April 25, 2024
Key Takeaways for Ransomware Defense Strategy:
Ransomware defense refers to the comprehensive measures put in place to prevent, detect, and respond to ransomware attacks. It involves a combination of people, processes, and technology aimed at mitigating threats posed by ransomware.
Ransomware defense effort should always go toward preventing attacks, but there is also significant strategic value in detection and containment. Realistically, it is impossible to prevent every attack or intrusion, so focus on both prevention and detection to achieve full coverage.
Today, ransomware attacks are more sophisticated and are often executed by formal organizations with structured operations. Gone are the days when such attacks were carried out by lone individuals in remote locations. Ransomware groups operate like corporate entities, and your defensive strategies can both discourage them from attacking and protect you when they do.
Increase Ransomware Actor’s Spend
Your ultimate goal with ransomware defense should be to increase the attacker's spend through the defensive strategies you implement. The more security controls, logging, and automated solutions you have in place, the harder and more expensive it is for these ransomware enterprises to operate against you. At the end of the day, ransomware groups must weigh the potential gain against the effort required to breach a company's security barriers. If you are the slowest gazelle, or the least protected, then you have a high risk of falling prey to attacks.
Stay Up to Date with Your Ransomware Defense
Consider that ransomware actors invest in research and development the same way many enterprises do. They stay up to date with evasions. They stay up to date with novel techniques. They hire programmers to constantly improve and iterate on their own tooling. You should be doing the same and investing in innovation when it comes to your own defenses.
A mitigation mindset is critical to defend against ransomware. Today, a ransomware defense strategy should be twofold: one, assuming breach, and two, adopting defense-in-depth strategies.
Always assume a breach regardless of how well-protected you think you are. It’s crucial to not let your ego get in the way or make assumptions that you’re immune to an attack.
Ransomware Security Controls Alone Are Not Enough to Prevent an Attack
By implementing defensive strategies, like multifactor authentication (MFA), encryption of sensitive data, and regular backups, you can make it more difficult for attackers to cause damage. But breaches happen to even the most secure systems. No tool or measure is foolproof.
Understand Your Environmental Baseline
Understanding your environmental baselines lets you quickly identify abnormalities. The only way to do this is by collecting as many disparate data sources as possible. For example, the logged data from your EDR shows you what is happening on endpoints, but you can also gather data from your email gateways and from DNS. The more you can measure, the more you can baseline.
Consider All Phases of An Infection and Invest Throughout Them
Don’t spend all of your budget on one security control like phishing prevention, and then spend nothing on backups. Pay for the phishing defenses, but don’t rely on them as your sole line of defense.
An example of investing time in other defenses and detection is using DNS queries. As you consider different areas of attack, some things that you would want to watch out for:
Adopt the assume breach mindset, and invest into all phases of the attack lifecycle.
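The baselining idea above (collect a disparate source, learn what is normal, then look for deviations) and the DNS-query example both come together in the following script. It is an added example, not code from the original post or from ReliaQuest. The resolver log format it parses (timestamp, client host, queried name, one per line) is a constructed simplification; real resolver logs such as BIND query logs or Zeek dns.log need their own parser, and the "last two labels" approximation of a registered domain should be replaced with a Public Suffix List lookup in production.

```python
"""Baseline DNS query activity per host and flag deviations from it.

Added example, not from the original post. Log format and sample data are
constructed; the surge factor is an arbitrary tuning knob, not a vendor value.
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample: a "known good" window used to learn each host's baseline
BASELINE_LOG = """\
2024-04-01T08:01:12Z ws-fin-01 login.microsoftonline.com
2024-04-01T08:01:13Z ws-fin-01 outlook.office365.com
2024-04-01T08:05:40Z ws-fin-01 update.example-vendor.com
2024-04-02T09:12:02Z ws-fin-01 login.microsoftonline.com
2024-04-02T09:12:03Z ws-fin-01 outlook.office365.com
2024-04-01T08:10:00Z ws-hr-07 login.microsoftonline.com
2024-04-01T08:10:01Z ws-hr-07 hr-portal.internal.example
2024-04-03T10:00:00Z ws-hr-07 hr-portal.internal.example
"""

# Constructed sample: a later window to compare against the baseline
DETECTION_LOG = """\
2024-04-08T08:02:00Z ws-fin-01 login.microsoftonline.com
2024-04-08T08:02:01Z ws-fin-01 outlook.office365.com
2024-04-08T11:30:00Z ws-fin-01 qz8k3x1p.example-unknown.net
2024-04-08T11:30:05Z ws-fin-01 m7b2r9.example-other.org
2024-04-08T11:30:09Z ws-fin-01 t4w1y6.example-third.com
2024-04-08T08:15:00Z ws-hr-07 hr-portal.internal.example
2024-04-08T08:16:00Z ws-hr-07 cdn.example-vendor.com
2024-04-08T12:00:00Z ws-new-99 login.microsoftonline.com
"""


def parse_log(text):
    """Yield (timestamp, host, qname) tuples from the constructed log format."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, host, qname = line.split()
        yield datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), host, qname.lower().rstrip(".")


def registered_domain(qname):
    """Crude 'last two labels' approximation; use the Public Suffix List in production."""
    return ".".join(qname.split(".")[-2:])


def dns_baseline(text):
    """Per host: the registered domains seen, plus the peak number of distinct
    domains queried on any single day of the baseline window."""
    domains = defaultdict(set)
    per_day = defaultdict(lambda: defaultdict(set))
    for ts, host, qname in parse_log(text):
        d = registered_domain(qname)
        domains[host].add(d)
        per_day[host][ts.date()].add(d)
    peak = {h: max(len(s) for s in days.values()) for h, days in per_day.items()}
    return {"domains": dict(domains), "peak_daily_distinct": peak}


def detect_dns_anomalies(baseline, text, surge_factor=1.5):
    """Return (host, finding, detail) tuples for three deviations:
    'new-domain'   - a registered domain never seen for that host in baseline
    'surge'        - a day whose distinct-domain count exceeds surge_factor x peak
    'unknown-host' - a client that never appeared in the baseline at all
    """
    findings = []
    known = baseline["domains"]
    per_day = defaultdict(lambda: defaultdict(set))
    for ts, host, qname in parse_log(text):
        d = registered_domain(qname)
        per_day[host][ts.date()].add(d)
        if host in known and d not in known[host]:
            findings.append((host, "new-domain", qname))
    for host, days in per_day.items():
        if host not in known:
            total = sum(len(s) for s in days.values())
            findings.append((host, "unknown-host", f"{total} distinct domains"))
            continue
        peak = baseline["peak_daily_distinct"][host]
        for day, ds in days.items():
            if len(ds) > surge_factor * peak:
                findings.append((host, "surge", f"{day}: {len(ds)} distinct vs baseline peak {peak}"))
    return findings


if __name__ == "__main__":
    base = dns_baseline(BASELINE_LOG)
    for host, kind, detail in detect_dns_anomalies(base, DETECTION_LOG):
        print(f"{host:10} {kind:13} {detail}")
```

Run stand-alone, the script reports the four never-before-seen domains, a fan-out surge on ws-fin-01, and a client that was absent from the baseline window. None of these is a verdict on its own; they are the kind of deviation the paragraph above says a baseline makes visible, to be triaged alongside EDR and email-gateway data.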
A defense-in-depth strategy is a security approach that establishes layered detection pipelines and security controls throughout your network. Realistically, there is a cost associated with integrating multiple data sources, but strategies like defense in depth increase the effort required from the ransomware group. In their evaluation of cost versus gain, your organization won't be worth infiltrating.
You can implement preventative security measures in each of the following layers:
First Layer: Security Controls
This layer includes your application- and protocol-aware firewalls (a Palo Alto, for example), your EDR, and your email gateways. These are the tools and software you buy and deploy within your environment. They can be preventative access controls, like a firewall blocking an IP address, and help you mitigate risks.
Second Layer: Detection Pipelines
The second layer involves using these tools, like an EDR, to help serve your detection pipelines which are the logical processes that you have in place to collect, process, analyze, and react to events that are happening inside your environment.
This isn't just collecting logs. It's the pipeline from collection to reaction as a whole. Spend effort on the variety of your pipeline and, going back to the assumed-breach mindset, consider your own environment and the different mechanisms an attacker may be able to leverage in it. This will help you prioritize what's important.
Third Layer: Security Design
The third layer, comprehensive security design, builds on the first two: your security controls and your detection pipelines. As new elements get added to your security architecture, always spend some time considering how each one affects the security posture of your organization as a whole.
When adopting a new technology, consider the risks that are associated.
Defensive strategies are proven to help mitigate the threat of ransomware. They have the primary goal of imposing costs onto your threat actors. In these areas of defense, we’ll talk about how assuming breach and defense in depth apply.
Phishing
The most common vector seen in ransomware is phishing. Yes, phishing attacks are pervasive and have only increased in recent years, but don't put all your eggs in one basket. Assume breach (your current phishing security practices will not capture all phishing attacks) and defend in depth (try to achieve a state where you can trace the entirety of the interaction).
Here is how you can apply this defense against ransomware:
The goal is to increase the difficulty for the attacker. And you can do that by restricting what they can do.
Applying these security measures gives you an additional opportunity to detect the attack and puts you in a much better state of preparedness.
Authentication
Authentication logs are an excellent source of data for implementing a defense in depth strategy. These logs can help you establish baselines for detecting abnormal activities. As you collect authentication events over time, you gain insight into what is normal behavior for a user and an admin. Continuously collecting artifacts increases the level of difficulty for an attacker trying to blend in.
You should be able to answer questions like:
It is a lot easier to allowlist (whitelist) the user agents you expect than to blocklist (blacklist) the known-bad ones.
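The following script applies the two points above: it learns a per-user baseline from authentication events and allowlists a handful of sanctioned client user agents rather than trying to enumerate unwanted ones. It is an added example, not code from the original post or from ReliaQuest. The JSON-lines event schema, the sample events and the allowlist patterns are all constructed; real identity providers (Entra ID sign-in logs, Okta system log, Windows logon events) use different field names and would need a small adapter.

```python
"""Baseline authentication events per user and allowlist client user agents.

Added example, not from the original post. Event schema, sample events and
the allowlist patterns are constructed for illustration.
"""
import ipaddress
import json
import re
from collections import defaultdict

# Sanctioned clients, as regular expressions. A short allowlist of what is
# expected is easier to maintain than a denylist of everything unwanted.
ALLOWED_USER_AGENTS = [
    re.compile(r"^Mozilla/5\.0 \(Windows NT 10\.0; Win64; x64\).* Edg/\d+"),
    re.compile(r"^Microsoft Office/16\.0 "),
    re.compile(r"^Outlook-iOS/"),
]

EDGE = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Chrome/124.0 Safari/537.36 Edg/124.0"
OUTLOOK = "Microsoft Office/16.0 (Windows NT 10.0; Microsoft Outlook 16.0.17328)"

# Constructed sample: successful sign-ins from the learning window
BASELINE_EVENTS = "\n".join(json.dumps(e) for e in [
    {"ts": "2024-04-01T08:00:00Z", "user": "alice", "src": "203.0.113.10", "ua": EDGE, "result": "success"},
    {"ts": "2024-04-01T08:30:00Z", "user": "alice", "src": "203.0.113.11", "ua": OUTLOOK, "result": "success"},
    {"ts": "2024-04-02T08:05:00Z", "user": "alice", "src": "203.0.113.10", "ua": EDGE, "result": "success"},
    {"ts": "2024-04-01T09:00:00Z", "user": "bob-admin", "src": "198.51.100.5", "ua": EDGE, "result": "success"},
])

# Constructed sample: a later window to evaluate against the baseline
DETECTION_EVENTS = "\n".join(json.dumps(e) for e in [
    {"ts": "2024-04-08T08:01:00Z", "user": "alice", "src": "203.0.113.12", "ua": EDGE, "result": "success"},
    {"ts": "2024-04-08T02:14:00Z", "user": "alice", "src": "192.0.2.77", "ua": "python-requests/2.31.0", "result": "success"},
    {"ts": "2024-04-08T02:15:00Z", "user": "bob-admin", "src": "192.0.2.77", "ua": EDGE, "result": "failure"},
    {"ts": "2024-04-08T02:16:00Z", "user": "bob-admin", "src": "192.0.2.77", "ua": EDGE, "result": "success"},
])


def parse_events(text):
    """Yield one dict per non-empty JSON line."""
    for line in text.splitlines():
        if line.strip():
            yield json.loads(line)


def source_network(ip, prefix=24):
    """Collapse an address to its /24 so a DHCP move inside an office range
    does not look like a brand-new location."""
    return str(ipaddress.ip_network(f"{ip}/{prefix}", strict=False))


def user_agent_allowed(ua):
    """True when the user agent matches any sanctioned client pattern."""
    return any(p.match(ua) for p in ALLOWED_USER_AGENTS)


def auth_baseline(text):
    """Per user: the set of source networks they successfully signed in from."""
    nets = defaultdict(set)
    for ev in parse_events(text):
        if ev["result"] == "success":
            nets[ev["user"]].add(source_network(ev["src"]))
    return dict(nets)


def detect_auth_anomalies(baseline, text):
    """Return (user, finding, detail) tuples for:
    'unapproved-agent'  - client not on the allowlist, whatever the outcome
    'new-source'        - successful sign-in from a network outside the baseline
    'shared-new-source' - one unfamiliar network used by several accounts
    """
    findings = []
    new_source_users = defaultdict(set)
    for ev in parse_events(text):
        user, net, ua = ev["user"], source_network(ev["src"]), ev["ua"]
        if not user_agent_allowed(ua):
            findings.append((user, "unapproved-agent", ua))
        if ev["result"] == "success" and net not in baseline.get(user, set()):
            findings.append((user, "new-source", net))
            new_source_users[net].add(user)
    for net, users in new_source_users.items():
        if len(users) > 1:
            findings.append(("*", "shared-new-source", f"{net}: {', '.join(sorted(users))}"))
    return findings


if __name__ == "__main__":
    base = auth_baseline(BASELINE_EVENTS)
    for user, kind, detail in detect_auth_anomalies(base, DETECTION_EVENTS):
        print(f"{user:10} {kind:18} {detail}")
```

The scripted client is caught without ever appearing on a denylist, simply because it is not one of the three sanctioned agents; the two accounts sharing one unfamiliar network is the kind of correlation that a per-user view alone would miss. Widen the allowlist as the business onboards new clients and the baseline window as you collect more history.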
Recovering from Ransomware
Ransomware actors spend a lot of time focusing on minimizing your ability to recover from a ransomware deployment.
As soon as they get access they are going to focus on certain things:
Concentrate on maximizing your ability to recover from these sorts of scenarios with:
With these layers of security measures in place, it makes sense to move beyond traditional MDR into partnering collaboratively with your security providers.
It can be difficult to manage the multitude of events, sources, and detections that come in at scale. You can forward everything to your SIEM, but you might be missing out on the response portion. Forwarding logs is one thing; there is more you can do by leveraging additional APIs.
APIs for security tooling can be difficult to deal with and maintain. In a perfect world, integrating these APIs would have a dedicated development team focused on all of these sources. Ideally, if you are partnered with someone that does a little more than traditional MDR work, you would rely on their vendor integrations so you would not have to manage or develop them yourself. A perfect example of that is leveraging Office 365 APIs.
The detailed access activity you can forward through the logs is great, but by leveraging the APIs you can start to do things like search for abnormal content within the emails inside your organization. That is something that can only be done through closer collaboration and integration with your partners.
You may want to drive an investigation. You may want to collaborate on an investigation, or even just observe it. You need a partner with flexibility and transparency. Simply getting a call at the end of an investigation typically isn't sufficient, and that is what your typical MDR vendors or providers will likely end up doing. Spend significant effort reviewing your partnerships and leverage a partner that truly delivers value.