Ransomware Attacks: The Worst Cybersecurity Threat Today, Part 3

In the first article in this series on defending against ransomware, we discussed the nature of the threat, and why this already-severe problem is getting worse. In Part 2, we showed how many organizations are preparing for this threat incorrectly. In fact, many executives are relying on tactics that ultimately are putting their organizations at great risk in the current environment.

In this article, we conclude the series by discussing the correct measures to take. What are the best practices to defend against ransomware?

A Multi-Vector Threat

Ransomware attacks can be waged in a wide variety of ways. Compared to most other threats, ransomware attacks are difficult to defend against, because all potential vectors must be addressed.

Among the OWASP Top 10 Web Application Security Risks, eight of them are possible routes for a ransomware infection. In addition to these, there are several more commonly used by ransomware gangs. Although threat actors use some tactics more often than others, all of them must be defended against.

Furthermore, although most executives focus on trying to keep ransomware attackers out of their environments, this is not enough. Organizational leaders must also assume that a system compromise could eventually occur, and create firebreaks to minimize the potential damage. For example, even if all defenses were up-to-date, an attacker might use a zero-day exploit. Or perhaps a team member, despite having had extensive training on email hygiene, still opens a malicious attachment anyway. Thus, even though preventing breaches is of course vitally important, a full security posture includes preparations for the possibility that the preventative measures might fail.

For a robust anti-ransomware posture, the best practices can be organized into four categories: 

  • Keeping attackers out
  • Minimizing the blast radius if they get in
  • Surviving the worst-case scenario
  • Long-term planning

We’ll discuss each of these in order.

Keeping Ransomware Attackers Out

As mentioned above, attackers have many possible methods for compromising a system. To defend against them, the practices listed below should be followed.

Neutralize phishing attacks. The most recent report from the FBI’s Internet Crime Complaint Center (IC3) lists email phishing as one of the three most common means of ransomware infection. Cybercriminals send emails containing malicious links or files; when a recipient clicks on one, malware is deployed. 

This attack technique has been around for many years. Although its rate of success has declined somewhat (due to rising awareness of proper email hygiene), it still succeeds quite often. And techniques like spear phishing and voice phishing can increase its effectiveness for attackers.

To help defend against email phishing, technical solutions are available that can detect and filter malicious payloads from an organization’s email system. However, although these solutions can help, they cannot eliminate the threat completely. The most important countermeasure against phishing is to regularly train team members on how to avoid this attack, along with other forms of social engineering.

Lock down the Remote Desktop Protocol (RDP) and other remote-access capabilities. The FBI lists RDP as the second of the most common vectors for ransomware infections. It’s important to disable RDP and similar protocols everywhere except where they’re absolutely necessary. For more on this, see this white paper from the Center for Internet Security.

Keep systems up-to-date. Vulnerable and Outdated Components is listed as one of the OWASP Top 10 vulnerabilities, and it’s also one of the most common sources of successful ransomware attacks. 

Hackers monitor software vendors for announcements of patches and of the vulnerabilities being fixed. They know that many organizations do not install the updates right away, so they immediately begin automated scans for unpatched systems. When a vulnerable system is found, they exploit the vulnerability quickly. 

This makes it vitally important to monitor your vendors for updates, and whenever a patch is issued, install it right away. Obviously, a recommendation to “always install updates immediately” is nothing new. You might even feel exasperated to read it here, because you’ve probably heard it countless times before. Nevertheless, it bears repeating, because countless organizations are not doing it. We know this because software vulnerabilities are still among the FBI’s top three sources of ransomware infections.

Of course, ensuring that updates are always installed quickly can be quite difficult. Technical challenges, available resources, and even interdepartmental politics can all interfere with patch rollouts. Some organizations struggle to even maintain a current inventory of IT assets, which obviously interferes with keeping all of them up-to-date all of the time. Nevertheless, it’s crucial to make this a consistent practice throughout your organization.

Before moving on to the next topic, two final maintenance practices must be mentioned. First, don’t forget about dependencies. Plugins, libraries, modules, and frameworks can all have vulnerabilities too, and when any are discovered, they need to be patched. Second, don’t forget hardware devices either. In the last few years, ransomware groups have begun to focus heavily on hardware devices such as IIoT edge gateways, using them as the vector for initial system breaches. These devices should be inventoried and maintained along with other IT assets. 

Apply the principle of least privilege. This is another best practice that everyone knows about, but despite this, is often not implemented. Modern identity authentication and access management services provide the ability to limit access to resources on a granular level. Every user account should only have access to the resources it requires to do its job, and no more. 

Verify and enforce the principle of least privilege. Having a granular access and permissions hierarchy is not effective if accounts are not administered properly. Again, many organizations struggle with this. On the OWASP Top 10, Identification and Authentication Failures (where user identities are not correctly verified) is the seventh-worst vulnerability, while Broken Access Control (where users are able to act outside of their intended permissions) is at the top of the list. 

Maintain robust web security. Incoming HTTP traffic can contain a wide variety of threats, including potential system breaches via code or command injection, serialization attacks, and other methods. A solid web security solution is a must, to filter incoming requests and block malicious activity—not only for sites and web applications, but also for APIs. (Note that many solutions do not fully protect APIs; if yours is among them, find another provider.) 

Adopt DevSecOps as much as possible. Security Misconfiguration is the fifth vulnerability in the OWASP Top 10, and it often results from human error or negligence. DevSecOps can help with this; it allows you to harden your SDLC and automate the processes. For example, when new environments are created, they should be secure, with unused ports closed, unnecessary services disabled, default accounts/permissions changed, settings set to secure values, etc.—and this should apply to all environments, whether dev, QA, or production. 

Minimizing the Blast Radius

As noted earlier, most organizations tend to focus only on preventing hackers from penetrating their perimeter. Although it can be very uncomfortable to consider what would happen if this prevention fails, it still needs to be done. Here are some recommendations. 

Set up effective logging, monitoring, and reporting. System monitoring is a vital, but often neglected, area of cybersecurity. If a system compromise occurs, the attackers need time to take advantage of it. So it’s important to intercept them immediately and take countermeasures, to minimize the potential damage that could result. Watch for privilege escalation, remote management connections, usage of tools like PsExec, and other unusual events that could indicate a breach is being attempted. 
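To make the monitoring advice concrete, here is an added example (not code from the original article or from Reblaze) of a small detection pass over Windows event records. It flags the three indicators the paragraph names: an RDP logon (Event ID 4624 with logon type 10), special privileges granted to an account outside an expected admin list (Event ID 4672), and the service that PsExec installs on its target (Event ID 7045 with PSEXESVC in the image path). The event IDs are the standard Windows ones; the log lines, host names, accounts and the admin allowlist are constructed for the example.

```python
"""Detection pass over constructed Windows event records (JSON, one per line)
for the ransomware precursors named in the article: remote management
connections, unexpected privilege assignment, and PsExec usage."""
import json
from dataclasses import dataclass
from typing import List, Optional

# Accounts expected to hold administrative privileges (an assumption for this example).
KNOWN_ADMINS = {"CORP\\svc-backup", "CORP\\itadmin"}


@dataclass
class Alert:
    rule: str
    host: str
    account: str
    detail: str


def check_event(ev: dict) -> Optional[Alert]:
    """Return an Alert for a suspicious event, or None for a benign one."""
    eid = ev.get("EventID")
    host = ev.get("Computer", "?")
    acct = ev.get("Account", "?")
    # 7045: a new service was installed. PsExec installs PSEXESVC on the target host.
    if eid == 7045 and "PSEXESVC" in ev.get("ImagePath", "").upper():
        return Alert("psexec_service_install", host, acct, ev["ImagePath"])
    # 4624 with LogonType 10 is a RemoteInteractive (RDP) logon.
    if eid == 4624 and ev.get("LogonType") == 10:
        return Alert("rdp_logon", host, acct, f"from {ev.get('SourceIp', '?')}")
    # 4672: special privileges assigned at logon; unexpected for non-admin accounts.
    if eid == 4672 and acct not in KNOWN_ADMINS:
        return Alert("unexpected_admin_privileges", host, acct, ev.get("Privileges", ""))
    return None


def scan(lines) -> List[Alert]:
    """Parse each line as JSON and collect alerts; malformed lines are skipped, not fatal."""
    alerts = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue
        alert = check_event(ev)
        if alert:
            alerts.append(alert)
    return alerts


# Constructed sample log: a local logon, an RDP logon, a privilege grant to a
# non-admin, a legitimate admin logon, a PsExec service install, and a garbled line.
SAMPLE_LOG = r"""
{"EventID": 4624, "Computer": "WS-17", "Account": "CORP\\jsmith", "LogonType": 2}
{"EventID": 4624, "Computer": "FS-01", "Account": "CORP\\jsmith", "LogonType": 10, "SourceIp": "10.0.5.23"}
{"EventID": 4672, "Computer": "FS-01", "Account": "CORP\\jsmith", "Privileges": "SeDebugPrivilege"}
{"EventID": 4672, "Computer": "FS-01", "Account": "CORP\\itadmin", "Privileges": "SeBackupPrivilege"}
{"EventID": 7045, "Computer": "FS-01", "Account": "CORP\\jsmith", "ServiceName": "PSEXESVC", "ImagePath": "%SystemRoot%\\PSEXESVC.exe"}
this line is not valid JSON and must not crash the scanner
"""


def scan_sample() -> List[Alert]:
    return scan(SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    for a in scan_sample():
        print(f"[{a.rule}] host={a.host} account={a.account} {a.detail}")
```

In practice the same three rules would run against a forwarded event stream (a SIEM or log pipeline) rather than a string, and the admin allowlist would come from the identity system; the point is that each indicator the article lists maps to a specific, cheap check, so the lack of monitoring is a choice rather than a technical gap.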

Conduct regular pentests. Many people think of pentesting as a method for revealing vulnerabilities. This is true, of course, but it can also be used to test the effectiveness of a system’s monitoring and reporting. 

Surviving the Worst-Case Scenario

Now we’ve arrived at the most uncomfortable topic of all. Here you assume that not only did your defenses fail, but your monitoring failed too. Attackers have taken over your system, encrypted your data, and sent you a ransom demand. What do you do now? 

This is the worst-case scenario. As noted in Part 2 of this ransomware article series, many organizations don’t bother preparing for it. They figure that if this situation ever arises, they will just pay the ransom, recover their data, and then file a claim with their insurance company. But as was discussed in Part 2, there are many problems with this approach.

Here are the correct practices to follow, in order to minimize the impact of this scenario.

Create backups regularly, and verify them. This is the foundation for all else that follows. If your current data gets encrypted by ransomware but you have a full and recent set of backups—ideally, a set that is stored and isolated from the primary systems, so that an attacker can’t delete or corrupt it—then the ransomware incident could be merely a mild and temporary inconvenience.

This is another recommendation that you’ve heard plenty of times before. Nevertheless, it bears repeating, because many organizations have backup policies, but don’t follow them consistently.

Create a system restoration plan, and rehearse it. Again, most organizations have backup policies. But the number that follow the policies, and verify the integrity of the backups, and practice restoring their systems from backups, is far smaller. Unfortunately, many of those that don’t will eventually regret their lack of diligence.
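The two practices above (verify the backups, and rehearse the restore) can be reduced to a repeatable script. The following is an added example, not code from the article or from any backup product: it records a SHA-256 manifest when a backup is taken, verifies a backup copy against that manifest before trusting it, detects a corrupted copy, and restores from a second, isolated copy, verifying the restored tree again. The directory layout, file contents and the "online" versus "isolated" copies are all constructed in a temporary directory for the demonstration.

```python
"""Backup integrity check and restore rehearsal on a throwaway directory tree.
A hash manifest is written at backup time, every copy is verified against it
before use, and the restored tree is verified again after the restore."""
import hashlib
import json
import shutil
import tempfile
from pathlib import Path
from typing import Dict, List


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> Dict[str, str]:
    """Map each file's path (relative to root, POSIX form) to its SHA-256 digest."""
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def verify_against(root: Path, manifest: Dict[str, str]) -> List[str]:
    """Return problems found: missing files, hash mismatches, and unexpected extras."""
    problems = []
    current = build_manifest(root)
    for rel, digest in manifest.items():
        if rel not in current:
            problems.append(f"missing: {rel}")
        elif current[rel] != digest:
            problems.append(f"corrupted: {rel}")
    for rel in current:
        if rel not in manifest:
            problems.append(f"unexpected: {rel}")
    return problems


def rehearse() -> dict:
    """Back up, verify, corrupt the online copy, detect it, restore from the isolated copy."""
    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp)
        # Constructed "live" data: a small config file and a database dump.
        live = tmp / "live"
        (live / "db").mkdir(parents=True)
        (live / "db" / "orders.sql").write_text("INSERT INTO orders VALUES (1, 'widget');\n")
        (live / "config.ini").write_text("[app]\nmode=prod\n")

        # Two backup copies: one reachable from production, one isolated from it.
        online = tmp / "backup_online"
        isolated = tmp / "backup_isolated"
        shutil.copytree(live, online)
        shutil.copytree(live, isolated)

        # The manifest is stored apart from the data it describes, then reloaded.
        manifest_path = tmp / "backup.manifest.json"
        manifest_path.write_text(json.dumps(build_manifest(live), indent=2))
        manifest = json.loads(manifest_path.read_text())

        clean = verify_against(online, manifest)

        # Simulate the online copy being tampered with (as an attacker with access would do).
        (online / "db" / "orders.sql").write_text("garbage")
        detected = verify_against(online, manifest)

        # Restore from the isolated copy into a fresh tree and verify the result.
        restored = tmp / "restored"
        shutil.copytree(isolated, restored)
        restored_problems = verify_against(restored, manifest)

        return {
            "clean": clean,
            "detected": detected,
            "restored_ok": restored_problems == [],
        }


if __name__ == "__main__":
    print(json.dumps(rehearse(), indent=2))
```

The design choice worth noting is that the manifest lives outside the backup tree and is compared before any restore starts: a backup that fails the check is not "a backup" for the purposes of the question the article asks next, and the isolated copy is what turns the corruption from an outage into an inconvenience.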

Here’s a question to consider: if you were hit with a ransomware attack tomorrow, how much confidence do you have that your team could reset and restore everything in short order? 

If the answer is “not much,” then now is the time to rectify this.

Plan for the Long Term

This is the last of our four categories of topics. All of the recommendations above are reactive: they respond to the current threat environment, and plan how to react if a successful attack occurs. This category is for looking ahead, and making long-term changes that will harden your organization and make your systems much more resistant to attack overall. 

Adopt zero-trust architecture. The traditional approach to security is castle-and-moat, where the perimeter is guarded heavily so that threats are excluded. However, once users make it through, they are implicitly trusted. This approach is outdated and flawed, because if attackers ever penetrate a perimeter, they can move and act through the system with few restrictions. 

The modern approach is to replace castle-and-moat with zero trust security. Here, every user has a limited and granular set of permissions, and every action must be authenticated and authorized before it is allowed. A zero-trust architecture makes it much more difficult for attackers to successfully deploy malware within a system, even if they were to somehow gain access to it.

Of all the recommendations in this article, zero-trust is the most difficult to implement. It requires an organization to undergo a technical transformation, and often a cultural one as well. However, moving to a zero-trust architecture will create an inherently robust security posture throughout the entire system.

Conclusion: An Important Part of Ransomware Defenses

In this three-article series, we have discussed the nature of the ransomware threat, why it’s getting worse, why many organizations are not preparing properly, and what they should be doing instead.

As mentioned above, web security is an important part of an anti-ransomware security posture. It is not the only part of an effective defense, but it is a key requirement for it.

Reblaze offers an all-in-one web security platform that includes not only a next-generation Web Application Firewall (WAF) solution (which protects against system breaches), but also other modules such as DDoS protection and mitigation, advanced bot management, behavioral analysis tools based on Machine Learning, Account Takeover (ATO) prevention, API security, and much more. It protects sites, services, applications, and APIs, and supports a variety of architectures: cloud, hybrid, serverless, service meshes, and more. For more information, contact us here.
