Do you know what is positive about ransomware? It gets noticed. This might seem obvious, but consider its significant role in maturing companies' cybersecurity strategies. It’s fair to say that ransomware has awakened many to the importance of cybersecurity, but has it also blinded us to the more invisible attacks?
Over the last five to ten years, cybersecurity has become a boardroom subject in the majority of enterprises. This would never have happened without ransomware. Ransomware has been the best board-level awareness tool ever.
Of course, we can only guess what would have happened if ransomware didn’t exist, but I think it’s safe to assume that cybersecurity maturity would be significantly lower across the board. If we take the iceberg model and plot the impact different attacks can have, it stands out that not all of them are instantly visible the way a ransomware attack is at execution. They remain under the surface but can still affect your business significantly.
A hack focussed on espionage to get competitive information may never become public, but can completely destroy any competitive advantage you have as a company.
Considering this, maybe those under the surface do even more harm than the more visible techniques. The possibility that you are not aware of them can even increase the impact.
To fight and limit the impact of an event efficiently, you need to be aware of it. When someone steals money from your wallet without you ever noticing, there is still an impact, but there is no chance for you to reduce it or act on it. Beyond that, it will not prompt you to build controls that prevent it from happening again. There is no learning curve, and the chance of recurrence increases: the thief got his share, your preventive measures stay the same, and the vulnerability, which is apparently there, stays in place.
So while ransomware matured the cybersecurity industry, it also has a flipside. The focus on this specific kind of problem within cybersecurity led to tunnel vision. A lot of point solutions focus primarily on ransomware and neglect other tactics. Even worse, when a company hasn’t faced a ransomware attack recently, that is sometimes taken as a reason to call its cybersecurity strategy successful and to sit back and relax. While that might be true, the absence of ransomware on its own proves nothing. If, under the surface, your cloud expenses increased by 300% due to crypto mining, or you can no longer compete in the market because a competitor built a sandwich with your secret sauce, the result could still be devastating for your company.
More concretely, you could say that focus shifted heavily towards preventative and detective measures for ransomware, while the signs of low, slow and ‘silent’ attacks were neglected. There are many examples of attackers being present in networks for multiple years, taking advantage of every piece of information available within that network. The chance of missing such an attack is higher because there is no directly visible impact. Catching it requires detection at a very granular level. The chance of detecting it also increases with the use of advanced analytics such as machine learning, AI and anomaly detection. Last but not least, it requires a persistent security professional who is really determined to find out the cause of any signal that might occur.
Other examples of low and slow attacks that are hard to catch are sleeper cells and logic bombs where action on objective is only executed in future scenarios or conflicts.
Low and slow attacks can be really sophisticated and specifically designed to create a minimum amount of ‘noise’. Because of that, these attacks are hard to catch. One way to increase the chance of catching them is to start hunting exercises. Splunk’s PEAK framework describes different methods to hunt. Hypothesis-Driven Hunts, for example, are a way to investigate likely attacks without any current tangible evidence. Preferably they are based on threat research translated to the specifics of the business. What motives could be in play when actors target our organization? What would their TTPs (Tactics, Techniques and Procedures) most likely be, and how could I find evidence of them in my environment? Another method is Baseline Hunts. Splunk can help you establish baselines of normal behavior and identify anything out of the ordinary. Model-Assisted Threat Hunting takes it one step further by using machine learning to automate the process.
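A Baseline Hunt in miniature, as an added example that is not part of the original post or of Splunk’s PEAK framework: the hypothesis is the crypto-mining scenario above (a cloud instance whose load creeps up and stays up), the data is a constructed set of hourly CPU readings in an assumed (instance, hour, cpu_percent) shape, and the hunt flags only sustained deviations from each instance’s own baseline so that single noisy hours do not trigger it.

```python
"""Baseline hunt over constructed hourly cloud CPU telemetry (added example)."""
import statistics
from collections import defaultdict


def make_sample():
    """Constructed sample: (instance, hour_index, cpu_percent) for four days.

    Both instances follow the same business-hours pattern; web-02 gains a
    constant +55% from hour 72 onwards, modelling a miner that started on day 4.
    """
    rows = []
    for h in range(96):
        base = 20 + 10 * ((h % 24) // 8)          # night / day / evening load levels
        rows.append(("web-01", h, base + (h * 7 % 5)))            # normal instance
        miner = 55 if h >= 72 else 0
        rows.append(("web-02", h, base + (h * 3 % 5) + miner))    # mining creep
    return rows


def baseline(rows, train_hours):
    """Per-instance mean and stdev from the training window (hours < train_hours)."""
    samples = defaultdict(list)
    for inst, h, cpu in rows:
        if h < train_hours:
            samples[inst].append(cpu)
    # Floor the stdev at 1.0 so a perfectly flat baseline cannot divide by zero.
    return {inst: (statistics.mean(v), max(statistics.stdev(v), 1.0))
            for inst, v in samples.items()}


def hunt(rows, train_hours=72, z_threshold=3.0, min_run=3):
    """Return {instance: [hours]} where the z-score stayed above the threshold
    for at least min_run consecutive hours after the training window."""
    base = baseline(rows, train_hours)
    recent = defaultdict(list)
    for inst, h, cpu in sorted(rows, key=lambda r: (r[0], r[1])):
        if h >= train_hours:
            recent[inst].append((h, cpu))
    findings = {}
    for inst, series in recent.items():
        mean, sd = base[inst]
        flagged, run = [], []
        for h, cpu in series:
            if (cpu - mean) / sd > z_threshold:
                run.append(h)
            else:
                flagged.extend(run if len(run) >= min_run else [])
                run = []
        flagged.extend(run if len(run) >= min_run else [])
        if flagged:
            findings[inst] = flagged
    return findings


if __name__ == "__main__":
    for inst, hours in hunt(make_sample()).items():
        print(f"{inst}: sustained deviation from baseline, hours {hours[0]}-{hours[-1]}")
```

The same logic maps onto a per-host `stats`/`eventstats` baseline in Splunk; the point is that the deviation is judged against each asset’s own history and must persist before an analyst is paged.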
Look at it as the guard who does a last patrol of the whole building before leaving. If something were wrong an alarm should have been triggered, but he still does his rounds, chasing the hypothesis that someone circumvented all the preventive and detective measures that are in place. Maybe the hardest thing to do within security operations is to spend enough time on this. You need to spend time hunting for something without having any evidence that it is actually occurring. Still, this is the only way of finding those low and slow attacks that might already be impacting your business without you even knowing.
When you have a good security strategy in place, you should not only focus on everything with a direct impact. It's your job to keep the bigger picture in view. Splunk can help you with that thanks to its open and extensible nature. Splunk’s focus on enterprise resilience enables you to widen your view and get a full panoramic view of risk, rather than focusing only on yesterday's news.
Threat modeling of your most important or most vulnerable assets, services and processes can also help. Take the time to think about what could harm you under the surface and how you can build resiliency against it. As a security professional, be ready to justify investment in protecting the invisible by building the business case for invisible impact, and pivot from tunnel vision to a panoramic view. Ultimately, this will contribute to making those invisible attacks visible before their impact becomes too significant to ignore.
The Splunk platform removes the barriers between data and action, empowering observability, IT and security teams to ensure their organizations are secure, resilient and innovative.
Founded in 2003, Splunk is a global company — with over 7,500 employees, Splunkers have received over 1,020 patents to date and availability in 21 regions around the world — and offers an open, extensible data platform that supports shared data across any environment so that all teams in an organization can get end-to-end visibility, with context, for every interaction and business process. Build a strong data foundation with Splunk.