Professional Documents
Culture Documents
Countering Ransomware With Mitre Att&Ck 101: Expert Tips Inside
Countering Ransomware With Mitre Att&Ck 101: Expert Tips Inside
E
TIP RT
INS S
IDE
Countering
Ransomware with
MITRE ATT&CK 101
Brought to you by
Countering Ransomware with MITRE ATT&CK 101
"Unfortunately, extortion
works. And when you
combine cybercrime
with extortion, that
really works — and you
have ransomware as
a business."1
Teresa Zielinski
SVP & Global CISO, GE Gas Power
Introduction
Within the span of a few years, ransomware has become
the bane of the chief information security officer's
(CISO) existence. In 2020, businesses around the world
faced an astounding 304 million ransomware attacks.
Fifty-one percent of U.S. businesses reported their
organization was hit by ransomware that year, second
only to India (68 percent) and Australia (57 percent).2
The FBI advises against paying a ransom, but one large-
scale study found that 68 percent of U.S. companies
that experienced an attack paid up.3 And the financial
costs are just the beginning. Most victimized companies
lose the ability to operate normally, at least for a period
of time. Globally, even among organizations that paid a
ransom, only 60 percent regained access to data after
the first payment.4 Perhaps that's why several studies
have found victim companies' stock price generally falls
in the range of one to five percent in the immediate
aftermath of a ransomware attack.5
Chief information security officers can't bury their
heads in the sand if they want to. Ransomware is a
C-suite and board-level concern.
Why is ransomware so
hard to control?
Ransomware has become commoditized. As adversaries learned
that most companies pay the ransom, they increased the frequency
of attacks. Malware code is now shared in underground marketplaces
or stolen from one criminal by another. Some even offer ransomware-
as-a-service, opening the market to would-be attackers who do not
have the skills or resources to develop their malware. One study
estimated that two-thirds of ransomware attacks in 2020 utilized the
ransomware-as-a-service model.6
US$162 million:
U.S. Treasury estimate of earnings for the
Ryuk ransomware strain from Russia8
Particularly thorny
threats and risks
The Kremlin is a leading offender. Russia-based hackers launder
ransoms through Moscow-City, the capital's financial district and
home to around 50 cryptocurrency exchanges. Foreign intelligence
agencies have linked many of these same criminals with Russia's
Federal Security Service.9 Organizations from the U.S.,10 U.K.,11
Australia,12 and Japan13 have all fallen victim to recent Russian attacks.
U.S. utilities are in the crosshairs. The May 2021 Colonial Pipeline
attack shut down the company's gas pipelines, which transport 2.5
million barrels to the Eastern Seaboard daily.14 The attack received
a great deal of attention because of its impact on fuel delivery to a
large swath of the U.S. But it's the tip of the iceberg. Verizon's 2021
Data Breach Investigations Report counts 545 other cybersecurity
incidents in 2021 throughout the mining, quarrying, oil and gas
extraction, and utilities industries — 44 percent of which were
ransomware attacks.15
Lindsay Kaye
Recorded Future
Many CISOs build their ransomware defenses on the second step alone.
They invest in supposed best practices without adequate planning or
testing, losing sight of the fact that even well-built corporate security
controls fail against ransomware attacks.
No security team can quickly and easily protect every data asset
against every threat the organization might face. If that was the case,
cybersecurity would be an easy challenge. Real-world security requires
that you prioritize the threats most likely to do the most damage to the
organization and its customers. You should begin the development of a
threat-informed defense against ransomware by identifying which of their
assets are most crucial to protect.
Identify the data that matters most to your organization. For each
type of information, consider:
Next, approach the risk landscape from the opposite direction. Starting
with the comprehensive MITRE ATT&CK universe of detected tactics,
techniques, and procedures, determine which pose the greatest threat.
Develop a "most wanted" list of the attackers and TTPs that you
must protect company assets against.
Are protections configured to work the way you need them to?
Figure 1, above, shows the attack graph as it appears in the AttackIQ Security Optimization Platform,
showing the step-by-step chain of the emulation.
Figure 2, below. zooms into the attack graph to make it readable in this format.
STEP 0
STEP 1 STEP 2
STEP 3 STEP 4
STEP 5 STEP 6
As assessment results flow in, you will need to address any failures in
the organization's prevention and detection capabilities. Questions to
consider in designing the analysis process:
What are the risk acceptance criteria for scenarios that were not
successfully prevented?
