Last week’s news about cyberattacks was sobering. Cybercrime is rampant and notorious. “WannaCry,” “Jaff,” and “Cerber” - the names of the attacks that got the most publicity - read like names of gangsters from the days of Prohibition, with unique personalities, techniques that range from brutal to devious, and a lurid line-up of targets and victims. Only the wanted posters are missing.
The news was also a reminder that there is no silver bullet when it comes to stopping cybercrime and ransomware. That’s because there is no single threat. The bad guys are creative and diverse. WannaCry has its own modus operandi, so the techniques that stop Jaff and Cerber don’t work on it. And vice versa. On the surface, this sounds like a problem. In fact, it is the key to the solution. Specific defensive techniques and tools do work on specific threats. The art of the CISO is arraying them effectively.
Defense in depth is the rule. Layers matter. But the layers need to address specific threats and attack techniques with as little redundancy as possible. For example, if you have something that will prevent Jaff and Cerber every time (or Locky and Kovter ransomware), that’s great. But you don’t need two tools for this. What you need next is something that will protect you from WannaCry, which is a different animal.
In the case of Jaff and Cerber ransomware, Moving Target Defense prevents them by immunizing the OS against their attack techniques. The number and virulence of these and other zero-day, in-memory attacks are mounting daily and it is fortunate that deterministic prevention with Moving Target Defense is both effective and easy.
Stopping WannaCry is done differently: Modifying default ports of the SMB protocol, making sure your Antivirus is updated, enforcing policy-level blocking of e-mails with unwanted attachments. WannaCry ransomware is a unique attack and it requires a specific strategy. Some of the options are deterministic and others require detecting and responding to it. Patching must also be emphasized, especially in light of the fact that a patch for WannaCry has been available for over two months.
As a strategic matter, prevention is preferable to detection as the first line of defense. Moving Target Defense, prevents in-memory attacks, like fileless ransomware, and malware that uses evasive techniques. It eliminates the entire class of threats that leverage these methods.
For dealing with other, non-evasive threats and techniques, you need other controls and tools. Mistakes happen - that is attacks bypass defenses - when one security tool is used to do too many things or when too many tools are doing the same thing. There is no escaping a layered defense, so it is imperative to make sure you know which threat each layer is defending against, and that the strategy provides for prevention first.