
Inspecting the future of ransomware threats with Vectra’s CTO

By Oliver Tavakoli Vectra Chief Technology Officer

In the last few years businesses and security leaders have been zeroing in on how to better manage and secure cloud infrastructure amidst a wave of change, as enterprise cyberattacks evolve and proliferate.

Recent studies have revealed that 80% of Australian organisations were hit with ransomware in 2021, up from 45% in 2020. Vectra’s own research found that 57% of ANZ respondents feel it is possible or likely they have been breached whilst being unaware it is happening, 75% have experienced a significant security event that required an incident response effort, and 9% are not fully confident their security tools would protect against sophisticated attacks.

As CTO for Vectra, a big part of my focus is the future, creating ‘thought experiments’ to determine the best ways to protect our critical data and systems. With planes back in the skies, I was delighted to be speaking at the Australian Cyber Conference this month to discuss and debate some of these so-called ‘experiments’ with others in the industry.

Ransomware remains as significant a topic of debate among cybersecurity professionals in Australia as it does elsewhere in Europe and the US. The other consistent issue is related to supply chain attacks, including traditional on-premises products as well as services delivered via the cloud.

Within Australia, migration to cloud and SaaS, and the inability to source experienced talent that understands the security implications of clouds, are also connected issues. There is real tension between businesses wanting to go agile through cloud adoption, and security teams trying to gain visibility and implement security in those environments. In a perfect world, that tension is resolved in a balanced manner, but we don’t live in a perfect world and often the business imperative to rapidly roll out new services outstrips the ability of organisations to do so securely.

The problem with cloud

Not so long ago, on-premise networks were wide open to attackers, and so this has been our focus. Now, employee traffic is predominantly accessing applications across the internet, so we need to be looking at logs in cloud platforms such as Amazon Web Services (AWS), Azure and Google Cloud Platform (GCP), cloud identity systems such as Azure AD and Okta, and collaboration applications such as Microsoft 365 and Google Workspace.

Highlighting how businesses are being inundated with cyber criminals looking to capitalise on vulnerabilities, the Australian Cyber Security Centre (ACSC) reported it received one cybercrime report every eight minutes over the 12 months to June 30, 2021. On top of this, the ACSC stated that Australia experienced a 13% jump in cybercrime over the year, with about one incident in four targeting critical infrastructure and services as working from home during the pandemic made more people vulnerable to online attacks.

A common story is that the pandemic drove businesses to move into multi or hybrid cloud setups, not through a grand strategy but because of a pressing need. Services such as Microsoft 365 or ecommerce platforms were implemented quickly, without consideration for how this impacted infrastructure or security. On top of this, different business units or departments often evolved in different directions, adding layers of complexity. Now we find ourselves at a point of reckoning, where we must understand the reality of the situation and how to fix it.

Ransomware in the cloud

The move to cloud has left gateways for attackers to leverage and gain a point of entry, and they are beginning to take full advantage of this. On-prem, if a cybercriminal wants to encrypt a business’s data, they must go through the laborious exercise of connecting to a server, pulling all data across the network, encrypting it and writing it back to the server – and finally deleting the original copy. Ransomware operators try to get their hooks into as many places as possible, and encrypt as much as possible, to be successful.

In the cloud, ransomware operators can leverage the server-side encryption provided by the cloud platforms, allowing them to encrypt data much faster and without the heavy lifting.
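As an added example that is not part of the original article or of any Vectra product, the following Python script shows the kind of audit-log check a defender could run for the pattern described above: a bucket's default encryption key being switched to one the organisation does not control, a burst of same-bucket copies that re-encrypt objects under such a key, and scheduled deletion of the organisation's own key. The log records, account ids, ARNs, bucket names and the event field layout are constructed assumptions loosely modelled on the shape of AWS CloudTrail events, and the time window and copy threshold are illustrative.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Illustrative placeholder identifiers (assumptions, not real resources).
TRUSTED_KEY = "arn:aws:kms:ap-southeast-2:111122223333:key/trusted-key-placeholder"
TRUSTED_KEYS = {TRUSTED_KEY}
FOREIGN_KEY = "arn:aws:kms:ap-southeast-2:999999999999:key/untrusted-key-placeholder"
ADMIN = "arn:aws:iam::111122223333:user/compromised-admin"
APP = "arn:aws:sts::111122223333:assumed-role/app-writer/app"


def _copy(ts, principal, key, obj):
    """Build a constructed CopyObject record: a same-bucket copy that re-encrypts the object."""
    return {"eventTime": ts, "eventName": "CopyObject",
            "userIdentity": {"arn": principal},
            "requestParameters": {"bucketName": "finance-data", "key": obj,
                                  "x-amz-copy-source": f"finance-data/{obj}",
                                  "x-amz-server-side-encryption": "aws:kms",
                                  "x-amz-server-side-encryption-aws-kms-key-id": key}}


# Constructed sample audit records, loosely modelled on the shape of AWS CloudTrail
# management and S3 data events. The field layout is simplified for the example.
SAMPLE_EVENTS = [
    {"eventTime": "2022-05-30T01:00:00Z", "eventName": "PutObject",
     "userIdentity": {"arn": APP},
     "requestParameters": {"bucketName": "finance-data", "key": "ledger.csv",
                           "x-amz-server-side-encryption": "aws:kms",
                           "x-amz-server-side-encryption-aws-kms-key-id": TRUSTED_KEY}},
    {"eventTime": "2022-05-30T01:05:00Z", "eventName": "PutBucketEncryption",
     "userIdentity": {"arn": ADMIN},
     "requestParameters": {"bucketName": "finance-data",
                           "ServerSideEncryptionConfiguration": {"Rule": [
                               {"ApplyServerSideEncryptionByDefault":
                                   {"SSEAlgorithm": "aws:kms", "KMSMasterKeyID": FOREIGN_KEY}}]}}},
    _copy("2022-05-30T01:06:00Z", ADMIN, FOREIGN_KEY, "ledger.csv"),
    _copy("2022-05-30T01:06:30Z", ADMIN, FOREIGN_KEY, "payroll.xlsx"),
    _copy("2022-05-30T01:07:00Z", ADMIN, FOREIGN_KEY, "contracts.pdf"),
    {"eventTime": "2022-05-30T01:09:00Z", "eventName": "ScheduleKeyDeletion",
     "userIdentity": {"arn": ADMIN},
     "requestParameters": {"keyId": TRUSTED_KEY, "pendingWindowInDays": 7}},
    _copy("2022-05-30T02:00:00Z", APP, TRUSTED_KEY, "ledger.csv"),  # benign: trusted key
]


def _parse_time(s):
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def detect_suspicious_encryption(events, trusted_keys,
                                 window=timedelta(minutes=10), copy_threshold=3):
    """Return a list of findings (dicts with a 'rule' and 'principal') for the three patterns."""
    findings = []
    untrusted_copies = defaultdict(list)  # principal -> [(timestamp, key id), ...]
    for e in events:
        name = e["eventName"]
        params = e.get("requestParameters", {})
        principal = e["userIdentity"]["arn"]
        if name == "PutBucketEncryption":
            # Bucket default encryption changed: flag any default key we do not control.
            rules = params.get("ServerSideEncryptionConfiguration", {}).get("Rule", [])
            if isinstance(rules, dict):
                rules = [rules]
            for rule in rules:
                key = rule.get("ApplyServerSideEncryptionByDefault", {}).get("KMSMasterKeyID")
                if key and key not in trusted_keys:
                    findings.append({"rule": "untrusted_default_encryption", "principal": principal,
                                     "bucket": params.get("bucketName"), "key": key})
        elif name == "CopyObject":
            # Server-side re-encryption under a foreign key: collect for burst detection.
            key = params.get("x-amz-server-side-encryption-aws-kms-key-id")
            if key and key not in trusted_keys:
                untrusted_copies[principal].append((_parse_time(e["eventTime"]), key))
        elif name == "ScheduleKeyDeletion":
            # Losing the organisation's own key makes recovery impossible; always notable.
            findings.append({"rule": "kms_key_deletion_scheduled", "principal": principal,
                             "key": params.get("keyId"),
                             "pending_days": params.get("pendingWindowInDays")})
    # Sliding window: copy_threshold or more untrusted-key copies within `window` is a burst.
    for principal, copies in untrusted_copies.items():
        copies.sort()
        stamps = [t for t, _ in copies]
        for i in range(len(stamps)):
            j = i
            while j < len(stamps) and stamps[j] - stamps[i] <= window:
                j += 1
            if j - i >= copy_threshold:
                findings.append({"rule": "bulk_reencrypt_untrusted_key", "principal": principal,
                                 "count": j - i, "keys": sorted({k for _, k in copies[i:j]})})
                break
    return findings


def run_detection():
    return detect_suspicious_encryption(SAMPLE_EVENTS, TRUSTED_KEYS)


if __name__ == "__main__":
    for finding in run_detection():
        print(finding)
```

On the constructed sample the benign application writes produce nothing, while the single principal that changes the bucket default key, re-encrypts three objects under a foreign key and schedules deletion of the trusted key produces one finding per rule. In a real deployment the trusted-key set would come from the organisation's own KMS inventory and the records from the actual audit-log pipeline; the point of the example is that these actions are visible in the control-plane logs rather than on the network.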

At Vectra, we look at a cloud like AWS or Azure as having two different attack surfaces. There's the traditional attack surface where attackers go through the network to attack a workload running in the cloud, escape the workload, and then steal data. And there's the management plane or the control plane of a cloud platform which represents a more potent and less well-understood set of controls. Recognising this, Vectra has solutions to cover both attack surfaces. We work to protect customers being attacked from the network, and we work to protect businesses being attacked at the control plane of their tenant in a cloud. The inbound initial vector can be incredibly complex and varied, but once it lands and establishes some foothold in the environment, we help the business find and stop the incursion before it does actual damage.

Looking forward

We know that as customers’ valuable data moves to the cloud, ransomware will follow. We are asking questions such as: what does the combination of cloud and ransomware look like, how quickly will attackers become cloud-capable, and what measures should we take now?

This was the focus of my presentation at the Australian Cyber Conference in Canberra and many of the surrounding conversations. Highlighting the early harbingers that exist, I looked at how we can protect ourselves against ransomware in cloud systems, and why this is substantially different to the defensive measures required for on-premise.

By discussing such issues, I hope to encourage CISOs to bridge the worlds of security and business so investments can be prioritised and our infrastructure can be protected.

About the Author: Oliver Tavakoli is Chief Technology Officer at Vectra. Oliver is a technologist who has alternated between working for large and small companies throughout his 25-year career. Prior to joining Vectra, Oliver spent more than seven years at Juniper as chief technical officer for the security business. He is a technologist with experience managing larger (100+ member) teams, but with a bias towards leading small teams of smart technical individuals. His specialties include networking architectures, systems software design, computer security principles and organisational design.



REDEFINING DEFENCES – SHIFTING TO CLOUD AND DIGITAL OUTSOURCING – TRENDS AND OBSERVATIONS


Oliver will be visiting Australia at the end of May and discussing how Ransomware will be coming to a cloud near you. Oliver points to this concept as a thought experiment on what to expect next.

Ransomware and software supply chain attacks have dominated the cybersecurity news feeds and have certainly also captured the attention of mainstream media. While supply chain attacks have already shown a clear appreciation for target organisations’ cloud footprints and have leveraged that understanding to pull off some of the more impressive attacks, almost all ransomware attacks have continued to focus primarily on traditional on-premise IT estates. This is because the tools for attacking these environments (Metasploit, Cobalt Strike, Bloodhound, etc.) have been available for more than a decade, many hackers have great familiarity with them, and there continue to be many organisations whose environments are insufficiently hardened to withstand an attack by a moderately skilled adversary.