The threat and proliferation of ransomware have many organizations on high alert. With so many examples of these attacks and their fallout, preventing them has become a priority for businesses across many industries. Avoiding becoming a headline requires an offensive security strategy, and one tenet of that strategy is enterprise vulnerability assessments.
This post will review the latest ransomware threat landscape and how vulnerability testing can reduce risk.
The Ransomware Landscape
Is ransomware the biggest threat in cybersecurity? The numbers make a strong case. In 2022, there were over 493 million ransomware attempts. Healthcare was among the most targeted verticals, with one in 42 organizations affected, and 70% of healthcare entities reported that attacks led to longer hospital stays and delays in procedures.
Ransomware attacks are a serious risk for any company, and they can be costly. A cyber claims study put the average incident cost at $865,000 and found ransomware to be the leading cause of loss in 2023.
Analyzing ransomware risk means analyzing the vulnerabilities that enable the attacks. A 2023 report on this topic found:
- There were 365 vulnerabilities at the root of ransomware attacks (with 131 of these previously unknown).
- Vulnerabilities associated with ransomware increased by 19%.
- Popular vulnerability scanning tools did not detect at least 20 vulnerabilities.
Thus, there are still considerable gaps in defenses against this threat. While a risk-free environment is unattainable, a proactive approach to detecting and fixing vulnerabilities must be part of your cybersecurity strategy.
What Is an Enterprise Vulnerability Assessment?
Enterprise vulnerability assessments are a constant in your offensive security toolkit. They describe the process of testing, scanning, and evaluating every network asset for vulnerabilities, which usually fall into these categories:
- Misconfigurations
- Missing patches or updates
- Bugs or code flaws that attackers can exploit
- Gaps in security procedures
- Inadequate or missing internal controls
NIST (National Institute of Standards and Technology) defines these as exercises focusing on finding security weaknesses within a system. It notes that the assessment can use manual or automated techniques.
In this context, the descriptor “enterprise” means a company-wide assessment of networks, applications, and hosts.
Three main categories of enterprise vulnerability assessments correlate to different layers of cybersecurity.
Types of Enterprise Vulnerability Assessment
- Network-based: This test reviews geographically distributed applications and machines. The objective is to identify security gaps within a network or communication system. It also involves the analysis of devices on the network and will search for compromised passwords. It determines how well a system can withstand a common attack too.
- Application-based: In this scenario, testers look at application layers to find any vulnerabilities or misconfigurations. The aim is to understand the security robustness of the application.
- Host-based: This assessment concentrates on machines as the target. It tests workstations, network hosts, and servers, and usually runs in a manager/agent architecture. The goal is to discern whether systems align with enterprise security protocols and standards.
Whatever the assessment type, all of them classify findings by severity.
Enterprise Vulnerability Assessment Classifications
- Critical: This category includes vulnerabilities that are the most urgent and need remediation immediately.
- High: This designation also denotes urgency. These get attention after you address the critical ones.
- Medium: These vulnerabilities are not as dire and have less exposure. However, there are still items to fix.
- Low/informational: This designation is cautionary or informational. You may not need to act now, but you should keep these on your radar.
So, how does each weakness earn its classification? Those testing your network apply three criteria: how likely an attacker is to exploit the weakness, how severe the issue itself is, and how much leverage the weakness gives an attacker once exploited.
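As an added illustration (not code from the original post), the three criteria above can be rated 1 to 3 and combined into the four report tiers, with findings then ordered for remediation critical-first. The weighting and cutoffs are assumptions made for this example, and the sample findings are constructed to mirror the ransomware vectors the post names.

```python
from dataclasses import dataclass
from typing import Dict, List

TIERS = ["Low/informational", "Medium", "High", "Critical"]  # least to most urgent

@dataclass
class Finding:
    asset: str
    title: str
    likelihood: int  # 1-3: how likely an attacker can exploit it
    severity: int    # 1-3: how bad the issue itself is
    leverage: int    # 1-3: what it hands an attacker next (e.g. admin credentials)

def classify(f: Finding) -> str:
    """Combine the three ratings into one of the four report tiers; the
    weighting and cutoffs are assumptions of this example, not a standard."""
    for v in (f.likelihood, f.severity, f.leverage):
        if not 1 <= v <= 3:
            raise ValueError(f"rating must be 1-3, got {v}")
    score = f.likelihood * f.severity + f.leverage  # ranges 2..12
    if score >= 10:
        return "Critical"
    if score >= 7:
        return "High"
    if score >= 4:
        return "Medium"
    return "Low/informational"

def remediation_order(findings: List[Finding]) -> List[Finding]:
    """Critical first, then High, Medium, Low; ties go to the more exploitable item."""
    return sorted(findings, key=lambda f: (-TIERS.index(classify(f)), -f.likelihood, f.asset))

def tier_counts(findings: List[Finding]) -> Dict[str, int]:
    """Per-tier totals for the summary section of the report."""
    counts = {t: 0 for t in TIERS}
    for f in findings:
        counts[classify(f)] += 1
    return counts

# Constructed sample findings mirroring the ransomware vectors named in the post.
SAMPLE_FINDINGS = [
    Finding("vpn-gw-01", "VPN appliance missing patch for a known exploited CVE (placeholder id)", 3, 3, 3),
    Finding("remote-portal", "No MFA on remote access login (brute-force exposure)", 3, 2, 3),
    Finding("ws-0142", "Workstation missing last month's OS patches", 2, 2, 1),
    Finding("web-01", "Server banner reveals software version", 1, 1, 1),
]
```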
Vulnerability assessments have six steps, which expand on the premise described above. In these steps, you can see how these tests can be a key tool in preventing ransomware attacks.
Enterprise Vulnerability Assessment Steps
These are the six steps that a cybersecurity firm will take to complete the evaluation:
Step 1: Asset Discovery
The assessment begins with you and your testing firm agreeing on what to scan and review. It depends on your intent, concerns, and goals. In the case of using these to thwart ransomware, you’d want to look at the entire network, leaving nothing uncovered. Depending on your industry and the type of data you store, there may be other considerations to discuss. In this discussion, you would want to talk about the most common ransomware attack vectors, such as:
- Exploitable vulnerabilities within software and applications: 48% of ransomware cases began with this root cause.
- Brute-force credential attacks: These are trial-and-error attempts to gain access to an application or system. It’s an old but effective method that you can protect against by ensuring effective multifactor authentication and access controls.
- Social engineering and phishing: Unfortunately, human error is a leading cause of ransomware, as employees may believe the phishing attempts are legitimate. They may give up their login information to hackers.
- Internal threats: Not all risk is on the outside. Those with access to your systems and protected data could be the culprits.
Step 2: Scope Development
Once you discuss assets and the specific attack vectors associated with ransomware, you’ll define the scope and assessment type. In this step, you define your goals, timelines, and expectations. When the assessment is aimed at ransomware preparedness, you’ll again consider the threat types and will likely need to execute all three kinds of assessment.
Step 3: Scanning and Testing
Next, the actual assessment begins. There’s comprehensive scanning of the entire network and its assets, layers, and applications. Automated scanning tools complete the first pass, but they should not be the only means of evaluation. Manual testing by professionals should also occur, as automated tools often produce many false negatives and false positives and are not fully reliable on their own.
In relation to ransomware, testers are looking for things like missing patches that make software vulnerable or identifying compromised passwords.
Step 4: Risk Analysis
After completing the scanning and testing, your provider will do a deep analysis of what they discovered. They’ll calculate the classifications of critical, high, medium, or low. In addition to this, the report would detail remediation efforts to fix these issues so they are not a weak link for ransomware attacks. The more complex they are, the more support you may need.
Step 5: Reviewing the Report
Your vulnerability assessment firm delivers the report to you for discussion. Key things the report would include are as follows:
- What devices they tested
- The vulnerabilities detected and their priority level
- The techniques that testers used during scanning (automated and manual)
- Remediation recommendations
You and your partner will then get into the details of how these vulnerabilities could lead to ransomware attacks. You’ll work to begin the process of remedying all these as quickly as possible.
Step 6: Reassessing
The last step is planning for future assessments. You should be conducting these regularly to continue your offensive cybersecurity strategy. Each assessment leads to risk identification and remediation, helping you be more resilient and secure.
Recent Examples of Ransomware: Could a Vulnerability Assessment Have Prevented Them?
Let’s review some recent ransomware attacks.
City of Dallas
The City of Dallas experienced a ransomware attack that decimated operations, from libraries to police to courts. Their defensive move was blocking and quarantining city devices to prevent the spread. The city did not specify the vulnerabilities, only that the breach was due to stolen accounts and was Royal ransomware. They also announced $8.5 million for the restoration of services.
CISA (Cybersecurity & Infrastructure Security Agency) issued an advisory on Royal ransomware, stating that phishing was its most successful vector.
We can hypothesize that phishing was the root here, and vulnerability assessments would have been beneficial in finding these weaknesses. It’s unknown if the City of Dallas used assessments or other cybersecurity best practices.
TimisoaraHackerTeam (THT) Targets Healthcare
HHS (U.S. Department of Health & Human Services) issued a notification on TimisoaraHackerTeam, a ransomware threat group. Its attack method is to exploit known CVEs (Common Vulnerabilities and Exposures entries) in vulnerable VPNs. The attackers then gain access and begin encrypting servers and locking users out, seeking out weaknesses that yield administrative-level credentials. Enterprise vulnerability assessments could enable an organization to find those vulnerable VPNs before attackers do.
Washington State Public Bus System
Pierce Transit, a public transit system in Washington state, suffered a ransomware attack that disrupted some services. The cybercriminals’ strategy was to impact operations as a means of leverage. Reports named LockBit as the ransomware used. It is notable in that it spreads on its own, and initial entry involves looking for weaknesses in software and using social engineering. Again, there is a direct connection between unknown vulnerabilities and exploitation.
To prevent ransomware attacks, you must use many tactics and strategies and continuously improve and evolve. Enterprise vulnerability assessments should be on your list.
Find an assessment partner that understands the risks of ransomware to support these efforts. Learn how that can be us by requesting a discovery session.