Conclusion
In building out their organization's threat-informed defense, some CISOs
are also merging internal red and blue teams. Traditionally, these groups
operated separately, with blue teams managing defensive operations
and red teams conducting periodic (typically infrequent) tests of security
controls. Moving to a model of "purple teaming" brings together all
security staff and turns their focus to data on controls' effectiveness.
a. 20 percent
b. About 40 percent
c. Approximately 50 percent
d. 75 percent
TRUE
FALSE
Answer Key
1. Answer: B 4. Answer: B
2. Answer: D 5. Answer: B
CITATION
1
David Braue, "CISO Report: Ransomware Business Is Booming,"
Cybercrime Magazine, December 10, 2021.
2
"Share of organizations in selected countries hit by ransomware attacks in the last year as of February 2021,"
Statista.
3
Joseph Johnson, "Ransomware — statistics & facts,"
Statista, September 9, 2021.
4
Joseph Johnson, "Ransomware — statistics & facts,"
Statista, September 9, 2021.
5
"2021 Data Breach Investigations Report,"
Verizon.
6
Oleg Skulkin, Roman Rezvukhin & Semyon Rogachev, "Ransomware Uncovered 2020/2021,"
Group IB, March 2021.
7
Daphne Psaledakis, "U.S. Treasury puts crypto industry on notice over rising ransomware attacks,"
Reuters, October 15, 2021.
8
Andrew E. Kramer, "Companies Linked to Russian Ransomware Hide in Plain Sight,"
The New York Times, December 6, 2021.
9
Andrew E. Kramer, "Companies Linked to Russian Ransomware Hide in Plain Sight,"
The New York Times, December 6, 2021.
10
Tea Kvetenadze, "Russian Cyber Gang Grief Claims Ransomware Attack on NRA,"
Forbes, October 27, 2021.
11
Dan Sabbagh, "UK fighting hacking epidemic as Russian ransomware attacks increase,"
The Guardian, November 17, 2021.
12
Joseph Menn, "Ransomware attack on Australian utility claimed by Russian-speaking criminals,"
Reuters, December 8, 2021.
13
Zack Whittaker & Carly Page, "Olympus US hack tied to sanctioned Russian ransomware group,"
TechCrunch, October 20, 2021.
14
William Turton & Kartikay Mehrotra, "Hackers Breached Colonial Pipeline Using Compromised Password,"
Bloomberg, June 4, 2021.
"2021 Data Breach Investigations Report,"
15
Verizon.
"2021 Data Breach Investigations Report,"
16
Verizon.
CITATION
17
"The State of Ransomware in Healthcare 2021,"
Sophos, May 2021.
18
"Vastaamo board fires CEO, says he kept data breach secret for a year and a half,"
YLE News, October 26, 2020.
19
William Ralston, "They Told Their Therapists Everything. Hackers Leaked It All,"
Wired, May 4, 2021.
20
William Ralston, "They Told Their Therapists Everything. Hackers Leaked It All,"
Wired, May 4, 2021.
21
William Ralston, "They Told Their Therapists Everything. Hackers Leaked It All,"
Wired, May 4, 2021.
22
Alex Scroxton, "Hacked Finnish therapy business collapses,"
ComputerWeekly.com, February 11, 2021.
23
Sean Lyngaas, "Why the extortion of Vastaamo matters far beyond Finland — and how cyber pros are responding,"
CyberScoop, October 29, 2020.
24
David Braue, "CISO Report: Ransomware Business Is Booming,"
Cybercrime Magazine, December 10, 2021.
25
Andrew Costis, "Azure Security Stack Mappings: The Top Native Security Controls for Ransomware,"
AttackIQ blog, August 23, 2021.
26
"Known Exploited Vulnerabilities Catalog,"
Cybersecurity & Infrastructure Security Agency, November 3, 2021.
27
Jessica Davis, "Security Investments Increasing, But 53% Leaders Unsure of Effectiveness,"
Health IT Security, July 20, 2019
28
"Alert (AA21-265A): Conti Ransomware,"
Cybersecurity & Infrastructure Security Agency, September 22, 2021.
29
Matthew, J. Schwartz, "Why Does EternalBlue-Targeting WannaCry Remain at Large?
'The Most Widely Successful Wormable Malware Becomes Almost a Permanent Hangover'",
Bank Info Security, March 9, 2021.
ABout AttackIQ
AttackIQ, the leading independent vendor of breach and attack simulation solutions, built
the industry’s first Security Optimization Platform for continuous security control validation
and improving security program effectiveness and efficiency. AttackIQ is trusted by leading
organizations worldwide to identify security improvements and verify that cyberdefenses work as
expected, aligned with the MITRE ATT&CK framework. The Company is committed to giving back
to the cybersecurity community through its free AttackIQ Academy, open Preactive Security
Exchange, and partnership with MITRE Engenuity's Center for Threat Informed Defense.
For more information visit www.attackiq.com