How ransomware changed the face of cybersecurity

In a popularity contest for cyberattacks, Ransomware would definitely win and its (bad) reputation among the general public is well deserved. Ransomware is probably the type of attack that had the most significant influence on the cybersecurity industry in the last 10 years. Here is why.

The Prevalence

Compared to other classes of attacks – like common malware, brute force attacks, and many others – ransomware, as we know it today, is a rather new type of attack. Although early forms have existed since 1989 (AIDS Trojan), ransomware really took off after 2010. CryptoLocker, in 2013, is one of the early ransomware “stars”.

You may wonder: Why is it so successful? Are the affected devices unprotected? Most of them have at least some form of protection. So, why did the endpoint security solutions (aka Antiviruses) fail to defend the devices? Ransomware was, and to some extent still is, difficult to identify. Over time, attackers have used ransomware components in conjunction with other threat vectors, like phishing or worm behaviors, to affect a wide variety of victims, from large groups of victims worldwide (WannaCry) to very specific industries and geographies (NotPetya).

The Psychology

Leaving the tangible economic damages aside, Ransomware has a particularity: a special psychological impact on people. While other classes of attacks can have more costly consequences, there is something unique about having the computer that you own or operate encrypted and locked in front of your own eyes. It is a form of terrorism.

The fear of losing access to your lifetime digital photos, for example, is something that everyone can relate to. In the last 10 years, the people and businesses that desperately asked me for help were almost exclusively victims of ransomware attacks. And in most cases, there was nothing to be done, except for paying the ransom. But, unfortunately, paying the ransom doesn’t guarantee the recovery of data.

The Long Tail

Ransomware affected cybersecurity but had an impact on other industries too. One of the big issues when asking for a ransom is how to get paid and get away with it. Bank transfers are complicated and traceable, while cash payments are risky and impractical. The answer to the problem has a very well-known name: Bitcoin. Transactions with cryptocurrencies, unregulated and far more difficult to trace, are a key enabler of ransomware’s global “success”. On the other hand, ransomware also contributed to the rise of Bitcoin by generating demand. While cryptocurrencies gained popularity due to many legitimate use cases, the need for untraceable money transfers, generated by illegal activities, pushed the crypto market to higher valuations.

What to do?

Chances are, despite all the efforts of law enforcement agencies and security solution providers, ransomware will be with us for years to come. So, how can you, as an individual or an organization, avoid becoming a victim? There is no simple answer to the question, but there are proven strategies to reduce the risk of being infected with ransomware and, if you are, to limit the damage.

First, and I cannot emphasize this enough, do yourself a favor and back up your data! And do that regularly. Backups enable you to restore the data encrypted by ransomware but are also great from many other perspectives: hardware failures, lost or stolen devices, and even accidental deletion or unintentional modification of data.

Second, mind the clicks! We are flooded with emails and that lowers our alertness. But educate yourself, your loved ones, or your employees to think before clicking links. User awareness is one of the key tactics against all sorts of cyber threats, not only ransomware.

Third, use a good prevention-based endpoint security solution! There is a lot of hype around threat detection and incident response these days. But ransomware is a class of fast-evolving attacks that leaves little time to react. Your automated security solution will be the second line of defense (second to user awareness).

If you are looking for a comprehensive approach to dealing with the risk of ransomware infection, here are some good starting points: the Mitigating malware and ransomware attacks guide from the UK’s NCSC and the Stop Ransomware resources from CISA.

Security Architecture considerations for Cyber Resilience – why threat prevention is important

In an earlier blog this year, I compared the concepts of cybersecurity and cyber-resiliency, arguing that the main difference between the two is one of perspective. Cybersecurity is centered on the idea that attacks can (and should) be prevented, while cyber-resilience acknowledges that some attacks will go through, and that organizations must prepare to deal with the consequences quickly and effectively. Many examples in recent years demonstrate that increasingly sophisticated attacks cannot be prevented 100% of the time. This reality has generated a strong emphasis on detection and response tools in our industry, to the detriment of advanced prevention capabilities. But should we give up on prevention so quickly? Definitely not.

To make sure we are all on the same page, Prevention refers to a broad range of approaches, technologies, and tools with the main purposes of a) reducing the options an attacker has and b) detecting malicious actions before they inflict damage on an organization. A few examples of prevention layers are: firewalls, file/disk encryption, patch management, anti-malware, exploit defense or sandboxing. These technologies can be implemented at various levels in the infrastructure. At the network level, the best-known prevention tools are Next-generation Firewalls and Intrusion Prevention Systems (IPS). At the endpoint level, the best known are Next-generation AV or Endpoint Protection Platforms (EPP).

In this blog I will review the key role of prevention elements for both the efficiency and the effectiveness of the overall security architecture. I don’t want to minimize the value of other security capabilities, like incident response tools and processes, but I do want to emphasize that prevention is a key pillar of cyber-resilience and should not be overlooked even if we assume “not if but when you will be breached”.


I often say this, but it bears repeating: To understand the value of Prevention, first turn it off. The best way to explain the contribution of Prevention technologies to cyber defense is by contrasting it to a Detection and Response (D&R) only approach. For D&R to be effective, besides technology, an organization needs trained security operations staff and well-defined processes in place. There are plenty of examples where an Endpoint Detection and Response (EDR) solution detected suspicious activity and generated alerts, but there was not (enough) trained staff to analyze the incident in due time. That allowed adversaries to operate undisturbed for extended periods of time. If any of the elements of the triad (technology, people and processes) is not performing, the effectiveness of the D&R is affected.

By contrast to D&R, Prevention is automated. Statistically, effective prevention layers are capable of stopping over 99% of all threats (common and advanced) in a fully automated way. Prevention relies on technology alone and, with few exceptions, is a “set-and-forget” element. For example, an EPP solution requires only typical IT admin skills to install and very little assistance while in operation. Because of its automated nature, Prevention is a key contributor to cyber defense efficiency. Imagine a scenario where all security threats, either simple or complex, require the attention of a dedicated security team. This is the worst nightmare of any IT leader who doesn’t have such a dedicated team, and it can be overwhelming even for experienced security analysts. An accurate and effective Prevention solution will enable security teams to focus only on sophisticated threats and cyber-attacks that truly require skilled human attention.


While efficiency is important, the effectiveness of any security solution is paramount. Long gone are the days when Prevention-based solutions relied only on signatures of known attacks to detect threats, a method that leaves them vulnerable to unknown attacks or zero-day threats. Today’s Prevention employs an extensive set of advanced technologies that are highly effective in detecting the entire range of cyber threats, including attacks never seen before. Some of these technologies are shared with D&R, with the key difference between the two categories being the threshold for detection confidence. When dealing with ambiguous situations, security solutions calculate a “behavior” score that represents the detection confidence. When the detection confidence level is below a predefined threshold, suspicious actions will require an analyst to investigate; but when confidence is above the threshold, the solution is certain enough that the activity is malicious and can block it automatically.

The automated nature of Prevention is not only important for increasing efficiency, but also for the effectiveness of the overall security architecture. There are classes of attacks where immediate response is critical for limiting the impact. The best example is ransomware. When dealing with a ransomware attack, seconds truly matter. There is little value in getting an alert about an ongoing ransomware attack if it takes many minutes, hours, or even days until someone can investigate the threat. The risk of great harm being done in such cases is significant. Instead, Prevention layers will detect and respond in a matter of seconds or less, minimizing the effects of a fast-evolving attack.
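To make the behavior-score-and-threshold idea from the two paragraphs above concrete, here is an added example (not code from the post or from any vendor's product): a toy scorer that rates one process's file activity and maps the score onto three tiers, silently allow, alert for an analyst, or block automatically. The indicators, weights, thresholds and sample events are all constructed for illustration.

```python
import os
from dataclasses import dataclass

# Hypothetical weights and thresholds (assumptions for this example, not any vendor's values).
W_FILE, CAP_FILE = 2, 30      # each distinct file touched
W_EXT, CAP_EXT = 5, 50        # each rename that changes the file extension
W_DIR, CAP_DIR = 10, 20       # each additional directory touched
ALERT_THRESHOLD = 40          # at/above: suspicious, an analyst must investigate
BLOCK_THRESHOLD = 80          # at/above: confidence high enough to block automatically


@dataclass(frozen=True)
class Verdict:
    score: int
    action: str   # "allow", "alert" or "block"


def _ext_changed(old: str, new: str) -> bool:
    """True when a rename swaps the file extension (e.g. .docx -> .locked)."""
    return os.path.splitext(old)[1].lower() != os.path.splitext(new)[1].lower()


def behavior_score(events) -> int:
    """Score one process's file events: (op, path, new_path).
    op is 'write' or 'rename'; new_path is None unless op == 'rename'.
    Each indicator is capped so no single signal dominates the score."""
    files, dirs, ext_changes = set(), set(), 0
    for op, path, new_path in events:
        files.add(path)
        dirs.add(os.path.dirname(path))
        if op == "rename" and new_path and _ext_changed(path, new_path):
            ext_changes += 1
    score = min(W_FILE * len(files), CAP_FILE)
    score += min(W_EXT * ext_changes, CAP_EXT)
    score += min(W_DIR * max(len(dirs) - 1, 0), CAP_DIR)
    return score


def decide(events) -> Verdict:
    """Map the confidence score onto the prevention / detection split."""
    score = behavior_score(events)
    if score >= BLOCK_THRESHOLD:
        return Verdict(score, "block")    # Prevention: automated, no human in the loop
    if score >= ALERT_THRESHOLD:
        return Verdict(score, "alert")    # D&R: ambiguous, hand to an analyst
    return Verdict(score, "allow")


# Constructed sample telemetry, not captured from real systems.
BENIGN = [  # a document editor saving a few files in one folder
    ("write", "/home/alice/docs/report.docx", None),
    ("write", "/home/alice/docs/budget.xlsx", None),
    ("write", "/home/alice/docs/~report.tmp", None),
]
AMBIGUOUS = [  # a script renaming a handful of files to .bak across two folders
    ("rename", f"/srv/share/{d}/notes{i}.txt", f"/srv/share/{d}/notes{i}.txt.bak")
    for d, i in (("q1", 1), ("q1", 2), ("q1", 3), ("q2", 1), ("q2", 2))
]
SUSPICIOUS = [  # one process rewriting many files' extensions across several folders
    ("rename", f"/home/alice/{d}/file{i}.docx", f"/home/alice/{d}/file{i}.docx.locked")
    for d in ("docs", "pictures", "projects") for i in range(4)
]

if __name__ == "__main__":
    for name, events in (("benign", BENIGN), ("ambiguous", AMBIGUOUS), ("suspicious", SUSPICIOUS)):
        print(f"{name:10s} -> {decide(events)}")
```

Lowering BLOCK_THRESHOLD moves more activity into the automated tier (faster response, more false positives); raising it pushes work onto analysts, which is exactly the trade-off the paragraph describes.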

Given the arguments above, it should be obvious that the accuracy and effectiveness of Prevention layers are of high importance, both for the efficiency and the effectiveness of the entire security architecture. During a keynote at RSA 2021, Anne Neuberger, Deputy Assistant to the President of the United States and Deputy National Security Advisor for Cyber and Emerging Technology, commented on the importance of Prevention: “While we must acknowledge that breaches will happen and prepare for them, we simply cannot let waiting for the next shoe to drop to be the status quo under which we operate.”

It is hard (or rather impossible) to build a security architecture that enhances the resilience of the organization without strong prevention. This is also reflected in key industry standards like the NIST Cybersecurity Framework, where D&R is preceded by the Identification of risks and Protection phases. Does Prevention eliminate the need for equally strong Detection and Response? Obviously not! Whether managed in-house or as a service from a Managed Detection and Response provider, D&R is crucial for fighting off sophisticated adversaries that an automatic system cannot block effectively. In the next blog I will cover some key considerations on the role of Detection and Response for enhancing Cyber-Resilience.

Initially posted on Bitdefender Business Insights:

A Practical Approach to Cyber Resilience – Developing solutions (Part 3 of 3)

In the third and last part of the blog series on Practical Cyber Resilience, I will cover the Approaches, Tactics and Techniques that an organization should use when developing options for improving cyber resilience. In the previous blog, I detailed the practical five-step Cyber Resilience Analysis Process recommended both by NIST and MITRE for enhancing cyber resilience.


The fourth step of the Cyber Resiliency Analysis is centered on identifying specific ways to make the desired improvements. These alternatives include implementing cyber resiliency techniques (such as Adaptive Response or Analytic Monitoring) in the context of the existing architecture but may also involve significant changes to the security architecture if needed. The potential solutions can be purely technical, purely procedural, or combinations of the two.

The NIST framework provides a wealth of details on how cyber resilience techniques translate into cyber resiliency approaches. A cyber resiliency approach is a subset of the technologies and processes that defines how the capabilities are implemented or how the intended consequences are achieved.

Let us take an example of how to identify potential solutions for increasing resilience. Let’s assume that during the cyber risk baselining phase we identified Analytic Monitoring as an area of high importance with significant room for improvement. To help define improvement options, the NIST framework provides three corresponding resiliency approaches for this technique: Monitoring and Damage Assessment; Sensor Fusion and Analysis; and Forensic and Behavior Analysis. The three approaches translate into:

  • Monitoring and analyzing the behavior and characteristics of components and resources. This helps improve the ability to detect indicators of attacks and to assess the potential damage.
  • Combining and analyzing data, collected from different information sources over extended timeframes, to provide visibility and insights.
  • Analyzing the attacker tactics, techniques, and procedures (TTPs), including malware and other artifacts left behind by security events. This provides a better understanding of the impact and helps guide the response actions.

Having these directions set, let’s shift to identifying technical solutions. Contrary to the initial instinct of most security practitioners, the best time for choosing security technologies is near the end of the cyber resiliency analysis process. Making technology choices too early often leads to spending resources on technology that is not effective in the context of the overall scope of increasing resilience. Or it leads to missing the chance to allocate resources where they matter the most.

For our example, you can probably recognize that some of the capabilities described above fall within Endpoint Detection and Response solutions. EDR is an excellent choice for implementing Analytic Monitoring, especially for endpoints (physical or virtual). It enables monitoring of events across all endpoints in the infrastructure, strong analytics capabilities, and detailed incident investigation to get a clear picture of adversarial TTPs.

What (pure) EDR is missing in the context of the Analytic Monitoring cyber resilience technique is the sensor fusion (EDR is focused on the endpoint only). However, EDR is expanding to include data from other infrastructure elements, like network and email. This is the eXtended Detection and Response (XDR) solution. XDR provides detection and response capabilities for a much larger area of the enterprise infrastructure and scores well for the Analytic Monitoring cyber resilience technique. In the case of our example, it is a good technology to consider.

As mentioned, enhancing cyber resilience may require both adding/replacing technology and changing processes. An organization could build the corresponding processes for analytic monitoring in-house or outsource to a third party. For operating an EDR/XDR solution, an enterprise should have an internal security operations team but may also consider using Managed Detection and Response (MDR) as an alternative. MDR includes both the technology and high-level security expertise to deliver security outcomes that map directly to cyber resilience objectives.

This example provides just one option for implementing the Analytic Monitoring cyber-resilience technique. An organization should always consider multiple alternatives and feed them into the last step of the Cyber Resilience Analysis process – that is the value of using the framework. Solutions will be assessed in the light of the larger context to identify the best recommended course of action. This process should be repeated and applied regularly to keep pace with cyber resiliency needs as the threat landscape continues to evolve.

Wrapping up the series, the three blogs covered some important practical aspects to consider for enhancing the cyber resilience of the organization. In the first blog I covered the four key characteristics (or guiding principles) of cyber resilience while in the second I reviewed the main objectives and the five-step Cyber Resilience Analysis methodology. The last part was dedicated to how an organization should approach the task of identifying the best solutions to apply for enhancing the resilience of the organization when faced with common and advanced cyber threats.

Initially posted on Bitdefender Business Insights:

A Practical Approach to Cyber Resilience – The five-step process (Part 2 of 3)

This is the second of a 3-blog series on Practical Cyber Resilience. In the first part, I covered the four key characteristics (or guiding principles) of cyber resilience. In this blog we will review the main objectives and the five-step Cyber Resilience Analysis methodology, as defined by the NIST Special Publication 800-160, Developing Cyber Resilient Systems.

Within the context of this framework, cyber resilience efforts should focus on four key goals: Anticipate, Withstand, Recover from incidents, and Adapt. Sometimes with different wording, these goals are included in most cyber-resilience definitions. But their meaning is always the same:

  • Anticipate – maintain a state of informed preparedness for adversity.
  • Withstand – continue essential mission or business functions despite adversity.
  • Recover – restore mission or business functions during and after adversity.
  • Adapt – modify business functions and/or support capabilities to predicted changes in the technical, operational, or threat environments.

Because cyber resiliency is a concern at multiple levels in an organization, the four goals are essential in providing linkage between various functions and levels of the organization such as program managers, mission owners or cyber defenders. These different audiences need to learn whether the cyber resources for which they are responsible, or on which they depend, are sufficiently resilient against advanced cyber threats and, if not, what can be done to improve resiliency.

To help achieve the goals, NIST provides a structured approach in the form of the cyber resiliency analysis process. In developing this process, NIST leveraged previous work done by MITRE: The Structured Cyber Resiliency Analysis Methodology (SCRAM). Both methodologies rely on five key steps:

  1. Understand the context
  2. Establish the initial cyber resiliency baseline
  3. Analyze the systems
  4. Define and analyze specific alternatives
  5. Develop recommendations

Each step focuses on a specific problem:

Step 1: What do we care about? This step establishes the purpose of the cyber resiliency analysis. Those performing the analysis and the stakeholders who will use the results of the analysis must establish a common understanding of the context. They must agree on what information will be provided to analysts and on what will be assumed. They also must identify factors that constrain the selection of cyber resiliency solutions.

Step 2: What can we build on? As I mentioned in a previous blog, cyber resiliency overlaps with cybersecurity but also with other business continuity planning efforts. Activities in this step establish a baseline assessment of the system, which includes existing capabilities that can contribute to cyber resiliency.

Step 3: How do cyber risks affect overall business risks? Now is the moment to have a closer look at the business architecture (including systems architecture) to identify how advanced cyber attackers, by taking advantage of architectural and design decisions, could affect the business effectiveness. In other words, this is risk analysis.

Step 4: What could we do to improve cyber resilience? A wide variety of cyber resiliency techniques, with corresponding approaches and technologies, can be identified. Some of these will and some will not be feasible in the context for which the cyber resiliency analysis is performed. Activities in this step identify and analyze specific alternatives for improving cyber resiliency.

Step 5: What do we recommend? Cyber resiliency techniques are interdependent and interact with techniques for cybersecurity and business continuity. Thus, we need to analyze combinations of specific alternatives and provide potential courses of action, all of this in the context of the constraining factors identified earlier. This step produces recommendations consistent with the defined purpose of the cyber resilience analysis.

What is obvious looking at these steps is the criticality of stakeholder engagement. Program management office, user community, operations, security, all need to be engaged in various stages of the process. Without strong engagement of these stakeholders, the results of the analysis can easily become useless.

Not so obvious is the complexity hidden behind the five steps. To help execute the process, NIST (and MITRE SCRAM) includes detailed activities that need to be carried out in each step.

While the diagram looks busy, keep in mind that this is a blueprint, a general approach that can and should be tailored for the needs of each organization.

In the final part of this blog series, I will cover approaches, techniques, and technologies to be considered when developing specific alternatives to improve resilience.

Initially posted on Bitdefender Business Insights:

Three takeaways for a Small Business from the Microsoft Exchange hack

I have heard this so many times: “My company is too small to be the target of an advanced attack”. Unfortunately, this is not true, and the recent cyber-attacks on Microsoft Exchange servers clearly show it. Compared to the recent SolarWinds Orion security breach that directly affected mostly large organizations, the Exchange vulnerabilities were used to attack in excess of 30,000 organizations in the US alone, mostly small businesses and local government offices.

Here are the three lessons that a small business should learn from this incident:

  1. Every organization (and person) is a potential victim of advanced cyber-threats. This highly automated attack that used four zero-day vulnerabilities shows that virtually no organization (large or small) is safe. Whether to be used as a pivot point toward larger targets or simply by chance, it is only a matter of time until a sophisticated attack “knocks” on the door.
  2. Cloud services are a safer choice, especially for small organizations. This is due to at least two reasons. First, many software providers (Microsoft included) have a “cloud-first” policy. That means the cloud solutions will get the new features, enhancements, and even bug fixes first. For example, in this case, Microsoft Exchange Online is not affected by the attack. Additionally, the large cloud infrastructures benefit from the most advanced security options on the market and are staffed with the “crème de la crème” in terms of cybersecurity personnel. Does this make them bullet-proof? No, but the likelihood of a breach is smaller. Second reason: small organizations are typically slow in applying security patches even when these become available. Many of the Microsoft Exchange servers affected by the zero-day vulnerabilities exploited in this attack will remain unpatched for months, leaving them vulnerable to attacks.
  3. Cybersecurity is getting professionalized. Highly professionalized. Advanced attacks are becoming increasingly common and are affecting a large number of organizations around the world. Basic cybersecurity skills are no match for the security challenges of today’s world. Small organizations typically cannot afford to spend resources on skilled cybersecurity professionals (not to mention that we are currently facing a significant shortage of cyber defense talent). Alongside the use of cloud services instead of on-premises infrastructure, an SMB should also consider relying on Managed Security Services and Managed Detection and Response Services to keep their IT infrastructure running and secure.

These three points should be considered for increasing the cyber-resiliency of the organization. But they do NOT replace the actions required to check whether your infrastructure was affected by the attack. For more context on the breach and the recommended remediation steps, check this Microsoft blog post.