organisation, and a massive one.
Cloud architectures and configurations are complex and prone to misconfiguration and human error. Also, many cloud providers have their own list of defences and won't deviate from it, which forces organisations to comply or go elsewhere. The change of security technologies introduces new issues for organisations to consider. These are even harder to properly assess and resolve if a company's management team is pressuring for an overnight transition from on-prem to cloud.
Teams moving into the cloud need to:
- Truly assess the pros and cons
- Evaluate the various cloud providers and hosting companies over several months rather than days
- Assess the cloud providers' policies and procedures, especially when it comes to backups, configuration changes, and the security procedures that apply when the provider's own employees leave
- Implement an agile transition, meaning a slow, multi-release transition instead of a flip-of-the-switch, lights-on transition
I think it's pretty easy to say that any attack would have been milder if highly secure systems had been used. Security hygiene simply refers to the security basics: maturing the technology stack, maintaining patch management efforts, keeping rules and signatures updated, encrypting the necessary data, testing backup procedures quarterly, etc.
Ransomware is only one form of adversary objective; regardless of the objective, the adversary needs to tunnel their way into the organisation. Companies need to stay vigilant, especially during the pandemic. Covid is putting a financial strain on people, and ransomware attacks are largely financially motivated, quick, and relatively easy to orchestrate. Sophisticated cyber criminals will target larger companies for a larger payout, whereas less sophisticated cyber criminals can just as easily target residential users in order to syphon hundreds of dollars or more, depending on the value of the files encrypted.
From a TQ perspective, companies need to stay updated on threat intelligence and streamline those IOCs and signatures into their defensive technology stack as quickly as possible, in order to block or detect malicious activity before the adversary has time to ransom their files.
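As an added example that is not part of the original article and not code from ThreatQuotient or any of its products, the Python script below shows the IOC-to-defence pipeline the paragraph describes at its smallest: a constructed indicator feed is parsed, low-confidence and malformed entries are dropped, the surviving indicators are matched against constructed proxy, DNS and EDR log lines, and the network indicators are emitted as a denylist for a proxy or firewall. The feed format, the key=value log format, the field names and the confidence threshold are all assumptions made for the example.

```python
import ipaddress
import json
import re
from collections import defaultdict

# Constructed IOC feed in a minimal JSON shape (type, value, confidence, source).
# None of these values are real indicators: the domain uses the reserved
# .invalid TLD and the IPs come from the documentation ranges.
IOC_FEED_JSON = """[
  {"type": "domain", "value": "Update-Check.example.invalid", "confidence": 90, "source": "feed-a"},
  {"type": "ipv4",   "value": "203.0.113.45", "confidence": 80, "source": "feed-a"},
  {"type": "ipv4",   "value": "198.51.100.7", "confidence": 30, "source": "feed-b"},
  {"type": "sha256", "value": "0123456789ABCDEF0123456789abcdef0123456789abcdef0123456789abcdef", "confidence": 95, "source": "feed-b"},
  {"type": "ipv4",   "value": "not-an-ip", "confidence": 99, "source": "feed-b"}
]"""

# Constructed log lines in an assumed key=value style (proxy, DNS and EDR events).
SAMPLE_LOGS = [
    "2024-03-01T10:00:01Z proxy src=10.0.0.12 dst=203.0.113.45 host=update-check.example.invalid",
    "2024-03-01T10:00:02Z dns src=10.0.0.7 query=cdn.example.com",
    "2024-03-01T10:00:03Z edr host=ws-14 sha256=0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef proc=svchost.exe",
    "2024-03-01T10:00:04Z proxy src=10.0.0.9 dst=198.51.100.7 host=mail.example.com",
    "2024-03-01T10:00:05Z dns src=10.0.0.3 query=beacon.update-check.example.invalid",
]

_KV = re.compile(r"(\w+)=(\S+)")


def load_iocs(feed_json, min_confidence=70):
    """Parse the feed, drop low-confidence or malformed entries and normalise
    values so matching is case-insensitive. Returns {type: {value: source}}."""
    iocs = defaultdict(dict)
    for entry in json.loads(feed_json):
        if entry.get("confidence", 0) < min_confidence:
            continue  # below the tuning threshold: too noisy to block on
        kind, value = entry["type"], entry["value"].strip().lower()
        if kind == "ipv4":
            try:
                ipaddress.IPv4Address(value)
            except ValueError:
                continue  # malformed indicator: never push junk into a blocklist
        elif kind == "sha256" and not re.fullmatch(r"[0-9a-f]{64}", value):
            continue
        iocs[kind][value] = entry["source"]
    return iocs


def _domain_hit(name, domains):
    """Exact or parent-domain match, so subdomains of a listed domain also alert."""
    parts = name.split(".")
    for i in range(len(parts)):
        candidate = ".".join(parts[i:])
        if candidate in domains:
            return candidate
    return None


def match_log_line(line, iocs):
    """Return [(ioc_type, ioc_value, source)] for every indicator seen on the line."""
    fields = dict(_KV.findall(line))
    hits = []
    for key in ("dst", "src"):
        value = fields.get(key, "").lower()
        if value in iocs.get("ipv4", {}):
            hits.append(("ipv4", value, iocs["ipv4"][value]))
    for key in ("host", "query"):
        name = fields.get(key, "").lower()
        matched = _domain_hit(name, iocs.get("domain", {})) if name else None
        if matched:
            hits.append(("domain", matched, iocs["domain"][matched]))
    digest = fields.get("sha256", "").lower()
    if digest in iocs.get("sha256", {}):
        hits.append(("sha256", digest, iocs["sha256"][digest]))
    return hits


def scan_logs(lines, iocs):
    """Run every line through the matcher; one alert dict per (line, indicator)."""
    alerts = []
    for n, line in enumerate(lines, start=1):
        for kind, value, source in match_log_line(line, iocs):
            alerts.append({"line": n, "type": kind, "value": value, "source": source})
    return alerts


def to_blocklist(iocs):
    """Network indicators only, sorted, ready for a proxy or firewall denylist."""
    return sorted(iocs.get("domain", {})) + sorted(iocs.get("ipv4", {}))


if __name__ == "__main__":
    loaded = load_iocs(IOC_FEED_JSON)
    for alert in scan_logs(SAMPLE_LOGS, loaded):
        print(alert)
    print("blocklist:", to_blocklist(loaded))
```

With the default threshold the low-confidence IP on the fourth log line produces no alert and never reaches the denylist; lowering `min_confidence` to 20 makes it alert, which is the trade-off between speed of ingestion and false positives that the paragraph's "as quickly as possible" has to be balanced against. The malformed `not-an-ip` entry is rejected at load time so a bad feed record cannot break the blocklist that is pushed into the defensive stack.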
By Ryan Trost, CTO and Co-Founder, ThreatQuotient.