Another day, another major attack. Garmin has been forced to shut down many of its services, including Garmin Connect (which keeps wearable data synchronized), its aviation database services, its call centers, its online chat system and even email. Though Garmin is only calling it an "outage" on Twitter, it is likely that ransomware has succeeded in encrypting Garmin's internal network.
“Ransomware attacks can severely disrupt business and cost hours of productivity and profit, which we can see in this most recent incident at Garmin. There are, however, a few basic steps that an organization can take to minimize their exposure to ransomware and keep their services up and running,” says Torsten George, cybersecurity evangelist, Centrify.
George’s advice? “First, implement security awareness programs to educate employees on how ransomware is being deployed and how to avoid spear-phishing attacks. Frequently update anti-virus and anti-malware with the latest signatures and perform regular scans. Create an application whitelist, allowing only specific programs to run on a computer. This should include the disabling of macro scripts from Microsoft Office files transmitted over email. And finally, back up data regularly to a non-connected environment and verify the integrity of those backups regularly,” he says.
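The last of those steps, verifying the integrity of offline backups, is the one most often skipped, and it is the one that decides whether a ransomed organization can recover without paying. The following is an added example (not code from the article, from Centrify, or from Garmin) of how such a check can be done: a SHA-256 manifest is built when the backup set is written, the manifest is authenticated with an HMAC whose key is assumed to be kept off the backup host, and a later verification reports every file that was modified, removed or added since. The directory layout, file contents and key are constructed for the demonstration.

```python
"""Added example: build and verify an authenticated integrity manifest for a
backup set, so that encrypted, deleted or injected files are found before the
backup is needed. Not part of the article or any vendor's product."""
import hashlib
import hmac
import json
import os
import tempfile
from pathlib import Path

CHUNK = 1 << 20  # hash in 1 MiB chunks so large backup files are not read into memory


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict[str, str]:
    """Map every regular file under root (relative POSIX path) to its SHA-256."""
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def sign_manifest(manifest: dict[str, str], key: bytes) -> dict:
    """Attach an HMAC so an intruder who rewrites the backup cannot simply
    regenerate a matching manifest; the key is assumed to live off this host."""
    body = json.dumps(manifest, sort_keys=True, separators=(",", ":"))
    tag = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return {"files": manifest, "hmac": tag}


def verify_backup(root: Path, signed: dict, key: bytes) -> dict:
    """Return {'authentic', 'modified', 'missing', 'added'} for the backup at root."""
    body = json.dumps(signed["files"], sort_keys=True, separators=(",", ":"))
    expected = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    authentic = hmac.compare_digest(expected, signed["hmac"])
    current = build_manifest(root)
    recorded = signed["files"]
    return {
        "authentic": authentic,
        "modified": sorted(p for p in recorded if p in current and current[p] != recorded[p]),
        "missing": sorted(p for p in recorded if p not in current),
        "added": sorted(p for p in current if p not in recorded),
    }


def demo() -> dict:
    """Constructed scenario: a clean verification, then one after 'ransomware'
    overwrites a file and drops a note into the backup set, then one where the
    attacker also regenerated the manifest without the key."""
    key = b"manifest-key-kept-off-the-backup-host"  # assumption: stored elsewhere
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "db").mkdir()
        (root / "db" / "customers.sql").write_bytes(b"INSERT INTO customers ...\n")
        (root / "config.yaml").write_bytes(b"retention: 30d\n")
        signed = sign_manifest(build_manifest(root), key)
        clean = verify_backup(root, signed, key)

        (root / "db" / "customers.sql").write_bytes(os.urandom(64))  # "encrypted"
        (root / "README_TO_RESTORE.txt").write_bytes(b"pay us\n")
        tampered = verify_backup(root, signed, key)

        forged = {"files": build_manifest(root), "hmac": "0" * 64}
        forged_result = verify_backup(root, forged, key)
    return {"clean": clean, "tampered": tampered, "forged": forged_result}


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

The manifest should be written to a different medium than the backup itself and the verification should run on a schedule, not only at restore time; a backup that was silently encrypted three weeks ago is worth nothing when it is finally needed.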
“In addition, to prevent bad actors from accessing critical systems, infrastructure and sensitive data, an effective privileged access management solution using a Zero Trust approach is key,” says George. “By verifying who is requesting access, the context of the request, as well as the risk of the access environment, organizations can minimize the impact of a ransomware attack and prevent malware from spreading through a network.”
Richard Cassidy, senior director, security strategy, Exabeam adds, “A recent report revealed that 82% of SOCs are confident in their ability to detect cyberthreats, but with 40% also reporting staff shortages and only 22% of frontline workers tracking dwell time, it’s no surprise attacks like this keep happening.”
According to Cassidy, the stages in the ransomware kill chain begin with the distribution campaign. “Adversaries use techniques such as social engineering to trick users into downloading a dropper, which initiates the virus infection and malicious code execution. Next, during the staging phase, the ransomware embeds itself deep into the victim’s environment,” says Cassidy. “The ransomware has ample time to scan systems for files to encrypt. Having identified target files, the ransomware begins its encryption process, which can take anywhere from seconds to hours. After the files are encrypted, a message is delivered demanding payment for the ransom.”
The best defense against ransomware is a good offense through proactive prevention and mitigation, explains Cassidy. “Behavioral modeling through user and entity behavior analytics is one of the most effective approaches. The goal is to monitor certain behaviors on a regular basis in order to recognize what is normal for users and devices on the network,” he says. “This makes it easier to detect unusual behavior that could be the result of a ransomware attack. Typically, a ransomware attack takes several stages, making early detection possible with the right solution.”
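What Cassidy describes as behavioral modeling comes down to learning what a normal minute of file activity looks like for each user and scoring later minutes against that. The following is an added example (not code from the article or from Exabeam) of that idea in its simplest form: per-user baselines of event rate, directory breadth and rename count are learned from a training window of constructed file-activity log lines, and any later window whose features sit more than a chosen number of standard deviations above the baseline is flagged. The log format, user names, paths and threshold are all assumptions made for the demonstration.

```python
"""Added example: a minimal user-behaviour baseline over file-modification
events, flagging the write/rename burst that the staging and encryption
phases of ransomware produce. Not part of the article or any vendor's product."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
import statistics


@dataclass(frozen=True)
class Event:
    ts: datetime
    user: str
    action: str  # "write" or "rename"
    path: str


def parse(line: str) -> Event:
    # constructed log format: "<iso-timestamp> <user> <action> <path>"
    ts, user, action, path = line.split(" ", 3)
    return Event(datetime.fromisoformat(ts), user, action, path)


def windows(events):
    """Group events into (user, minute) buckets."""
    buckets = defaultdict(list)
    for e in events:
        buckets[(e.user, e.ts.replace(second=0, microsecond=0))].append(e)
    return buckets


def features(bucket) -> dict:
    dirs = {e.path.rsplit("/", 1)[0] for e in bucket}
    renames = sum(1 for e in bucket if e.action == "rename")
    return {"events": len(bucket), "dirs": len(dirs), "renames": renames}


def build_baseline(training_events) -> dict:
    """Per-user (mean, stdev) of each feature over the training windows;
    a zero stdev is replaced by 1.0 so a never-seen behaviour still scores."""
    per_user = defaultdict(lambda: defaultdict(list))
    for (user, _), bucket in windows(training_events).items():
        for k, v in features(bucket).items():
            per_user[user][k].append(v)
    return {
        user: {k: (statistics.mean(v), statistics.pstdev(v) or 1.0) for k, v in feats.items()}
        for user, feats in per_user.items()
    }


def score(bucket, user_baseline) -> float:
    """Largest z-score of the window's features against the user's baseline."""
    f = features(bucket)
    return max((f[k] - m) / s for k, (m, s) in user_baseline.items())


def detect(training_lines, live_lines, threshold=3.0) -> list:
    baseline = build_baseline(parse(l) for l in training_lines)
    alerts = []
    live = windows(parse(l) for l in live_lines)
    for (user, start), bucket in sorted(live.items(), key=lambda kv: kv[0]):
        if user not in baseline:
            alerts.append((user, start.isoformat(), "no baseline for user"))
            continue
        z = score(bucket, baseline[user])
        if z >= threshold:
            alerts.append((user, start.isoformat(), f"z={z:.1f} {features(bucket)}"))
    return alerts


def sample_data():
    """Constructed logs: 30 quiet minutes of alice editing documents, then a
    normal minute, a 40-event burst across ten directories, and a user with
    no history at all."""
    base = datetime(2020, 7, 23, 8, 0)
    training = [
        f"{(base + timedelta(minutes=i)).isoformat()} alice write /home/alice/docs/report{i}_{j}.docx"
        for i in range(30)
        for j in range(1 + i % 3)
    ]
    live = [f"{datetime(2020, 7, 23, 9, 0).isoformat()} alice write /home/alice/docs/notes{k}.docx" for k in range(2)]
    burst = datetime(2020, 7, 23, 9, 5).isoformat()
    for d in range(10):
        for k in range(2):
            live.append(f"{burst} alice write /home/alice/share{d}/file{k}.xlsx")
            live.append(f"{burst} alice rename /home/alice/share{d}/file{k}.xlsx.locked")
    live.append(f"{datetime(2020, 7, 23, 9, 7).isoformat()} bob write /home/bob/todo.txt")
    return training, live


def demo() -> list:
    training, live = sample_data()
    return detect(training, live)


if __name__ == "__main__":
    for alert in demo():
        print(alert)
```

The point of the per-user baseline is that the same 40 writes in a minute are ordinary for a build server and alarming for a desktop user; a fixed global threshold would either miss the one or drown the other in noise. A real deployment would also baseline per host and per process name, and would act on the alert (isolate the host, revoke the session) rather than only record it.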
Bottom line: as these attacks continue to reach new targets, it should be crystal clear to manufacturers that no one is exempt. Solid security hygiene is crucial, and it needs to extend beyond the office IT environment: OT environments are just as attractive to today's sophisticated attackers.