Story image

Are you prepared for the surge in ransomware?

By Shannon Williams, 19 Aug 2021

Ransomware attacks are on the rise, with analysis identifying a 900% increase in ransomware over the first half of 2020.

Anthony Stitt, VP International at ThreatQuotient, says despite this, many organisations have been left behind with security operations.

VMware recently surveyed 3,542 CISOs across 14 countries for its recently published Global Security Insights report and found ransomware attacks were the dominant cause of breaches for organisations worldwide. 

"Despite this rise, many organisations have been left behind with their security operations, with 60% of organisations experiencing ransomware attacks in 2019 – of which 29% said attacks happened at lest once a week," says Stitt.

"In fact, according to Gartner 27% of malware incidents reported in 2020 can be lined to ransomware."

Stitt says ransomware has become a mainstream topic of concern, with high-profile attacks impacting fuel supplies on the East Coast of America and targeting transportation systems and financial service providers. 

"Organisations are conscious about protecting themselves and their customers when attacks happen, and consumer confidence has been affected as a result of this," he says.

"A better understanding of adversaries and their tactics, techniques and procedure (TTPs) is needed, so that you can understand how your organisation can mitigate any risks."

A cornerstone to any security operation is a threat intelligence program that provides better intelligence across the threat spectrum from known to unknown attacks, and the ability to leverage this intelligence for all the systems and analysts who need it, according to Stitt.

This intelligence must include internal data, events and telemetry, supplemented with external data from a diversity of sources including commercial vendors, open sources, ISACs, CERTs, government cyber organisations and other sharing communities.

"Threat Intelligence Platforms (TIPs) have risen in popularity to deal with this complexity. The first function of a TIP is to store and manage threat information no matter where it comes from," Stitt says.

"The second function is to correlate and contextualise it by prioritising the small fraction of relevant information to turn it into useful intelligence. 

"Third, the intelligence must be shared with downstream systems that use it for post-compromise detection, pre-emptive blocking, and patch prioritisation," he says.

"Finally, TIPs may include analysis and visualisation tools that assist various user groups, including SOC analysts, incident responders and threat hunters, by making it easier to share intelligence and collaborate."

So how do you get started with a threat intelligence program?

According to Stitt, open data sources and tools such as MISP, TheHIVE and Cortex are some ways to get started with threat intelligence, building and testing the processes required and demonstrating what it can do for an organisation.

"However, it is worth noting the soft costs of coding and development time required with open source tools, and it can be likely that you will end up with a single person in the organisation developing the institutional knowledge and domain expertise," he says.

"Should that person leave, costs and risks increase and the program will fail.

Stitt says, "Whether you go through this stage or jump straight to evaluating commercial approaches, keep in mind that most threat intelligence programs will cost in the range of 360,000 – 1.4 million per year for an effective capability, including people and new systems, for example threat intel analysts, a TIP and intelligence sources. 

"However, given reports of ransomware demands and if you consider a recent report that estimates the average cost of a data breach at 2.8 million with mega breaches (50 million records or more stolen) reaching 284 million, a threat intelligence program that prevents even a single breach each year will pay for itself," he says.

"However, this can be difficult to show when making the case for a budget. Unless your organisation is suffering data breaches constantly, you are unlikely to have any hard data to calculate an ROI. 

"Instead, one approach is to track your organisation’s ability to detect compromises and determine which of those were exclusively detected with intelligence from the threat intelligence program," Stitt says.

"One large global technology company was able to attribute over 1,500 compromises per annum to their intel program using this method. In the context of their overall compromise detection costs from security tools, incident response, threat hunting and alert triage, they could show a strong ROI for their threat intelligence program."

According to Stitt, each of these use cases, as well as others including threat intelligence management, vulnerability management and accelerated prevention and detection, present their own ROI areas. These include increased staff efficiency, improved collaboration, faster patching of prioritised vulnerabilities, reduced attacker dwell time and faster time to respond.

"As threats evolve and emerge, a threat intelligence program is integral for an organisation’s survival," he says.

"Now is the time to implement a threat intelligence strategy and even if you already have a program in place, there is always rooms for improvement and optimisation for your top use cases."

Recent stories
More stories