4 cyber-attack prevention strategies your organization must implement

Dec. 13, 2023
New tactics are needed to meet the challenges of more aggressive hack attacks

In my role as CISO, I frequently talk with policyholders, underwriters, and brokers who are looking for details on the latest cyber-attacks and, more importantly, guidance on how best to protect themselves. Most of the conversations center on ransomware, and for good reason—if you have read any of Corvus Insurance’s ransomware reports, you know these attacks are on a record-setting pace for 2023.

The data in these reports is gleaned from ransomware leak sites, which we monitor to better understand the overall velocity of attacks and related trends. For 2023, the big takeaway is the spike in activity—Q2 attacks were up 30% over Q1, and Q3 was up 11.2% over Q2. These increases are even more stark when viewed from a year-over-year perspective. Q3 of 2023 was up more than 95% over Q2 of 2022. If you add it all up and look at what we’ve seen for early Q4, we will surpass 4,000 ransomware victims posted on leak sites for the first time. 

What’s contributing to this activity? While there are many factors, one that has had an outsize impact is the CL0P ransomware group. CL0P isn’t new—the group first came on the scene in 2020 but flew under the radar. That was until January, when CL0P used a zero-day vulnerability in the GoAnywhere file transfer software to steal data from over one hundred victims. Shortly after, in Q2, CL0P struck again with the mass exploitation of a zero-day vulnerability in MOVEit file transfer software, impacting hundreds, if not thousands, of companies.

When you connect all these dots, a few things become clear. First, incidents are not just increasing year over year; threat actors are also investing in finding and exploiting vulnerabilities at a much faster rate. Second, businesses must take these incidents seriously and act.

How exactly? Here are four cyber-attack prevention strategies to help organizations assess and remediate risk and strengthen processes and systems against breaches.

The Foundation: Risk-based Vulnerability Management

Risk-based Vulnerability Management (RBVM) is a cybersecurity strategy that helps organizations prioritize patching vulnerabilities based on the risk they pose to the environment. While it may seem like patches can be applied in a few clicks, some, especially those spanning a large number of systems, can take time to see through to completion. RBVM prioritizes patching efforts based on which vulnerabilities present the most significant risk to the organization. This determination is based on a variety of factors, including:

- Is the asset public- or internet-facing?
- Does the asset contain any sensitive information?
- If the asset is taken offline or removed, will it have a high or low impact on the company's day-to-day operation?

Unlike traditional vulnerability management, which puts teams in scramble mode with little prioritization, RBVM eliminates the guesswork by establishing what to address first. This allows teams to allocate resources accordingly while moving lower-risk items to the bottom of the queue. RBVM then guides teams to what must be patched and how to remediate the issue quickly.
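As an added illustration (not code from the article or from Corvus), the following Python ranks constructed vulnerability findings using the three factors listed above: internet exposure, sensitive data, and operational impact. The multipliers, the deadline tiers, and the asset names and vulnerability IDs are all assumptions made up for the example.

```python
from dataclasses import dataclass

@dataclass
class Finding:
    asset: str
    vuln_id: str          # constructed placeholder, not a real CVE number
    cvss: float           # CVSS base score, 0.0 to 10.0
    internet_facing: bool # is the asset reachable from the internet?
    sensitive_data: bool  # does the asset hold sensitive information?
    outage_impact: str    # "high" or "low" impact on day-to-day operations

# Assumed multipliers for the three exposure factors the article lists.
INTERNET_FACING_WEIGHT = 2.0
SENSITIVE_DATA_WEIGHT = 1.3
OUTAGE_WEIGHT = {"high": 2.0, "low": 1.0}

def risk_score(f: Finding) -> float:
    """Scale the raw severity by how exposed and how important the asset is."""
    score = f.cvss
    if f.internet_facing:
        score *= INTERNET_FACING_WEIGHT
    if f.sensitive_data:
        score *= SENSITIVE_DATA_WEIGHT
    score *= OUTAGE_WEIGHT[f.outage_impact]
    return round(score, 2)

def sla_days(score: float) -> int:
    """Assumed remediation deadline tiers, in days, derived from the risk score."""
    if score >= 40:
        return 3
    if score >= 15:
        return 14
    return 30

def patch_queue(findings: list) -> list:
    """Highest-risk findings first; each entry is (asset, vuln_id, score, sla_days)."""
    ranked = sorted(findings, key=risk_score, reverse=True)
    return [(f.asset, f.vuln_id, risk_score(f), sla_days(risk_score(f))) for f in ranked]

# Constructed sample findings (asset names and IDs are made up for the example).
SAMPLE = [
    Finding("dev-vm", "VULN-0001", 9.8, False, False, "low"),
    Finding("mft-gateway", "VULN-0002", 9.8, True, True, "high"),
    Finding("kiosk-web", "VULN-0003", 9.0, True, False, "low"),
    Finding("hr-db", "VULN-0004", 7.5, False, True, "high"),
]
if __name__ == "__main__":
    for row in patch_queue(SAMPLE):
        print(row)
```

Note that the internal HR database outranks the internet-facing kiosk despite a lower CVSS score, which is the point of weighting by exposure and impact rather than severity alone.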

Immutable Backups

Naturally, there are instances when a ransomware attack takes down a business’s systems. When this occurs, it’s all about how quickly you can recover. An organization's chances of doing so quickly and successfully are only as good as its backups, which are unsurprisingly becoming a target of ransomware groups. Bottom line, it’s vital that backups are protected.

Companies today should use immutable backups so that attackers can’t delete or modify them. Immutable backups deliver far higher levels of security and data retention than traditional backups, which makes for a more resilient backup strategy. Organizations must also test their backups to ensure that everything they think is being saved actually is being saved. This is not something to leave to chance when you need those backups most.
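One concrete way to act on "test your backups", added here as an example and not taken from the article or any Corvus tooling: record a SHA-256 manifest when the backup is taken, store it alongside the immutable copy, and verify a test restore against it. The directory layout, file contents, and tampering scenario are constructed for the example.

```python
import hashlib
import os
import shutil
import tempfile

def sha256_file(path: str) -> str:
    with open(path, "rb") as fh:
        return hashlib.sha256(fh.read()).hexdigest()

def build_manifest(root: str) -> dict:
    """Hash every file under root at backup time; store this with the immutable copy."""
    manifest = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = sha256_file(full)
    return manifest

def verify_restore(manifest: dict, restored: str) -> list:
    """One problem string per file that is missing from or altered in the restore."""
    problems = []
    for rel, digest in manifest.items():
        path = os.path.join(restored, *rel.split("/"))
        if not os.path.exists(path):
            problems.append(f"missing: {rel}")
        elif sha256_file(path) != digest:
            problems.append(f"modified: {rel}")
    return sorted(problems)

def demo() -> list:
    """Constructed scenario: take a backup, restore it, then tamper with the restore."""
    work = tempfile.mkdtemp()
    try:
        src = os.path.join(work, "backup")
        os.makedirs(os.path.join(src, "db"))
        with open(os.path.join(src, "db", "customers.sql"), "w") as fh:
            fh.write("-- constructed sample dump\n")
        with open(os.path.join(src, "config.yaml"), "w") as fh:
            fh.write("retention_days: 30\n")
        manifest = build_manifest(src)
        restored = os.path.join(work, "restored")
        shutil.copytree(src, restored)
        # What a mutable backup store allows: one file altered, one deleted.
        with open(os.path.join(restored, "config.yaml"), "a") as fh:
            fh.write("tampered: true\n")
        os.remove(os.path.join(restored, "db", "customers.sql"))
        return verify_restore(manifest, restored)
    finally:
        shutil.rmtree(work)
```

The manifest only helps if it cannot be rewritten by the same attacker who touches the backups, so it belongs in the same write-once location as the backup data.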

Passkeys over Passwords

Attackers are targeting user credentials, whether through phishing emails or malware designed to steal passwords. Passkeys provide a new, more secure, and more convenient way to authenticate. They are phishing-resistant, so attackers can no longer trick users into giving up their passwords, and there is no way for attackers to bypass their security. Organizations should work to deploy passkeys as the primary authentication method for their users.

Companies like Microsoft, Apple, and Google offer passkeys to improve user security. In the case of Google, they announced support for passkeys earlier this year and recently announced them as the default option across personal Google accounts. 

Endpoint Security

Most modern attacks still rely on malicious code to run on laptops, desktops, or servers. One of the best investments any company can make is still having a strong endpoint security solution, like Endpoint Detection and Response (EDR). This technology monitors systems for malicious code or evidence of suspicious activity. Anything flagged as unsafe is immediately quarantined.

While this may sound like standard anti-virus, EDR provides improved detection capabilities far beyond what you will find in off-the-shelf AV solutions. What separates EDR is the rapid investigation and containment capabilities it provides. EDR delivers “flight-recorder” technology that allows security teams to rapidly investigate any suspicious activity and quarantine the system until it can be cleared as safe.

All these steps help ensure that help desk personnel are not giving the keys away to the wrong people. Ransomware activity has ascended to new heights in 2023, and while it’s too early to predict the activity for 2024, it isn’t too early to take actions that will protect your business. That way, you’re prepared for whatever happens in the weeks and months ahead.


Jason Rebholz is the Chief Information Security Officer at Corvus. He has over a decade of experience performing forensic investigations into sophisticated cyberattacks and helping organizations build secure and resilient environments. As Corvus’s CISO, Jason leverages his incident response, security, and infrastructure expertise to drive security strategy and reduce the risk of security threats internally at Corvus and for Corvus's policyholders. Prior to joining Corvus, Jason held leadership roles at Mandiant, The Crypsis Group, Gigamon, and MOXFIVE.
