Are You Prepared? Our Breakdown of Gartner's "How to Respond to the 2022 Cyberthreat Landscape" Report
In the new, emerging world of work, we and the businesses we represent are forced to keep up with current times and trends. There has perhaps been no greater example of this than the shift in the way we work during lockdown. Although we could expect to see this begin to reverse somewhat as the cost of living forces those working from home back to the office, there is no doubt that the ability to work from anywhere is here to stay for many years to come. It is this sharp acceleration in digital transformation which, although exciting, ultimately means that the resulting cyberthreat landscape remains ever challenging for IT and security teams.
In April 2022 Gartner released their “How to Respond to the 2022 Cyberthreat Landscape” report. The purpose of this report is to provide IT and cyber security professionals with the latest threat intelligence and knowledge of new high-impact attacks, to help when formulating business cases for better and more relevant long-term security initiatives. This imparting of knowledge is especially important now that cyber security is no longer seen as just an IT risk, but as a critical business risk.
In the aforementioned report Gartner break down threats into 3 categories (Top Threats, High-Momentum Threats, and Emerging Threats). Today, I thought it would be useful to look at one of the most common “Top Threats”: ransomware!
As expected, “Top Threats” usually stay at the top of the pecking order for many years; this is referenced in Verizon’s “2021 Data Breach Investigations Report”. Unsurprisingly, ransomware sits among the top 5 threat actors in this report, accompanied by phishing and stolen credentials. All three of these actions involved in breaches have been recognised in Verizon’s report since 2018. In fact, ransomware first entered this realm of the report in 2013, and since then it has only continued to show double-digit percentage increases in terms of impact.
But why is ransomware still continuing to catch more and more businesses by surprise? Is it because businesses are asking themselves “are we secure?” instead of “are we prepared?” Quite possibly. But portraying that to business executives can be challenging when significant investments have already been made in ransomware protection. Realistically, businesses need to understand that attackers are adapting just as fast as we are. In fact, they are utilising as-a-service offerings similar to those we have begun to adopt over recent years, using tools such as “ransomware-as-a-service” to overcome automated defences.
As ransomware evolves to try and overcome the protocols businesses have put in place, it’s hard to see where the next stage of evolution will come from. In Gartner’s report they list 7 things that you can expect a ransomware attack to do, but I’ve cherry-picked 3 that I believe are the most prevalent; that’s not to say you should ignore the others.
1. Diversifying targets – Threat actors of all types will use this approach to infiltrate defences and exploit data, but when it comes to ransomware it’s particularly common for attackers to pursue lower-profile targets rather than just consistently targeting someone at board level. Targeting lower-profile employees gives the attackers an opportunity to perfect their attack, whilst also understanding more and more about the network by chipping away more frequently at smaller fish, before sending in the big guns to reach their ultimate goal. (Solution – Educate all staff by maximising user awareness training).
2. Use of SaaS applications – Nowadays we all use SaaS applications, whether it’s in our professional or personal lives. Whilst these cloud applications often have a level of security in the back end, it’s not typically to a standard that you would expect or want, but why would it be? It’s not the SaaS application vendor’s priority. This is an easy win for attackers: they can utilise encryption to hide their actions and deliver the ransomware via well-known, “known good” applications. (Solution – Understand the level of security that is provided “as standard” with the SaaS apps you use and look to layer the security with, for example, authentication protocols and a CASB).
3. Targeting the remote workforce – Since Covid-19 the increase in remote working has been drastic, and although we’re seeing businesses open their doors to employees and customers again, the majority of us seem to prefer working from home. (As discussed, this might change with the cost of living crisis, but that’s for another article.) This gives attackers the perfect opportunity to target vulnerable individuals, endpoints, or services. For example, Remote Desktop Protocol (RDP) has been a commonly exploited remote access service which has allowed threat actors to launch their ransomware. (Solution – enable/deploy an Always-On VPN as well as strong MFA/authentication protocols to maintain a consistently secure service).
Although I’ve outlined some potential solutions above, there are lots of recommendations that businesses should follow when it comes to dealing with ransomware. Similar to the previous section, I have picked 3 recommendations from the report that I think are key for all businesses to follow, but yet again, please don’t discount the other 3; they’re all worth considering!
1. Layered security – This is something that we live and die by at ANSecurity! Deploying a layered security approach is key as it enables businesses to have different lines of defence to protect the crown jewels at different stages of an attack. This approach could be particularly useful when trying to increase your protection to stop the SaaS application attack that I mentioned earlier. We’re not saying to layer the same security solutions on top of one another, but instead to layer different solution capabilities to protect your applications, data, network etc. accordingly. Think of this approach like an onion.
2. Don’t pay the ransom – Albeit controversial, if you are hit with a ransomware attack, paying the ransom isn’t necessarily the right thing to do, even if it doesn’t seem like there’s another way out. There’s no certainty that you will be able to recover all the data that has been encrypted or lost. This is why backup strategies and solutions are key! If you are unfortunate enough to be hit with a ransomware attack, having a backup strategy/solution will enable you to have some functionality whilst you’re in the response phase, which takes me onto my next point…
3. Build post-breach response protocols – The final recommendation that I’ve selected from the report is something that is often overlooked by businesses, despite it being seen as a quick win by other members of the cyber security industry. Having post-breach response protocols in place is key; building these procedures gives you a head start on recovery. These can be as basic as a document that includes certain steps for businesses/employees to follow when a breach has occurred.
It’s clear that there are lots of things to be scared of and that lots of things can be done when it comes to ransomware, but ultimately it comes down to making sure you’re consistently reviewing your current security posture against recent breaches/threats and making sure that the wider business is aware of what needs to be done in order for it not to happen to your business.
If there is one thing you can take away from this article, it’s the two questions I mentioned near the beginning: stop asking yourself “are we secure?” and instead ask yourself “are we prepared?”.
Helping organisations to identify threats before they become breaches with the power of Attack Signal Intelligence
2 years ago: If only there was a way to identify the attacker behaviours at a much earlier stage of the attack chain, eh! Vectra AI
Cyber Security Specialist & Account Director at Advanced Network Security Ltd
2 years ago: Nice work Toby!
Cyber Security Sales Advisor | CYFOR Secure | CYFOR Group
2 years ago: https://www.gartner.com/doc/reprints?id=1-2A4IUFNE&ct=220525&st=sb