

EDITOR’S CHOICE


preventative approach that tries to stop a ransomware attacker from breaching the walls, and instead focus on arming themselves with the tools that can detect and stop an attack in its tracks. One thing is for sure, in the sprawling IT landscapes of today, artificial intelligence (AI) will play a decisive role in the war against ransomware.


A DIVERSIFYING THREAT


Early forms of ransomware operated on autopilot and followed a simple business model: infect as many computers as possible, because at least some proportion of the victims will surely pay to recover their files. This so-called commodity ransomware soon evolved to search out and encrypt entire network drives – the rationale being that you are increasing the likelihood of locking something the victim cannot live without. This initial evolution also saw attackers start to target organisations such as manufacturing companies, rather than individual people, as businesses are more likely to pay bigger ransoms to recover critical files. From here, commodity ransomware was combined with worms – so it could now land on a single system but then rapidly infect neighbouring systems too. This was an important step forward for attackers, as only one victim needed to fall foul of the phishing email so attackers could quickly spread to potentially thousands of other machines. Despite being around for many years, such commodity ransomware does remain a genuine threat. An example of this was the WannaCry attack in 2017 which locked down hundreds of thousands of computers, while in February last year, commodity ransomware shut down a US natural gas facility for two days.


Attackers have continued to step up their game and diversify, replacing automated tactics with more sophisticated and targeted methods. These attacks often take weeks of planning and, after gaining an initial foothold, attackers manually adapt their movements to the specifics of the environment they have broken into. Such tactics were employed in the successful ransomware attack targeting JBS Foods, which was conducted by one of “the most specialised and sophisticated cybercriminal groups in the world”, according to the FBI.


Alongside diversification of the attack itself, the ransomware business model has also branched into a franchise model. The franchiser supplies the tools, playbooks and other necessary attack infrastructure, while franchisees use these services to carry out attacks, sending a percentage of the ransom back to the franchiser. For all intents and purposes, ransomware has become a fully-fledged industry; it is hardly surprising that the sophisticated human-operated variants have been identified by Microsoft as “one of the most impactful trends in cyberattacks today”.


WHY AI IS A CRITICAL WEAPON FOR MANUFACTURERS IN THE WAR ON RANSOMWARE


AI TO REINFORCE THE RANKS


Well-known commodity ransomware variants can generally be blocked on entry if security teams have access to timely indicators of compromise. Even newer types of commodity ransomware that successfully bypass preventative measures are typically quite limited in scope, and can be overcome with a good backup and restore process. Containing more fast-moving commodity ransomware variants can be more difficult, although in these cases, zero trust and other policy-driven controls are a decent armoury to contain outbreaks.


When it comes to the most targeted, human-operated ransomware attacks, success is no longer reliant on prescriptive policies, or hardened security configurations that are focused on prevention. While useful to a point, a sufficiently motivated attacker will eventually overcome these. In this case, focus must shift from trying to prevent the inevitable, to instead detecting and halting successful attacks at the earliest possible point – and this is where AI comes in. With estimates indicating the average dwell time in a ransomware attack is 43 days, AI should play a decisive role within the security team to help flush out the threat. While a team of analysts may need days or even weeks, AI can rapidly – if not immediately – detect when attackers are moving through systems before the ransomware deploy button is hit. This is because AI can contextualise and consolidate the wide variety of signals and markers left by attackers as they move through systems to reach their intended goal. AI can pull all this disparate information together into one clear picture, meaning security teams can efficiently respond to the most critical threats.


CONQUERING THE RANSOMWARE BATTLEFIELD


Ransomware continues to be a serious threat to manufacturers, and as demonstrated by some of this year’s high-profile incidents, it is not going away any time soon. Security teams in manufacturing companies should take note of these high-profile ransomware incidents and view them as a case study of what can happen if they are not ready to deal with the wide variety of threats. If you are the target of a human-operated attack, it is simply not realistic to expect security analysts to have all angles covered. As ransomware operators continue to diversify, manufacturers should look at adding AI-powered means of detecting ransomware to their arsenal, so they can significantly reduce the time taken to spot the threat.


Vectra AI www.vectra.ai


INDUSTRIAL COMPLIANCE | JANUARY/FEBRUARY 2023 7

