The Burning Question Most Security People Want To Know

Ransomware, hackers and other malware are rampant. Ransomware attacks are up nearly 1,000% this year alone (https://blog.knowbe4.com/cyberheistnews-vol-11-36-eye-opener-the-number-of-daily-ransomware-attacks-skyrockets-nearly-1000-in-2021). Eighty-four percent (84%) of organizations experienced a ransomware or phishing event in the last year (https://resources.trendmicro.com/rs/945-CXD-062/images/Reduce-Phishing-Ransomware_Trend-Micro.pdf). There is a new ransomware victim every 10 seconds (https://infosecurity-magazine.com/news/one-ransomware-victim-every-10/). Half of organizations were exploited by ransomware last year (https://www.sophos.com/en-us/medialibrary/Gated-Assets/white-papers/sophos-the-state-of-ransomware-2020-wp.pdf). And I have seen several studies say that the likelihood of an organization getting hit by ransomware next year ranges from 50% to 100%. Wow! At the bottom side of the prediction scale, it means half of all organizations will be compromised in the next 12 months…again.

Most of these organizations have all the stuff you are supposed to have…firewalls, antivirus or endpoint detection & response defenses, secure configurations, patch management…yada, yada. Different surveys vary on the percentages of organizations that had the normal “best practice” protection, but most range from 60% to 85%. Many reports say that 100% of compromised victims had up-to-date antivirus programs. Here are some example reports: https://www.techrepublic.com/article/ransomware-no-1-cyberthreat-to-smbs-and-the-average-attack-costs-47k/ and https://www.infosecurity-magazine.com/news/antivirus-fails-to-stop-ransomware/.

This is not to say they had 100% of their assets covered and it was perfectly executed. Only that these organizations were running up-to-date malware detection, and a majority were likely running other defenses such as anti-spam filtering, content filtering, firewalls, etc. And they still got compromised. This is not surprising. It is quite normal. We have had dozens of very good antivirus solutions, built-in firewalls and security monitoring for decades for anyone to use and deploy. Even the most unsavvy organizations are savvy enough to run antivirus software, or if they run Microsoft Windows, it comes built-in and is turned on by default. So, despite so many antivirus vendors claiming 100% detection of malware, somehow malware and ransomware have continued to plague most organizations.

There is no perfect solution that can prevent all hackers and malware attacks, although more than a few software defense vendors, mostly Endpoint Detection & Response (EDR) providers, claim the ability to stop all ransomware, and all malware and hackers, 100% of the time. Here are some examples:

  • https://www.elastic.co/blog/elastic-security-prevents-100-percent-of-revil-ransomware-samples
  • https://www.promeromdr.com/
  • https://www.globenewswire.com/news-release/2020/06/03/2042972/0/en/Fortinet-Advanced-Endpoint-Security-Blocks-100-of-Malware-in-AV-Comparatives-Real-World-Protection-Test.html
  • https://www.youtube.com/watch?v=a6Aw484Z3og

Many other companies do not claim to prevent anything 100% of the time, but offer similar warranties, usually ranging from $100,000 to $3,000,000 including:

  • https://www.sentinelone.com/legal/ransomware-warranty/
  • https://www.cybereason.com/hubfs/dam/collateral/data-sheets/cr-breach-protection-warranty.pdf
  • https://www.morningstar.com/news/business-wire/20210922005908/cloudcovers-ccb1-cybersafety-platform-now-insured-by-1-million-ransomware-warranty
  • https://www.databreachtoday.com/yes-its-3-million-ransomware-defense-warranty-a-16464
  • https://www.menlosecurity.com/press-releases/menlo-security-offers-1-million-malware-protection-warranty-for-worlds-first-cloud-proxy-platform-built-on-an-isolation-core
  • https://www.crowdstrike.com/press-releases/crowdstrike-offers-1-million-breach-prevention-warranty-for-crowdstrike-falcon-endpoint-protection-complete

I get it. It's a great marketing meme, "We guarantee you won't get exploited!". It sells software. It makes customers happy. I've worked for companies who successfully generated sales using this type of tactic. It's not a bad thing. It's good for business and good for customers. It's win-win.

Slightly Snarky Note: Apparently, according to many of the ads, you need AI- or ML-powered, “next generation” protection, because the old types of protection did not work. I am surprised some vendors don't just randomly throw ‘quantum’ in their ads just to cover all possible jargon bases.

Most of the time, the vendor can only offer a 100% guarantee if the customer follows a pretty exhaustive and ultra-restrictive set of controls. If the customer does not follow all of the controls, consistently and without deviation, they do not get the warranty protection. If they do follow the required controls, they may be slowed down operationally or generate a ton of false-positives (the latter consequence is far more common). The solutions generate so many false-positives that the customer has to either research each one to figure out which ones they really should be worried about, or, like anyone who has ever started out with the best of intentions of reading their firewall logs, just give up altogether eventually. Most organizations cannot afford to research all the false-positives or be significantly slowed down, and so they do not qualify for the advertised warranty coverage. But great security takes great restriction or great inspection. It's one or the other. It is the eternal usability versus security conundrum.

