How Penetration Testing can help prevent Ransomware Attacks
It is hard to believe, but ransomware is more than three decades old. While many would think that the ransomware mayhem started with the WannaCry attack of 2017, that is simply the most publicized example. Since then, dozens of ransomware strains have been utilized in a variety of cyberattacks.
According to a PhishLabs report, by HelpSystems, ransomware attacks are growing more than 100% year-over-year. The report further states that ransomware operators are vandalizing crucial systems and posting stolen data in record volumes, and companies that fall victim to an attack often feel powerless in finding a solution because the threat itself is in a continuous state of evolution. The price of ransomware attacks is also on the rise, with the average ransom demand reaching $220,298 in 2021, and associated recovery costs averaging $1.8 million.
For example, the fuel company, Colonial Pipeline, was attacked in May 2021 by ransomware cybercriminals. As a result, from rising fuel prices at the pump, to the ghost of an overall gas shortage and inflation, the United States was in a serious dilemma. Why? The answer was ransomware.
Security against ransomware threats is of paramount importance for almost all information security teams. It is a standard, brutal threat that can have devastating outcomes for the company. Yet, even if your company has robust protection in place, it is necessary to simulate a ransomware attack and assure that you actually are shielded. This is the reason why a penetration test is the most useful method to confirm that defenses and security procedures are functioning perfectly — and if not, to rectify them before it is too late.
What is penetration testing?
Penetration testing is an essential part of finding and recognizing possible critical vulnerabilities within your organization’s external network, internal network, applications, or systems. They deliver a useful understanding of how your business and human assets function.
Penetration testing is a dynamic security strategy. During a test, security professionals try to infiltrate or carry out a cyberattack against a system to find exploitable security vulnerabilities. In other words, penetration tests assess a company’s security methodologies and tools, aiming to find vulnerabilities in the environment. Unlike reactive security practices that come into motion when a data breach or security problem is found, penetration testing can help uncover security problems before attackers exploit them. By thinking like an attacker, penetration testers can find security holes and weaknesses that a firm would otherwise not be knowledgeable of.
Why is penetration testing essential for ransomware security?
A ransomware attack could stop a company from functioning properly, causing it to incur a loss of millions of dollars from lost productivity alone. Penetration testing embraces the criminal mindset to find cybersecurity vulnerabilities prior to a bad actor taking advantage of them. The idea of allowing someone with a criminal mindset to seek out weaknesses in an organization supports IT leaders who strive to improve the prevention standards to reduce the probability of such disruptive attacks. Just as a fire marshal is trained to assess the fire prevention status of a building, a penetration tester is hired to find and report on exploitable weaknesses, not to engage in disrupting the company as a proof of concept.
As technology evolves and grows, so do the methods utilized by cybercriminals. Therefore, companies need to keep up with this speed to defend their assets from such attacks. They also must revise their security strategies at this rate. This is a significant stake in a DevSecOps culture, in which companies execute preventive actions in the early phases of their evolution and operational procedures. This is known as “shifting left”, as it visualizes the early part of a development timeline, rather than the old method of bolting on security as an afterthought (which would be at the far right of the development timeline.)
Yet, it is typically challenging to understand which techniques attackers are utilizing. It is also hard for a non-technical person to envision how attackers could exploit them in an attack. By employing penetration testers, firms can become cognizant of, and work to update and remediate elements of their systems that are especially weak to current ransomware processes. Fighting a ransomware incident is all about how to prepare before an attack.
Ransomware penetration testing: An all-around approach
Ransomware often arises as a result of attackers leveraging vulnerabilities. To stop ransomware, it is important to recognize those vulnerabilities. The penetration testing methodology includes:
- Planning: the pentester develops a plan, specifying the extent of the test and the known attack vectors to exploit.
- Reconnaissance: the pentester utilizes various tools to pinpoint access paths, beneficial resources, and living vulnerabilities.
