Guest: Steve Winterfeld (LinkedIn)
Company: Akamai (Twitter)
Show: Newsroom

For a period of 20 months, Akamai examined ransomware attacks across different verticals. The findings were published in the latest State of the Internet (SOTI): Ransomware on the Move report.

In this episode of TFiR: Newsroom, Akamai Advisory CISO Steve Winterfeld shares highlights of the report, including insights on the evolving exploitation techniques of ransomware groups and Akamai’s recommendations on how organizations can protect their systems.

Current security trends:

  • Security discussions are now at the board level. Security auditors are asking very senior-level leaders of organizations about their “cyber risk appetite”.
  • Developers are thinking of how to develop hooks so they can pull in security capabilities as part of the pipeline.
  • Startups are trying to figure out how to be secure and not lose all their IP right away.

Highlights of SOTI: Ransomware on the Move:

  • Three models of extortion:  1) DDoS: “Pay us or we’ll take your site offline.” 2) Encryption: “We encrypted all your data and you don’t have access to it.” Operationally, the organization is shut down, in crisis mode, and it’s public. 3) Holding data hostage: “We stole your data and we’ll sell it back to you.”
  • The focus of hackers has shifted from encryption to holding data hostage. It has come to the point where hackers are going to the second-order victim and telling them to go to the victim and urge them to pay the ransom. For example, hackers are telling bank customers, “Bank X is your bank. We took all their data. You need to call Bank X and tell them to pay us, so we don’t release your data.”
  • Organizations that experience a breach are 6 times more likely to succumb to a secondary attack within 3 months of the initial attack.
  • There is a 143% increase in zero-day attacks, i.e., instead of trying to send an email, they just launch malware and then that malware will break in. This allows them to scale faster.
  • Hackers are paying bug bounties to other hackers to bring in zero-days.
  • A hacker may get initial access, some other hacker does actual ransomware, and somebody else may do the data exfiltration. Almost like ransomware-as-a-service.
  • Ransomware groups are constantly changing. They may focus on a specific industry that they know is more likely to pay, or they may focus on scale by trying to go in and do automated attacks.

On Generative AI:

  • There is going to be a big impact on business email compromise more than ransomware. People will be able to quickly and more effectively convince other people to wire money or to do something like that.
  • They are already seeing versions of deep fakes and versions of voice AI where they’re able to mimic being used again for business email compromise. Eventually, there will be more of that in the ransomware or general breach categories.

On the importance of culture:

  • It’s the culture of “I’m starting a project, so I’m reaching out to the right security people.” Trying to bolt on security at the 11th hour never works. What works is integrated security at the beginning of a project. Having security experts embedded throughout that project is critical. It enables everybody to understand the risks involved.

Advice for companies on how to break the chain of attack:

  • Understand your attack surface and make sure that you minimize it.
  • Have internal segmentation and visibility.
  • Update your playbooks. Validate them by conducting regular exercises.
  • Do a gap assessment to discover indicators of compromise. How do you monitor outbound traffic, internal data flows, etc.?
  • Do not forget the basic traditional cyber hygiene: patching, security training, etc.
  • Make sure your legal team is updated on the latest regulations. Work with them so you don’t do something inadvertently that’s not within the law. More and more laws are coming out that say, “If you live in this state or if you live in this region, it is illegal to pay ransom” or “You have to send out a notification if you get ransomware,” etc.
  • If you’re dealing with a crisis, you need to have part of your team focused on the next group who will try to break in, because a secondary attack is common. Do not get myopic. Train yourselves to not only focus on the current crisis, but be vigilant for the next attack.

How companies can keep up to date with security matters:

  • Spend 10% of your time learning the latest security trends, issues, best practices.
  • Subscribe to podcasts, news feeds, Bruce Schneier, Brian Krebs, etc.
  • Read vendor reports such as Akamai’s SOTI, IBM, Verizon Data Breach Investigations Report (DBIR), Department of Homeland Security advisories.
  • Become a member of InfraGard or OWASP or some of these security focus groups.
  • Watch a video on the MITRE ATT&CK framework and the OWASP Top 10 for API Attacks.

This summary was written by Camille Gregory.

You may also like