The war on cyber threats, especially ransomware, is an ongoing battle. Despite the progress that organisations have made in threat detection and response, adversaries are continuing to innovate and adapt to achieve their mission in targeted environments.
According to the M-Trends 2022 report by cybersecurity firm Mandiant, organisations in the Asia Pacific (APAC) region have significantly reduced their dwell time, which is the amount of time an attacker is present in a victim environment before the intrusion is detected. They took an average of 21 days to notice cyber intrusions in 2021, instead of the 76 days they took in 2020.
While a shorter dwell time indicates that investments in detection and response capabilities are paying off, it might also be due to the growth of ransomware attacks in the region. Case in point: ransomware-related intrusions accounted for 38% of the intrusions Mandiant investigated in the APAC region last year, and the median dwell time for such intrusions was nine days, compared to 38 days for non-ransomware intrusions.
“Ransomware attacks tend to have a short dwell time because the goal is to make money. Those attackers will break into the network and then encrypt, steal and threaten to publish those files. They reveal themselves quite quickly so that they can make an extortion demand and get paid as soon as possible,” says Steve Ledzian, Mandiant’s vice president and chief technology officer for Asia Pacific and Japan.
He continues: “This is in contrast to cyber espionage, where the bad actors want to stay invisible for as long as possible so they can keep stealing data and intellectual property without being discovered.”
Intrusion detection is as important as prevention
With organisations becoming increasingly connected, they need to be prepared to face a larger attack surface.
For instance, the M-Trends 2022 report found that supply chain compromise was the second most prevalent initial infection vector identified in 2021. It accounted for 17% of global intrusions that year, compared to less than 1% in 2020. Most of the supply chain compromise intrusions in 2021 were related to the SolarWinds breach and the SUNBURST backdoor malware.
Given the wider attack surface, simply taking preventive measures is not enough to fully protect an organisation against ransomware attacks. Moreover, it is worrying that 76% of intrusions in the region last year were identified by external parties, including ransomware actors.
Ledzian advises organisations to build intrusion detection capability as prevention alone is not 100% effective. He says: “There’s still a mindset in some organisations that when it comes to cybersecurity, prevention is better than a cure. It’s true prevention is better than a cure, but the catch is that prevention is never 100% so having the cure is equally important.”
“What they need to also have is the ability to discover intruders who are already in their networks. This allows organisations to intercept cybercriminals even after an intrusion but before they encrypt and steal files. Businesses can then eject the attacker from their networks and avoid or minimise business damage.”
Without that internal intrusion detection capability, attackers can go unnoticed and proceed unhindered to achieve their mission. The victim will only realise the intrusion through the ransom note, which by then is too late.
However, Ledzian highlights that it takes more than just technology to effectively detect and mitigate intrusions. While security technologies can detect successful intrusions, they only show that something is wrong in the network. Human cybersecurity experts – armed with threat intelligence – still need to investigate, find clues and piece the clues together to get the complete picture of the cybersecurity incident before remediating.
Organisations without their own team of human investigators can leverage managed detection and response services, such as Mandiant’s Managed Defense, to strengthen their cyber defence.
With Managed Defense, Mandiant experts swiftly scope, investigate and prioritise alerts with context from nation-grade threat intelligence.
Fuelled by up-to-the-minute threat intelligence, the Managed Defense threat hunting team designs and conducts hunt missions to reveal the stealthiest threat actors. It does so by leveraging data analytics, automation and elite experts with intuition and frontline experience.
Additionally, the Managed Defense team will notify organisations when evidence of compromise has led to an investigation. They will also work with the organisation to contain compromised assets and quickly scope and investigate incidents.
“Managed Defense helps to catch intrusions quickly as well as intercept and mitigate them before there’s any business impact. It can reduce the dwell time for our customers from 21 days to an average of two hours,” notes Ledzian.
Verifying your ransomware readiness
Besides having intrusion detection capability, Ledzian urges APAC organisations to treat ransomware as a business issue rather than an IT problem. “Many organisations believe they understand that ransomware is a business problem but in reality, how prepared are their business executives to face those attacks? Organisations that think that only their technical people need to prepare for such attacks don’t really understand that ransomware is a business problem,” he says.
Mandiant’s Tabletop Exercise can help improve an organisation’s readiness to respond to ransomware attacks. It evaluates the company’s cyber crisis processes, tools and proficiency in responding to cyberattacks from both an executive strategic and technical incident response perspective.
During each exercise, Mandiant consultants introduce multiple scenario injects based on real-world experience in a roundtable environment to observe the organisation’s simulated actions and decisions in response. Thereafter, Mandiant will provide a written report with a step-by-step summary of scenario inputs and responses.
“A lot of learning can come from Tabletop Exercises, and those learnings build experience. That’s one way for the business to effectively prepare for ransomware attacks and other security incidents,” claims Ledzian.
In line with that, he also encourages APAC organisations to continuously validate and measure the effectiveness of their cybersecurity programmes. “It’s not enough to just have security controls. Organisations must constantly validate the effectiveness of their cybersecurity plans, given the growth and prevalence of ransomware.”
They can do so with the Mandiant Advantage Ransomware Defense Validation service. It leverages Mandiant’s threat intelligence, repurposed ransomware samples, and automated validation infrastructure to provide organisations with a safe way of testing their security controls against the latest ransomware. Mandiant experts will also review an organisation’s progress and share insights on curated ransomware evaluations planned for the business.
All in all, there is no end state for cybersecurity. While the defenders are getting better at their job, attackers are also getting more sophisticated. APAC organisations must therefore keep pace with attackers by continually investing not only in cybersecurity technologies but also in talent and capabilities.
“Simply deploying cybersecurity technologies isn’t effective in stopping very sophisticated cyberattacks such as multifaceted ransomware attacks. Organisations need to complement their layers of cybersecurity solutions with more strategic capabilities like cybersecurity experts and threat intelligence that enables those humans to make the most appropriate decisions,” concludes Ledzian.