Justin Berman, CTO at Skybox Security, explains why modern cybersecurity must extend beyond vulnerability scanners when it comes to ransomware
“Which Vulnerability Scanner Should I Buy?” is the wrong question for security managers to ask when planning their defence against ransomware attacks.
Lindy Cameron, CEO of the National Cyber Security Centre, recently warned that “Ransomware is the most immediate cybersecurity threat to UK businesses.”
Cybersecurity leaders need to think about this and consider how best to protect their business resilience. To ensure success, leaders must ask the right questions to inform a solid cybersecurity strategy. “Which vulnerability scanner should I buy?” is the wrong question.
Vulnerability scanning is a fundamental part of many corporate security strategies. But scanners are purely reactive cybersecurity tools. As we see in the headlines every week, traditional reactive cybersecurity strategies fall short. Multimillion-dollar ransomware payouts — along with successful attacks on healthcare, water, and energy supplies — are proof that the outdated scan and patch playbook needs to evolve.
Digital transformation expands the attack surface
During the pandemic, many industries have accelerated their digital initiatives. An unintended side effect of digital transformation has been the large-scale introduction of new vulnerabilities as the attack surface expanded. Unfortunately, security was an afterthought as companies focused on making the shift to remote working a success. Once the dust settled, a Skybox investigation revealed that 73% of C-level executives were concerned that the distributed workforce had introduced new vulnerabilities and increased exposures.
Already strained by talent shortages, security teams suddenly had more to protect: more endpoints to configure, more cloud technologies to secure, and more changes to properly validate. Meanwhile, they are drowning in security alerts. According to Dimensional Research, 93% of IT security professionals cannot process all of their security alerts on the same day. Additionally, cybersecurity teams are constantly bombarded with attacks and breaches, some of which are made public and some of which are not.
There are three key reasons why modern cybersecurity must extend beyond scanning and remediation solutions:
1. Snow blindness
Organizations are struggling to keep up with the influx of new vulnerabilities. In the first half of 2021, 9,444 new vulnerabilities were reported by Skybox Research Lab, pretty close to last year’s record pace. However, given the raging storm of vulnerabilities, CISOs cannot continue to drown their frontline defenders with ominous alerts.
2. Vulnerabilities hidden in plain sight
Uncovering hidden weaknesses in smaller and even unknown assets is essential. Cybercriminals know that operational technology (OT) and Internet of Things (IoT) devices are difficult to secure, so they focus on these as “soft” targets that lack mature cybersecurity controls. For example, Skybox research noted a 46% increase in new OT device vulnerabilities in the first half of 2021, compared to the same period last year. Additional Skybox research found that 83% of respondents had experienced an OT breach in the past 36 months.
3. Remediation should take place as soon as a vulnerability is discovered
In an ideal world, remediation would occur as soon as an exposure is discovered. However, CISA recently warned that threat actors continue to target known vulnerabilities, many of which are several years old, all with patches available.
Illuminate a proactive new path for cybersecurity
Armed with advanced insights, CISOs can confidently prove to their board that they have successfully patched millions of malware exploits. Scanners alone cannot provide this validation. Taking the following steps will protect organizations in today’s challenging cybersecurity climate:
- Aggregate data beyond scanning. Incorporate data from configuration, patch, and asset management systems. Also include endpoint security tools, threat and intelligence feeds, and various other assets such as OT, cloud, and network devices.
- Develop an interactive model of the entire OT, hybrid, and IT environment. Security teams must have complete visibility of the entire attack surface or they cannot protect it. Their understanding should include whether the devices are properly “hardened” and whether the access permissions they assume are in place correspond to what is true in reality. If the security professionals have configured the network correctly, this makes the lateral movement aspect of the attack much more difficult.
- Perform advanced exposure analysis. Use threat intelligence to identify exploitable vulnerabilities. Then, correlate this data with a company’s unique network configurations and security controls to determine whether the system is actually open to a cyberattack. This surfaces the “perfect storm” threats: vulnerabilities that are exploited in the wild and not mitigated by existing security controls.
- Identify remediation options for environments that go beyond patching. Alternative fixes include adjusting configurations, applying appropriate policies, applying IPS signatures, implementing network segmentation, etc. This is especially vital for OT networks which cannot be effectively protected using scans and patches.
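One way to carry out the exposure analysis the last two bullets describe, as an added example rather than Skybox’s own logic: constructed scanner findings are combined with a known-exploited list and with each asset’s reachability and inline IPS coverage, so that the “perfect storm” item outranks a higher-CVSS finding nobody is exploiting, and a compensated finding is visibly deferred rather than ignored. All asset names, CVE ids and control data are invented placeholders.

```python
from dataclasses import dataclass, field

# Constructed sample inputs (not real data): CVE ids are placeholders.
EXPLOITED_IN_WILD = {"CVE-0000-0001", "CVE-0000-0002"}  # known-exploited feed

@dataclass
class Asset:
    name: str
    internet_reachable: bool  # reachable from an untrusted zone per the network model
    ips_signatures: set = field(default_factory=set)  # CVEs an inline IPS already blocks

@dataclass
class Finding:
    asset: Asset
    cve: str
    cvss: float

def classify(f: Finding) -> str:
    """Scanner output alone says 'the CVE exists'; the verdict also needs
    threat intel plus the controls actually in front of the asset."""
    exploited = f.cve in EXPLOITED_IN_WILD
    compensated = f.cve in f.asset.ips_signatures
    if exploited and f.asset.internet_reachable and not compensated:
        return "perfect_storm"       # exploited, reachable, unprotected: fix first
    if exploited and not compensated:
        return "exploited_internal"  # needs a foothold first: segment or patch soon
    if exploited:
        return "compensated"         # IPS blocks it: patch in cycle, keep signature on
    return "backlog"                 # not known-exploited: normal patch cadence

RANK = {"perfect_storm": 0, "exploited_internal": 1, "compensated": 2, "backlog": 3}

def prioritise(findings):
    """Exposure class first, CVSS second: CVSS alone would invert this order."""
    return sorted(findings, key=lambda f: (RANK[classify(f)], -f.cvss))

def demo():
    web = Asset("web-dmz-01", internet_reachable=True)
    plc = Asset("plc-line-3", internet_reachable=False, ips_signatures={"CVE-0000-0002"})
    hr = Asset("hr-db-01", internet_reachable=False)
    findings = [
        Finding(hr, "CVE-0000-0009", 9.8),   # critical CVSS, not known-exploited
        Finding(web, "CVE-0000-0001", 7.5),  # lower CVSS, exploited and exposed
        Finding(plc, "CVE-0000-0002", 8.8),  # exploited, but blocked by an IPS signature
    ]
    return [(f.asset.name, f.cve, classify(f)) for f in prioritise(findings)]
```

In a real deployment the three inputs come from the scanner, a known-exploited feed and the network model respectively; the ranking logic is what stays the same.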
Work smarter and make better security decisions
What causes breaches? Exposed vulnerabilities. Don’t try to patch everything – you will fail. Instead, focus on the vulnerabilities that are actually exploited in the wild.
Vulnerability scanners can tell you that a vulnerability exists. However, scanners lack information about the cyber kill chain. Tracing the stages of a major cyberattack is imperative, from a seemingly minor vulnerability exposure, to lateral movement, and finally to network shutdowns and data exfiltration. Today, it is possible to identify the most dangerous threats instead of wasting resources trying to patch every vulnerability.