- Exploitation: the pentester tries their attack, generally utilizing a variety of social engineering, generally known attack vectors, and emerging attack vectors.
- Study and analyze: the pentester develops a report describing their attack, what they accomplished, the possible damage to the business, discovered vulnerabilities, and suggestions for eradicating them and enhancing security procedures.
- Remediation: the company must determine the crucial conclusions from a penetration test and develop a plan to mitigate or remediate the findings.
Pen tests also deliver an understanding of which channels in your company are most at stake and thus what sorts of new security tools you should invest in. This approach could assist to uncover various significant system deficiencies you may not have even guessed about.
You will notice that the job of the penetration tester stops at detection. Just as the fire marshal will not install fireproofing to a building that is being inspected, the penetration tester, unless otherwise explicitly directed, is not to alter an environment. In fact, one tenet of testing is that if a tester discovers a problem that requires an immediate resolution, such as finding an active attack underway, all testing must stop, and the correct company personnel must be notified.
How can penetration testing help?
Penetration testing is mainly created to exploit possible faults before real attackers do, and there are numerous advantages to periodically performing these tests. Here are some of the core reasons to perform ransomware penetration testing:
- Vulnerability Identification. Penetration will assist companies to find vulnerabilities that could otherwise remain unseen.
- Cyber Defense Testing. You’ll also get a feeling of your company-wide cyber defense capability, threat alert abilities, and reaction times.
- Firewall Inspection. More precisely, you’ll see how useful your existing firewall software and configurations are against possible attacks.
- New Threat. The hired penetration testers will usually utilize the latest attacker tactics, tools, and techniques, allowing you to understand if your defenses are sufficient against creative threats.
- Regulatory Compliance. Penetration testing generally supports your cyber defenses to adhere to regulations that pertain to your industry or business practices.
- Downtime Devaluation. When an attack does happen, pen-testing assures that your security teams understand exactly how to react to restore the system to a normal state as quickly as possible.
- Risk Prioritization. After executing a pen test, you’ll have a sounder view of the risks to the company’s data and systems and how to prioritize your resources in reducing those risks.
Let’s take a more intimate look at how a penetration tester might execute a test for ransomware exposures. The following examples are only some of the few attack cases, and the penetration tests will inherently utilize innovative approaches to demonstrate various exploits.
The end objective of the penetration tester is to infiltrate the company, simulate the deployment of ransomware, and delineate the affected target.
Some attack vectors
The pentester will generally try to infiltrate the target system utilizing one of the following attack vectors:
- Phishing email: the pentester can design an email connected to a mocked website or include a weaponized attachment. Threat actors will try to fool at least one administrative employee to click the link or attachment to demonstrate their susceptibility.
- Remote Desktop Protocol (RDP): if the company utilizes RDP or an equivalent remote access protocol, the pentester can compromise a user’s RDP login data and utilize it to acquire remote access to a machine in the business network. The pentester can then run a harmless program to show that file execution would be possible.
- Immediate infection: some ransomware can circulate instantly to vulnerable machines. For instance, WannaCry used an SMB vulnerability in older versions of Windows. The pentester can monitor machines on the network, recognize those with the vulnerability, and utilize it to show that the machine could be a target for ransomware.
Conclusion
Every business should incorporate penetration testing into its security strategy. Functioning closely with a penetration testing partner will assist you to streamline the procedure, efficiently pinpointing vulnerabilities, and offering guidance to execute risk mitigation technologies against ransomware attacks. Using an external penetration testing organization also adds more reliable objectivity to the test.
About the Author: Prasanna Peshkar is a cybersecurity researcher, educator, and cybersecurity technical content writer. He is interested in performing audits by assessing web application threats, and vulnerabilities. He is interested in new attack methodologies, tools and frameworks. He also spends time looking for new vulnerabilities, and understanding emerging cybersecurity threats in blockchain technology.
Twitter:@sqlinterstellar
Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor and do not necessarily reflect those of Tripwire, Inc.