Defeating Ransomware Attacks With Security Chaos Engineering - Part I
Note: This blog post is based on the talk given by the author during Conf42 Chaos Engineering 2022. The video recording is available via this link.
The rate of ransomware attacks has rapidly increased in recent times, by an alarming 105%, so much so that the last two years have been dubbed “The Golden Age of Ransomware Attacks”. Ransomware is a type of attack in which attackers compromise a system, limit legitimate access to it, and demand a ransom as a condition for restoring access to the system. Ransomware is not a new attack; however, the techniques used to orchestrate it have recently grown in sophistication and frequency due to several factors.
One of the major factors is the prevalence of Ransomware-as-a-Service (RaaS), a model that has drastically lowered the cost and effort required to launch ransomware attacks. Also, cybercriminals leverage the anonymity provided by cryptocurrency (e.g. Bitcoin), which makes investigations to reveal their identities practically impossible. Another factor in the increase in ransomware attacks is the COVID-19-induced digitalization, especially the rapid adoption of cloud services.
Cloud Ransomware
A very serious misconception is that cloud infrastructure is immune to ransomware attacks. This is not only wrong but potentially creates attack opportunities for cybercriminals. Nowadays, attackers target cloud infrastructure to launch ransomware, e.g. by compromising and encrypting AWS S3 buckets, backups, and instance images. Due to the Shared Responsibility Model of cloud providers, companies using the cloud are responsible for implementing measures against this type of ransomware, also known as cloud ransomware.
Successful cloud ransomware leverages a combination of several attacks, e.g. cloud misconfigurations, unpatched vulnerabilities, and weak access control mechanisms. Therefore, preventing cloud ransomware requires the implementation of a holistic cloud security posture.
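As an added example (not code from the original post or from Mitigant's platform), the following Python posture check flags the S3 bucket settings that decide whether an encrypt-or-delete attack on backups can be rolled back. The BucketPosture fields and the sample buckets are assumptions constructed for the example; a real run would populate them from the S3 API.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class BucketPosture:
    """Subset of an S3 bucket's settings that decide whether a mass
    overwrite/delete is recoverable. The value vocabulary mirrors the
    AWS API ('Enabled', 'Suspended', ...), but every instance below is
    constructed for this example, not fetched from an account."""
    name: str
    versioning: str             # 'Enabled', 'Suspended' or '' (never enabled)
    mfa_delete: str             # 'Enabled' or 'Disabled'
    object_lock: str            # 'Enabled' or ''
    block_public_acls: bool
    restrict_public_buckets: bool


def check_bucket(p: BucketPosture) -> list[str]:
    """Return findings; an empty list means the bucket keeps recoverable
    object versions and is not exposed for exfiltration."""
    findings = []
    if p.versioning != "Enabled":
        findings.append("versioning off: overwritten objects cannot be rolled back")
    elif p.mfa_delete != "Enabled" and p.object_lock != "Enabled":
        # Versioning only helps if the attacker cannot purge old versions too.
        findings.append("versions deletable with one key: enable MFA delete or object lock")
    if p.object_lock != "Enabled":
        findings.append("object lock off: no retention guarantee for backups")
    if not (p.block_public_acls and p.restrict_public_buckets):
        findings.append("public access not fully blocked: exfiltration risk")
    return findings


def audit(buckets: list[BucketPosture]) -> dict[str, list[str]]:
    """Map bucket name -> findings; this is the current-state input a
    ransomware game-day scenario would be composed from."""
    return {b.name: check_bucket(b) for b in buckets}


# Constructed sample: one weak backup bucket and one hardened one.
SAMPLE_BUCKETS = [
    BucketPosture("backups-prod", versioning="Suspended", mfa_delete="Disabled",
                  object_lock="", block_public_acls=False, restrict_public_buckets=False),
    BucketPosture("backups-locked", versioning="Enabled", mfa_delete="Disabled",
                  object_lock="Enabled", block_public_acls=True, restrict_public_buckets=True),
]

if __name__ == "__main__":
    for name, findings in audit(SAMPLE_BUCKETS).items():
        print(name, "->", findings or ["ok"])
```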
Impact of Ransomware
The impact of a successful ransomware attack could range from a few corrupted files to costs that accrue to millions of Euros. In the aftermath of a ransomware attack, victim companies spend huge amounts of money investigating the attack to understand its root causes. Such investigations are also crucial for ensuring that the attackers are no longer in the systems and that no backdoors have been installed. Similarly, the victim companies might be fined by regulatory institutions and also dragged into legal procedures initiated by both regulators and customers. The heaviest backlash is usually the damage that the ransomware attack does to the company's reputation; repairing the reputation might never be possible or might take a lot of resources and effort.
Leveraging Security Chaos Engineering
There are several ransomware countermeasures, e.g. conducting ransomware simulations or exercises and implementing runbooks. Whilst these countermeasures are helpful, they are quite insufficient and not well fitted to cloud-native infrastructure. Simulations are useful for providing a feel of actual ransomware scenarios so that all stakeholders (security teams, DevOps, etc.) can practise the necessary actions, e.g. incident response, in the case of a real ransomware attack. However, most simulations employ static scenarios, which used to be sufficient for traditional, on-premises environments. Such static simulations are barely effective for cloud-native infrastructure. Due to the highly dynamic and ephemeral nature of the cloud, traditional simulations quickly become obsolete and convey an unrealistic, outdated picture to stakeholders. Furthermore, the scale and magnitude of cloud-native infrastructure require highly automated approaches that can easily generate appropriate ransomware scenarios, regardless of the complexity and magnitude of the cloud environment.
Security Chaos Engineering tackles the above-mentioned challenges by leveraging automation and deep integration with the cloud infrastructure to compose ransomware scenarios that are realistically aligned with the real-time state of the cloud environment. The gains are obvious: the security and DevOps teams are exercised using current information, and since these scenarios are updated constantly, they gain a better feel for real attack scenarios. This drastically improves the readiness of these teams and eventually provides higher guarantees for detecting and defending against ransomware attacks.
Conclusion
Ransomware has become one of the most challenging and prolific attacks due to several reasons, including the anonymity provided by cryptocurrency (e.g. Bitcoin), the emergence of Ransomware-as-a-Service, and COVID-19-induced digital transformation. It is critical to understand that cloud infrastructure is not immune to ransomware; however, the cloud provides several countermeasures if well harnessed. Furthermore, most successful ransomware attacks consist of multi-stage attacks that exploit cloud misconfigurations, unpatched vulnerabilities, and weak access control mechanisms. Therefore, preventing ransomware requires the implementation of a holistic cloud security posture.
Mitigant’s Continuous Security Verification platform provides effective countermeasures against cloud ransomware. Mitigant automatically detects cloud security issues such as misconfigurations and security vulnerabilities and provides automated security game day exercises. Mitigant is a pioneer of security chaos engineering, which is an effective approach for conducting ransomware exercises using security game days.
The second part of this blog post will provide details of how Mitigant's Continuous Security Verification platform is used as a countermeasure against cloud ransomware. Please stay tuned to be informed; you can also subscribe to get a notification right in your inbox.