Phishing and Ransomware: Connecting the Dots!
Phishing and ransomware. Ransomware and phishing. The two are inextricably connected and are now often chained together as the most potent exploit tools in a cybercriminal’s arsenal. When these exploit tools are used effectively, cybercriminals can programmatically steal your credentials, perform a privilege escalation to take control of your mobile device or laptop, move laterally onto your company’s network to find and exploit other connected endpoints, and then encrypt and block access to your critical personal and company data. Cybercriminals package already developed and highly successful ransomware tools into a Ransomware as a Service (RaaS) subscription model, selling to less-skilled cybercriminals who use them to extort cryptocurrency from their victims. Nation-state-funded advanced persistent threat (APT) actors also use the same machine learning and artificial intelligence models that the good guys employ to detect threats. The bad guys use these models to discover new victims, penetrate defenses, and evade threat detection! My cybersecurity newsfeeds are often filled with stories of successful ransomware attacks almost daily against healthcare providers, schools, and government agencies.
You might think, “Ehh, that can’t happen to me!” Think again! The sad reality is that the risk of falling victim to a phishing attack that evolves into ransomware is greater in the Everywhere Workplace without the proper mobile management tools and security controls. According to the Verizon Mobile Security Index 2021 (MSI) report, 79% of respondents saw remote working increase in their company. Some companies are allowing employees to work exclusively from home or have implemented a hybrid work-and-home workplace policy. The report also mentioned that 71% of the respondents surveyed said that mobile devices are “very critical to their businesses,” while 97% consider remote workers to be more at risk than office workers. It’s a tough balancing act for the company CISO to allow remote mobile devices, laptops and bring your own device (BYOD) policies while keeping these endpoints secure so that critical personal and company data are safeguarded from cybercriminals.
What is phishing?
Humans are the weakest link in the cybersecurity kill chain. Threat actors have been known to easily deceive individuals into divulging their credentials using sophisticated social engineering tactics. C-level executives are often targeted, and even seasoned security practitioners can fall victim to these quickly evolving and morphing attacks. According to the same Verizon MSI 2021 report, what was the attack vector of choice for these cybercriminals? Phishing. A 364% increase in phishing attacks was reported from 2019 to 2020, and 1 in 25 apps downloaded from the public app stores leaked your personal credentials. It’s hard to see these numbers dropping any time soon as remote work continues to be the norm. Unfortunately, as companies and employees become comfortable and more relaxed, their cybersecurity hygiene could be put at risk.
The most common phishing attack tools are delivered through email, attachments, text and multimedia messages, and malicious advertisement networks. These can all be used to persuade you to tap a hyperlink to a website that looks legitimate. That link will actually redirect you to a malicious website that harvests your user credentials and then potentially drops, installs, and executes a malicious exploit script onto your mobile device, or, in the case of fileless malware, runs it directly in random access memory (RAM).
What is ransomware?
Ransomware is malware whose sole purpose is to extort money from you. Once your user credentials are stolen via a phishing attack, threat actors can grab additional valuable information from your mobile device. From there they can escape the device and move laterally onto connected network nodes in search of additional critical data to steal. Afterward, they can block or encrypt your data before sending out a ransom note, usually expecting payment in cryptocurrency to unblock or decrypt your data.
The threat actor must be correct only one time to be successful, but the CISO and their security team must be correct 100% of the time!
How can you and your company fight back?
A multilayered threat defense solution that is part of a company’s zero trust security framework is warranted to have a fighting chance against today’s cybercriminals. First, if your company does not have the ability to discover all endpoints and determine their health and posture, then the likelihood that rogue devices and malicious exploits are already living inside your corporate network undetected is high. Ivanti’s Neurons for Discovery can find all your company’s connected assets and determine their health state. Then a unified endpoint management (UEM) platform is used to securely manage and provision your identity credentials to your work email and collaboration apps, and to configure WPA3 Wi-Fi security and remote access VPN profiles to ensure your network connections from home to work resources are protected.
I no longer consider mobile threat defense and endpoint protection an added insurance policy. An always-on threat detection and remediation engine running on your endpoints, augmented by a cloud-based URL lookup service that uses machine learning, is now required to protect your entire device and its contents. Cloud-based databases employ multiple real-time crowdsourced phishing feeds and are updated frequently to immediately block the more than 5,000 known malicious domains and websites that get spun up every day by cybercriminals.
Additionally, assign DNS servers via DHCP to network-connected endpoints; choose resolvers that automatically block malicious domains and websites using their own threat intelligence sources. Public DNS servers from OpenDNS, Quad9, Cloudflare, and Google provide this capability. In fact, the Chrome browser enables safe browsing by default. The Chrome, Edge, and Firefox browsers also have phishing protection capabilities that can all be pushed by UEM and silently installed onto your managed mobile devices and laptops.
Ivanti’s mobile phishing protection is part of Mobile Threat Defense (MTD). MTD provides additional protection from app threats like browser-based attacks, leaky apps and malware. MTD also provides protection from network threats like IP, TCP, or UDP reconnaissance scans, connecting to risky Wi-Fi, and Man-in-the-Middle attacks. Finally, MTD protects against device-level threats like jailbreaking and rooting, as well as elevation of privilege exploits like remote code execution (RCE) or local privilege escalation (LPE) attacks against vulnerable firmware, apps or operating systems.
The benefit of the Ivanti solution is that the on-device threat detection engine is built into the unified endpoint management (UEM) client within a single app that is automatically enabled and starts protecting the device after successful enrollment in MobileIron Core or Cloud! This single-app solution achieves close to 100% user adoption, as opposed to requiring a second app that must be downloaded, installed, and then activated against the threat defense portal. Those solutions achieve around a 27% user adoption success rate.
MobileIron UEM and the intelligent access gateway with Zero Sign-On can also deploy and enforce multi-factor authentication (MFA) without passwords, employing live-scan biometrics and time-based one-time tokens as two or more authentication factors. With no passwords, there are no password credentials to phish!
The MobileIron Tunnel or Pulse Connect Secure client can also be configured and deployed to managed mobile devices for per-app VPN. Per-app VPN removes the threat of users being redirected to malicious websites and unknowingly downloading drive-by malware. Split-tunnel VPN deployments allow the mobile device user to connect to the corporate network and surf the insecure internet at the same time over that split-tunnel connection. Per-app VPN solves this by allowing only the specific corporate-approved app (as opposed to malware) and its associated content through the secure tunnel to the VPN gateway, and from there to the on-premises, data center, or cloud-based corporate resource.
User privacy is also particularly important. Ivanti’s MobileIron UEM platform, by default, does not track your location or store your location data, and does not look at or store your browsing history. Ivanti also does not share personally identifiable information (PII) with third parties and strictly adheres to GDPR and CCPA guidelines.
The adversary has become more sophisticated and well-funded, with a seemingly omnipotent set of attack tools and tactics at their disposal. Cybercriminals leverage the same machine learning and AI that the good guys use, and have used them to take down even the largest and most sophisticated cybersecurity companies and government agencies. In the Everywhere Workplace, to have a fighting chance to safeguard your mobile endpoints and their contents, it’s imperative to place as many robust impediments as possible in front of these cybercriminals, such as Ivanti Neurons, MobileIron UEM, MTD, ZSO, and the Pulse Connect Secure or MobileIron Tunnel VPN solutions.