Ransomware Taxonomy: Four Scenarios Companies Should Safeguard Against

While October is designated as Cybersecurity Awareness Month, focusing on keeping your company and customers safe should be a constant priority, especially with the growing number and sophistication of ransomware attacks worldwide. As companies interact more digitally with customers and end-users, their attack surface increases, presenting more opportunities for would-be attackers.

We’ve spent a lot of time studying ransomware attacks and instead of viewing them as an amorphous threat, have looked for distinct scenarios that can be identified and mitigated. These efforts have resulted in a taxonomy to identify four specific scenarios companies should be aware of to defend themselves:

1) An attack against a company’s corporate data and back-office services to disrupt their operations. 

This is the classic attack scenario that comes to mind for most folks when you hear the word “ransomware.” For some environments, this can unfold as easily as a compromised username and password being used to infiltrate a virtual private network (VPN) to access network resources. Once a bad actor is inside, they can take control of a company’s IT infrastructure. By locking out internal users from their laptops and servers they require access to do their jobs, this type of attack can immediately shut down the ability to operate the business.

The security technical debt in the IT environment is the key focus for remediation to limit the impact of this type of attack. By deploying basic tools such as multi-factor authentication (MFA) to verify user credentials, companies can avoid these disruptive and expensive ransomware attacks. A few suggestions for companies to consider:

  • Deploy a Zero Trust architecture to reduce the attack surface and continually add security applications, devices, and capabilities to prevent intruders from accessing their network resources.
  • Launch defense-focused initiatives focused on areas like identity management and governance, security monitoring and intelligence (to detect and alert for unusual account activity), credential management, and asset quarantine solutions.

2) An attack against a company’s engineering organization to disrupt service delivery to its customers.

Some attackers may target the servers and infrastructure that underpin a company’s service delivery to customers. In many organizations, engineering or tech ops maintain software-as-a-service as a distinct environment separate from corporate IT. Bad actors may seek to interrupt critical service delivery such as website functionality, online customer support, and customer-facing applications.

An organization that is squarely focused on the first scenario targeting corporate IT might have significant gaps lurking in the engineering environment underpinning service delivery to customers. Engineering teams can also speak a different language from the folks in IT, so organizations should tailor their risk discovery and remediation efforts for each environment that must be protected.

  • Leverage XaaS capabilities via the cloud and managed services versus on-premises infrastructure, allowing greater threat detection and vulnerability management.
  • Develop and deliver centralized security functions and services via an Operational Security Stack to ensure consistent adoption and adherence.
  • Proactively assess and address security risks and identify required risk mitigation via a secure development lifecycle approach.

3) An attack against a company’s engineering infrastructure to leverage that infrastructure in a supply chain attack to distribute ransomware against other companies.

In these types of sophisticated attacks, threat actors will compromise a company’s product engineering build and release infrastructure to gain access and distribute trojan updates to the downstream users of their software.

These software supply-chain attacks are particularly appealing for attackers because they take advantage of the trusted relationship between customers and vendors regarding the integrity of the distributed software.

We recommend a trust but verify approach when it comes to your vendor’s value chain security and to consider threat modeling from both an outside-in and inside-out perspective. Here are some ideas to make your architecture infrastructure more resilient against supply chain attacks:

  • Implement baseline security controls in all build server environments, including embedded, application, and cloud.
  • Design and align to consistent, secure core reference architectures easily managed and scaled to meet business requirements.
  • Leverage penetration testing and security assessments to ensure all production environments are secured and hardened.

4) Attacks leveraging product vulnerabilities in on-premise software hosted and operated by a customer to distribute a ransomware attack against that customer.

In this scenario, an attacker targets an installed version of commercial software to act as a point of distribution for a ransomware attack throughout the victim organization. This might be achieved through product vulnerabilities or leveraging stolen credentials.

Based on our analysis and identifying similar characteristics of other ransomware targets, we recommend the following steps to mitigate product risk:

  • Establish a process for continuous evaluation of company products, risk posture, and state of controls by working with stakeholder teams to prioritize risk mitigation and close critical security gaps.
  • Establish and maintain tight internal and external product security awareness and reporting that is consistently monitored and inspected.
  • Ensure transparent customer notification and clear communication pathways to maintain trust and demonstrate accountability when addressing security vulnerabilities.

While the pace of the digital economy continues to drive business growth and rapid innovation, it is also fueling an unprecedented level of cyber threat globally. Each of these ransomware scenarios presents the opportunity to improve your defenses by taking a proactive and zero trust approach to threat detection, mitigation, and response. Stay safe!


We’d love to hear what you think. Ask a Question, Comment Below, and Stay Connected with Cisco Secure on social!

Cisco Secure Social Channels

Instagram
Facebook
Twitter
LinkedIn