Ransomware is a particularly heartless endeavor. Criminals have targeted schools, vital infrastructure, and even patient records at a psychiatric treatment facility. The US Department of Homeland Security recognizes it as a top threat, and security professionals put defensive ransomware strategies at the top of their to-do list. As it is for every other cybersecurity initiative, defense-in-depth is axiomatic for effective ransomware protection. Building content awareness is a simple and accessible way to add another layer to your anti-ransomware strategies.
Understandably, most defensive strategies start with measures that minimize footholds attackers can find within an organization’s IT environment. Checking inbound emails for ransomware payloads, giving users practical advice on internet “street smarts,” and monitoring the network for suspicious activity are essential elements of an effective anti-ransomware strategy. Emerging AI-based data governance solutions offer an additional weapon for the ransomware fight: situational awareness informed by deep insights into content.
Content awareness builds ransomware resiliency. To understand why, it’s helpful to put yourself in the shoes (or behind the keyboard) of your opponent and think about how they plan, execute, and monetize the attack. Armed with an understanding of the attack process and empowered with insights into your content, you’ll have what you need to minimize damage before, during, and after ransomware incidents.
So, let’s start where the attackers start – establishing a foothold. Attackers use encryption to make valuable data inaccessible. To do that, they need to take control of accounts. Ideally (from the attacker’s perspective, of course), compromised accounts will have access to a wide array of business-critical data. In reality, it’s a roll of the dice. The attacker’s social engineering and malicious email campaigns entrap random targets.
It’s like Forrest Gump’s box of chocolates. Once an account has been compromised, the box is open. Sometimes the account is full of goodies, with access to a wide range of files and data. Other accounts are nearly empty boxes, with far more limited access. If you’re on defense, your goal is to keep the box closed. And, just in case the attacker manages to pry it open, it would be great if it didn’t have too many goodies inside.
Most of today’s ransomware mitigation strategies focus on keeping the box closed, which makes sense. There’s been less attention paid to managing the chocolates in the box. Least-privilege data access models, aimed at granting user access to only the data they need, are a great way to limit exposure in the likely event of an account compromise. Least privilege isn’t a preventative strategy. It’s a damage-limitation strategy that assumes – as you should – that a ransomware attacker will eventually gain control of one or more of your accounts.
But if least privilege works, why isn’t the practice more pervasive? A typical organization manages north of 10 million files, ranging from picnic invitations to private financial documents. About a third of these documents are business-critical (therefore of interest to a ransomware perpetrator). That’s a daunting number of files with an array of content that might be hard for even skilled IT teams to evaluate, understand, and protect.
For better or worse, that means end users are typically in charge of who can and can’t see their content. And sometimes, that critical source code document or the spreadsheet with embedded customer information is shared more broadly than necessary. About 12 percent of all business-critical documents risk ransomware compromise because of oversharing.
To alleviate that risk, AI-based data access governance technologies scan an organization’s millions of documents, using natural language processing algorithms to categorize content and detect oversharing. It’s a powerful tool that helps limit unnecessary access – and the ransomware risks that come with it.
Content awareness also helps when it comes to the detection of attacks in progress, because ransomware exploits differ from other cybercrime in one critical way: The criminals don’t need to take possession of data. Because the data doesn’t move, security measures at the perimeter aren’t in a great position to spot or stop in-progress attacks. That changes the detection picture: Instead of a few perimeter control points, security professionals need to keep tabs on a staggering number of files located across the organization.
Consequently, ransomware attack detection strategies seek to monitor encryption activity and encryption artifacts at the file level. With a baseline established before the attack, differentiating between routine and nefarious activity is far more straightforward. And if the baseline includes insights into the business criticality of that content, you can detect unwanted encryption and evaluate the threat to make more effective mitigation decisions.
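As an added illustration of the baseline-then-detect approach described above (example code written for this page, not any product's detection logic), the following Python flags an account whose per-window write count and write entropy both jump above its own pre-attack baseline, and weights the alert by the business criticality of the files it touched. The file-activity windows, paths and criticality labels are constructed samples.

```python
import math
from collections import Counter, defaultdict
# Constructed output of a content-classification pass (path -> business criticality 1..3).
CRITICALITY = {"/finance/q3.xlsx": 3, "/eng/auth.py": 3, "/hr/picnic.docx": 1}

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: plaintext documents sit well below 8, encrypted output lands near 8."""
    counts = Counter(data)
    return -sum(c / len(data) * math.log2(c / len(data)) for c in counts.values())

def summarise(window):
    """Per-account (write count, mean write entropy, paths) for one window of (account, path, bytes)."""
    stats = defaultdict(lambda: [0, 0.0, []])
    for account, path, data in window:
        stats[account][0] += 1
        stats[account][1] += shannon_entropy(data)
        stats[account][2].append(path)
    return {a: (n, tot / n, paths) for a, (n, tot, paths) in stats.items()}

def build_baseline(history):
    """Average per-window write count and entropy per account over pre-attack windows."""
    acc = defaultdict(lambda: [0.0, 0.0, 0])
    for window in history:
        for account, (n, ent, _) in summarise(window).items():
            acc[account][0] += n
            acc[account][1] += ent
            acc[account][2] += 1
    return {a: (c / k, e / k) for a, (c, e, k) in acc.items()}

def detect(window, baseline, rate_factor=3.0, entropy_jump=2.0):
    """Flag accounts whose write rate AND entropy both jump above baseline; score = summed criticality."""
    alerts = {}
    for account, (n, ent, paths) in summarise(window).items():
        base_n, base_ent = baseline.get(account, (0.0, 0.0))
        if n > rate_factor * max(base_n, 1.0) and ent > base_ent + entropy_jump:
            alerts[account] = sum(CRITICALITY.get(p, 1) for p in paths)
    return alerts

# Constructed activity: routine edits write text; the attack window rewrites files with ciphertext-like bytes.
PLAIN = b"Q3 forecast: revenue up 4 percent, costs flat. Review before Friday."
CIPHER = bytes(range(256))  # stand-in for encrypted output: maximal entropy, 8 bits/byte
HISTORY = [[("alice", "/finance/q3.xlsx", PLAIN)],
           [("alice", "/hr/picnic.docx", PLAIN), ("bob", "/eng/auth.py", PLAIN)]]
ATTACK = [("alice", p, CIPHER) for p in ("/finance/q3.xlsx", "/eng/auth.py", "/hr/picnic.docx", "/hr/notes.txt")]
ATTACK.append(("bob", "/eng/auth.py", PLAIN))  # bob keeps editing normally and must not be flagged

def run_demo():
    """Risk-weighted alerts for the attack window: alice is flagged, scored 3 + 3 + 1 + 1 = 8."""
    return detect(ATTACK, build_baseline(HISTORY))
```

The unknown path `/hr/notes.txt` defaults to criticality 1, so unclassified files still count but do not dominate the score.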
Finally, should you find yourself confronted with a ransom demand, content awareness is invaluable. Deciding whether to pay to recover your data is a difficult decision under any circumstances, but making that decision with a complete understanding of precisely what data is at risk of loss is far better than making it without knowing what’s at stake. Your attacker often doesn’t know if what they have is critical or trivial. Content awareness can give you the upper hand.
Ransomware is, without a doubt, an escalation in the cybercrime arms race. By augmenting your anti-malware and anti-phishing efforts with least-privileges access control, you can minimize the damage should an attack occur. Content and activity awareness establishes a baseline that makes unwanted encryption easier to spot and mitigation activities faster and more effective. And should you find yourself in negotiations over the ransom, you’ll be glad you have a clear understanding of what data is at risk.