There are some warrantied solutions, like CrowdStrike (Note: I own stock in CrowdStrike), that do not require overly restrictive configuration settings. There are configuration obligations and restrictions, but they are not overly onerous. They likely do a pretty good job at both preventing the vast majority of attacks and also allowing operations to work fairly unfettered. Still, I do hear about a lot of false-positives even from the best of products. It's not even a systematic problem with the defensive product, but one that is created by users doing what users do. Users frequently do things that are not malicious that appear possibly suspicious to sensors. In any case, even false-positives need to be checked out. Miss even one possible false-positive that turns out to be a real positive and you're hosed. Buyers need to check out the various products and warranties and get the one that works for them.

However, there is no perfect security solution that allows both free flowing operations and 100% security. If there was, that vendor would be the only vendor people buy from. They would be worth more than Microsoft and Apple combined. And ransomware, malicious hackers and malware would be no more. If any company built the perfect software that had no false-positives, prevented all hacking attacks, and didn't slow operations down at all, customers would beat a path to their door. They could probably charge $1,000/seat per year and get paid with a smile. Everyone upon learning how perfect they were would buy their product. Every other vendor would be out of business within a year. But there are no perfect defense vendors. The best we can do is to pick a highly accurate product that best works for our environment.

The Burning Question

The question I want to know is: when a customer of one of these warranty-offering vendors gets compromised, because surely their customers still get compromised from time to time, why did it happen? Did it happen because the impacted systems were not running the involved solution? Did it happen because the impacted systems were not configured as recommended? Did it happen because the attack came through some other attack vector that the system simply did not protect? Most solutions only cover Microsoft Windows and one other platform (e.g., Macs or Linux). Heck, CISA’s latest ransomware warning (https://us-cert.cisa.gov/ncas/alerts/aa21-265a), regarding Conti ransomware, indicates that Conti sometimes exploits using phone-based attacks (i.e., “phone calls”). Good luck having any EDR system protect you against a social engineering attack that gained initial access using a phone call.

Or did the vendor actually prevent every attempted attack on every customer before it caused damage? Maybe I am wrong and there are a bunch of perfect solutions, but we just do not know about them. Maybe I am making a claim that is not true.

I am guessing that every EDR and cybersecurity vendor has some small minority of customers that still get compromised, even when running their product and/or system. They are not going to tell you that. I get it. It is in their own self-interest not to shout about compromised customers from the rooftops. I would do the same 100% of the time. But, boy, I would love to hear their take on why their customers are still getting exploited when it does happen. They know the reasons, but are not going to freely share them. But knowing the common mistakes would help us all to be better defenders.

The criminal hacker world is great at sharing successful tools and techniques with other criminals to be more dangerous. Defenders are notorious for not sharing information. Victim organizations do not want to share that they were successfully exploited much less how. Even in the days where a victim organization often has to share that they were exploited and the broad details of what happened, we usually do not get the “why” or the “how”. I think it is that lack of sharing why they got exploited that continues to let us be so exploited.

I have followed the root causes of initial exploitations for over three decades. The two most common root causes for malicious hacker and malware exploitation are social engineering and unpatched software. It has been that way nearly every year for three decades, with occasional competition from weird exploits like boot sector and USB worms. So, I have the general picture of how people are being exploited: social engineering and unpatched software.

But for the customers running the elite EDR software, firewalls, multifactor authentication (MFA), security event monitoring, etc., how was the malware the malicious hacker used able to get by undetected long enough that the exploit and attack chain ended up greatly harming the customer, if it did? Social engineering or unpatched software gave the malicious hacker or malware program a foothold into the environment. But they then used that foothold to upload hacker tools and malware to accomplish the rest of the badness. If nearly everyone is running all of that good protection software, hardware and appliances, how are hackers and malware still so, so successful? What is missing? What can we do better? Or is every compromise only to customers without all this great, cool EDR software and other tools (e.g., MFA, etc.)? How do hackers and ransomware still get past the very best protected?

Inquiring minds want to know.

David Harvey

Driving innovation to business impact with emerging tech, market research, thought leadership. Full time dad.

3 years

As always, interesting and thought provoking. Personally I think that EDR, MDR and whatever constitutes XDR still has a very low market penetration; statistically, the successful hack incidence has to be minute. So we’re back to patching, social engineering and a greater need for scalable, affordable managed platforms.

David Houchin

Security Culture Manager

3 years

Hi, Roger! I'm a big fan of your work. Can you make your article sharable? Thank you, sir!