Eight Best Practices For Ransomware Threat Hunting
Ransomware attacks and ransomware attackers are both evolving, becoming much more complex and damaging with each passing year. Attackers are moving in and out of victims swiftly, encrypting systems or exfiltrating data well before security teams can detect their presence. What organizations need is an offensive approach in which cyber threats and adversaries are hunted down and neutralized before they can inflict any damage.
When The Hunted Becomes The Hunter
Threat hunting means that security teams proactively comb through security data and look for hidden patterns, malware, suspicious activity or virtual footprints left behind by a threat actor. While threat-hunting approaches can vary significantly based on the resources at hand, the following best practices can help security teams be more effective threat hunters.
1. Monitoring And Analyzing Security Data Using Automation
Monitoring and analyzing security logs might sound like a cliché, but it’s one of the simplest things threat hunters can do to uncover anomalies and suspicious events. Most security tools generate far too much security data and too many alerts, so it’s recommended that security teams leverage automation and AI tools to correlate data from various indicators of compromise (IOCs). For example, security orchestration, automation and response (SOAR) platforms can analyze events, isolate hosts, take servers offline and carry out other actions automatically using if-then-style statements.
2. Focusing On Insider Threat Detection
Ransomware can strike from the inside. Insider threats are serious, and they’re very real. This is where measures like user behavior analytics (UBA) and threat hunting come into play—reviewing data to find out who’s accessing what and learning those employees’ behaviors so that when there is anomalous behavior, UBA can trigger security teams to investigate and elevate the incident if necessary.
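A minimal sketch of the baseline-then-compare idea behind UBA, added here as an illustration and not taken from any UBA product. The log format, thresholds and sample events are constructed assumptions; it flags an account whose daily file access is far above its own history or mostly made up of resources it has never touched.

```python
from collections import defaultdict
from statistics import mean, pstdev

def build_baseline(events):
    """events: iterable of (day, user, resource). Returns a per-user profile."""
    per_day = defaultdict(lambda: defaultdict(set))
    for day, user, resource in events:
        per_day[user][day].add(resource)
    profile = {}
    for user, days in per_day.items():
        counts = [len(r) for r in days.values()]
        profile[user] = {"known": set().union(*days.values()),
                         "mean": mean(counts), "std": pstdev(counts)}
    return profile

def hunt(profile, day_events, z_limit=3.0, new_ratio_limit=0.5):
    """Return {user: [reasons]} for accounts deviating from baseline on one day."""
    today = defaultdict(set)
    for _day, user, resource in day_events:
        today[user].add(resource)
    findings = {}
    for user, resources in today.items():
        base = profile.get(user)
        if base is None:
            findings[user] = ["no baseline for this account"]
            continue
        reasons = []
        # Floor the deviation at 1 so a perfectly steady user cannot divide by zero.
        z = (len(resources) - base["mean"]) / max(base["std"], 1.0)
        if z > z_limit:
            reasons.append(f"volume z-score {z:.1f}")
        new_share = len(resources - base["known"]) / len(resources)
        if new_share > new_ratio_limit:
            reasons.append(f"{new_share:.0%} never-seen resources")
        if reasons:
            findings[user] = reasons
    return findings

# Constructed sample data (hypothetical users and paths), five baseline days.
BASELINE = [(d, "alice", f"finance/q{n}.xlsx")
            for d in range(1, 6) for n in range(1, 4 + d % 2)]
BASELINE += [(d, "bob", f"eng/spec{n}.md") for d in range(1, 6) for n in range(1, 3)]
# Day 6: alice suddenly touches 40 HR files, bob behaves as usual.
TODAY = [(6, "alice", f"hr/record{n}.docx") for n in range(40)]
TODAY += [(6, "bob", "eng/spec1.md"), (6, "bob", "eng/spec2.md")]

if __name__ == "__main__":
    for user, reasons in hunt(build_baseline(BASELINE), TODAY).items():
        print(user, "->", "; ".join(reasons))
```

Findings like these are leads for an analyst to investigate, not verdicts; a role change or a month-end job produces the same signal.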
3. Scanning For Vulnerabilities Proactively
With an increasing number of companies becoming internet-facing and operating in the cloud, a vulnerability can open millions of customers up to attack. Exploiting vulnerabilities in public-facing applications is one of the main techniques threat actors use to steal data, deploy ransomware and encrypt systems. To hunt for potential threats and weak spots, security teams should run internal and external scans to learn if operating systems are out of date or if devices need security patches installed.
4. Monitoring Zero-Day And Emerging Threats
Since more and more vulnerabilities are being disclosed every year, attackers are fully aware of the Achilles’ heel of organizations. For example, when vulnerabilities like Log4j were announced, hackers made millions of attempts to exploit the software flaw. To stop ransomware from exploiting such vulnerabilities, businesses should proactively track these vulnerabilities and perform updates in multiple places.
5. Leveraging Expert Threat Hunters
Threat hunting is a specialized skill in short supply. External threat hunters can support the business with a wide range of cybersecurity expertise. They can run penetration tests on a regular basis, validate network integrity and the overall cybersecurity posture, uncover unauthorized activity, backdoors, trojans and evasive malware, monitor the attack surface and flag suspicious activity, or do a cost analysis on what security is needed and how much budget needs to be allocated. Businesses can also choose to outsource threat monitoring, detection and incident response functions, an arrangement known as managed detection and response (MDR). MDR providers combine advanced analytics and threat intelligence to deliver proactive threat detection and improved incident response.
6. Staying Updated On Latest Techniques
The emergence of ransomware-as-a-service is making it easier for novice cybercriminals to deploy ransomware without having much expertise. Attack strategies are changing, and ransomware groups are resorting to double extortion. Threat hunters must continuously evolve their approach alongside new ransomware tactics.
7. Monitoring The Dark Web
Monitor the dark web regularly to see if somebody is advertising your company’s stolen data. For example, an initial access broker (IAB) could be advertising credentials that have been stolen from ACME Corporation. If ACME discovers this beforehand, they know they’re under potential attack and can take remedial steps to protect themselves. It’s also important to check password leak websites like haveibeenpwned to determine if user credentials have been leaked online. One can also use the same tools that hackers use (for example, OSINT) to understand what’s lurking around on the internet and what can be exploited.
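One way to automate the leaked-password check, added here as an example that is not part of the original article: it uses the k-anonymity range lookup of Have I Been Pwned's Pwned Passwords service, so only the first five characters of the SHA-1 hash leave the host. The sample password, the User-Agent string and the offline response body are constructed assumptions.

```python
import hashlib
import urllib.request

def split_hash(password):
    """SHA-1 the password; only the 5-character prefix is ever sent out."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]

def parse_range_body(body):
    """Parse 'SUFFIX:COUNT' lines, skipping malformed lines and zero-count padding."""
    counts = {}
    for line in body.splitlines():
        suffix, sep, count = line.strip().partition(":")
        if not sep or len(suffix) != 35 or not count.isdigit():
            continue
        if int(count) > 0:
            counts[suffix.upper()] = int(count)
    return counts

def breach_count(password, fetch_range):
    """fetch_range(prefix) returns the response body for that hash prefix."""
    prefix, suffix = split_hash(password)
    return parse_range_body(fetch_range(prefix)).get(suffix, 0)

def fetch_range_live(prefix):
    """Live lookup against the range endpoint (needs network access)."""
    req = urllib.request.Request(
        f"https://api.pwnedpasswords.com/range/{prefix}",
        # User-Agent value is an assumption; Add-Padding asks for a padded reply.
        headers={"User-Agent": "credential-exposure-check", "Add-Padding": "true"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")

# Constructed offline stand-in for the service, so the example runs without network.
LEAKED = "constructed-sample-password"

def fetch_range_sample(prefix):
    _, suffix = split_hash(LEAKED)
    return "\r\n".join([
        "0" * 35 + ":0",       # padding entry, must be ignored
        f"{suffix}:42",        # constructed hit with a made-up count
        "not-a-valid-line",    # malformed line, must be ignored
    ])

if __name__ == "__main__":
    print(breach_count(LEAKED, fetch_range_sample))
```

Swap `fetch_range_sample` for `fetch_range_live` to query the real service; a non-zero count means the password appears in known breach data and should be rotated.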
8. Making Employees Part Of The Hunting Effort
Phishing emails, lack of cybersecurity training and poor user practices are the top three root causes of ransomware attacks. If employees are trained well in spotting and reporting suspicious activities, they can play an important role in threat hunting. But getting employees to take compliance training once a year is not enough. Security teams need to constantly remind users with messages like, “Don’t pick up USB drives in the parking lot and plug them in. Don’t respond to people you don’t know. If you receive an odd request from somebody that you do know, call the person to verify its legitimacy.”
As cybersecurity defenses mature, so will attack tactics and techniques. The only way organizations can have a fighting chance is by stopping threats in their tracks through proactive threat hunting.
This article was originally posted on Forbes Technology Council