At RSA this year, Kristi Thiele sat down with Tom Clavel from ExtraHop to talk about strategies and tactics to prevent ransomware attacks. They discuss threat hunting, remediation practices, considerations for cloud environments, and why it's critical to have the right level of visibility into your network traffic.
Listen to other Navigating the Cloud Journey episodes here.
Kristi: Welcome to the next episode of our podcast. We're gonna talk about stopping ransomware before it stops you. But I really don't think you can do that. So today I have Tom Clavel with me from ExtraHop. I'm not Jim, but I'm Kristi Thiele from Gigamon. So, we're gonna talk a little bit about ransomware. Welcome.
Tom: Thank you, Kristi. Nice to be here.
Kristi: Yep. Great to have you. So, ransomware, that's a hot topic in security these days, isn't it?
Tom: It is. It's getting worse and worse, actually. It looks like every year has its new lot of ransomware. And last year was actually one of the worst years ever.
Kristi: Yeah, absolutely. So, I would imagine most of the security professionals in the audience out there know what ransomware is. Do you want to just remind people what that is, just in case they maybe are new to what ransomware is?
Tom: Absolutely. I mean, there's not one ransomware. Ransomware is really a series of attacks to take control of your information on your network, whether it be your files or your information systems and so on. And usually what those attackers do is that once they take control of this, they either encrypt it or exfiltrate it. And actually, over the last year we've seen a new trend where they've been doing both, and they hold those files for ransom. So, if you don't pay to get the files decrypted, they have the files because they've exfiltrated them, and now they can use them against you. So, it's even worse than just saying you've been breached.
Kristi: Yeah, absolutely. That's a huge, huge risk for companies. Is there a particular market or segment that's more vulnerable or more at risk of being attacked?
Tom: So, there are some segments in the market that are riskier than others. I would say that the bigger the harm they can do to you and your customers, the more likely they're gonna go after you.
So, we've seen a lot of ransomware in the healthcare system. We've seen a lot of ransomware also in the financial systems and so on. So, all of these sectors where companies are holding a lot of critical personal information, those sectors are more prone to ransomware.
Kristi: Gotcha. So, is there anybody that's completely immune from being attacked?
Tom: No. No. In reality, we see everybody being attacked at some level. And it's gotten worse in the sense that when you go back five years, ransomware was really going after mom-and-pop shops, because larger companies were seen to be out of reach. But nowadays those ransomware groups are becoming more sophisticated, more evolved. And now they're going after those big organizations because that's where the money is.
Kristi: Right. Right. So, it's not a matter of if, it's more a matter of when.
Tom: Exactly. We've seen different tactics that companies have taken to protect themselves, and unfortunately most of these tactics have failed. For instance, there was a phishing test where a company trained their employees for one year, thousands of employees for one year, against phishing: do not click that link. And after one year they did the test again, and still 4.8% of employees were clicking the link. So yeah, as you said, it's not a matter of if, it's a matter of when you're gonna be breached.
Kristi: Yeah, because at the end of the day, it's still humans, right? And we're a little flawed, aren't we?
Kristi: So, what are some strategies or tactics that organizations should take in order to, you know, protect themselves from the exfiltration, or from having their data held for ransom?
Tom: So, there are the tactics that we keep hearing about, which are very important, and I definitely do not wanna diminish this. Tactics like hygiene, having good practices inside the company, having good intrusion prevention capabilities. That's still very critical, very important.
But there's another tactic that's also very important, and everybody is really underestimating the importance of having security inside your network.
Kristi: Inside the network. Okay, tell me more.
Tom: So, what happens is that, as you said, it's not a matter of if, it's a matter of when you're gonna get breached. And so, we know that no matter what level of security you have on the perimeter of your network, you're gonna be breached.
You know, it's the defender's dilemma. You have to be right a hundred percent of the time if you wanna keep them outside of the network. But if they are right once, they can get into your network. So, what you have to do if you wanna defend yourself against that is bring your security inside the network.
You have to be able to monitor the network and control what's happening on that network. That actually enables you to flip the script, because once the attacker is inside your network, they need to execute a series of activities such as command and control, lateral movement and so on. And each time they're executing something inside your network, it gives you one more opportunity to catch them. So, they have to be right 100% of the time, but you, as long as you detect them once, can stop them.
Kristi: I understand. So, if I heard you correctly, the perimeter's great. But we accept the fact that humans are humans, and the attackers are gonna find some way to get in. Once they get in, we need to make sure we have defenses inside to detect their activity, right? Whether it's lateral, whether it's that east-west.
Kristi: So, there's a lot of discussion around public cloud and moving workloads and applications to public cloud. How does that change the defense mechanisms or the awareness when it comes to protecting against or detecting ransomware?
