Add a New Dimension to Ransomware Defenses

Ransomware is a particularly heartless endeavor: criminals have targeted schools, vital infrastructure, and even patient records at a psychiatric treatment facility. The US Department of Homeland Security recognizes it as a top threat, and security professionals put defensive ransomware strategies at the top of their to-do list. As it is for every other cybersecurity initiative, defense-in-depth is axiomatic for effective ransomware protection. Building content awareness is a simple and accessible way to add another layer to your anti-ransomware strategies.

Understandably, most defensive strategies start with measures that minimize footholds attackers find within an organization’s IT environment. Checking inbound emails for ransomware payloads, giving users practical advice on internet “street smarts,” and monitoring the network for suspicious activity are essential elements of an effective anti-ransomware strategy. Emerging AI-based data governance solutions offer an additional weapon for the ransomware fight: situational awareness informed by deep insights into content.

Content awareness builds ransomware resiliency. To understand why, it’s helpful to put yourself in the shoes (or behind the keyboard) of your opponent and think about how they plan, execute, and monetize the attack. Armed with an understanding of the attack process and empowered with insights into your content, you’ll have what you need to minimize damage before, during, and after ransomware incidents.

So, let’s start where the attackers start: establishing a foothold. Attackers use encryption to make valuable data inaccessible. To do that, they need to take control of accounts. Ideally (from the attacker’s perspective, of course), compromised accounts will have access to a wide array of business-critical data. In reality, it’s a roll of the dice: the attacker’s social engineering and malicious email campaigns entrap random targets.

It’s like Forrest Gump’s box of chocolates. Once an account’s compromised, the box is open. Sometimes the account’s full of goodies, with access a wide range of files and data. Other accounts are nearly empty boxes, with far more limited access. If you’re on defense, your goal is to keep the box closed. And, just in case the attacker manages to pry it open, it’d be great if it didn’t have too many goodies inside.

Most of today’s ransomware mitigation strategies focus on keeping the box closed, which makes sense. There’s been less attention paid to managing the chocolates in the box. Least-privileges data access models, aimed at granting accounts access to only the data they need, are a great way to limit exposure in the likely event of an account compromise. Least privileges isn’t a preventative strategy. It’s a damage-limitation strategy that assumes – as you should – that an attacker will eventually gain control of one or more of your accounts.

Which raises the question: if least-privileges works, why isn’t the practice more pervasive? A typical organization manages north of 10 million files, ranging from picnic invitations to private financial documents. About a third of these documents are business-critical (therefore of interest to a ransomware perpetrator). That’s a daunting number of files with an array of content that might be hard for even a skilled IT professional to evaluate, understand, and protect.

For better or worse, that means end-users are typically in charge of who can and can’t see their content. And sometimes, that critical source code document or the spreadsheet with embedded customer information is shared far more broadly than necessary. About 12% of all business-critical documents risk ransomware compromise because of oversharing.

New AI-based data access governance solutions can help. They work by scanning an organization’s millions of documents using natural language processing algorithms to categorize content and evaluate oversharing. It’s a powerful tool that helps limit unnecessary access – and the ransomware risks that come with it.

Content awareness also helps when it comes to detection of attacks in progress. Here’s why. Ransomware exploits differ from other cybercrime in one critical way: the criminals don’t need to take possession of data. Because the data doesn’t move, security measures at the perimeter aren’t in a great position to spot or stop in-progress attacks. That changes the detection picture: instead of a few perimeter control points, security professionals need to keep tabs on a staggering number of files located across the organization.

Consequently, ransomware attack detection strategies seek to monitor encryption activity and encryption artifacts at the file level. By establishing a baseline before the attack, differentiating between routine and nefarious activities is far more straightforward. And if the baseline includes insights into the business criticality of that content, you can both detect unwanted encryption and evaluate the threat to make more effective mitigation decisions.

Finally, should you find yourself confronted with a ransom demand, content awareness is invaluable. Deciding whether to pay to recover your data is a difficult decision under any circumstances. But making that decision with a complete understanding of precisely what data is at risk of loss is far better than having to make it not knowing what’s at stake. Your attacker often doesn’t know if what they have is critical or trivial. Content awareness can give you the upper hand.

Ransomware is, without a doubt, an escalation in the cybercrime arms race. Content awareness can give you the upper hand in the battle against it. By augmenting your anti-malware and anti-phishing efforts with least-privileges access control, you can minimize the damage should an attack occur. Content and activity awareness establishes a baseline that makes unwanted encryption easier to spot and mitigation activities faster and more effective. And should you find yourself in negotiations over the ransom, you’ll be glad you have a clear understanding of what data is at risk.

Modern AI-based technologies autonomously scan all your content –whether it’s structured or unstructured, in the cloud or on-premises – so you can benefit from content awareness without adding staff or complicating your users’ workflow. Content awareness adds depth to your existing defenses against account capture and unwanted encryption, helping you prepare for and respond to ransomware attacks. It deserves a place in your anti-ransomware strategies.

This article originally appeared in Help Net Security.