With many employees now working from home, organisations are exposed to a vastly increased attack surface and must re-assess their endpoint security strategies to ensure they are equipped for this new environment. Tamer Odeh, Regional Director at SentinelOne in the Middle East, tells us how enterprises can best improve their endpoint security and why prevention is crucial for defending against sophisticated attacks.
Tell us about ransomware – how much of a threat is it to modern organisations?
Ransomware attacks continue to pose a threat to modern organisations, especially during the COVID-19 pandemic. In fact, the increasing diversity and total volume enabled by RaaS and affiliate schemes, along with the low risk and lucrative returns, only serves to suggest that ransomware will continue to evolve and increase in sophistication for the foreseeable future.
There are different types of ransomware. Examples like DoppelPaymer ransomware employ lightning-fast payloads to perform over 2000 malicious operations on the host in less than seven seconds. This means that legacy detection and response methods are failing to prevent infections, and defenders’ response to ransomware often starts after the ransomware has achieved its objectives.
Moreover, in the case of Maze ransomware, it has plenty of time to encrypt tens of thousands of files. Unfortunately, if a business relies on the cloud for virus signatures or reputation lookups, time plays a huge role in the process.
Huge damages can occur in one minute. In one test, SentinelOne’s Labs recorded 23,969 events triggered by Maze within the span of a mere 60 seconds. Each one of those events is a file being encrypted in preparation for hackers heavily threatening a company’s head and demanding a ransom to unlock its data.
All this damage underscores why local protection models – as in, those that are located on endpoints and don’t need to pause to fetch marching orders from the cloud – are superior to products that suffer from cloud lag and the dwell time it grants attackers.
Can you give us a summary of the methods of infection?
There are various methods of infection based on various situations. Some ransomware criminals take advantage of the challenges and vulnerabilities created by BYOD, IoT and Digital Transformation initiatives using technologies like social, mobile, cloud and software-defined networks. Remote workforces demanding the ability to work from anywhere at any time while accessing company data and using cloud applications also create challenges and increase the attack surface.
However, the usual methods of infection include the following:
- Breaches through phishing and social engineering
- Infection via compromised websites
- Malvertising and breaching the browser
- Exploit kits that deliver custom malware
- Infected files and application downloads
- Messaging applications as infection vectors
- Brute force through RDP
Other ransomware criminals recruit employees inside the firm as a means of breaching security controls, which is a technique one would normally associate with nation-state actors engaged in espionage.
Are remote workers more vulnerable to ransomware attacks?
Yes, they definitely are – with millions of people working from home, there is an enormous attack surface ripe for the taking by malicious actors. It is no trivial task to provide the same levels of security for all these employees, operating outside the (relatively) safe perimeter of their offices and local intranet.
Furthermore, with time and numerous IT ‘temptations’ (like letting your kids use your work laptop for browsing) employees’ awareness levels can be eroded, leading to an increase in their vulnerability to cybercrime.
What other key threats are remote workforces facing?
An increased number of staff working remotely presents an opportunity for Business Email Compromise (BEC) fraud, as the whole scam relies on communications that are never confirmed in person.
Phishing campaigns are also a threat for all employees whether they are based in-house or remote, but for workers who are unused to working ‘home alone’ and are now dealing with an increase in email and other text-based communications, it can be easier for them to lose perspective on what is genuine and what is a scam.
In particular, with a rise in malspam playing on fears of Coronavirus from the ‘usual suspects’ like Emotet and TrickBot, remote workers need to be extra-vigilant.
How should organisations plan for a ransomware [or other] cyber incident?…