The tactics employed by cybercriminals have become increasingly sophisticated, and they continually evolve to evade the security measures organizations are implementing to thwart them. While it’s important to have the right tools in place to defend your data, many experts advise that an element of offense will boost the effectiveness of your security strategy.
According to research Sophos conducted earlier this year with midsize businesses, Carden said that 37 percent of surveyed organizations were hit by ransomware in the past year. And for 54 percent of those, cybercriminals actually succeeded in encrypting their data. “96 percent of those whose data was encrypted got their data back,” he said. “And then, the average ransom paid by midsize organizations in this case was $170,404. However, on average, only 65 percent of the encrypted data was actually restored after the ransom was paid.”
Carden said that while the survey shows a reduction in the overall number of attacks so far this year, “Our experience shows the potential for damage on these targeted attacks is significantly higher.”
Three Simple Steps to Defending Against Ransomware
In light of the findings from the Sophos survey, Carden offered some best practices for protecting against attack. “First and foremost, assume you're going to be hit by ransomware,” he said. “Not a single sector, country or organization size is immune from this risk, and it’s better to be prepared but not hit than the other way around.”
The second vital step is to always make backups. “Backups are the No. 1 method organizations use to get their data back after an attack. As we've seen, even if you pay the ransom, you rarely get all of your data back. So, you'll need to rely on backups either way,” Carden said. “You should have one that's onsite and doing continuous backups all the time. Then, that onsite one backs up to tape, for example. That is then housed offsite, it’s offline, no one can tamper with that data.”
Finally, Carden noted the importance of testing your backups to make sure the process is functioning properly. “It’s more important than ever to keep the adversaries out of your environment in the first place. If they get in your environment, they’re going to exfiltrate data,” he said.
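The restore test Carden describes is the part most organizations skip: a backup that has never been restored is only a hope. The following script is an added example, not code from Sophos or from Carden. It assumes a simple layout: a tar.gz archive that carries a SHA-256 manifest of every file, a restore into a scratch directory, and a file-by-file comparison against that manifest. The report it returns gives the fraction of files that came back intact, the same figure that matters when only part of the data is recovered. The sample files, the archive name and the MANIFEST.json entry are all constructed for the example.

```python
"""Backup restore test: build an archive with a hash manifest, restore it, and
verify every file. Added illustration; names and layout are assumptions."""
import hashlib
import io
import json
import tarfile
import tempfile
from pathlib import Path

MANIFEST_NAME = "MANIFEST.json"  # constructed name for the manifest entry


def sha256_of(path: Path) -> str:
    """Stream a file through SHA-256 so large backups do not load into memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def make_backup(src: Path, archive: Path) -> dict:
    """Write a tar.gz of src plus a manifest mapping relative path -> sha256.
    The manifest travels inside the archive so the offline copy is self-checking."""
    manifest = {}
    with tarfile.open(archive, "w:gz") as tar:
        for p in sorted(src.rglob("*")):
            if p.is_file():
                rel = p.relative_to(src).as_posix()
                manifest[rel] = sha256_of(p)
                tar.add(p, arcname=rel)
        data = json.dumps(manifest, indent=1).encode()
        info = tarfile.TarInfo(MANIFEST_NAME)
        info.size = len(data)
        tar.addfile(info, io.BytesIO(data))
    return manifest


def extract(archive: Path, dest: Path) -> None:
    """Restore the archive. The 'data' filter refuses absolute paths and
    path-traversal members; fall back on older Pythons that lack it."""
    with tarfile.open(archive, "r:gz") as tar:
        try:
            tar.extractall(dest, filter="data")
        except TypeError:  # Python < 3.12 without the filter backport
            tar.extractall(dest)


def verify_restore(dest: Path) -> dict:
    """Compare the restored tree against the manifest it was shipped with."""
    manifest = json.loads((dest / MANIFEST_NAME).read_text())
    ok, missing, corrupt = [], [], []
    for rel, expected in manifest.items():
        p = dest / rel
        if not p.is_file():
            missing.append(rel)
        elif sha256_of(p) != expected:
            corrupt.append(rel)
        else:
            ok.append(rel)
    total = len(manifest)
    return {
        "total": total,
        "ok": len(ok),
        "missing": missing,
        "corrupt": corrupt,
        "restored_fraction": len(ok) / total if total else 1.0,
    }


def demo() -> dict:
    """Constructed sample: three files are backed up and restored cleanly, then
    the restored copy is damaged to show that the check reports partial loss."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        src = root / "data"
        (src / "sub").mkdir(parents=True)
        (src / "a.txt").write_text("alpha")
        (src / "b.txt").write_text("bravo")
        (src / "sub" / "c.txt").write_text("charlie")
        archive = root / "backup.tar.gz"
        make_backup(src, archive)

        dest = root / "restore"
        extract(archive, dest)
        clean = verify_restore(dest)

        # Simulate a bad restore: one file altered, one file never written.
        (dest / "b.txt").write_text("tampered")
        (dest / "sub" / "c.txt").unlink()
        damaged = verify_restore(dest)
        return {"clean": clean, "damaged": damaged}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```

Run this as a scheduled job against the offline copy, not the live data, and treat any restored_fraction below 1.0 as an incident in its own right: the time to learn that tape is unreadable is before the ransom note arrives.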
Adding Offensive Tactics to Improve Your Security Program
While a strong defense is undeniably valuable, other experts at Black Hat highlighted the importance of playing offense when developing a security strategy.
For Victor Marchetto, senior information security field solution architect at CDW, this is where security assessments involving red and blue teams come into play. “CDW has a wide array of services to bolster your defenses and help your cyber defenders assess their current effectiveness and identify gaps,” he said. “Prepare for real-world cyber incidents by testing your blue team or security managed service provider by conducting a CDW red team assessment by assuming a breach or starting from the ground up.”
“If you are building an internal blue team or looking to take yours to the next level, a CDW purple team assessment can be just the edge you’re looking for,” Marchetto said. “In this service, we provide a red, or offensive, agent to find the cracks in your enterprise’s security foundation, and a blue, or defensive, consultant to review your organization’s response in real time. With this simple concept of the purple team, both sides of an attack can be analyzed and examined, forming a more complete picture of an enterprise’s security needs.”
Microsoft Has Implemented Offensive Security Measures
In a related session at Black Hat, Alexandre Fernandes Costa and Reid Borsuk of Microsoft offered a glimpse into the recent evolution of red teaming at the company, which has shifted toward a more collaborative approach to offensive security.
Borsuk explained that Microsoft began altering its approach to security assessments five years ago. “We were noticing that the red team influence was limited in the broad security organizations,” he said. “Instead, we became a lot more intentional about our role and how we’re actually influencing all of these organizations. We did this in a few different ways, including by adopting the purple team process and other operational frameworks.”
Purple Teaming Can Provide Important Security Insights
Borsuk explained how purple teaming helped Microsoft advance the offensive aspect of its security strategy. Using only red or blue team approaches limited the amount of information and perspective the company could gain. “Instead, we really like the purple team process where all three of the blue team, the red team and the product team come together and develop attacks on their own. All of these individual groups can combine and get benefits from these types of models,” he said.
Borsuk detailed the process: “One of the things we always try and do during our purple team engagements is detection testing. We’ll go into an environment and set off some of the alarms and make sure that those alerts get all the way to the blue team, and the blue team is able to investigate them effectively. This allows the blue team to ensure that its alert pipeline is working, and it also allows the red team to test detection evasions.”
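The detection testing Borsuk describes, firing known alerts and confirming they reach the blue team, is easy to automate once each scenario is paired with the rule it should trigger. The harness below is an added example and is not Microsoft's tooling. It assumes events are plain dicts, detection rules are predicates over an event, and alerts land in an in-memory list standing in for the blue team's SIEM or ticket queue. Every injected event carries a constructed PURPLE-TEST marker so the test alerts can be purged afterward rather than skewing real metrics. The rule names and sample events are constructed for the example; one rule is deliberately disabled to show how the report exposes a silent gap in the pipeline.

```python
"""Detection-pipeline test harness: inject marked test events, confirm the
expected rule fired and the alert reached the queue, report coverage.
Added illustration; rule names, events and the marker are assumptions."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Tuple

TEST_MARKER = "PURPLE-TEST"  # constructed tag that marks synthetic test events

# Benign, detectable test conditions a purple team might set off on purpose.
RULES: Dict[str, Callable[[dict], bool]] = {
    "local_admin_added": lambda e: e.get("event") == "group_change"
    and e.get("group") == "Administrators",
    "eicar_test_file_written": lambda e: e.get("event") == "file_write"
    and e.get("name", "").lower() == "eicar.com",
    "canary_document_opened": lambda e: e.get("event") == "file_open"
    and e.get("canary") is True,
}


@dataclass
class Pipeline:
    """Stand-in for collector -> rule engine -> blue-team alert queue."""
    enabled: Dict[str, bool]
    alert_queue: List[dict] = field(default_factory=list)

    def ingest(self, event: dict) -> None:
        for name, predicate in RULES.items():
            if self.enabled.get(name, False) and predicate(event):
                self.alert_queue.append({"rule": name, "event": event})


def run_detection_test(pipeline: Pipeline,
                       scenarios: List[Tuple[str, dict]]) -> dict:
    """Each scenario is (rule expected to fire, event to inject). An alert
    counts only if it names that rule and carries the test marker, i.e. the
    event travelled end to end rather than some unrelated alert appearing."""
    fired, missed = [], []
    for rule, event in scenarios:
        tagged = {**event, "test_id": TEST_MARKER}
        before = len(pipeline.alert_queue)
        pipeline.ingest(tagged)
        hits = [a for a in pipeline.alert_queue[before:]
                if a["rule"] == rule and a["event"].get("test_id") == TEST_MARKER]
        (fired if hits else missed).append(rule)
    return {
        "fired": fired,
        "missed": missed,
        "coverage": len(fired) / len(scenarios) if scenarios else 1.0,
    }


def purge_test_alerts(pipeline: Pipeline) -> int:
    """Remove synthetic alerts after the exercise; returns how many were dropped."""
    keep = [a for a in pipeline.alert_queue
            if a["event"].get("test_id") != TEST_MARKER]
    dropped = len(pipeline.alert_queue) - len(keep)
    pipeline.alert_queue = keep
    return dropped


def demo() -> dict:
    """Constructed run: the canary rule is disabled in config, so the test
    reports it as missed even though the event was delivered."""
    pipeline = Pipeline(enabled={
        "local_admin_added": True,
        "eicar_test_file_written": True,
        "canary_document_opened": False,  # misconfiguration the test should catch
    })
    scenarios = [
        ("local_admin_added",
         {"event": "group_change", "group": "Administrators", "user": "svc-test"}),
        ("eicar_test_file_written",
         {"event": "file_write", "name": "EICAR.COM", "host": "ws-01"}),
        ("canary_document_opened",
         {"event": "file_open", "canary": True, "host": "ws-02"}),
    ]
    report = run_detection_test(pipeline, scenarios)
    report["purged"] = purge_test_alerts(pipeline)
    report["queue_after_purge"] = len(pipeline.alert_queue)
    return report


if __name__ == "__main__":
    print(demo())
```

In a real engagement the queue check would query the SIEM or ticketing system by the marker value, and the report's "missed" list is the hand-off to the blue team: each entry is either a rule that never fired or an alert that fired but did not arrive, and both are pipeline defects worth a ticket.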
Costa summarized the process by saying, “You need to make sure that you establish a framework, a framework that helps the business to move the needle and that also helps you to be consistent, making sure that every time that you go out there and engage with your engineering teams, you are providing and maximizing the value and the impact of those engagements. No matter if that is a typical red team operation, a purple team or a high-frequency pen test element that you can come up with that engages and connects to your business model.”