It seems as though ransomware is constantly being discussed on the news, and there have been more news stories about ransomware in the past few months than in the past few years. All this attention is good for the cybersecurity industry; however, it is important to be prepared to answer tough questions about how to mitigate the impact of successful ransomware attacks, because it is simply a matter of time until attacks become more widespread.
Ransomware formerly targeted individuals rather than major organizations. Attackers typically extorted hundreds of US dollars from individuals in exchange for their data. In the past, the standard answer to how to mitigate ransomware was to have good backups. Having good backups, unfortunately, is no longer good enough. Attackers are now implementing a three-pronged approach, which includes:
- Encrypting data and backups
- Exfiltrating said data
- Launching denial-of-service (DoS) attacks
Now, an adversary only has to say, “If you do not pay the ransom, we will release your data to the public, never provide you with the decryption key and launch a DoS attack to crash your systems.” This can be avoided by protecting organizations with multiple controls as part of a defense-in-depth strategy, which means implementing good cybersecurity practices and designing systems accordingly. Fortunately, there are countermeasures that organizations can implement to combat this ongoing threat.
Keep Systems Up-To-Date
When cybersecurity vulnerabilities are fixed by the vendor, the attacker community starts reverse-engineering the updates and develops cyberattacks. The adversary understands that it is difficult and time-consuming to patch systems and counts on being able to exploit unpatched vulnerabilities to gain or maintain a foothold into the organization.
Implement Whitelisting Technologies
Using whitelisting technologies[1] raises the bar significantly for the adversary and may help an organization avoid being compromised. These technologies only allow approved software to load on systems, which helps stop malware such as ransomware from being installed on systems, as the malware is not on the approved whitelist.
Implement Email Security Technologies
Attackers send phishing emails to their targets so that an employee can unknowingly infect their own organization’s systems. However, organizations that have email security technologies can detect embedded malware or inspect links. Unfortunately, some attackers redirect malicious links via Google to fool systems into thinking that the link goes to Google and is not malicious. Although email security technologies may not be foolproof, they are yet another layer of security that adversaries must break through to compromise an organization’s systems. An organization must also ensure that executable attachments are blocked within email systems.
Have Updated Malware Scanners
Malware scanners can help an organization avoid being compromised. Although it is a cat-and-mouse game between the attackers and the malware vendors, the latter are good at updating their malware scanners.
Implement Multifactor Authentication for Admin Access
Securing administrator accounts with multifactor authentication (MFA) is another layer of protection. Service accounts can also be attacked, so it is important to ensure that their passwords are very difficult to guess and that the use of said accounts is monitored.
Implement Good Access Controls
It is important to ensure that strong access controls are implemented in your organization. If users have access only to what they need, then one compromised account will not be enough for an attacker to meet their goals of encrypting data and/or backups with their ransomware and exfiltrating your organization’s data.
Segment Networks
Implement firewalls and strong access controls (including MFA access) into more sensitive parts of the network. This makes attacking systems more difficult and gives security teams more time to detect a compromise.
Have Good and Secure Backups
Ransomware can and does infect backups, especially real-time or cloud backups, via persistent synchronization. For that reason, an organization should have physical backups as well.
Follow the Data
All this security or segmentation provides little value if data are stored in multiple unsecured locations, such as network shares, that the adversary can compromise. One can only secure what they know about, so networks should be scanned and the data should be followed.
Implement Cyberdeception Techniques
Utilizing honeypots, honeytokens and honey accounts can help detect an attack in progress, since attackers are naturally curious. Remember that it is your network and that you should have the advantage of knowing the network better than the attackers.
Ensure You Can Detect the Adversary
Security teams must be able to detect the adversary (see cyberdeception above). Even if deception techniques do not work, teams still need to be able to see data being exfiltrated. If systems are connecting to Internet Protocol (IP) addresses outside of the organization’s business hours, security teams must be able to stop that access. If exfiltration occurs during office hours, security teams need to be able to find it. Most organizations do not detect cyberattacks until months or years later (if at all), and that is unacceptable.
Detection can be the difference between hundreds and thousands of compromised records that make the news. Look for IPs that your systems are connected to for unusual periods of time, that are receiving high volumes of data or that are the destination of an unusually large number of connections. Security teams should also look for any performance issues on the network. Those are indicators that something is wrong.
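The indicators listed above (off-hours connections, unusually long sessions, high outbound volume and many connections to one address) can be checked mechanically against connection or flow logs. The following is an added example, not code from the article or its author: it runs those four checks over constructed sample flow records. The record format (timestamp, host, destination IP, duration in seconds, bytes sent), the internal address ranges, the business-hours window and the thresholds are all assumptions and would be tuned to the organization.

```python
"""Flag external connections that match the article's indicators of compromise.

Assumed flow-record format (constructed for this example):
    <ISO timestamp> <host> <destination IP> <duration seconds> <bytes sent>
"""
from collections import Counter
from datetime import datetime
import ipaddress

# Constructed sample records (not from the article). The last group simulates a host
# beaconing to one external address once per minute for an hour.
SAMPLE_FLOWS = "\n".join([
    "2021-06-01T10:15:00 ws01 10.0.0.5 60 4000",             # internal traffic, ignored
    "2021-06-01T10:20:00 dc01 203.0.113.10 120 52000",       # daytime, short, small
    "2021-06-01T02:30:00 dc01 203.0.113.10 10800 950000000", # 02:30, 3 hours, ~950 MB out
    "2021-06-01T11:00:00 ws17 198.51.100.7 30 12000",        # daytime, short, small
] + [f"2021-06-01T14:{i:02d}:00 ws22 192.0.2.44 2 900" for i in range(60)])

# Assumed tuning values: adjust to the organization's own baseline.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
BUSINESS_HOURS = (8, 18)            # local time, start inclusive, end exclusive
LONG_SESSION_SECONDS = 3600         # sessions longer than one hour are unusual here
HIGH_VOLUME_BYTES = 100 * 1024 * 1024  # more than 100 MB out in one session
MANY_CONNECTIONS = 50               # more than 50 sessions from one host to one IP


def parse_flows(text):
    """Parse the assumed whitespace-separated record format into dicts."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, dst, duration, nbytes = line.split()
        flows.append({
            "ts": datetime.fromisoformat(ts),
            "host": host,
            "dst": ipaddress.ip_address(dst),
            "duration": int(duration),
            "bytes": int(nbytes),
        })
    return flows


def is_external(ip):
    """True when the destination is outside the assumed internal ranges."""
    return not any(ip in net for net in INTERNAL_NETS)


def detect(flows):
    """Return one alert dict per matched indicator."""
    alerts = []
    sessions_per_pair = Counter()
    for f in flows:
        if not is_external(f["dst"]):
            continue
        pair = (f["host"], str(f["dst"]))
        sessions_per_pair[pair] += 1
        hour = f["ts"].hour
        if not (BUSINESS_HOURS[0] <= hour < BUSINESS_HOURS[1]):
            alerts.append({"reason": "off_hours", "host": f["host"], "dst": pair[1],
                           "detail": f"connection at {f['ts'].isoformat()}"})
        if f["duration"] > LONG_SESSION_SECONDS:
            alerts.append({"reason": "long_session", "host": f["host"], "dst": pair[1],
                           "detail": f"{f['duration']} s session"})
        if f["bytes"] > HIGH_VOLUME_BYTES:
            alerts.append({"reason": "high_volume", "host": f["host"], "dst": pair[1],
                           "detail": f"{f['bytes']} bytes sent"})
    # Aggregate check: many sessions from one host to one external address.
    for (host, dst), count in sessions_per_pair.items():
        if count > MANY_CONNECTIONS:
            alerts.append({"reason": "many_connections", "host": host, "dst": dst,
                           "detail": f"{count} sessions"})
    return alerts


if __name__ == "__main__":
    for alert in detect(parse_flows(SAMPLE_FLOWS)):
        print(f"{alert['reason']:17} {alert['host']:6} -> {alert['dst']:15} {alert['detail']}")
```

Run as-is, the script raises four alerts: three for the domain controller's 02:30 session (off hours, long session, high volume) and one for the workstation that opened 60 sessions to a single address. The checks are deliberately simple; in practice the thresholds come from a baseline of normal traffic, and a destination that belongs to a known vendor, as in the case described below, should not be excluded from the checks on that basis alone.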
For example, one organization had a slow network, which is usually an indicator of compromise. It turned out that the domain controller was connected directly to a compromised IP at one of the organization’s vendors (the adversary used an IP of a well-known vendor within the United States). The adversary was removed from the network, but the damage had already been done. The security team stakeholder could not believe that such an attack could happen to his midsized organization, but it can—and it does. Fortunately, the enterprise does not hold much regulated data, as it is part of the manufacturing industry. That attack should have been detected long before the slow network issue was identified and fixed.
Conclusion
Everyone needs to do a better job of detecting the adversary. Protecting organizations against ransomware requires a disciplined approach designed to make the adversary’s mission much more difficult. While there are actions that can be taken to better protect organizations, it should still be assumed that an organization will be compromised, and organizations should be able to detect the adversary before significant damage is done. This can be the difference between a breach that does not make the news and one that costs millions of US dollars—or cripples a network.
Endnotes
[1] National Institute of Standards and Technology, Special Publication 800-167: Guide to Application Whitelisting, USA, October 2015
Jesse Fernandez, CISA, CISSP, GCED, GCIH, GPEN, GSEC, GSLC
Is a senior IS auditor with more than 18 years of technical experience in security, risk management, communications and network security, and identity and access management. He has been a speaker for major industry associations such as the Institute for Internal Auditors (IIA), ISACA®, Information Systems Security Association (ISSA) and SANS Institute. Fernandez also researches cybersecurity threats and provides organizations with professional cybersecurity services as a consultant with http://www.PurpleCy.com. He specializes in identifying cost-effective solutions for both large enterprises and small businesses.