With high-profile ransomware attacks taking place more and more frequently, the U.S. administration has placed an emphasis on finding out who is responsible. The question is why? When it comes to these massive attacks, their level of sophistication is far greater than most, meaning the cyber criminals have spent months, perhaps even years, determining the best chance of success for infiltration. They have identified the security holes, developed in-depth network knowledge, and used all of it to execute the cyber attack. Given the amount of time they take to research the company’s network, don’t you think they would cover their tracks? They often do, and do it quite well. Considering this, it wouldn’t be far-fetched to assume that even the breadcrumbs that are found were left purposefully. This could effectively frame another cyber gang, or another country.
Here are a couple of things we do know. Many cyber gangs like to take credit for attacks, so even if the breadcrumbs aren’t present, they may claim the attack as theirs on the dark web. However, those who don’t want to get caught, or perhaps would like to frame another country, could easily do so. Considering that attacks against critical infrastructure could lead to a cyber war, the ease of framing another country or organization becomes a new level of terrifying.
Identifying Security Holes
Instead of spending time and resources trying to determine where these attacks came from, organizations should be focusing on threat prevention by closing security holes. By having the proper means of cyber prevention in place, organizations can block malware attacks like ransomware. PC Matic founder and CEO Rob Cheng states,
“Rather than the Biden administration wildly blaming other nations for foreigners exploiting America’s security holes, they should encourage governments and businesses to close the security holes. This alone will make the country safer.”
Once an organization has identified its security holes, it can close them using proper authorization techniques. When authorization standards are put into place, the risk of a successful attack working its way into the network diminishes significantly. A few examples of authorization standards include:
- Removing network access for terminated employees
- Limiting access credentials for employees, based on job duties
- Eliminating the bring your own device (BYOD) policy
- Only allowing known, trusted programs to run within the company’s network — such as through application whitelisting
Application Whitelisting
Considering that ransomware is moving beyond standard file encryption to also include victim extortion, one would think prevention would be top of mind.
Application whitelisting is a method of malware detection that only allows tested and proven-safe applications to run. If the application is known to be malicious, as many older viruses are, it is blocked. If the file is unknown, as much new malware is when it first appears, it is also blocked from running. How does this compare to other solutions?
Most legacy programs use a blacklist approach, meaning they only block known-bad files. As mentioned earlier, that doesn’t work for new malware, which is still unknown and has yet to be reported as bad. Considering that new malware is created daily, a blacklist approach is no longer feasible. Many security solutions have kept the blacklist but added artificial intelligence (AI) or behavioral heuristics (BH). Neither AI nor BH is bad; however, for either to be triggered, the malware has to be running at some level. Once the malware begins running, it may be flagged by the AI/BH protection because it is not behaving as a trusted program would, but by then it has already executed. This is a security hole.
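To make the default-deny distinction concrete, here is an added example written for this page (not PC Matic’s product code): the same constructed set of sample binaries, including a brand-new dropper and a tampered copy of a trusted program, is judged by a hash-based blacklist and by a hash-based allowlist, with SHA-256 of the file contents assumed as the program’s identity.

```python
import hashlib
from enum import Enum

class Verdict(Enum):
    ALLOW = "allow"
    BLOCK = "block"

# Constructed sample "executables": the bytes stand in for real program contents.
SAMPLES = {
    "payroll.exe": b"trusted payroll application, build 4.2",
    "oldvirus.exe": b"long-known malicious sample present in legacy signature feeds",
    "dropper.exe": b"brand-new ransomware dropper that no vendor has reported yet",
    # A trusted binary with its contents altered (trojanized or corrupted).
    "payroll_tampered.exe": b"trusted payroll application, build 4.3",
}

def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

# Blacklist: hashes already reported as bad. Allowlist: hashes tested and approved.
BLACKLIST = {sha256(SAMPLES["oldvirus.exe"])}
ALLOWLIST = {sha256(SAMPLES["payroll.exe"])}

def blacklist_verdict(data: bytes) -> Verdict:
    """Legacy model: block only what is already known bad; everything else runs."""
    return Verdict.BLOCK if sha256(data) in BLACKLIST else Verdict.ALLOW

def allowlist_verdict(data: bytes) -> Verdict:
    """Default-deny model: run only what is known good; known-bad AND unknown are blocked."""
    return Verdict.ALLOW if sha256(data) in ALLOWLIST else Verdict.BLOCK

def compare(samples: dict = SAMPLES) -> dict:
    """Map each sample name to (blacklist verdict, allowlist verdict)."""
    return {name: (blacklist_verdict(d), allowlist_verdict(d)) for name, d in samples.items()}

def executed_under_blacklist_only(samples: dict = SAMPLES) -> set:
    """Names a blacklist lets run but an allowlist would have stopped (the 'hole')."""
    return {n for n, (bl, al) in compare(samples).items()
            if bl is Verdict.ALLOW and al is Verdict.BLOCK}

if __name__ == "__main__":
    for name, (bl, al) in compare().items():
        print(f"{name:22} blacklist={bl.value:5}  allowlist={al.value}")
    print("slipped past the blacklist:", sorted(executed_under_blacklist_only()))
```

The tampered copy is instructive: its hash no longer matches the approved build, so the allowlist treats it as unknown and blocks it, while the blacklist lets it run because nobody has reported it yet.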
Threat prevention is the gold standard that is missing in cybersecurity. It’s time to shift focus, before it becomes too late.