In recent months, security vendors have observed that attacks on web applications and APIs, along with 0-day vulnerabilities, have skyrocketed. Especially since the “availability” of exploits like Log4j and Spring4Shell, incident response teams have faced a relentless stream of 0-day vulnerabilities that has consumed their time and attention.
At the same time, the number of ransomware-as-a-service (RaaS) attacks has also grown exponentially, with groups of cybercriminals that have been very active in recent months and that, in countries like the United States, have managed to put the supply chain of numerous companies in check.
Against this backdrop, at the latest RSA Conference Akamai presented new findings on cybercriminal behavior, drawn from the traffic it observes, and on the most popular attack techniques. To learn more about them, we had the opportunity to talk with Federico Dios, pre-sales manager at Akamai in Spain. This is what he told us.
[MuySeguridad] How do cybercriminals act in a ransomware-as-a-service strategy? What are the different parts of the chain and how important is this way of acting today?
[Federico Dios] In general, almost all criminal organizations that engage in ransomware use the same techniques. The parts of the chain are:
- Finding an entry point: the most frequent are phishing attacks that infect a device through which to access the victim organization.
- Lateral movement: once the entry point is infected and exposed, the goal is to move around the organization and compromise other elements from which to cover the majority of the infrastructure under attack.
- Exfiltration: Before performing any encryption process, attackers steal information of different types. A common example is the theft of credentials, personal information of users or clients, among other things.
- Encryption: This point is the best known in the entire attack process, which consists of encrypting all possible devices. The higher the percentage of infrastructure locked down through strong encryption, the higher the gain for attackers.
- Sending a ransom note: once the above actions have been carried out, the attackers send a communication demanding a ransom to release the encrypted data and infrastructure.
- Profits: Unfortunately, in many cases criminal organizations make profits as a result of their attack. These can be either through the ransom demanded or through the sale of information obtained during the attack.
This process is complex and represents a challenge for any organization that wants to defend itself. If we analyze each step in detail, we can see that each and every one of them requires a specific defense strategy. Lateral movement, for example, requires a strategy for protecting and controlling communication between the different devices by means of micro-segmentation.
[MuySeguridad] One of the data points that stands out in the report is the increase in threats to web applications. What does this mean for companies that are basing their digital transformation on a journey to the cloud or on modernizing their applications?
[Federico Dios] Digital transformation poses a security challenge due to the exposure of a completely different attack surface and the use of platforms that are not the ones that have been used historically.
In the case of web applications and APIs, the attack surface is broader, and our monitoring and Threat Research teams have detected a growing trend in LFI-type (local file inclusion) attacks compared to other, more traditional types of injection attacks on web applications and APIs.
The process of digital transformation of any infrastructure entails, in general, a move towards decentralized architectures in which the use of APIs and computing based on micro-services is favored. This trend is coupled with the significant growth in injection attacks that we at Akamai have seen.
That is why we believe that an adequate security strategy must incorporate protection elements at the application level without forgetting the importance of correctly segmenting the different elements of the infrastructure.
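To make the LFI trend mentioned above concrete, here is an added example (written for this page, not code from Akamai or the interviewee) of detection logic run over a few constructed web-server access-log lines. The log lines, hosts and paths are fabricated; the indicator list is a minimal starting set, not a complete signature base. Note that the detector decodes each request path repeatedly before matching, because double URL-encoding (`%252f`) is a common way to slip traversal sequences past a single-decode filter.

```python
"""Added example: minimal LFI / path-traversal detector over access-log lines.
Not from the interview or from Akamai; hosts, paths and log lines are constructed."""
import re
from urllib.parse import unquote

# Constructed sample log (combined log format, fabricated addresses and requests).
SAMPLE_LOG = """\
10.0.0.5 - - [12/Jun/2022:10:01:02 +0000] "GET /index.php?page=home HTTP/1.1" 200 512
10.0.0.9 - - [12/Jun/2022:10:01:07 +0000] "GET /index.php?page=../../../../etc/passwd HTTP/1.1" 200 1843
10.0.0.9 - - [12/Jun/2022:10:01:09 +0000] "GET /index.php?page=..%252f..%252f..%252fetc%252fshadow HTTP/1.1" 403 221
10.0.0.12 - - [12/Jun/2022:10:02:11 +0000] "GET /api/v1/files?name=report.pdf HTTP/1.1" 200 90211
10.0.0.9 - - [12/Jun/2022:10:02:15 +0000] "GET /index.php?page=php://filter/convert.base64-encode/resource=config.php HTTP/1.1" 200 4012
10.0.0.9 - - [12/Jun/2022:10:02:20 +0000] "GET /download?f=....//....//windows/win.ini HTTP/1.1" 404 0
"""

# Parses the fields we need from one combined-log-format line.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Indicators typical of LFI attempts. Order matters only for the reported tag list.
LFI_PATTERNS = [
    ("traversal", re.compile(r"(\.\./|\.\.\\)")),
    ("sensitive-file", re.compile(
        r"(/etc/(passwd|shadow)|win\.ini|boot\.ini|/proc/self/environ)", re.I)),
    ("php-wrapper", re.compile(r"\b(php|file|data|expect|zip|phar)://", re.I)),
    ("null-byte", re.compile(r"%00|\x00")),
]


def normalize(path: str) -> str:
    """URL-decode up to three times so that double/triple encoding is unwrapped
    before the indicator patterns are applied."""
    prev, cur = None, path
    for _ in range(3):
        if cur == prev:
            break
        prev, cur = cur, unquote(cur)
    return cur


def classify(path: str) -> list:
    """Return the list of indicator names that match the decoded path."""
    decoded = normalize(path)
    return [name for name, rx in LFI_PATTERNS if rx.search(decoded)]


def scan(log_text: str) -> list:
    """Run the detector over every line; return one hit per suspicious request."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        tags = classify(m["path"])
        if tags:
            hits.append({"ip": m["ip"], "path": m["path"],
                         "status": int(m["status"]), "indicators": tags})
    return hits


def offenders(hits: list) -> dict:
    """Aggregate hits per source address, useful for a quick triage view."""
    counts = {}
    for h in hits:
        counts[h["ip"]] = counts.get(h["ip"], 0) + 1
    return counts


if __name__ == "__main__":
    for h in scan(SAMPLE_LOG):
        print(h["ip"], h["status"], h["indicators"], h["path"])
    print(offenders(scan(SAMPLE_LOG)))
```

The response status is kept in each hit on purpose: a 200 on a traversal request (the `/etc/passwd` line above) is far more urgent than the 403 or 404 cases, which show the attempt was at least blocked or missed.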
[MuySeguridad] What are the main dangers presented by exploits such as Log4j and Spring4Shell and to what extent is this a concern for organizations?
[Federico Dios] One of the most important dangers in this type of vulnerability is data exfiltration, followed by the possibility of remote code execution. Currently, information theft is one of the main security risks and one that can have the greatest impact on any organization. It is not only a direct economic risk due to extortion or fines for a breach of personal data, but also the reputational cost that it can have for any organization.
This type of vulnerability is a clear case of risk in the supply chain, but from a technological point of view. These libraries are widely used and, in many cases, are maintained by third parties that do not necessarily follow the same security criteria as the organizations that use them.
[MuySeguridad] Another interesting point is that commerce is the sector most affected by this type of attack. What do you think this is due to, and what can these companies do to protect themselves?
[Federico Dios] The retail sector is one of the most affected in all types of attacks, but especially when the objective is the theft and abuse of credentials, the theft of banking information such as credit cards, and automated purchasing tools, as is the case with campaigns to deplete stock and then resell it at a higher price. It is an industry with a significant economic impact and a high volume of information that is attractive to criminals, which makes it a priority target.
For this type of organization, it is key to develop a strategy aimed at managing the abuse of credentials and advanced bot management tools that allow them to control the use made of their applications. Identifying and managing legitimate users and bots is one of the main challenges that security managers of companies in the retail sector have to face on a daily basis.
The security strategy must incorporate not only application firewall elements but also consider other types of attack vectors, with anti-bot controls such as those mentioned above.
Finally, it is important to also adopt a micro-segmentation strategy to avoid vulnerabilities that can be exploited by ransomware. The retail sector is also one of the most affected by ransomware campaigns through which victim organizations can be paralyzed, generating a serious operational problem for the business.
[MuySeguridad] Finally, what role does Akamai play in protecting businesses from these threats?
[Federico Dios] Going back to the ransomware scenario, we know that it is a complicated problem and protecting against it boils down to one basic principle: all traffic flows require inspection and control, regardless of endpoints.
For ransomware to do its job, it has to move. From the point where it originates, it must find a place where it can access and encrypt high-value data. This movement typically requires multiple hops between devices and servers.
Each hop is a traffic flow that could be north-south, i.e. between a user device and a server, or east-west, i.e. between servers. Blocking ransomware thus boils down to inspecting and monitoring each of these traffic streams to confirm that they are authorized and free of malware.
Akamai and Guardicore coming together now gives us the ability to put this strategy into action. With our combined technology, customers will be able to survey and control their business workflow, from north to south and east to west.
When we approach enterprise security, regardless of end user, location, and device, with the unifying premise that no flow of traffic can be trusted, an organization’s defenses are much stronger. A comprehensive Zero Trust approach that combines protection from both Akamai and Guardicore will make it very difficult for ransomware to ruin your day.
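The answers above describe micro-segmentation as the control for lateral movement: every hop ransomware needs is a north-south or east-west flow that can be allowed or denied. The following is an added example, written for this page and not Akamai or Guardicore code, that models that idea as a reachability calculation. The inventory, zones, ports and policy rules are constructed assumptions; the point is to compare the blast radius of one compromised host under a flat network against a default-deny zone policy, and to list the policy rules that still permit lateral-movement ports.

```python
"""Added example: blast radius of a ransomware foothold under a flat network
versus a default-deny micro-segmentation policy. Inventory, zones, ports and
rules are constructed for illustration; not from the interview or any vendor."""
from collections import deque

# Constructed inventory: host -> zone.
HOSTS = {
    "ws-01": "user", "ws-02": "user", "ws-03": "user",
    "web-01": "dmz", "app-01": "app", "db-01": "data",
    "backup-01": "backup", "dc-01": "identity",
}

# Ports an attacker typically rides for lateral movement (assumption for the model):
# SMB, RDP, SSH, WinRM.
LATERAL_PORTS = {445, 3389, 22, 5985}

# Default-deny policy: only (src_zone, dst_zone, port) tuples listed here are allowed.
SEGMENTED_POLICY = {
    ("user", "dmz", 443),        # users browse the web tier
    ("dmz", "app", 8443),        # web tier calls the app tier
    ("app", "data", 5432),       # app tier talks to the database
    ("app", "backup", 22),       # app tier pushes backups over SSH (risky, see audit below)
    ("user", "identity", 88), ("user", "identity", 389),
    ("dmz", "identity", 88), ("app", "identity", 88),
}


def flow_direction(src: str, dst: str) -> str:
    """North-south if a user device is involved, otherwise east-west."""
    return "north-south" if "user" in (HOSTS[src], HOSTS[dst]) else "east-west"


def allowed(policy, src: str, dst: str, port: int) -> bool:
    """policy=None models a flat network with no controls between hosts."""
    if policy is None:
        return src != dst
    return (HOSTS[src], HOSTS[dst], port) in policy


def blast_radius(policy, foothold: str, ports=LATERAL_PORTS):
    """Breadth-first search over hosts reachable from the foothold by hopping
    only on lateral-movement ports. Returns (reachable hosts, hops taken)."""
    seen = {foothold}
    queue = deque([foothold])
    hops = []
    while queue:
        cur = queue.popleft()
        for dst in HOSTS:
            if dst in seen:
                continue
            for port in sorted(ports):
                if allowed(policy, cur, dst, port):
                    seen.add(dst)
                    queue.append(dst)
                    hops.append((cur, dst, port, flow_direction(cur, dst)))
                    break  # one usable port is enough to record the hop
    return seen - {foothold}, hops


def risky_rules(policy, ports=LATERAL_PORTS) -> set:
    """Policy rules that open a lateral-movement port; these deserve review."""
    return {rule for rule in policy if rule[2] in ports}


if __name__ == "__main__":
    flat, _ = blast_radius(None, "ws-01")
    print("flat network, foothold ws-01 reaches:", sorted(flat))
    seg, hops = blast_radius(SEGMENTED_POLICY, "ws-01")
    print("segmented, foothold ws-01 reaches:", sorted(seg))
    seg_app, hops_app = blast_radius(SEGMENTED_POLICY, "app-01")
    print("segmented, foothold app-01 reaches:", sorted(seg_app), hops_app)
    print("rules opening lateral ports:", risky_rules(SEGMENTED_POLICY))
```

Two things the run makes visible that the prose alone does not: a workstation foothold on the flat network reaches every other host, while under the segmented policy it reaches none over lateral-movement ports; and the policy still has one east-west rule (app tier to backup over SSH) that would let a compromised application server reach the backups, which is exactly the kind of flow the "inspect and control every hop" principle says to review.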