When hackers hold data hostage
Multi-layered security can better defend against ransomware
It's extortion, and it can cripple the operations of local governments, schools or corporations.
The cyberattacks known as ransomware, in which attackers compromise a network or system, encrypt or otherwise lock up its data and demand payment to restore it, have doubled in the past year, according to the StateScoop news group. Municipalities, both big and small, are particularly susceptible: local IT departments often have limited resources, and attackers continually evolve their methods. High-profile ransomware attacks hit Atlanta in 2018, and Baltimore and 23 towns in Texas in 2019.
One response has been signature-based threat detection, in which defenders extract a unique identifier from a known threat, such as a file hash or a distinctive byte sequence, and use it to recognize that threat in the future. Many anti-virus programs work this way, cataloging known malware. They catch attacks that reuse known code, but some of the more dangerous malware changes its form faster than it can be catalogued: a repacked or polymorphic build has a new hash and new byte patterns, so the old signature no longer matches.
“By changing the way it looks, that’s how it [malicious code] evades more traditional detection methods,” said Scott Styles, Raytheon’s cyber resiliency lead. “While we’d like to identify it, we don’t need to because we shut it down right away.”
A multi-layered strategy defends against ransomware more effectively than reliance on any single tool.
For example, Raytheon has developed a technology called the REDPro platform, which takes a multi-layered, hardware- and software-based approach to protecting data and systems from cyberattacks.
“You don’t want to put all your eggs in one basket when it comes to protecting your sensitive data,” said Torsten Staab, Raytheon REDPro chief engineer.
Ransomware uses encryption to lock up data on infected computers, then demands payment for the key that unlocks it. Many of these attacks get into systems through phishing emails that lure recipients into clicking a link or opening an attachment disguised as a legitimate file.
“All it takes is one careless employee clicking on a ransomware-infested phishing email to start losing all your data in a matter of seconds,” Staab said.
These attacks can be highly targeted or they can come like a shotgun blast, according to Styles.
“In high dollar ransomware cases, we’ve seen social engineering and spearphishing at its best, where they’re targeting a specific individual that they’ve gathered intel on,” he said. “But in other cases, it’s a bulk email blast…a drive-by shooting. It preys on people’s curiosity. You can’t keep that stuff out; that’s why it’s so dangerous.”
Prevention, not remediation, is the key, according to Staab. “You have to prepare and plan for this in advance,” he said.
It takes only seconds for ransomware to start encrypting gigabytes’ worth of data, Staab added. To fight it, REDPro combines Raytheon’s cybersecurity technologies with tech from select industry partners such as the company Virsec, and includes a real-time monitoring tool that detects anomalies in a system’s behavior and stops an attack in progress.
“We can detect and halt a ransomware attack before it can even start to encrypt any data,” Staab said.
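As an added example, and not Raytheon's or REDPro's code (the page does not describe the product's internals), the following Python contrasts the two approaches discussed above: a hash signature that a one-byte repack defeats, and a behavioural file-write monitor, run over constructed file-write events, that flags a process which rewrites many files with near-random content within a few seconds. The sample bytes, file paths, process IDs and thresholds are all constructed for the illustration.

```python
"""Added example, not Raytheon or REDPro code: a hash signature misses a
trivially repacked sample, while a behavioural file-write monitor still
catches the encryption burst the sample produces."""
import hashlib
import math
from collections import defaultdict

# Constructed stand-in for a captured ransomware binary (not real malware).
KNOWN_SAMPLE = b"MZ\x90\x00" + b"fake-payload:enumerate-shares;encrypt;drop-note;" * 4
SIGNATURE_DB = {hashlib.sha256(KNOWN_SAMPLE).hexdigest(): "Ransom.Constructed.A"}


def signature_match(blob: bytes):
    """Classic AV lookup: exact hash of the file against the catalogue."""
    return SIGNATURE_DB.get(hashlib.sha256(blob).hexdigest())


def repack(blob: bytes) -> bytes:
    """Append one byte of padding: enough to change the hash, nothing else."""
    return blob + b"\x00"


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: encrypted or compressed data sits near 8.0, English text near 4-5."""
    if not data:
        return 0.0
    counts = defaultdict(int)
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def detect_encryption_burst(events, window_s=5.0, min_files=6, entropy_threshold=7.0):
    """events: iterable of (timestamp_s, pid, path, bytes_written).
    Returns {pid: timestamp} for each process that overwrote at least min_files
    distinct files with near-random content inside any window_s span.
    Breadth and rate are the signal: one high-entropy write is what a zip tool does."""
    high_entropy = defaultdict(list)
    for ts, pid, path, data in sorted(events, key=lambda e: e[0]):
        if shannon_entropy(data) >= entropy_threshold:
            high_entropy[pid].append((ts, path))
    alerts = {}
    for pid, writes in high_entropy.items():
        start = 0
        for i, (ts, _) in enumerate(writes):
            while writes[start][0] < ts - window_s:   # slide the window forward
                start += 1
            if len({p for _, p in writes[start:i + 1]}) >= min_files:
                alerts[pid] = ts
                break
    return alerts


def pseudo_random(seed: str, size: int) -> bytes:
    """Deterministic high-entropy bytes standing in for ciphertext (constructed)."""
    out, counter = b"", 0
    while len(out) < size:
        out += hashlib.sha256(f"{seed}:{counter}".encode()).digest()
        counter += 1
    return out[:size]


DOC = b"Draft minutes for the council meeting, item 4: road maintenance budget.\n" * 60

# Constructed file-write events: (timestamp_s, pid, path, data)
SAMPLE_EVENTS = (
    [(0.0, 4242, "/home/alice/docs/minutes.docx", DOC),            # word processor
     (30.0, 4242, "/home/alice/docs/minutes.docx", DOC + b"Addendum.\n"),
     (45.0, 777, "/home/alice/backup/docs.zip", pseudo_random("zip", 4096))]  # one archive
    + [(100.0 + 0.25 * i, 1337, f"/home/alice/docs/report_{i}.xlsx.locked",
        pseudo_random(f"enc{i}", 4096)) for i in range(8)]            # encryption burst
)


def main():
    print("signature on known sample:   ", signature_match(KNOWN_SAMPLE))
    print("signature on repacked sample:", signature_match(repack(KNOWN_SAMPLE)))
    print("processes flagged by behaviour:", detect_encryption_burst(SAMPLE_EVENTS))


if __name__ == "__main__":
    main()
```

The signature check names the original sample and says nothing about the repacked copy, while the monitor flags pid 1337 on its sixth high-entropy write, a little over a second into the burst, without knowing what the binary is. Entropy alone would also flag the backup tool writing `docs.zip`, which is why the detector requires many distinct files in a short window; a production monitor would add further signals (extension changes, ransom-note drops, deletion of shadow copies) and would suspend the process rather than just report it.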
REDPro runs Raytheon's Electronic Armor software, which measures and monitors an operating system’s boot and runtime environment. Electronic Armor is based on the Zero Trust principle, which assumes an attacker is already in a position to do damage. The software can prevent unauthorized access, copying, modification, reverse engineering or deletion of critical software, intellectual property or sensitive data.
“In some industries, they’re still running Windows XP, which Microsoft no longer releases security patches for,” Styles said. “If those machines were cyber-hardened with Electronic Armor and other Zero Trust defenses, then those machines wouldn’t need to be patched.”
Styles said that backing up data, taking multiple snapshots of the system’s state and storing backups in multiple places, including in the cloud and at offsite locations, is one of the keys to cyber resiliency. Copies that an infected host can reach and overwrite are themselves targets, so at least one copy should be offline or write-protected, and restores should be tested before they are needed.
“Our goal is to keep the business up and running even during an attack,” Styles said. “We can restore to a state before the attack, even making improvements to the system so it’s no longer vulnerable.”
The platform also incorporates user, process and storage behavioral analytics, which detect suspicious or malicious user activity, system services, applications and storage-media access, and can neutralize them.
“If a user works in Human Resources in Virginia and is usually online from 9 to 5, then one day this user logs in from Eastern Europe at 3 a.m. and tries to download files from a Finance-shared drive, REDPro would flag it and intervene in real-time if required,” Staab said. “Every user, system, process, and application poses a potential cyber threat or vulnerability — regardless of their origin, current location or access privileges.”
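As an added example, and not REDPro's own analytics (the page does not describe how the product builds or scores its baselines), the following Python shows the shape of the check in the scenario above: a per-user baseline of source countries, working hours and file shares is learned from constructed log lines, and each new event is scored on how many of those it departs from. The log format, user name, share names and the scoring thresholds are all constructed for the illustration; timestamps are UTC, so the Virginia 9-to-5 appears as 13:00 to 21:00.

```python
"""Added example, not REDPro code: a minimal per-user behavioural baseline
learned from constructed log lines, scoring new events for anomaly."""
from collections import defaultdict
from datetime import datetime


def parse_line(line: str) -> dict:
    """Parse 'TIMESTAMP key=value key=value ...' (constructed format) into a dict."""
    ts, *pairs = line.split()
    event = dict(p.split("=", 1) for p in pairs)
    event["time"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return event


def build_baseline(lines):
    """Per user: countries seen, hours of activity and shares accessed."""
    baseline = defaultdict(lambda: {"countries": set(), "hours": set(), "shares": set()})
    for line in lines:
        ev = parse_line(line)
        b = baseline[ev["user"]]
        b["countries"].add(ev["src_country"])
        b["hours"].add(ev["time"].hour)
        if "share" in ev:
            b["shares"].add(ev["share"])
    return baseline


def score_event(baseline, line):
    """Return (score, reasons): one point per dimension the event departs from."""
    ev = parse_line(line)
    b = baseline.get(ev["user"])
    if b is None:
        return 3, ["user has no baseline"]          # unknown identity: treat as hostile
    reasons = []
    if ev["src_country"] not in b["countries"]:
        reasons.append(f"new source country {ev['src_country']}")
    lo, hi = min(b["hours"]), max(b["hours"])     # observed working-hour range
    if not lo <= ev["time"].hour <= hi:
        reasons.append(f"off-hours activity at {ev['time'].hour:02d}:00 UTC")
    if ev.get("share") and ev["share"] not in b["shares"]:
        reasons.append(f"first access to share {ev['share']}")
    return len(reasons), reasons


def decide(score: int) -> str:
    """Constructed policy: one anomaly is reviewed, two or more are blocked."""
    return "block" if score >= 2 else "review" if score == 1 else "allow"


# Constructed history: ten days of an HR user in Virginia working 9-5 EDT (13-21 UTC).
TRAINING = []
for day in range(2, 12):
    d = f"2019-09-{day:02d}"
    TRAINING += [
        f"{d}T13:02:00Z user=jdoe src_country=US action=login",
        f"{d}T14:10:00Z user=jdoe src_country=US action=file_read share=HR",
        f"{d}T20:55:00Z user=jdoe src_country=US action=file_read share=HR",
        f"{d}T21:01:00Z user=jdoe src_country=US action=logout",
    ]
BASELINE = build_baseline(TRAINING)

# Constructed new events to score.
ANOMALOUS = "2019-09-13T07:03:00Z user=jdoe src_country=RO action=file_read share=Finance"
NORMAL = "2019-09-13T15:30:00Z user=jdoe src_country=US action=file_read share=HR"
LATE = "2019-09-13T23:30:00Z user=jdoe src_country=US action=file_read share=HR"


def main():
    for line in (NORMAL, LATE, ANOMALOUS):
        score, reasons = score_event(BASELINE, line)
        print(decide(score).upper().ljust(6), line.split()[0], reasons)


if __name__ == "__main__":
    main()
```

The 3 a.m. Eastern-European read of the Finance share scores on all three dimensions and is blocked; the same user on the HR share at 15:30 UTC scores zero; a single late-night access scores one and is routed to review rather than blocked, since one departure is often legitimate (travel, overtime). A real deployment would let baselines age and drift, build them from logs an attacker cannot rewrite, and tie "block" to an enforcement point such as a session kill or share-level deny, not just an alert.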