
5 Things I Learned from the Ransomware Detection and Response Virtual Summit

Ransomware is not a new threat, but it is constantly evolving. Even if you’ve been involved in cybersecurity for years, it's essential to stay abreast of new trends, challenges, and approaches to detecting, investigating, and responding to attacks. I recently had the opportunity to take part in Trellix’s Ransomware Detection and Response Virtual Summit, and I wanted to offer a recap of key points for anyone involved in protecting an organization against ransomware attacks (if you missed the Summit, it’s available for on-demand viewing now).

1. The best defense for any variant of ransomware is to have layered visibility and controls at as many vectors as possible.

No single control point provides ransomware protection. Email remains the most exploited initial access vector, but strong endpoint, network and especially data protection controls are also necessary in the current ransomware landscape.

Layering controls is the first step; the second is linking those controls together through integrations. Security silos are not effective enough on their own: they benefit from sharing the data, information and analysis that span them. Integrations not only enable a more complete view of a threat, they also enable a coordinated response once a specific ransomware variant has been convicted and response actions are required.

This is where XDR (extended detection and response) proves so valuable in the fight against ransomware. XDR unites data from multiple tools, giving you visibility across your environment and streamlining analysis. It creates multi-vector detections and prioritizes alerts for your SOC. You can get a first-hand look at how the Trellix XDR Platform accelerates ransomware detection and response in this video.

2. Know thy enemy. Double extortion, multiplatform threats, intermittent encryption and more – ransomware threat actors are innovating fast, and we need to react and respond in kind.

The sophistication of today's threat actors means that no part of the environment can be assumed safe. Mapping observed adversary activity to the MITRE ATT&CK matrix is an invaluable exercise, and technologies that visualize ATT&CK coverage make it easier to see which parts of the security architecture need to be built or enhanced.

Of particular importance is understanding the tooling that threat actors use. Because living-off-the-land binaries (LOLBins) are so prevalent in ransomware campaigns, it is critical to inventory and risk-rate the legitimate tools in your environment that an attacker could abuse. Cross-referencing what is known to be deployed, and how it is normally used, against observed threat actor activity establishes a baseline from which unusual or malicious behavior can be detected.
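One way to turn that baseline idea into detection logic, written here as an added example rather than code from the Trellix post or its products: record which parent processes normally launch each LOLBin on each host during a known-good period, then flag later executions that appear on a host where the binary was never seen, come from an unexpected parent, or carry arguments associated with ransomware staging (shadow copy deletion, boot recovery disablement, encoded PowerShell). The event schema, the abuse-pattern list and the log lines are all constructed for illustration; real telemetry would come from EDR or Sysmon process-creation events.

```python
"""Baseline-and-deviate detection for living-off-the-land binaries (LOLBins).

Added example, not code from the original post. Process events use a
simplified dict schema (an assumption); the abuse patterns are a starting
point to tune, not an authoritative list.
"""
import re
from collections import defaultdict

SEVERITY = {"low": 0, "medium": 1, "high": 2}

# Command-line fragments that indicate abuse rather than administration.
# Patterns are lowercase because command lines are lowercased before matching.
LOLBIN_ABUSE_PATTERNS = {
    "vssadmin.exe": [r"delete\s+shadows"],
    "wmic.exe": [r"shadowcopy\s+delete", r"process\s+call\s+create"],
    "bcdedit.exe": [r"recoveryenabled\s+no", r"bootstatuspolicy\s+ignoreallfailures"],
    "wbadmin.exe": [r"delete\s+catalog"],
    "certutil.exe": [r"-urlcache", r"-decode"],
    "bitsadmin.exe": [r"/transfer"],
    "powershell.exe": [r"-enc(odedcommand)?\s", r"downloadstring", r"-nop\b"],
}

# Constructed known-good period: what normally launches each LOLBin per host.
BASELINE_EVENTS = [
    {"host": "admin01", "image": "vssadmin.exe", "parent": "cmd.exe", "cmdline": "vssadmin.exe list shadows"},
    {"host": "admin01", "image": "powershell.exe", "parent": "explorer.exe", "cmdline": "powershell.exe Get-Service"},
    {"host": "ws01", "image": "powershell.exe", "parent": "explorer.exe", "cmdline": "powershell.exe Get-Process"},
]

# Constructed live events to score against the baseline.
LIVE_EVENTS = [
    {"host": "ws01", "image": "powershell.exe", "parent": "explorer.exe", "cmdline": "powershell.exe Get-Process"},
    {"host": "ws01", "image": "powershell.exe", "parent": "WINWORD.EXE",
     "cmdline": "powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA"},
    {"host": "srv-db01", "image": "vssadmin.exe", "parent": "cmd.exe", "cmdline": "vssadmin.exe delete shadows /all /quiet"},
    {"host": "admin01", "image": "vssadmin.exe", "parent": "cmd.exe", "cmdline": "vssadmin.exe list shadows"},
    {"host": "srv-fs01", "image": "bcdedit.exe", "parent": "cmd.exe", "cmdline": "bcdedit /set {default} recoveryenabled No"},
]


def build_baseline(events):
    """Map (host, image) -> set of parent images observed in the known-good period."""
    baseline = defaultdict(set)
    for ev in events:
        baseline[(ev["host"], ev["image"].lower())].add(ev["parent"].lower())
    return baseline


def score_event(ev, baseline):
    """Return (severity, reason) findings for one process-creation event."""
    image, parent, cmd = ev["image"].lower(), ev["parent"].lower(), ev["cmdline"].lower()
    findings = []
    if image not in LOLBIN_ABUSE_PATTERNS:
        return findings  # not a tracked LOLBin; nothing to baseline against
    known_parents = baseline.get((ev["host"], image))
    if known_parents is None:
        findings.append(("medium", f"{image} never seen on {ev['host']} during baseline"))
    elif parent not in known_parents:
        findings.append(("medium", f"{image} spawned by unexpected parent {parent}"))
    for pattern in LOLBIN_ABUSE_PATTERNS[image]:
        if re.search(pattern, cmd):
            findings.append(("high", f"{image} matched abuse pattern {pattern!r}"))
            break
    return findings


def detect(events, baseline):
    """Score a stream of events; return only those with findings, tagged with max severity."""
    alerts = []
    for ev in events:
        findings = score_event(ev, baseline)
        if findings:
            alerts.append({"event": ev, "findings": findings,
                           "severity": max((f[0] for f in findings), key=SEVERITY.get)})
    return alerts


if __name__ == "__main__":
    for alert in detect(LIVE_EVENTS, build_baseline(BASELINE_EVENTS)):
        print(alert["severity"].upper(), alert["event"]["host"], alert["findings"])
```

The two signals deliberately compound: a LOLBin from an unexpected parent is worth a medium-severity look on its own, but the same binary carrying a known destructive argument is what an analyst should see first. Administrative use that matches the baseline (the `list shadows` run on `admin01`) produces no alert, which is the point of baselining rather than blocking the binary outright.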

3. Detecting ransomware early means having good operational threat intelligence.

Understanding the threat actor landscape is a daunting task, but threat intelligence makes it easier. Seeing the most prevalent campaigns surfacing in a geography or vertical, or being aimed directly at my own organization, is critical to knowing how to react and respond.

Operationalizing threat intelligence is more than collecting information. Putting it into action for ransomware defense means having visibility across the IT estate and correlating indicators from multiple telemetry sources. Threat intelligence raises the confidence of observed events and gives them context, and the ability to "stitch together a story" from seemingly disparate events through an analysis layer such as XDR makes that intelligence more valuable still.
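To make the "stitch together a story" point concrete, here is an added example (not code from the post or from any Trellix product) of the correlation step: indicators from a feed are matched against normalized events from four telemetry sources, then grouped per host and campaign within a time window, with confidence rising as more independent sources corroborate the same campaign. The indicator feed, the hash value and the event records are constructed for illustration; the confidence formula (best feed score plus 10 points per additional corroborating source) is an assumption to be tuned, not a standard.

```python
"""Correlate threat-intel indicators across telemetry sources into a per-host story.

Added example, not code from the original post. Feed entries and events are
constructed; a real deployment would read both from a TIP and a SIEM/XDR store.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed feed: indicator value -> (type, campaign, feed confidence 0-100).
FAKE_HASH = "d41d8cd98f00b204e9800998ecf8427e00000000000000000000000000000000"  # constructed
INTEL = {
    FAKE_HASH: ("sha256", "LockRansom-Q3", 90),
    "update-cdn-status.example": ("domain", "LockRansom-Q3", 70),
    "203.0.113.45": ("ipv4", "LockRansom-Q3", 60),
    "mail-relay-check.example": ("domain", "OtherLoader", 40),
}

# Constructed events already normalized to {ts, source, host, indicator}.
EVENTS = [
    {"ts": "2023-10-02T08:01:10", "source": "email", "host": "ws-finance-07", "indicator": FAKE_HASH},
    {"ts": "2023-10-02T08:03:42", "source": "dns", "host": "ws-finance-07", "indicator": "update-cdn-status.example"},
    {"ts": "2023-10-02T08:03:44", "source": "firewall", "host": "ws-finance-07", "indicator": "203.0.113.45"},
    {"ts": "2023-10-02T08:04:05", "source": "edr", "host": "ws-finance-07", "indicator": FAKE_HASH},
    {"ts": "2023-10-02T09:00:00", "source": "dns", "host": "ws-hr-02", "indicator": "intranet.corp.example"},
    {"ts": "2023-10-02T11:30:00", "source": "dns", "host": "ws-hr-02", "indicator": "mail-relay-check.example"},
]


def match_indicators(events, intel):
    """Enrich events whose indicator appears in the feed; drop the rest."""
    hits = []
    for ev in events:
        ioc = intel.get(ev["indicator"])
        if ioc:
            hits.append({**ev, "ioc_type": ioc[0], "campaign": ioc[1],
                         "feed_conf": ioc[2], "time": datetime.fromisoformat(ev["ts"])})
    return hits


def _cluster_by_window(hits, window):
    """Split time-sorted hits into clusters whose span does not exceed `window`."""
    clusters, current = [], [hits[0]]
    for h in hits[1:]:
        if h["time"] - current[0]["time"] <= window:
            current.append(h)
        else:
            clusters.append(current)
            current = [h]
    clusters.append(current)
    return clusters


def stitch_story(hits, window=timedelta(hours=1)):
    """Group enriched hits by (host, campaign) and time window; score by corroboration."""
    groups = defaultdict(list)
    for h in sorted(hits, key=lambda h: h["time"]):
        groups[(h["host"], h["campaign"])].append(h)
    stories = []
    for (host, campaign), hs in groups.items():
        for cluster in _cluster_by_window(hs, window):
            sources = sorted({h["source"] for h in cluster})
            # Assumed scoring: strongest feed score, +10 per extra independent source, capped at 100.
            confidence = min(100, max(h["feed_conf"] for h in cluster) + 10 * (len(sources) - 1))
            severity = "high" if len(sources) >= 3 else "medium" if len(sources) == 2 else "low"
            stories.append({"host": host, "campaign": campaign, "sources": sources,
                            "confidence": confidence, "severity": severity,
                            "first_seen": cluster[0]["ts"], "last_seen": cluster[-1]["ts"]})
    return sorted(stories, key=lambda s: -s["confidence"])


if __name__ == "__main__":
    for story in stitch_story(match_indicators(EVENTS, INTEL)):
        print(story["severity"].upper(), story["host"], story["campaign"], story["sources"], story["confidence"])
```

A single DNS lookup of a low-confidence domain on `ws-hr-02` stays a low-severity lead, while the finance workstation, where an email attachment hash, a DNS lookup, an outbound connection and an endpoint file write all map to one campaign inside a few minutes, surfaces at the top as the incident to work first. The story carries its first and last timestamps so the responder knows the window to scope.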

4. Ransomware victims are organizations of all sizes and verticals.

Ransomware does not discriminate. In our research it was not necessarily the largest companies who were the most targeted victims. More often it was smaller enterprises, with revenues in the $10 million to $250 million range, which are more likely to have a small security team. Threat actors have a greater likelihood of success at this level because of staffing shortages and gaps in the defensive architecture.

Because smaller organizations are likely to have less staff and budget to deal with ransomware and other threats, it is critical to learn from what works. Sourcing knowledge of techniques, processes and architectures that have been deployed successfully elsewhere makes it easier to decide what to focus on first. Best practices, reference architectures and journey maps are valuable assets for mapping your own path forward.

Over the last few months, I’ve presented at a number of in-person Ransomware Detection and Response Workshops to help participants identify gaps in their responses and address how they can build ransomware resilience. You can check out our Events page to learn more about upcoming workshops and other in-person opportunities to learn how to put best practices into action.

5. Ransomware is cyclical.

Threat actors introduce new variants of a ransomware family, or change their business model and adopt Ransomware as a Service (RaaS) to spread their tooling to affiliates. Just because a campaign has recently dropped off in prominence does not mean it will not return. We have seen the rise, fall and rise again of threats such as Emotet and Ryuk, so building defenses that provide visibility and preventative measures across as broad a range of ransomware attacks as possible is critical.

Because of the cyclical nature of ransomware, a feedback loop and regular introspection of control capabilities needs to be part of the plan. The extremely damaging aspects of ransomware reinforce the need for a process of continuous improvement, perhaps more than any other use case in the current cyber landscape.

We will be taking a deeper dive into putting best practices into action at the upcoming Ransomware Detection and Response Virtual Showcase on November 15 in the Americas and November 16 in EMEA and APJ. I hope you’ll join us virtually to learn more about how you can stay one step ahead of attackers.
