16 May 2017

Ransomware: A Wakeup Call


The unfortunate recent ransomware attack that affected mission-critical services around the world highlights the growing threat all organizations face. One thing we know for sure about this attack is that it will not be the last one. Another thing we know: it should serve as a wakeup call for all of us.

Synack works with some of the most sophisticated organizations in the world when it comes to security, yet through our proprietary crowdsourced model, which combines the creativity and diversity of a global network of ethical hackers with machine learning, we consistently find a significant number of high severity vulnerabilities left undetected by the other solutions they have deployed. These previously undetected vulnerabilities often include the most damaging kind, those that could result in data exfiltration and account takeovers: exactly the class of vulnerabilities hackers hunt for when deploying similar types of attacks. In 2016, 35% of the vulnerabilities found by the Synack Red Team (SRT), prioritized, and reported by Synack to our clients were considered high severity (CVSS greater than 7.0). Note that Synack consistently delivers an average of 12 high severity vulnerabilities per asset tested.

Distribution of severity (CVSS) of Synack reported vulnerabilities in 2016

Running Operations for Synack, I have a front-row seat to our clients’ security programs and the vulnerabilities we report to them. I am consistently amazed that no matter how good an organization is at security, it is never good enough. They can have the best coding practices, the best tools, the best internal training, the best methodology and the latest software deployed, and yet they still fall short when an adversarial, asymmetrical approach is taken to penetrate their defenses. By asymmetrical, I mean the opposite of the checklist-driven test that many organizations use to check the compliance box. Hackers don’t obey a methodology that has been signed off by CREST. The closest you can possibly get to the real adversarial perspective you face every day is to regularly deploy a large number of ethical hackers who use the same unpredictable techniques and methods that the adversary would.

Asking a global network of hackers to hack you can understandably be uncomfortable. It seems risky to invite unknown actors in. It is for this reason that Synack has carefully grown a trusted network of the world’s best security researchers through an intensive selection and vetting process. This process begins with highly targeted recruiting, followed by extensive onboarding, which includes a thorough review of skills and work history, mandatory background checks, identity verification, behavioral interviews, and meeting demanding testing requirements. Once the researcher passes all of these steps, they are then monitored for quality before achieving status as an active SRT member. Fewer than 10% of applicants make it through this process. Beyond vetting the ethical hackers themselves, all testing activity is controlled through Synack’s proprietary technology, which provides full packet capture of all network traffic from our researchers to our clients’ systems. Not only does this offer direct control (clients can shut off all researcher traffic at the push of a button), it also provides complete visibility into where the researchers are testing and what types of attacks they are attempting. All of this activity is surfaced to the client through a real-time dashboard.

To (over) state the obvious, these attacks are not going away anytime soon. Having a global network of ethical hackers continuously on your side is the closest you can get to seeing your defenses through the adversary’s eyes. No security strategy is complete without it.