Ransomware is usually defined as a type of malicious software that denies organizations and individuals access to their data or computer system/device unless a payoff is made. However, ransomware is not just malware. It’s often part of an actual intrusion. Per Microsoft’s Digital Defense Report, “Ransomware’s economic model capitalizes on the misperception that a ransomware attack is solely a malware incident, whereas in reality ransomware is a breach involving human adversaries attacking a network.”
Typically, once a system has been infiltrated and the network has been taken over, data is encrypted and cannot be decrypted by anyone other than the attacker. Information may also be removed from the system.
The following questions were asked of David LeBlanc, security expert, author of 24 Deadly Sins of Software Security and SecureCloudDB’s Chief Product Officer, during the webinar “Ransomware and The Cloud”, the replay of which is now available on demand.
What is the biggest difference between ransomware attacks on local databases versus cloud databases?
The biggest difference is that if the database is in the cloud, and if you don't have your access controls and your network access set up properly, then the attacker can go straight to your database without having to go to the trouble of invading your corporate network first.
If an attacker can take over your database easily without having to go to the trouble of hacking your whole network, that's a lot easier for them. And in fact, we saw an incident like this where a lot of companies were using MongoDB to contain a lot of their data, and MongoDB notoriously starts off by default with no authentication involved and is accessible to the full internet. And so of course the hope is that organizations will lock their databases down and not go into production this way, but the way things are and the way that they should be are often different. As a result, tens of thousands of databases were compromised and often set up with ransomware as a result.
Can ransomware encrypt already encrypted data? If security teams are getting configurations right - encrypting data at rest in transit, etc. - can it still be held up to ransomware attacks?
Oh, absolutely. Anyone can encrypt anything as many times as they like. I can encrypt something with one key and then encrypt it with another key, and then I have to have both keys to get it back [to its unencrypted state].
So just because you have encrypted your data already, doesn't mean that it can't be encrypted again by somebody else — and now you'll need their key as well as your key in order to retrieve the plain text.
What questions should be asked, what actions should be taken, immediately following a ransomware attack in the cloud?
If you've actually been successfully attacked in the cloud, then the first thing to do is to go verify whether or not your backups are still intact or if they have been deleted; you want to find out how easily it is that you can just restore to yesterday's data. And if you can, then you want to figure out how the attacker got in, to correct that. Once corrected, you can then restore data and resume operations.
You probably also should do some additional forensics to see if you can track the attack back to the actual perpetrator and see if there can be some consequences for their criminal behavior, but your number one thing is to be able to resume your business purpose.
Do you see ransomware defense tactics evolving? If so, how?
Everything's always evolving. It's always a cat and mouse game on both sides — the anti-malware vs malware is a never ending chess game that's been going on for a long time; the attackers do one thing, the defenders do another, and then the attackers do something else. And so it goes, it just continues.
Now, there are some exciting new developments in terms of being able to look at every aspect of your network to be able to join things like intrusion detection logs and anti malware logs, software inventory logs and behavioral logs, into more and more sources of data. And what's really exciting is though security teams had the capability to join multiple sources of data together for a long, long time, they've only pretty recently been able to effectively manage and draw conclusions out of those sources of data using artificial intelligence and machine learning techniques. And so it's much, much harder to be an attacker these days than it was 20, 25 years ago, when attackers could do all sorts of things and nobody would notice.
The techniques that are available to the defenders keep growing, but I expect the attackers are not going out of business; that as the defenders get better, attackers are just going to up their game — they're going to find new techniques and new approaches. So it'll go back and forth — the defenders will start shutting the attackers down a little bit here and there, and then the attackers will come back and do something else.
Are cloud database attack strategies changing?
Yeah. As companies are starting to more and more incorporate the cloud into their infrastructure strategy, the attackers are going to start paying more and more attention to how they can infiltrate the cloud.
A couple years back, there was an example of where some attackers were able to take over a reseller that was providing services to one of the major cloud providers and because they could take over the reseller, who had full access to all the accounts and subscriptions, they had full access transitively to all the customers. That's what the attackers were after — the customers of this provider, not necessarily the provider itself. Basically, wherever there's a way in, attackers are going to try and find it.
What is the one most important thing I should do today to protect against ransomware attacks?
The number one most important thing is to know what your backup story is. That is 100% the top thing to have. Know that you have backups that are running, know how to use your backups, and know that your backup data is in a place where it cannot be corrupted using the same level of credentials that could be used to write the data in the first place.
Just because the attacker has gotten into your database, doesn't mean that the attacker should have access to your backups. So figure out what that story is. The cloud providers are more than happy to sell you their backup services; utilize those and make sure that you've got a clean story on that.
Moral of the story: plan for attacks
Try as you might, it is possible that something is going to go wrong at some point and an attacker is going to get through. Actually, it's not really a question of if this can happen, but when it will happen, and how often it will happen.
If an organizations’ defenses are poor, it could happen fairly frequently. Even if defenses are good, organizations can still fall prey to attacks because at the end of the day, a lot of the problems attackers exploit are the result of mistakes, and people make mistakes on a regular basis.
The solution, at least for databases, is to see where security mistakes are being made in order to prevent attacks such as ransomware attacks. SecureCloudDB shows organizations what database elements are misconfigured and what vulnerabilities time needs to be spent on fixing while providing real-time monitoring capabilities so that organizations can get all the benefits of the cloud without the drawbacks.
Database Activity Monitoring
SecureCloudDB Database Activity Monitoring provides perspective on what cloud database activity is occurring in real time, over time, assisting with anomaly detection and catching inappropriate activity in the act.
Asset Discovery pinpoints where an organization's databases are. In the cloud, anybody with access to the account or resource group can spin up the databases that they need whenever they need them, so they tend to proliferate. SecureCloudDB shows organizations where their databases are and catalogues them, providing insight into what utilization is across accounts in addition to providing an overall picture of what it is that’s being used.
Policies and Alerting
SecureCloudDB assesses systems configurations — what's going on in terms of your networking, your backups, your logging, common configuration items and so on. Out-of-the-box and custom policies and alerting target failures, uncover improper access, and more. Customization capabilities serve to minimize alert fatigue and reduce response time because you can decide which rules to apply to your systems, what your policies are, and how to best manage them.