
Proactive Security Validation: Get Ahead of Attacks with CyTest.ai

Attackers routinely rely on zero-day vulnerabilities, freshly disclosed (near zero-day) vulnerabilities, or techniques that need no vulnerability at all. These attack vectors bypass any defense that depends on prior knowledge of the specific flaw being exploited.


Such attacks may trick a user into executing a malicious payload, steal credentials to gain legitimate-looking access, or exploit a vulnerability before defenders have had a chance to patch it, or before a patch even exists.


Adding to the challenge is the attackers' proficiency with short attack chains and techniques such as on-foothold ransomware and remote ransomware [1]. On-foothold ransomware never touches another host: the initially compromised machine already holds enough valuable data to exfiltrate and extort. Remote ransomware likewise stays on the initial foothold, but uses that host's network access (typically file shares) to exfiltrate and encrypt data on other machines. The encryptor process therefore runs only on the foothold, which is often an unprotected or unmanaged endpoint; the endpoint protection on the hosts being encrypted sees nothing but file writes and renames arriving over the network from a remote session. That is how these attacks circumvent many layers of security.
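Because the encrypting process never runs on the hosts whose data is destroyed, detection of remote ransomware has to key on the remote client rather than on a local process. The following is an added example (not code from this page or from CyTest) of that idea: it groups file-share rename events by remote client address and flags any client that renames many distinct files to the same unfamiliar extension within a short window. The `ShareEvent` record shape, the thresholds, the `.locked` extension and every event in `build_sample_events()` are constructed for illustration.

```python
"""Added example: flag remote-ransomware-style encryption over a file share.

A host being encrypted by remote ransomware never runs the encryptor; it only
sees file writes and renames arriving over an SMB session from another machine.
The detection therefore keys on the remote client, not on a local process.
All event data below is constructed for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class ShareEvent:
    """One file-share access record (the shape is an assumption, not a real log format)."""
    ts: int             # seconds since some epoch
    client: str         # address of the remote host holding the share session
    op: str             # "write" or "rename"
    path: str           # file on the share
    new_path: str = ""  # rename destination, empty for writes


# Extensions that ordinary users and jobs produce; renames *to* these are ignored.
KNOWN_EXTENSIONS = {"docx", "xlsx", "pptx", "pdf", "txt", "jpg", "csv"}


def ext(path: str) -> str:
    """Lower-cased extension without the dot, or "" if there is none."""
    return path.rsplit(".", 1)[-1].lower() if "." in path else ""


def detect_remote_encryption(events, window_s=60, min_files=20):
    """Return one alert per (client, extension) that renamed at least min_files
    distinct files to the same unfamiliar extension within any window_s seconds.

    A mass rename to a single foreign extension from one remote session is the
    footprint of an encryptor running somewhere else on the network.
    """
    renames = defaultdict(list)  # (client, new_ext) -> [(ts, path)]
    for e in events:
        if e.op != "rename":
            continue
        new_ext = ext(e.new_path)
        if new_ext in KNOWN_EXTENSIONS:  # e.g. report.tmp -> report.docx
            continue
        renames[(e.client, new_ext)].append((e.ts, e.path))

    alerts = []
    for (client, new_ext), items in renames.items():
        items.sort()
        in_window = defaultdict(int)  # path -> occurrences inside the current window
        lo = 0
        for ts, path in items:
            in_window[path] += 1
            # Slide the left edge forward until every kept event lies within window_s.
            while items[lo][0] < ts - window_s:
                old_path = items[lo][1]
                in_window[old_path] -= 1
                if in_window[old_path] == 0:
                    del in_window[old_path]
                lo += 1
            if len(in_window) >= min_files:
                alerts.append({
                    "client": client,
                    "extension": new_ext,
                    "files": len(in_window),
                    "first_ts": items[lo][0],
                    "last_ts": ts,
                })
                break  # one alert per client/extension is enough
    return alerts


def build_sample_events():
    """Constructed share activity: two benign clients and one remote encryptor."""
    events = []
    # Benign user: a few writes and one rename that lands on a known file type.
    for i in range(5):
        events.append(ShareEvent(1000 + i * 30, "10.0.0.5", "write", f"finance/q{i}.xlsx"))
    events.append(ShareEvent(1200, "10.0.0.5", "rename", "finance/report.tmp", "finance/report.docx"))
    # Slow backup job: three .bak renames spread over ten minutes, far below threshold.
    for i in range(3):
        events.append(ShareEvent(2000 + i * 300, "10.0.0.9", "rename", f"db/dump{i}.sql", f"db/dump{i}.bak"))
    # Unmanaged host encrypting the share: write then rename, 25 files in about 50 seconds.
    for i in range(25):
        src = f"patients/record{i:03d}.pdf"
        events.append(ShareEvent(5000 + 2 * i, "10.0.0.77", "write", src))
        events.append(ShareEvent(5001 + 2 * i, "10.0.0.77", "rename", src, src + ".locked"))
    return events


if __name__ == "__main__":
    for alert in detect_remote_encryption(build_sample_events()):
        print(alert)
```

With the defaults, only the constructed encryptor client trips the rule; widening `window_s` to ten minutes and lowering `min_files` to 3 also flags the backup job, which is the trade-off any such rule has to be tuned around. In practice the events would be mapped into this shape from whatever share-access telemetry the file server already emits; the point of the example is that the alert names a remote address, because there is no local process to name.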


Prominent examples of on-foothold ransomware are the 2020-2023 Managed File Transfer (MFT) attacks, in which Accellion FTA, Fortra GoAnywhere MFT, and Progress MOVEit Transfer were exploited. The files stored on the MFT server itself were valuable enough that the attackers did not need to move laterally at all.


Many of these attacks used zero-day exploits for initial access, attack chains of minimal length to reduce the likelihood of detection, and on-foothold ransomware, often with no encryption and no ransom note on the endpoint: the extortion rested on the stolen data alone. After all, why risk moving laterally when the initial foothold already holds enough valuable files to secure payment?


This mirrors the supply chain attacks seen from 2020 onward, in which trusted software carried out most of the attack, making them very hard to defend against.


The outcomes of each situation are the same: a persistent state of uncertainty about when the next attack will succeed, a lack of confidence in defenses, and a reactive posture whenever a new vulnerability or attack is discovered.



Turning the Tables – A Defender’s Advantage


To turn the tables, it is important to provide defenders with the attacker’s perspective and enable them to assess their actual defensive posture before attackers can strike.


To illustrate the proactive posture CyTest enables, consider a 2024 incident in which a healthcare provider was compromised through an authentication bypass in ConnectWise ScreenConnect, followed by deployment of BlackCat ransomware that exposed patient data and disrupted the continuity of care.


The timeline began on February 13, 2024, when ConnectWise was notified of the vulnerability. The affected healthcare provider did not learn of it until February 19, when the vulnerability was disclosed publicly. By February 21, the provider had announced that it was the victim of a cyberattack involving BlackCat ransomware.


The aftermath included weeks of downtime, disruption to patient care, and reportedly demands for two separate ransoms.


From a CyTest user's perspective, the relevant date is about seven months earlier: July 20, 2023, when proactive coverage had already been established.


Test:

In July 2023, defenders using CyTest would have run a ransomware attack surface assessment, understood which gaps ransomware could exploit, and remediated the most important ones. They would have tested their systems with ransomware encryptors and exfiltrators built by CyTest engineers, which replicate the evasive techniques real ransomware uses, so that protection is validated behaviorally rather than against ephemeral static signatures alone. Those tests would have included the evasive techniques used by the BlackCat group.


Fortify:

Every unprotected endpoint would have been brought under protection. Defenders would have updated their runbooks with streamlined investigation and response steps, and detection engineering teams would have deployed additional coverage wherever gaps were found.


Trust:

CyTest users run continuous automated testing across all endpoints. Defenders could therefore be confident that, even if every other measure failed, their ransomware defenses held on every endpoint and their runbooks were tested and ready for a rapid response to protection alerts, limiting the potential damage.


Outcome:

Calm confidence would have replaced weeks of losses post-compromise.




Figure 1. CyTest users know they were protected more than 6 months before the attack.


Proactive Confidence Through Continuous Security Validation


A related problem arises with many generic detections. To rely on much of today's security technology, one must understand its inner workings, failure modes, and capabilities; only then can the end user judge how effective it really is. That is a lot to expect from a team handed a black-box security product whose content changes constantly.


CyTest cuts through this noise by showing defenders their true coverage against next-generation threats. Security teams can analyze their attack surface from a ransomware attacker's perspective and continually validate their security controls to keep protection effective. They also learn what an attack will look like on their consoles and can prepare ahead of time rather than be blindsided.



[1] Sophos, "CryptoGuard: An Asymmetric Approach to the Ransomware Battle," Sophos News, 20 December 2023, https://news.sophos.com/en-us/2023/12/20/cryptoguard-an-asymmetric-approach-to-the-ransomware-battle/ . Defines remote ransomware as "leveraging an organization's domain architecture to encrypt data on managed domain-joined machines."




©2023 by CyTest.
