Unless you’ve been on a quiet sabbatical or otherwise offline and not watching the news for the last year or so, it’s been the talk of the town. Ransomware is one of those recent topics that has left cybersecurity circles to hit the public consciousness. It’s been all over the media, the Twitters, and featured weekly in just about every security company’s blog, including our own most recent Q2 report.
I’ve answered more questions about ransomware this year with non-IT friends, casual acquaintances, and even my mom, than I’ve ever even talked about my job. It’s a threat that’s not going anywhere, and based on the number of articles we’ve written and webinars we’ve attended, it’s still a very hot topic and will likely continue to be until criminals figure out another way to make more money in a less extortion-y way.
It’s a pretty bleak picture, or at least it seems to be. Blue teams are constantly under siege, and much like the movie “300”, attackers are throwing everything they’ve got at the embattled security Spartans holed up in their SOCs. Attackers, like Xerxes’ army, have more time, resources, and initiative than ever. Meanwhile, companies are losing millions in payments to attackers and costs of incident response.
We’ve seen businesses slow to a crawl or get stopped dead in their tracks in the wake of an incident. Not to mention, we’ve all seen the effects of the media fallout and speculation more than a few times, as well as the impact on the public. The good news is: there’s a way forward, but it’s going to take the strength of a phalanx to do it.
Outside of a few offhand references to the movie “300”, we’ll spare the in-depth history lessons on tactics and specific groups for another time (plus we already have some great blogs on the topic).
On this go-round, let’s focus on what today’s reality is, some general things to think about in the fight against ransomware, and how to reduce your risk. Some of you may be first-time visitors, so there will be some 101-level things we’ll talk about, but also cover some more advanced topics as well.
Through the first half of 2021, we’ve seen a number of groups appear on the scene and another group of them disappear, reappear, or rebrand. The tactics have changed over the years, evolving from targeting individuals and small businesses to going after large corporations and other big businesses, as criminals seek larger payouts and more public impact. These days it’s not only a question of encrypting data and holding the decryption key (and your data) for ransom, but also if the public disclosure of your data is worth the price.
A large number of threat actors in the ransomware scene are growing more professionalized and operating with unprecedented levels of technical expertise (and maybe even some business acumen). Some of these groups often perform due diligence and choose victims carefully; on the other hand, you also have your criminal groups who target companies and individuals indiscriminately. Motivations for one actor may not be the same for another actor, but there’s usually always a financial angle. They may find their way in via myriad means, but historically, it’s all of the usual suspects: exploited vulnerabilities and social engineering, with a side of luck and/or preparation.
Look, we get it, it’s hard to defend against the unknown, and sometimes even knowing leads to decision paralysis. Which vulnerabilities do you tackle first, and which ones are the most dangerous, i.e., in this case, what causes you to fall victim to ransomware? And that doesn’t even take into account all of the other possibilities when it comes to vulnerabilities.
There are concerns with compliance, making sure you don’t brick an application when you upgrade or update a server, losing access, or any other second- or third-order effects from patching that can affect uptime, security, and cost. Sometimes it’s even a question of knowing exactly what assets you have and where they are, which can also be a struggle.
Several prominent ransomware actors target specific vulnerabilities, buy compromised accesses, use phishing attacks, or a combination of all of these to be successful. In light of this, it’s going to take a few different approaches to stay safe.
Patching, Updating, and Asset Management
This is a process that never ends. At a minimum, you should identify your most critical systems and assets, understand where those assets and your important data live, identify who has access, and develop processes around patch management. In addition to identifying the assets, a plan for regular backups and storage should be in place. If you’re looking for help to get started on the path of discovery, you can access our free asset discovery tool Orca here.
When vulnerabilities are announced publicly, pay attention to the CVSS scores. Although these scores do not always reflect how widespread exploitation of the vulnerability is, they do give a good idea of the relative ease of exploitation and the impact it may have. While you may not be able to patch right away, look at vendor recommendations to mitigate risk until a system is patched; but also remember to circle back and actually finish the patching.
It’s also a good idea to look at exposed services and ports, either through scanning, penetration testing, or a combination of these. Criminals such as initial access brokers specialize in selling compromised remote access, such as SSH, RDP, and VPN; while botnets and mass scanning techniques are able to hunt for vulnerable infrastructure at scale and in an automated manner.
Phishing Awareness Campaigns
Regardless of the threat, phishing will always be a way in. It’s been a hallmark of several ransomware campaigns, and there are likely a handful of ransomware groups actively using the method. We’ve talked about phishing before, but just as a refresher, it may take a combination of user training, anti-phishing tools and policy, and some process to fight it; hopefully layered among other security tools and incident response policies.
Mitigating Insider Threats
An interesting tactic that should be mentioned here is that there are criminal groups actively seeking insiders to help them gain access or provide other kinds of needed insider information. Whether it’s a result of financial reasons or something more sinister, the threat from insiders is real, and isn’t just the accidental URL click from a phish. Depending on the size of your organization it may mean looking into an actual insider threat capability, or developing processes shared among security teams, including cyber, fraud, legal, and physical security.
Unintentional insider threats may also mean leaving information exposed on the internet, such as credentials, keys, passwords, and even internal documents on public repositories, such as GitHub, or in other publicly accessible infrastructure, such as an AWS or SharePoint instance. All of these might help outsiders understand internal processes, network layouts, or allow access to different parts of your estate.
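The exposure described above (credentials, keys and passwords sitting in a public repository) is something a defender can check for before an outsider does. The following added example, which is not code from the original post or from ReliaQuest, scans file contents for the kind of material the paragraph lists: a pattern rule for AWS access key IDs and private-key blocks, plus a Shannon-entropy heuristic for high-entropy values assigned to variables named like secrets. The sample configuration, the rule set, and the entropy threshold are all constructed for the example; the AWS key shown is the documented `AKIAIOSFODNN7EXAMPLE` sample value, not a live credential.

```python
import math
import re
from dataclasses import dataclass

# Pattern rules for material that is a secret by its shape alone.
RULES = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH |DSA )?PRIVATE KEY-----"),
}
# Assignments to secret-looking names: captures the quoted value for the entropy check.
ASSIGNMENT = re.compile(
    r"""(?i)\b\w*(password|passwd|secret|token|api[_-]?key)\w*\s*[:=]\s*["']([^"']{8,})["']"""
)


@dataclass
class Finding:
    line_no: int
    rule: str
    snippet: str  # redacted so the report itself does not leak the value


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character; random tokens score high, words and repeats score low."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def redact(value: str) -> str:
    """Keep a short prefix so the finding can be located, drop the rest."""
    return value[:4] + "..." + f"({len(value)} chars)"


def scan_text(text: str, entropy_threshold: float = 3.5, min_len: int = 16) -> list:
    """Return findings for each line; the entropy rule only runs where no pattern rule fired."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        matched_pattern = False
        for name, pattern in RULES.items():
            for m in pattern.finditer(line):
                findings.append(Finding(line_no, name, redact(m.group(0))))
                matched_pattern = True
        if matched_pattern:
            continue
        for m in ASSIGNMENT.finditer(line):
            value = m.group(2)
            # Short or low-entropy values fall below the heuristic (a known blind spot:
            # weak human-chosen passwords will not trigger this rule).
            if len(value) >= min_len and shannon_entropy(value) >= entropy_threshold:
                findings.append(Finding(line_no, "high_entropy_assignment", redact(value)))
    return findings


# Constructed sample of a settings file that should never have been committed.
SAMPLE = """\
# settings.py (constructed sample, not a real config)
DEBUG = True
DB_PASSWORD = "changeme123"
AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
API_TOKEN = "q7Zp2vX9mK4rT1nB8cL6wJ3h"
-----BEGIN RSA PRIVATE KEY-----
MIIEexampleexample
"""

if __name__ == "__main__":
    for f in scan_text(SAMPLE):
        print(f"line {f.line_no}: {f.rule} -> {f.snippet}")
```

Run against a repository export or a pre-commit hook's staged diff, this kind of check catches the obvious cases; the entropy rule is deliberately conservative, so pair it with a rotation process for anything it does flag rather than treating a clean scan as proof nothing leaked.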
Threat intelligence is only a part of the overall defensive strategy, but can add context and other valuable information to the fight against ransomware. We have been tracking dozens of ransomware actors, their leak sites, as well as other criminal locations for years. We understand how they can gain access and may even have insight to vulnerable organizations they might be targeting. We are also constantly updating profiles and other information that could be valuable to your defenders.
If you’re curious about how SearchLight (now ReliaQuest’s GreyMatter Digital Risk Protection) can help shed light on ransomware and other threats, you can take it for a 7-day test drive, or contact us to schedule a demo and discuss your particular intelligence needs.