Intelligent CISO Issue 43 - Page 68

decrypting myths
Can you give us some insight into how the frequency of ransomware attacks has changed and why ?
There are many different attributes as to why this has happened . One of them is to do with political relationships between countries – we must be aware that some variants out there have been linked back to nation states . But I wouldn ' t say that ' s the predominant driver .
Key issues are those such as the impact of the pandemic and people working more remotely in less secure environments . There ' s a lot more fear , uncertainty and doubt that attackers are exploiting around things like COVID-19 and getting users to click on links and open attachments .
Most ransomware is delivered through some form of social engineering or a phishing attack , but it has become so easy for attackers to execute and get a return from that attack . There is also the increased rise of cryptocurrencies which make it easier for them to receive payment , but still remain anonymous and more difficult to track .
Why are existing tools and strategies not working against these types of threats ?
Perhaps what we focus on too much is stopping the ransomware from getting in and detecting it once it ' s there because that becomes an evolving process . It is a continual movement of the goalposts .
We try and detect based on signatures , so attackers then change the code and manipulate those signatures . We try and chuck it on behavioural patterns so if a process methodically goes through and encrypts files alphabetically , we can see that process is something we want to block and so again the attackers will then evolve their code to do encryption on a more sporadic basis .
A lot of the focus has been on that initial intrusion point and stopping and detecting it from executing , whereas
David Higgins , EMEA Technical Director at CyberArk
perhaps we should be taking a step back and looking at the commonality in all these different variations we ' ve discussed .
This is something more targeted that we can focus on because a lot of ransomware discussions are isolated to the endpoint , but while a ransomware attack will hit one endpoint to start with , its objective is to spread . So , there ' s this kind of propagation that happens within ransomware that often isn ' t necessarily focused .
68 www . intelligentciso . com