Front-line Data on Defending Against Ransomware
According to new data released by Microsoft, digital threat activity in 2022 reached a new all-time high. Driven by lucrative ransoms, password attacks have soared to an estimated 921 attacks every second. That represents a 74% year-over-year increase. The credentials gained in these attacks are critical to success in ransomware attacks. Unlike malware attacks, ransomware generally requires that the cybercriminals gain access to a highly privileged user account such as a Domain Administrator.
In Microsoft’s 2022 Digital Defense Report, front-line data from Microsoft’s response engagements revealed that weak identity controls topped the list of contributing factors in successful attacks, followed by ineffective security operations and data protection strategy. Ransomware attacks carried out by advanced persistent threats (APT) or human operators continue to grow in complexity. They rely on credential theft and, ultimately, on the ability to move laterally through a network as the attackers piece together the permissions and resources needed to complete their campaign. These attacks generally end up compromising identity systems such as Active Directory (AD). Gaining control of the identity system allows the attacker to steal additional credentials, modify permissions, access secure systems, and remain undetected.
Protecting against these attacks requires implementing directory system security best practices. Misconfigurations in these systems weaken the security posture and give attackers a critical path to escalate the breach. Credential attacks can be further thwarted by implementing phishing-resistant MFA. In Microsoft’s findings, 88% of the engagements they responded to did not have MFA implemented for sensitive and highly privileged accounts.

Identity controls were also lacking in Microsoft’s findings, with administrators across 84% of organizations not implementing privileged identity controls such as just-in-time access to prevent the continued use of compromised accounts. Just-in-time (JIT) security controls provide elevated, granular privileged access to an application or system for the duration of a necessary task. JIT provisions secure access when it is needed and reduces standing access to resources.

Further protection against human-operated ransomware comes from implementing least privilege access and using privileged access workstations (PAW). In Microsoft’s findings, none of the affected organizations implemented proper administrative credential segregation and least privilege access principles. A PAW provides increased security for IT administrators working with servers and applications that pose a higher risk if compromised. Dedicated PAWs cannot be used for high-risk activities such as web browsing, email, and other controlled applications, which further protects them from exploitation.
The 2022 Digital Defense Report also revealed significant security gaps in security operations, tooling, and IT asset lifecycle management across organizations impacted by ransomware.
- 68% of organizations did not have an effective patch management process
- 60% of organizations had no use of an Endpoint Detection and Response (EDR) tool
- 60% did not invest in Security Information and Event Management (SIEM) technology
- 84% of impacted organizations did not enable integration of their multi-cloud environment into their security operations tooling
- 76% lacked an effective response plan
Cybercrime as a service (CaaS) is a growing and evolving threat to organizations worldwide and will continue to drive an increase in corporate attacks. In 2022, the Microsoft Digital Crimes Unit (DCU) observed continued growth of the CaaS ecosystem, with an increasing number of online services facilitating various cybercrimes, including human-operated ransomware. Phishing, which is the origin of many incidents, continues to be a preferred attack method because cybercriminals can extract significant value from stealing account credentials and selling the resulting access.
Fortunately, cyber defense systems and best practices have kept pace with the latest attacks. If you are ready to take the next step in ensuring your critical data and infrastructure remain available to support your business, contact us. We’re here to help.