Tom: Tremendously, actually. There's a major impact on ransomware for multiple reasons. First of all, in public clouds most of the traffic is encrypted. And we know that even nowadays on the internet and in the enterprises we have about 70 to 80% of the traffic being encrypted. In the public cloud, it's almost everything that's encrypted at some level. And so, that makes it much harder for people to have visibility into the public cloud unless they establish the right security and the right visibility into that public cloud. And so, at the end of the day, when you have public cloud and you are concerned about ransomware, you need to have decryption capabilities. You need to have your security inside the public cloud as well, to monitor what's going on.
Kristi: Gotcha. So, public cloud is encrypted probably close to a hundred percent, and you still need visibility. And so, if the attackers are also using encryption, how do you know the difference between the good traffic and the attackers?
Tom: That's where you need to have good security tools. You need to be able to capture the packets and route them to the proper security tools to analyze the traffic. And so, decryption helps you. Also, behavioral analysis, ETA, Encrypted Traffic Analysis, helps. And having a good AI to analyze the traffic and the behavior is very important.
Kristi: Gotcha. It's very interesting. So, the cloud definitely makes it more challenging, doesn't it?
Kristi: So, are there some trends or some things that you are continuing to hear that continue to surprise you from a security perspective?
Tom: Yes, there are a couple. I've been hearing a lot about other security technologies like EDR, for instance, and SIEM and SOAR. And there's an assumption that once you have one of these you are safe and you're secure. And that surprises me, because we know that every security tool has its flaws and its weaknesses and its blind spots. And so, we know that you don't just need one security tool or one technology, you need to stack them up: it's the security stack. And in your stack, as I was mentioning before, you need to have security on the network, not just on the endpoint; you need to look into what's happening on the network.
Tom: And there's one thing we keep saying at ExtraHop, and I'm sure you guys say that as well at Gigamon. We say the network is the "ground source of truth", which basically means that no matter the devices you have connected, or you have secured with EDR, no matter whether they are covered by an agent or they have the right OS for your EDR, for instance, you can still secure those devices if you monitor and secure the traffic, because any device on the network generates and receives traffic.
Kristi: So, you brought up SOAR, and I've talked to some folks because, you know, humans are flawed, right? Sometimes humans are the reason why we get ransomware, because they click the link after a year of training not to click the link, right? But from a remediation and threat hunting perspective, the human is really important for that, right? You can't automate that. I wanted to get some of your thoughts on that perspective as well.
Tom: Yes, absolutely. You can't, and that's why it's important to have the right automation, but also the right tool for the security person: for your tool to surface the alerts and for the security person to be able to quickly react to these activities.
Kristi: Right. And so, to have great tools in place that can help highlight the most important things, right? We always talk about security: automate the things that you're gonna do all day long, the things that are known remediations. But for the complex things you need good tools that really show you all the information and then allow that human to go look into it more, correct?
Tom: Absolutely. And our philosophy is really that the security analyst has to be in control. But they have to be helped, in the sense that you can't just throw alerts at the security analyst. You can't send them to multiple security tools and have them figure out what needs to be done. You have to bring up those alerts in a way that's consumable and in a way that the security analyst can quickly react to. And that's where a lot of companies are talking about integration and the security stack, and that's where this really matters.
Kristi: So, going back to the fact that with ransomware, they're gonna get in, they're gonna try to do things, but if you're able to detect that little move, right? Whatever they're trying to do: reaching out to command and control, lateral movement, attempting to exfiltrate. The security controls in place need to allow that analyst to quickly know, hey, this is something you need to pay attention to.
Kristi: So, for ransomware, what would you recommend for somebody that's trying to kind of get a baseline protection in place? What are some of the first things they should really take a look at? Because I'm hearing that there are organizations that aren't prepared. So, if there's an organization that's not prepared, what are some of the first steps or first recommendations you would give them?
Tom: Absolutely. So, there are multiple things. And I would say the baseline is: make sure you have all the tools. Make sure your network is covered and not just the end devices; that's super important. Because very often what we see is security professionals considering an attack from their perimeter perspective: they get blocked there. But if the attack gets through, then it's a Hail Mary. All hell breaks loose, you know? And they go straight to paying the ransom.
But if they have the security on the network, then they can intervene and they can stop that in its tracks. And that's where, you know, that's the title of our show here. You have to stop the ransomware before it stops you, before you get to the extraction and the ransom. And you can stop them if your security is present in the network.
Kristi: Sounds good. So, if I understand you, you've gotta have good security tools. You need to have visibility into everything: the perimeter, and especially inside, and the cloud. Because otherwise you're gonna miss that one time the attacker has to be right, once they get inside.
Tom: Yes. And just to summarize: good hygiene, good perimeter defense, but don't rely too much on this. Have visibility inside, and be able to quickly react to what's going on inside the network.
Kristi: Awesome. Any closing remarks today for our podcast?
Tom: No. That was great talking to you, and absolutely, I'm looking forward to hearing more from you and seeing more of what's going on with Gigamon.
Kristi: Absolutely. And thank you again for your time and the partnership we have with ExtraHop. So, thank you all for joining us today. I'm Kristi Thiele. This was Tom Clavel from ExtraHop.
Thanks for listening. Have a great day.