The practical guide to fighting ransomware
Close your eyes for a second. Imagine you are in charge of an IT security team in an enterprise, where the headcount is measured in the thousands. Or, you’re the single security engineer in a startup that just hired its 100th employee.
Either way, you haven’t had it easy these last few months. WannaCry and Petya/NonPetya ransomware attacks caused you to spend hours on the phone and in meetings with your superiors, answering countless questions on the security of your infrastructure.
Who knows how many times you checked patch logs on your servers and client workstations, reviewed your firewall rules, and monitored antivirus updates during those stressful days? Fortunately, your organization wasn’t a target of those attacks, but many companies were. WannaCry alone caused an estimated damage of $4 billion.
At a post-mortem meeting, management congratulated you on your efforts, but they also raised a question you already had in mind for days after both attacks passed: How can you ensure that ransomware cannot hurt your company in the future?
Viruses evolve, change their shape, and utilize different security holes in hardware and software to cause more and more damage every year. Which risks should you mitigate in your environment in order to sleep peacefully when the next ransomware attack occurs?
Now open your eyes, and follow this list of the top risks facing your SMB or large enterprise infrastructure, along with practical recommendations on how to fight these risks.
Risk 1: Endpoint Security
As we saw with WannaCry and Petya/NotPetya malware, the endpoint is your first and last line of defense. These ransomware attacks were designed to enter your organization via a vulnerability in your operating system, but other viruses can also infect you via email, web sites, USB devices, or elsewhere.
No matter how reliable the security of your infrastructure, you always need to assume that the endpoint will be breached, typically due to users either opening infected emails or browsing infected web sites.
As you will see below, there are "quick win" measures to take to prevent or mitigate some of the more common attack methods, and others that will require a longer time for implementation.
Quick Wins: Able to Implement in 1 – 3 Months
Review email security. A study by IBM found that 40 percent of spam email contained ransomware. This means email is one of the main entry points of ransomware into your company, so be sure that your email servers are equipped with anti-virus scanner and spam filters, so the contagious content cannot even reach users’ mailboxes. As an extra security measure, endpoint security products should also have content inspection enabled, to monitor email clients of the staff members and provide another layer of security.
Restrict admin privileges. Ensure that end users are not local admins on their devices unless there is a business justification. Implement an admin account review process, then review who has admin access at least once a year or if the circumstances of the user change (ie. new role within the organization.)
Keep antivirus up to date. Is there a process in place that monitors the anti-virus levels across the managed devices? Are actions carried out in a timely manner if a device is out of date? Make sure there is a clear process and point-of-contact for this.
Operating System patching. Patches for security vulnerabilities are applied via an automated process within one month for all workstations, unless there is justification and risk acceptance as to why certain machines may not be patched. Implement a process to manage out-of-bound patching — for example, a major security vulnerability that needs to be patched within 48 hours. If machines are not patched, additional security controls should be applied to the devices to reduce the impact of being compromised. Don’t forget: all operating systems need patching, not just Windows-based systems.
Medium Term: Able to Implement in 3 – 6 Months
Enable firewalls on client devices. Firewalls will help reduce lateral movement within the environment and also reduce the attack surface. Centrally manage the firewall policy and follow industry best practices.
Commercial off-the-shelf application patching. Don’t just focus on the operating system. Applications also need patching. Be mindful of security vulnerabilities that traditionally occur in higher risk areas such as Adobe Flash, web browsers, Microsoft Office, Java, and PDF viewers.
Patch vulnerable open-source components. Due to the increased usage of open-source components, hackers have heavily targeting open source vulnerabilities in the last 18 months. Software Composition Analysis (SCA) tools detect vulnerable open source components and can even automatically block usage. In addition, these tools automate the entire process of selection, approving, and detecting problematic open-source components and therefore also significantly reduce operational management overhead, while increasing the development team’s productivity. According to Gartner, "SCA is becoming a critical or a mandatory feature of AST (application security testing) solutions, as open-source and third-party components are proliferating in applications that enterprises build."
Continuous vulnerability scanning. For servers and network devices, implement vulnerability scanning tools (like Tenable Nessus, OpenVAS or rapid7) that will scan them on a daily or weekly basis and identify systems outside of your baseline. Such tools will regularly notify you of discovered vulnerabilities in your infrastructure, ranging from critical down to low priority, along with suggested solutions for how to resolve those issues, making vulnerability scanners "a must" tool for both SMBs and large enterprises.
