Cyberattacks are not magical events.
Logic is used to breach and navigate through environments. For security teams, this is good news.
It means that same logic can be applied to security in order to proactively defend against attacks.
In this article, we'll cover this logic in the context of ransomware.
There are many ways an attacker can take over an environment.
But not an infinite number.
In fact, in nearly all* ransomware events, at least one of three security gaps is present.
*There is no data on the exact percentage. In a recent conversation with an expert involved in over a thousand ransomware cases, he believed it to be 100%.
There is a misconception that once an attacker breaches an environment, it’s game over.
In reality, there are multiple steps. In the case of ransomware, the steps leading to a takeover can be distilled into three primary activities:
Initial access: Social engineering and vulnerabilities are a couple of examples of the many ways an attacker can breach an environment.
Escalation: An attacker will escalate privileges, or control, in a network using identities (e.g. Active Directory misconfigurations; overly permissive user accounts).
Encryption: Once an attacker has escalated to the necessary privileges, they can then deploy the ransomware, encrypting the victim's data until the ransom is paid.
Think of your network as an escape room.
But rather than exiting, the goal is to get to the control room (domain admin). To do this, an attacker will search for information in a network, leverage that information to get more information (escalate privilege), and continue doing this until they have total network control.
By understanding the access and escalation points in a network, security teams can efficiently remove the attack paths leading to the most critical assets.
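As an added illustration of the escape-room model (example code written for this article, not ShieldCyber's tooling), the snippet below treats identities and hosts as a graph, enumerates every path from a phished user to the Domain Admins group, and reports the relationships that sit on all of those paths, which are the cheapest ones for a defender to remove. Every node name and relationship is constructed sample data.

```python
from collections import Counter

# Constructed sample graph, not a real environment: (source, relationship, target).
# MemberOf: principal is in a group. AdminTo: principal is local admin on a host.
# HasSession: that user's credentials are resident on the host.
EDGES = [
    ("alice", "MemberOf", "HelpDesk"),
    ("HelpDesk", "AdminTo", "WS01"),
    ("HelpDesk", "AdminTo", "WS02"),
    ("WS01", "HasSession", "bob"),
    ("WS02", "HasSession", "bob"),
    ("bob", "MemberOf", "ServerOps"),
    ("ServerOps", "AdminTo", "SRV01"),
    ("SRV01", "HasSession", "da_admin"),
    ("da_admin", "MemberOf", "Domain Admins"),
    ("carol", "MemberOf", "Domain Admins"),
]

def build_graph(edges):
    """Adjacency list: node -> [(relationship, neighbour), ...]."""
    graph = {}
    for src, rel, dst in edges:
        graph.setdefault(src, []).append((rel, dst))
    return graph

def find_paths(graph, start, target):
    """Enumerate every simple path from start to target (depth-first)."""
    paths = []
    def walk(node, path, seen):
        if node == target:
            paths.append(path)
            return
        for rel, nxt in graph.get(node, []):
            if nxt not in seen:
                walk(nxt, path + [(node, rel, nxt)], seen | {nxt})
    walk(start, [], {start})
    return paths

def choke_points(paths):
    """Edges shared by every path: removing any one of them cuts the foothold
    off from the target entirely, so they are the highest-value fixes."""
    if not paths:
        return set()
    return set.intersection(*(set(p) for p in paths))

if __name__ == "__main__":
    g = build_graph(EDGES)
    paths = find_paths(g, "alice", "Domain Admins")
    print(f"{len(paths)} path(s) from alice to Domain Admins")
    for src, rel, dst in sorted(choke_points(paths)):
        print(f"  remove/review: {src} -{rel}-> {dst}")
```

Edges that appear on only some paths (here the two HelpDesk workstations) still matter, but fixing a shared edge such as bob's ServerOps membership closes every route at once.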
To learn how you can defend from the perspective of an attacker, book a demo at https://www.shieldcyber.io/.