In 2023, “cyber resilience” became more than just a phrase used in IT circles and earned its place on the executive board agenda. Simply put, resilience means going beyond implementing preventative measures to resist an attack, by ensuring business outcomes are the same in spite of an attack.
The rise in awareness of cyber resilience on the list of business priorities is directly linked to ransomware: Two thirds of organizations were hit by ransomware last year. It’s only logical that more organizations are starting to think it's a question of when ransomware will affect them - no longer if.
Prevention still has the biggest role to play when organizations look at their cybersecurity posture and resilience. Securing, monitoring, and actioning endpoints needs to come first in that strategy. Ransomware comes in many different forms, but many of the most prolific strains use devices to their advantage. The risk that remote ransomware in particular, when a compromised endpoint is used to encrypt data on other devices on the same network, confirms the need for a more resilient endpoint strategy.
To execute a defense-first endpoint security strategy effectively, businesses need to stick to these core principles.
Keeping a Clean House
Maintaining cyber policies and making sure employees stick to them is one of IT’s biggest pain points - but it's crucial that policies are followed. People are one of, if not the most important factors in security, both in terms of the risks they present and their role in organisational defense. Even with the most advanced cybersecurity solutions in place, a business is only as strong as its weakest link – and in many cases, this can be its people. If one person’s device is exposed, it can expose the whole business.
Additionally, IT teams need visibility across all devices that are being used to access their business’ data. Eighty percent of remote encryption compromises originate from unmanaged devices on the network.
IT teams need to be able to find devices accessing their data, discover any software vulnerabilities, whether there are any unknown services running, or unauthorized browser extensions; identify endpoints and servers that still have guest accounts enabled; check if approved software is rolled out on devices; and remotely access devices to dig deeper if need be, such as editing configuration files.
Fending off Attackers
Ransomware attacks are unique. Each attack combines a different set of tactics, techniques, and procedures (TTPs), and as a result there is no ‘one size fits all’ protection solution. What works against one attack, will not always work against the next one. Consequently, some threats will need more attention from security teams than others.
Endpoint protection serves as the initial barrier for businesses against many of these threats, reducing exposure and enabling defenders to respond. For security teams monitoring and prioritizing threats that are presented to businesses, endpoint detection and response can filter out and automatically block millions of threats. Analysts can turn their attention to more business-critical security issues.
To have the best chance against the plethora of threats out there, security analysts need all the threat data they can get their hands on. An endpoint solution that is tapped into real time data sources, gathered across a large sample base, will give teams the data they need to prioritize threats.
Mitigating Ransomware
Endpoint detection and response (EDR) tools can root out processes attempting to make a connection to non-standard ports, identify processes that have recently modified files or registry keys, and can remotely access a device to deploy additional forensic tools, shut down devices, and run scripts or programs. Anti-ransomware protection capabilities also identify and block malicious encryption attempts.
Remote ransomware poses a more nuanced challenge to security teams. Remote ransomware now makes up around 60% of human operated ransomware attacks. If the initial attempt is blocked (for example, by security technologies on the target devices) the adversary rarely gives up, choosing instead to pivot to an alternative approach and try again, and again.
Most endpoint security products are ineffective in this scenario because they focus on detecting malicious ransomware files and processes on the protected endpoint. However, with remote encryption attacks, the processes run on the compromised machine, leaving the endpoint protection blind to the malicious activity.
Organizations need to look for solutions that universally detect and stop all ransomware in its tracks, including new variants and both local and remote ransomware attacks. Using advanced mathematical analysis of file contents, sophisticated endpoint solutions detect malicious encryption wherever it occurs. Any maliciously encrypted files are automatically rolled back to their unencrypted state, irrespective of size of file type, minimizing the business impact.
Adversaries have become more sophisticated and more elusive, requiring a defense-in-depth strategy like EDR that includes protection, detection, and response at every point along the attack chain and that covers entire environments. Investing in endpoint solutions are critical to giving security teams the tools they need to ask detailed questions when hunting down threats and strengthening IT security operations posture.