Ransomware attacks are not only becoming more common, but they're becoming more creative. This advanced malware that once targeted users directly is now being deployed via different attack vectors. Rather than a ransomware infection spreading through traditional phishing attacks, it's now exploiting unsecured servers, infiltrating vulnerable Remote Desktop Protocol connections and conning all parties involved via malvertising. These more modern and highly complex threats are targeting corporate assets and resources every day. Ransomware has come of age.
In addition, given the chaos surrounding the COVID-19 pandemic, more and more soft targets, including hospitals and other healthcare organizations, are falling victim to ransomware. Criminal hackers executing these ransomware attacks are also threatening to release sensitive data obtained during the infection process, as seen in the recent Maze extortion attempts.
So, what can enterprises do to protect themselves from an initial ransomware infection? If ransomware gets into one system, how can enterprises stop it from spreading to other parts of their network and business? It all comes down to common sense. The ransomware threat is no different than any other threat; there's a vulnerability, and criminals want to exploit it for ill-gotten gains. The methods and underlying technologies evolve, but the threats and vulnerabilities themselves need to be handled in the same manner as any other threat or vulnerability.
Follow along here to learn five ways enterprises can approach this security challenge and protect the network from ransomware.
1. Acknowledge that you don't know what you don't know
The sign of a truly wise security professional is admitting that many things on the network are unknown. Systems, applications, users and information make up a group of assets that are often unaccounted for and, therefore, undersecured. This means they're currently at risk from ransomware.
Another key indicator of a smart security pro is the presence of a plan to make things better. This might come in the form of a more strategic security plan with specific goals set forth for minimizing the ransomware risk. It might also come in the form of a well-thought-out incident response plan that provides specific steps for responding to a ransomware infection in a streamlined and methodical fashion.
2. Acquire support from management and users
Before anything can get off the ground in security, management needs to politically and financially back it, and they need to do so on an ongoing basis. Assuming the security team is able to get management on board with its plan for fighting ransomware, it will also need to get users on board with policies, ramifications of bad choices and the overall setting of expectations on "this is how things work here."
Rather than taking the common approach of beating down users with security rules and then publicly shaming them when they mess up, it's best to talk to them as peers. Every user on the network represents both a threat and an opportunity. Those users who are not considered part of the security team -- either in their own minds or the minds of technical staff -- are threats. Those who are on board and looking out for the best interest of the business represent opportunities to make the business better so that it can have a more resilient network environment. Do what it takes to improve security awareness and training initiatives. The payoffs can be tremendous.
3. Deploy the proper technologies or tweak your existing setup
The heart of strong malware defense is well-designed and properly implemented technologies. If a network is to stand up against a modern-day ransomware infection, it needs the following:
- First and foremost, patching needs to be under control. Many businesses struggle with this, especially with third-party patches for software such as web browsers and PDF readers. Even outdated Windows patches provide a direct attack vector on many networks today -- the criminals seeking ill-gotten gains love this. Unless and until software updates are deployed in a timely fashion, the organization is a sitting duck. The network is just one click away from compromise.
- Effective malware protection is also a necessity. Steer away from traditional antivirus programs, and look more toward advanced malware tools, including nonsignature and cloud-based antimalware, whitelisting, and network traffic monitoring and blocking technologies. Endpoint detection and response, as well as security orchestration, automation and response tools, are key to protecting the network from modern ransomware threats.
- Data backups are critical. Organizations' systems -- especially the servers that are at risk from ransomware infections -- are only as good as their last backup. Discussions around backups are boring, but they need to be well thought out to minimize the effect of the ransomware that does get through and encrypts critical assets.
- Network segmentation is another important part of ransomware protection, but it's only sometimes deployed properly. Keep in mind that virtual LANs -- the most common segmentation technique -- aren't a security boundary if an internal threat, such as ransomware, can still reach other internal network segments because traffic is freely routed between them.
- Ensure endpoints are properly locked down. Enabling controls such as Windows Defender Firewall and disabling the Server Message Block version 1 (SMBv1) protocol can go a long way toward locking things down. Additional best practice security controls are offered by organizations such as the Center for Internet Security and various OS vendors.
- Use separate credentials -- ideally, via a separate directory service -- for network storage to prevent ransomware from spreading to critical network-attached storage and storage area network systems. Similarly, critical network storage systems should use a file system different from the one used on the main network.
- Finally, security assessments can help protect enterprise networks. Stop pen testing for the sake of checking a regulatory compliance box, and start performing comprehensive security assessments that look at all moving security parts, both technical and operational. If the security team keeps malware in mind when it looks at its internal network from the internet, it will find a slew of weaknesses that are currently facilitating the ransomware threat. Document these findings, and present them to management for the necessary support.
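As an added example (not code from the original article), the following PowerShell script audits two of the endpoint controls named above on a Windows 10 or Windows Server 2016+ host, SMBv1 and Windows Defender Firewall, and enforces them only when run with the assumed `-Enforce` switch. It assumes an elevated session and a client SKU where SMB1 is an optional feature; everything else uses built-in cmdlets.

```powershell
# Added example: audit (and optionally enforce) SMBv1 removal and firewall state.
# Run read-only first; add -Enforce to apply the changes. Requires elevation.
param([switch]$Enforce)

$findings = @()

# 1. SMBv1 server protocol: a common lateral-movement path for ransomware.
$smb = Get-SmbServerConfiguration
if ($smb.EnableSMB1Protocol) {
    $findings += "SMBv1 server protocol is ENABLED"
    if ($Enforce) {
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
        # Remove the optional feature too so the setting cannot quietly drift back.
        # (Assumption: client SKU; on Server use Remove-WindowsFeature FS-SMB1.)
        Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart | Out-Null
    }
}

# 2. Windows Defender Firewall: every profile should be on and not default-allow
#    inbound. ActiveStore shows the effective values; 'NotConfigured' means the
#    built-in default (Block) applies, so only an explicit 'Allow' is a finding.
foreach ($p in Get-NetFirewallProfile -PolicyStore ActiveStore) {
    $inboundOpen = ($p.DefaultInboundAction -eq 'Allow')
    if (-not $p.Enabled -or $inboundOpen) {
        $findings += "Firewall profile '$($p.Name)': Enabled=$($p.Enabled), DefaultInbound=$($p.DefaultInboundAction)"
        if ($Enforce) {
            Set-NetFirewallProfile -Name $p.Name -Enabled True -DefaultInboundAction Block
        }
    }
}

if ($findings.Count -eq 0) {
    "No findings: SMBv1 disabled, firewall enabled with inbound blocked on all profiles."
} else {
    $findings | ForEach-Object { "FINDING: $_" }
}
```

Feed the FINDING lines into whatever ticketing or configuration-management process the team already uses, so the audit result becomes a tracked item rather than a one-off console message.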
4. Monitor and respond
A security team can't secure -- or respond to -- the things it doesn't acknowledge. Most enterprises have a half-baked monitoring, alerting and incident response program. Security teams need to do what needs to be done: monitor servers, workstations and the overall network for anomalies. Teams need to be prepared to take quick action and do what's necessary to respond to the current event and prevent it from reoccurring.
5. Fine-tune to get better
Many people -- both in management and in IT and security -- view security as a one-time deal. The assumption is that you invest, you deploy, you assess and everything else will take care of itself, but this is hardly the case. IT and security teams are pressed for time because they're constantly having more projects layered on top of what is still left undone. Then, there are the daily fires that prove to be a big distraction. Figure out a way to fix the time issue. It may be in terms of time management, different processes or hiring new full-time employees. Whatever it is, fix it.
The security solutions to the ransomware infection problem are not endpoint-centric, nor are they network-centric. They're holistic. It's a little bit of everything -- in various parts of the organization -- working together to create barriers to entry and exploitation. Sound familiar? It's the same tried-and-true approach to infosec that's been known about for decades, yet organizations continue to struggle with it. The technical understanding is there, but security is often impeded by politics and a wayward culture. This must not be the case if a strong infosec program is to be created and maintained over the long haul.
An organization might not be able to overcome the human aspects of infosec, but it can at least try to make the criminal hacker's job as difficult as possible. Ransomware is not an insurmountable threat. In fact, when all the essential security components fall into place, resilient enterprises will remain just that.