The key to ‘fighting through the fog of war’ in cyberattacks


For decades, organizations have allocated massive amounts of their information technology budgets to cybersecurity technologies to prevent networks and devices from being compromised by attackers. But amid the rise of nation-state cybercrime syndicates, and the general trend of malicious actors employing increasingly sophisticated social engineering tactics, completely stemming the tide of cyberattacks has become a virtually impossible task.   

More recently, the biggest challenge stems from financially-motivated actors that are increasingly targeting organizations’ sensitive data in ransomware campaigns, which has fueled the creation of a booming $8.4B industry. This type of crime has become easier to carry out because of the surge in adoption of cloud services and SaaS applications that happened during the pandemic, which enabled businesses around the world to continue operating after the shift to working from home.  

Now, all of these factors are fueling a shift in the traditional cybersecurity mindset. More organizations are realizing they need to accept the near-certainty of being hit with a cyberattack. Rubrik Zero Labs data found that global IT and security leaders were notified of a cyberattack an average of 52 times in 2022, or one attack per week. But if they focus more of their security spending and training on getting back up and running afterwards — which includes quickly restoring access to their critical and sensitive data — organizations can minimize the computing downtime that typically comes with ransomware campaigns. This can also help mitigate the financial impact of such attacks: In August, the city of Dallas estimated that a ransomware attack earlier this year cost taxpayers more than $8.5 million.

My perpetual thesis is that cyber criminals are in this business to make money on the black market, which is why one in two organizations have experienced a material loss of sensitive information in the last year, including intellectual property, financial data or personally identifiable data, according to the most recent Rubrik Zero Labs report.   

But an important question to consider is: How do we fight through the successful cyberattacks that happen and keep our businesses up and functioning? This ties into a strategy known in cybersecurity circles as “cyber resilience.” Cyber resilience is distinctly different from traditional network and endpoint security solutions that are focused on preventing attacks, and instead is aimed at helping organizations reconstitute their business operations — and most importantly, their data — while at the same time working to get attackers out of their environment and repair the damage they’ve caused.  

Some of the principles of cyber resilience borrow from the lessons U.S. military leaders have learned during wartime. In those settings, a concept has emerged that “You’ve got to fight through the fog of war” — meaning that everything you were going to war with would eventually be hit. All your plans would suffer setbacks, and you needed to be able to adapt in real-time to achieve tactical goals. And maybe most importantly, you needed to have effective communication up and down the chain as the dynamic situation evolved.  

This same mindset is at the heart of cyber resilience: having the ability to simultaneously work to mitigate a cyberattack, conduct forensics to determine the threat vector, evict the bad actor and reconstitute impacted business operations, including restoration of services and the associated data they need to operate. Of course, the explosion in the amount of data organizations generate and store in the course of their operations complicates matters. While cloud services and SaaS applications have enabled organizations to work more productively, they have also created a situation where, for more than half of organizations, sensitive data is being stored in multiple locations, including on employees’ work laptops. That, in turn, has given malicious actors more targets to choose from.

A classic case in point is human resources and corporate benefits systems. There’s a perception that all of an organization’s sensitive data sits in these systems, but that isn’t always the case. Oftentimes we find that when companies need to do bulk registration of their employees with benefit providers, personal information is exchanged via e-mail and spreadsheets, and this personal data is left on individual laptops or in shared folders without being encrypted or password protected.   

In another scenario, an accounting staff member who is testing a new payroll system will download a bunch of W-2 forms to their laptop to see if it can ingest them and ship them over to the accounting system. In both of these instances, the problem is that employees sometimes forget to delete these files from their machines afterwards, leaving the door open for attackers to break in and gain access to this valuable data.   

Another challenge with organizations that use SaaS applications and cloud services is that data is stored in multiple locations, making it challenging to keep track of where the most critical data — such as payroll processing information — lives and who has access to it. And it is also tough to determine how critical data moves around a corporate computing environment. For example, one employee could access this kind of data to create an Excel spreadsheet and send it to another employee as an email attachment, who could subsequently alter the data and create a Word file. Being able to track all of this not only helps organizations better protect the data, it also can flag abnormal activity that could point to stealthy cyberattacks.   

As awareness of ransomware attacks grows, more and more organizations will be taking steps to protect their data. It’s possible that attackers could shift their approach to more destructive tactics, employing tactics that nation-state hackers have previously used to cripple industrial control systems and equipment.   

But so far, this hasn’t been broadly applied by financially-motivated cybercriminals, who typically want to be able to come back and target their victims multiple times. And if they destroy your computers, they’re not going to be able to get that ransomware money out of you because you’re having to replace your physical equipment. These attackers really don’t want to do too much damage because they need you to be a viable host.  

Michael Mestrovich is vice president and chief information security officer at Rubrik. 

Copyright © 2024 Federal News Network. All rights reserved.
