Ransomware attacks continue to become more sophisticated and aggressive: Vishak Raman, Fortinet

Dataquest spoke to Vishak Raman, Vice President of Sales, India, SAARC and Southeast Asia at Fortinet, to understand the threat landscape

Supriya Rai

October is Cybersecurity Awareness Month, dedicated to promoting online safety. The theme for Cybersecurity Awareness Month this year is “It's easy to stay safe online,” reminding users that there are plenty of simple ways to keep information and data secure. Against this backdrop, Dataquest spoke to Vishak Raman, Vice President of Sales, India, SAARC and Southeast Asia at Fortinet, to understand the threat landscape and the security posture an organisation should adopt to protect itself.

DQ: We have been hearing about a lot of cyber-attacks post-pandemic. However, what have you been witnessing?

Vishak Raman: While the first half of 2022 felt anything but ordinary, we continue to observe clever attackers relying on many familiar techniques and attacks, such as ransomware and process injection. However, while the security community may be familiar with many of the tactics and techniques being used by attackers, the unsettling news is that the frequency of these attacks is increasing, and the number of new variants associated with common attack vectors continues to grow.

Ransomware attacks continue to become more sophisticated and aggressive, with attackers introducing new strains and updating, enhancing, and reusing old ones. What’s especially troubling as we look at the first half of 2022 is that the number of new ransomware variants we identified increased by nearly 100% compared to the previous six-month period. Our FortiGuard Labs team saw 10,666 new ransomware variants, compared to just 5,400 in 2H 2021. This explosive growth in ransomware can be mainly attributed to Ransomware-as-a-Service (RaaS) becoming increasingly popular on the dark web. Cybercriminals are using subscription-model services and purchasing plug-and-play ransomware to achieve a quick payday.

FortiGuard Labs analyzed the functionality of detected malware to track the most common delivery approaches. In reviewing the top eight tactics and techniques, defense evasion tops the list, with many malware developers using system binary proxy execution to achieve their goal. Hiding malicious intentions is another top priority for malware developers, making the threat appear legitimate, giving it a better chance of going undetected by a security analyst.

Wiper malware data reveals a disturbing trend of cybercriminals using more destructive and sophisticated attack techniques – in this case, using malicious software that destroys data by wiping it. In the first six months of 2022, FortiGuard Labs identified at least seven significant new wiper variants used by attackers in various targeted campaigns against government, military, and private organizations. This number is important because it's nearly as many total wiper variants as have been publicly detected in the past 10 years. While we saw a substantial increase in the use of this attack vector in conjunction with the war in Ukraine, the use of disk-wiping malware was also detected in 24 additional countries.

Vishak Raman VP India SAARC and SEA at Fortinet

DQ: How have you been helping organisations cope with these attacks?

Vishak Raman: Computing at large enterprises is getting more distributed every day, expanding the attack surface and exposing corporate assets to an increasingly advanced threat landscape. At the same time, customers are demanding more robust digital services, putting pressure on application developers, network leaders, and cybersecurity professionals alike. Everything is accelerating, and enterprises must build a responsive computing environment that provides for richer customer experiences—and better business outcomes.

Simultaneously, the increase in the breadth and frequency of cyberattacks translates into more cyber risk for organizations, which means security teams need to be just as nimble and methodical as their adversaries. Outdated point-product approaches to security are insufficient, making integrated security solutions essential to combatting this proliferation of advanced and sophisticated attacks. Organizations need tools that can ingest real-time threat intelligence, apply AI to detect threat patterns and correlate massive amounts of data to detect anomalies, and automatically initiate a coordinated response across networks. This holistic approach to a cybersecurity mesh architecture allows for much tighter integration and increased automation, making it easier for security teams to coordinate quickly and respond effectively to threats in real time.

It is time to take a strategic, converged approach to security and networking. Successful CISOs will understand that when done strategically, security can create new opportunities to improve productivity, accelerate time to market, promote innovation and agility, and deliver on all the promises of digital transformation. When security and networking are put together, these benefits can only multiply.

DQ: What are the long-term implications of a cyber-attack on organisations?

Vishak Raman: The financial consequences of a data breach can vary based on several factors, including root causes, network size, and the type of data held by an organization. A breach can affect operations, the reputation, and the brand of an organization. Because of the operational and financial impact of a security breach as well as regulatory and government regulations, business leaders are now taking a more active role in understanding their security posture and readiness to respond to a cyber incident. Many organizations now have an understanding that information security is not just an IT or infosec issue. Instead, cyber risk is a risk to the business, hence it requires the attention of the executive team and the board.

Cyber insurance is growing as an industry, and it is because ransomware has become so prolific. Insurance can sound like an easy answer to the problem of ransomware. Getting insurance in order to pay a settlement if you fall victim to ransomware is a lot easier for boards to understand than going into the various reasons why your cybersecurity efforts aren't working to thwart attacks. Although it's good to have cyber insurance, it can make you more of a target for cybercrime. And beyond that, you're not transferring all of the risk to the insurance company. Yes, the insurance pays ransomware settlements, but it doesn't compensate you for the damage to your company reputation, intellectual property losses, or the reduction in sales from publishing your data publicly or contacting customers to tell them their data was compromised.

