Designing security to mitigate growing ransomware threats
Ransomware has become a top-of-mind security concern for many organizations. High-visibility ransomware attacks have disrupted supply chains and inspired an Executive Order on Cybersecurity in the United States.
This is not surprising given that ransomware is a such a common and costly threat costing organizations millions.
IT Security Best Practices for Ransomware Prevention
Ransomware groups have an array of methods they use to deploy and install ransomware. By following and implementing the security best practices outlined in this article, organizations can dramatically improve their protection against ransomware attacks.
1. Firewall and Service Configurations
Modern ransomware attacks are known to target externally facing services such as the Remote Desktop Protocol (RDP) and Service Message Block (SMB) protocol to gain initial access to corporate networks. Once inside, they leverage services such as Windows PowerShell and the Windows Scripting Engine (WSE) to execute arbitrary commands and avoid detection.
Organizations should revise firewall settings to ensure that services such as SMB, RDP, and other administrative services are not externally accessible. In addition, it is recommended to block IP addresses showing malicious activity along with disabling services such as PowerShell and WSE if not in use (or restricted based on least privilege).
2. Patch Management
Exploitation of unpatched vulnerabilities is another common tactic used by ransomware groups. Recently, ransomware groups began exploiting and leveraging the Log4j vulnerability present on external networks to gain initial access to corporate environments and deploy ransomware. These attacks take advantage of the fact that many organizations patch vulnerabilities long after they are publicly reported, leaving a window for exploitation.
Organizations are recommended to revise or implement patch management solutions to ensure patches are being applied on operating systems, applications, and third-party software. This is essential to protecting against ransomware and overall cybersecurity attacks. If possible, organizations should also use threat intelligence to learn of vulnerabilities and common attack vectors being exploited by attackers in the “wild” or other network environments.
3. Least Privilege Access
Ransomware operators commonly exploit excessive permissions in their attacks. For example, an attacker may use elevated permissions to move laterally through the network to critical systems or gain the necessary access to execute their malware.
Organizations should implement the principle of least privilege, which states that employees should only be granted the access and permissions required by their job role. Additionally, those employees that require administrator accounts should only use those accounts for tasks that require them. For other tasks, these users should have user-level accounts with appropriately restricted permissions.
4. Network Segmentation
Network segmentation is another best practice for protecting against lateral movement by ransomware. Ransomware moves laterally through the network from its initial access point to encrypt systems and resources. Network segmentation can help minimize the impact of an infection by preventing the spread of ransomware.
Network segmentation can be performed based on critical infrastructure, function, and/or data type. Ideally, all critical infrastructure should be segmented and/or air-gapped to reduce the likelihood of cyberphysical attacks that can cause physical harm. IT systems may be segmented based on function (e.g., human resources) or data type (e.g., sensitive information).
5. Defensive Technologies
Properly configured defensive technologies can provide robust protection against ransomware attacks. Endpoint protection systems and intrusion prevention systems (IPS) can help to detect and block malware infections, while SIEM solutions provide crucial visibility and support rapid incident response. SIEM solutions should be configured to collect data from the firewall, endpoint protection system, IPS, web proxy, DNS servers, operating systems, and any other security solution maintained in-house.
Managing the Ransomware Threat
As ransomware attacks become more common and sophisticated, any organization can be the target of an attack. However, by implementing IT security best practices, organizations can dramatically reduce their exposure to ransomware threats.
Jonathan Broche is Director of Penetration Testing, MorganFranklin Consulting