Avoiding the Ransomware Epidemic
Ransomware attacks are at an all-time high. Just in the last few months, we’ve seen the Colonial Pipeline attack (which interrupted almost half of the gasoline supply for the US East Coast for a week), the JBS USA shutdowns (which disrupted about 20 percent of the US meat market), and the Kaseya attack (which affected hundreds of businesses across five continents).
When a ransomware attack occurs, the target is faced with an ugly dilemma. If the ransom is not paid, the victim must somehow wrest control of their data and systems back from the attackers and undo the damage that was done. Unfortunately, this is not always possible.
The alternative – paying the ransom demands – is not an attractive option either. As the FBI notes in its 2020 Internet Crime Report, “Paying a ransom may embolden adversaries to target additional organizations, encourage other criminal actors to engage in the distribution of ransomware, and/or fund illicit activities. Paying the ransom also does not guarantee that a victim’s files will be recovered.”
Ransomware has become one of the worst threats in cybersecurity today. In this article, we’ll discuss how your organization can avoid becoming a victim.
A Three-Layered Defense
In today’s threat environment, ransomware requires a defense in depth. Broadly speaking, there are three layers of protective measures:
- Preventing threat actors from penetrating the security perimeter.
- If they penetrate the perimeter anyway, preventing them from deploying ransomware.
- If they deploy ransomware anyway, preventing them from successfully exploiting it.
The first and most obvious defense against ransomware is to keep threat actors out of your networks. If they can’t get into your environment, they can’t infect it.
However, the bad guys can get in using a variety of techniques, so keeping them out requires a correspondingly varied set of countermeasures. Let’s discuss them.
Robust web security: On today’s Internet, web application and API servers are in an extremely hostile environment, with near-continuous attacks. Meanwhile, the growing complexity of modern services and web apps also means that most organizations have large attack surfaces.
A robust next-gen WAF is essential for filtering incoming traffic. There are countless WAF products available today; however, in today’s threat environment, many of these are insufficient. For example, the major cloud providers offer free security tools, including WAFs; however, most of these tools require users to configure and maintain their own security policies. Most users can do this adequately for basic threats, but doing it correctly for advanced threats is very difficult.
In addition to the native cloud tools, there are many third-party security services available. Here too, prudence is required. In today’s threat environment, organizations need complete protection against all web threats: this requires not only a WAF, but also additional security technologies such as account takeover prevention, advanced bot detection, UEBA (User and Entity Behavioral Analytics, which helps to prevent zero-day exploits), and more. Many commercial products are not comprehensive; as for the ones that are comprehensive, most of them only provide full protection when users pay for multiple upgrades and ongoing subscriptions.
The best services will offer sophisticated, comprehensive security technologies in a fully managed, all-in-one platform. It is worth the time and effort to find them.
Remote Desktop Protocol (RDP) vulnerabilities: RDP is one of the most common vectors for ransomware infections. Organizations need to disable RDP everywhere except where it is absolutely necessary, and ensure that, wherever it remains available, it is secured properly. For a good overview of this, see the white paper entitled Exploited Protocols: Remote Desktop Protocol (RDP) from the non-profit Center for Internet Security.
Email scanning: Email is a common vector for network breaches, and a successful breach often results in a ransomware infection. To prevent this, there are a variety of email scanning solutions which can detect and block emails containing hostile links and files.
Security training: A complex threat such as ransomware requires more than fire-and-forget technological solutions. The human element is just as important; team members must be trained on email hygiene, social engineering awareness, and other practices that are necessary for a robust security posture.
Software updates: Whenever a patch or update is issued for an Internet-facing system, it should be installed immediately. This recommendation might seem too obvious to mention, but system vulnerabilities are still one of the most common vectors for ransomware infections.
Even if your organization seems to have perfect perimeter defenses, so that no attacker could ever get through, it would still be inadvisable to rely upon them exclusively. You should still maintain a second line of defense: one that hinders ransomware deployment inside your network even if attackers somehow gained access.
For most organizations, this is the area in which their defenses are the weakest. There are two best practices here: zero-trust architecture and continuous monitoring/reporting.
Zero-trust architecture: The traditional castle-and-moat security paradigm is outdated and inadequate; if attackers can penetrate the perimeter, they can wreak havoc throughout the system.
In contrast to this, a system based on “zero trust” principles does not implicitly trust any users or accounts. Every action taken by every user must be authenticated and authorized before it is allowed. In a zero-trust system, attackers have much more difficulty doing any damage, even if their initial penetration of the perimeter is successful.
Implementing zero trust is probably the most difficult recommendation in this article, because it requires large-scale changes throughout a system. Nevertheless, it’s an important best practice for protecting against ransomware and other hostile activities.
Monitoring and reporting: Most of the worst system breaches went unnoticed for long periods of time (sometimes several months), which gave the attackers free rein; if the victims had maintained continuous monitoring of their systems, they would not have suffered the consequences that they did. The lesson is that even if your security measures seem to be bulletproof, it’s still important to know everything that happens within your system, and to investigate any anomalies immediately. Doing so can greatly mitigate the damage from cyberattacks.
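As an added illustration of the kind of anomaly such monitoring should surface (example code written for this article, not from the original), the heuristic below scans file-server audit events for the burst of renames and writes across many directories that mass encryption produces. The log format, the user names, the thresholds and the sample lines are all constructed for the example.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta
from pathlib import PurePosixPath

# Thresholds are illustrative; tune them against a baseline of normal activity.
WINDOW = timedelta(seconds=60)
MIN_EVENTS = 5          # write events by one user inside WINDOW
MIN_DISTINCT_DIRS = 2   # spreading across directories is a stronger signal

# Constructed sample audit log (hypothetical format):
#   <ISO-8601 time> <user> <CREATE|MODIFY|RENAME|DELETE> <path>[ -> <new path>]
SAMPLE_LOG = """\
2021-07-01T09:00:01 alice MODIFY /share/finance/q2.xlsx
2021-07-01T09:05:10 alice MODIFY /share/finance/q2.xlsx
2021-07-01T10:15:00 bob RENAME /share/hr/policy.docx -> /share/hr/policy.docx.locked
2021-07-01T10:15:01 bob RENAME /share/hr/salaries.xlsx -> /share/hr/salaries.xlsx.locked
2021-07-01T10:15:01 bob RENAME /share/eng/design.pdf -> /share/eng/design.pdf.locked
2021-07-01T10:15:02 bob RENAME /share/eng/notes.txt -> /share/eng/notes.txt.locked
2021-07-01T10:15:03 bob CREATE /share/eng/README_RESTORE.txt
2021-07-01T10:15:03 bob RENAME /share/finance/q1.xlsx -> /share/finance/q1.xlsx.locked
"""

def parse(line):
    ts, user, action, rest = line.split(" ", 3)
    return datetime.fromisoformat(ts), user, action, rest

def detect_bursts(log_text):
    """Return {user: {"events", "dirs", "new_extensions"}} for users whose writes exceed both thresholds."""
    recent = defaultdict(deque)   # user -> deque of (ts, parent_dir, new_ext)
    alerts = {}
    for line in log_text.splitlines():
        ts, user, action, rest = parse(line)
        if action == "RENAME":
            src, dst = (p.strip() for p in rest.split("->", 1))
            # Record an extension that exists only on the destination (e.g. ".locked").
            new_ext = PurePosixPath(dst).suffix if PurePosixPath(dst).suffix != PurePosixPath(src).suffix else None
            path = dst
        else:
            path, new_ext = rest, None
        window = recent[user]
        window.append((ts, str(PurePosixPath(path).parent), new_ext))
        while ts - window[0][0] > WINDOW:      # drop events older than WINDOW
            window.popleft()
        dirs = {d for _, d, _ in window}
        if len(window) >= MIN_EVENTS and len(dirs) >= MIN_DISTINCT_DIRS:
            alerts[user] = {"events": len(window), "dirs": len(dirs),
                            "new_extensions": {e for _, _, e in window if e}}
    return alerts
```

Running `detect_bursts(SAMPLE_LOG)` flags only `bob`, with six events across three directories and the new extension `.locked`; alice's two routine edits stay below the threshold.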
The third layer of defense is often the most uncomfortable to contemplate. Let’s say an attacker has compromised your system, successfully deployed ransomware, and encrypted your data and locked up your system. Now what?
This is when your data and system recovery protocols become vitally important. Ideally, you could completely neutralize a ransomware attack by resetting your systems if necessary, and then quickly restoring your data from recent backups.
Of course, this assumes that backups are done frequently, and that your team has the ability to reset some or all of your systems. Most organizations have these protocols in place. Unfortunately, many of them do not regularly confirm the integrity of their backups, or require their team members to practice system resets.
If your organization is among the latter, consider implementing these practices. Yes, they are tedious and inconvenient (which is why they are often neglected); nevertheless, the day might come when they convert a potentially disastrous ransomware attack into a short-term interruption.
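The backup integrity check the previous paragraphs recommend can be made routine rather than tedious by scripting it. The example below is added for this article (not the author's code): it records a SHA-256 manifest at backup time, then verifies freshness, completeness and content on demand. The directory layout, file contents and the one-day freshness limit are constructed for the demonstration.

```python
import hashlib, json, tempfile
from datetime import datetime, timedelta, timezone
from pathlib import Path
MAX_BACKUP_AGE = timedelta(days=1)   # illustrative freshness requirement

def sha256_file(path, chunk=1 << 16):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def _files(root):
    return {p.relative_to(root).as_posix(): p for p in root.rglob("*")
            if p.is_file() and p.name != "manifest.json"}

def write_manifest(backup_dir):
    """Record a digest of every file; keep a copy of the manifest off the backup host."""
    root = Path(backup_dir)
    manifest = {"created": datetime.now(timezone.utc).isoformat(),
                "files": {rel: sha256_file(p) for rel, p in _files(root).items()}}
    (root / "manifest.json").write_text(json.dumps(manifest))
    return manifest

def verify_backup(backup_dir, now=None):
    """Return a list of findings; an empty list means the backup is usable."""
    root = Path(backup_dir)
    manifest = json.loads((root / "manifest.json").read_text())
    now = now or datetime.now(timezone.utc)
    findings = []
    if now - datetime.fromisoformat(manifest["created"]) > MAX_BACKUP_AGE:
        findings.append("stale: backup older than MAX_BACKUP_AGE")
    present = _files(root)
    for rel, digest in manifest["files"].items():
        if rel not in present:
            findings.append(f"missing: {rel}")
        elif sha256_file(present[rel]) != digest:
            findings.append(f"corrupt: {rel}")
    return findings

def demo():
    """Constructed scenario: a clean backup, then one file silently altered, then a stale check."""
    with tempfile.TemporaryDirectory() as d:
        (Path(d) / "db").mkdir()
        (Path(d) / "db" / "customers.sql").write_bytes(b"CREATE TABLE customers (id INT);")
        write_manifest(d)
        clean = verify_backup(d)
        (Path(d) / "db" / "customers.sql").write_bytes(b"CREATE TABLE customers (id INT);\x00")
        tampered = verify_backup(d)
        stale = verify_backup(d, now=datetime.now(timezone.utc) + timedelta(days=3))
    return clean, tampered, stale
```

The same `verify_backup` call belongs in the restore drill: a backup that passes it but cannot actually be restored has still not been tested.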
Ransomware is one of the worst threats on the web today. Organizations should take this threat seriously and implement best practices to create a defense in depth against it. Judging by the current epidemic of attacks, it’s possible that your organization will need these defenses in the not-too-distant future.