CISOs should play an active role in educating the executive team and the board about risks to the business that could result from a cyber breach, as well as about new regulatory requirements and customer expectations. They should also establish regular discussions about key programs and investments needed to prevent and respond in the event of a breach.

DQ: What must organisations do to protect themselves from cyber attacks?

Vishak Raman: Incident response consists of the policies and processes used to identify, contain, and eliminate an incident. As you add more technologies to your IT stack, you increase your attack surface. Simultaneously, digital transformation has eliminated the idea of a network perimeter since even people in your offices use a wireless connection. These changes make incident response more challenging.

Your incident response plan isn’t a “set and leave it” process. While your policy defines objectives and roles, you need to continually test and iterate your processes. Newer regulations and standards focus on training incident response teams regularly with tabletop exercises or red teaming. The more your team reviews and iterates the processes, the faster they can contain and eliminate an incident. Although each incident is different and the specifics are unpredictable, knowing how you plan to respond and continuously iterating the processes enables cyber resilience.

Training for All Employees: When regulations discuss employee training, they usually specify that training must be related to an employee’s role and responsibilities. For example, business-level employees need awareness training that tells them how to identify phishing attacks. However, your security analysts already know what a phishing email looks like. They need training that helps them detect anomalous behaviour in systems and networks so that they can investigate, contain, and eliminate threats faster. By providing meaningful training through tabletop exercises and red teaming, you give them an opportunity to learn based on their job function.

Identify and Optimize Your Data with AI: As you increase your attack surface, you add more tools. At each attack vector, your security analysts get alerts all day long, leading to alert fatigue. To overcome information overload, you must optimize your security data, so that your teams have high-fidelity alerts. Further, you need to do this before an incident occurs because your analysts won’t have time while they’re responding to one. When you use automation and artificial intelligence, you enable your security analysts by identifying the most important security data and streamlining response activities. It becomes a force multiplier. Network detection and response (NDR) with self-learning artificial intelligence (AI) is helpful to better detect intrusions.

Maximize the Benefits of SOC and NOC: Today, you need to converge security and networking, enabling them to work together. The SOC is the center of your defensive security program, a centralized location where your security analysts monitor systems and networks to detect an incident. When you converge security and networking, your SOC has the necessary visibility into the activity that indicates abnormal access or data exfiltration.

The NOC is the center of your network health and performance, overseeing infrastructure and equipment, wireless systems, databases, firewalls, network devices, and connectivity. They ensure that your systems remain available. When you converge security and networking, you ensure that the NOC can focus on network outages related to their duties instead of starting an investigation that is really a security incident that they need to transfer to the SOC. By providing the SOC and NOC with the same data, they can focus on their tasks, ultimately ensuring enhanced availability and security.

Have a Vulnerability Mitigation Plan: Software vulnerabilities remain an attack vector. Adversaries pivot their methodologies in the aftermath of a new vulnerability announcement, often within hours or days. To enhance security and reduce security analyst overload, installing security updates as quickly as possible is critical. In addition, another way to detect threats earlier that are relevant to your organization is by using a digital risk protection service (DRPS). Such a service can monitor an organization’s external attack surfaces to discover unknown/known vulnerable internet-facing assets that can be used by attackers. It can also monitor the dark web, underground and invite-only adversary forums, and open-source intelligence (OSINT) forums, to discover leaked credentials/data that are up for sale.

All of this can help an organization take action earlier and faster on imminent cyber threats.

DQ: Kindly highlight the top observations/trends of the evolving cybersecurity landscape.

Vishak Raman: An evolving threat landscape, an ongoing cybersecurity skills gap and the explosion of the edge with work-from-anywhere (WFA) mean traditional network and security architectures no longer work for today’s digital business. Organizations require a hybrid approach that converges networking and security to be able to reduce complexity, while securing and connecting hybrid and remote users to advanced security with superior performance.

Two key market and industry trends, convergence and consolidation, are key drivers of the security market's long-term growth. Traditional network and security architectures, especially rigid systems hidden behind a permanent perimeter, no longer work. The explosion of edge and cloud computing, combined with the rapid transition to work-from-anywhere, requires a hybrid approach that converges networking and security. This enables the agility that today's organizations require.

We are at the forefront of networking and security convergence, empowering our customers to reduce complexity while maintaining superior performance. Making this happen requires the consolidation of vendors and technologies. Organizations don't just need fewer vendors to manage but also the consolidation of product functionality. The most effective approach is consolidating point products into a unified cybersecurity platform. Fortinet's innovation strategy, led by our in-house engineering and development teams, allows us to maximize this trend towards convergence and consolidation for our customers and partners. For example, the Fortinet Security Fabric mesh platform is designed to provide consistent security for organizations, delivering broad, integrated, and automated protection across multiple edges, from endpoints to data centers and across hybrid cloud environments.