Long Term: Able to Implement in 6 – 12 Months
Application whitelisting. Deploy application whitelisting that will stop unauthorized executables, scripts, and software libraries from being executed. When selecting your approach for application whitelisting, first carry out a proof of concept, as some tools can be complex to manage.
Hardened operating system build. Develop a secure build for your servers and clients to help with developing the secure build utilize information available from the manufacturers, security organizations, or from the government. For example:
- Microsoft’s Security Compliance Manager provides ready-to-deploy policies based on the security industry’s best practices.
- Center for Internet Security baselines, vendor-neutral security baselines, provide security baselines for most operating systems.
Risk 2: Network Security
Ransomware can propagate very quickly within the internal network, as seen with the recent WannaCry ransomware outbreak which spread through the Server Message Block (SMB) protocol. This protocol is typically used by Windows machines to communicate with file systems over a network. If a network has not been secured and machines have not been patched, an organization may very quickly find the majority of their systems affected. Of course, you want to prevent breaches, but you also want to be prepared should there be a breach, so that you limit lateral movement within the environment.
Quick Wins: Able to Implement in 1 – 6 Months
Secure admin access. Attackers often utilize pass-the-hash attacks, which is where the password hash is used to gain administrative access to other systems. To address this, introduce a process to manage admin access within the environment. For instance,
While these can be complex to introduce to an existing environment, they can always be deployed in phases.
Multi-factor authentication. Deploy multi-factor authentication for remote access, accessing sensitive data, or when performing privileged actions. This is especially important for any admin portals used to manage cloud-based services, such as an AWS portal.
Long Term: Able to Implement in 6 - 12+ Months
Implement segmentation and traffic filtering for the internal network. Avoid having a flat network. Use VLANs to segment the environment into logical sections and carry out traffic inspections as the traffic leaves the VLAN. The aim of segmentation is to reduce the attack surface and to make it more difficult for unauthorized lateral movement. This measure is optional for SMBs with less complex network infrastructures, but mandatory for large enterprises with a dedicated network engineering team operating dozens of firewalls, routers, L2/L3 switches, and other network equipment.
Network Access Controls (NAC). NAC is a policy-enforcement mechanism designed to authenticate and authorize systems attempting to connect to a network. It is a key network security control which requires skilled veteran IT engineers for implementation, making it an administration and overhead nightmare in smaller environments lacking dedicated personnel.
Cloud Security Access Brokers (CASB). If your organization utilizes a lot of cloud services, deploy an inline CASB to provide inspection and protection of data going into or out from cloud-based services.
Risk 3: Backup Security
Within the backup landscape, there has been a move towards using disk-to-disk backups. This can leave backups vulnerable to ransomware as they seek out data hosted on the services within the environment they are attacking. To contain the impact of a breach, deploy these quick-win and long-term security controls to help mitigate some of the more common attack methods.
Quick Win: Able to Implement in 1 - 3 Months
Test the backup process. Perform regular full restore tests, restoring not just files, but also databases and application data to test the ability to recover in the event of failure. Often, organizations don’t carry out any backup validation, and when they go to use the backups in a real scenario, they find the backups don’t work.
Long Term: Able to Implement in 6+ months
Protect the backups. To secure the backup data for years to come, consider implementing disk-to-disk-to-tape mechanisms. With this approach, the data is backed up to tape for retention. The tapes are then rotated and stored offsite. This offers protection from a ransomware attack, but it also has a high administrative overhead.
Also, don’t forget to secure your backup environment: If encryption and other controls are applied to the datastore, access to the data is highly restricted to designated accounts only. Think about replicating your data to the cloud. Maintain a cloud-based copy of the data, isolating the data from the on-prem location. This provides a high level of resilience and redundancy.
An organization's security posture can be increased by applying the recommendations discussed in this article, but while following this practical advice: Don’t neglect your users. Remember that not everyone from your staff is a technical person, and with ransomware evolving on a yearly basis, it’s important to continuously educate and train your users. Don’t just gather them once a month in a room to lecture about new viruses and security procedures; work with them daily and teach them about phishing, security on the web, and principles of how security products work, such as antivirus or anti-spam filters. This new, practical knowledge will be beneficial for them, since they also need to protect their personal devices at home, such as PCs, handheld devices, and even smart home appliances.
There is still no such thing as 100 percent secure, but by targeting the right areas, you can make a considerable difference to the security of your organization and be prepared for a new wave of ransomware attacks.
Rami Sass is CEO and Co-Founder of WhiteSource , the leading open source security and compliance management platform. Rami is an experienced entrepreneur and executive with vast experience in defining innovative products, leading technology groups and growing companies from seed level to business maturity.