[BreachExchange] Defending Against the 4 Stages of a Ransomware Attack (Industry Perspective)

Audrey McNeil audrey at riskbasedsecurity.com
Thu Aug 24 21:53:36 EDT 2017


http://www.govtech.com/opinion/Defending-Against-the-4-Stages-of-a-Ransomware-Attack-Industry-Perspective.html

Cybersecurity threats, like ransomware, are a growing concern for the
government sector. While the recent Petya ransomware attack hasn’t impacted
the U.S., there are plenty of reports of ransomware attacks against police
departments across the U.S. and local government municipalities.

Ransomware is a cybersecurity threat where the attacker seeks to make money
by holding data hostage and unlocking it only if the victim pays a hefty fee.
Let’s take a look at each stage in the ransomware attack cycle and what you
can do to protect and defend your network.

STAGE 1: TARGETING

At this phase, attackers zero in on their victim(s) and decide on their
method of attack. They will send realistic-looking phishing emails to your
staff, buy an ad on a highly trafficked public site (this is called
malvertising) or upload an exploit kit to a vulnerable WordPress site. Their
goal is to get your staff to click on a link for them so they can start to
do their dirty deeds.

The best way to protect your organization at this stage is by being aware
of these types of attacks and educating your users about phishing and
malware, including ransomware.

Conduct regular security training organization-wide to explain the dangers
of ransomware and phishing, what these attacks look like, and how employees
can report potential threats. With a reporting process in place, you enable
employees to become front-line defenders, an important layer of protection
many organizations overlook.

Because human error and oversight can and will happen, you should also
ensure that your email provider performs phishing and spam filtering, along
with having a malware protection solution that can automatically be on the
lookout for intrusions from all sources.

STAGE 2: DISTRIBUTION

Next, the attacker will attempt to get the malware onto your machine(s).
When users open a phishing email, the action they take runs malware on
their system. Clickless threats, an emerging technique, do not require
users to do anything in order for the malware to install itself.

Despite sophisticated new methods, there are still ways organizations can
effectively protect themselves.

First, it’s critical to patch software vulnerabilities. This means keeping
applications and operating systems up-to-date, and even automating these
updates if possible so they are not forgotten. This is basic information
security hygiene.

Next, by using Web filtering, your organization can interrupt this
distribution phase so employees never visit those malicious sites and the
malicious code never lands on their machines.

STAGE 3: ENCRYPTION

Once ransomware is on a user’s machine, its goal is to encrypt the files
and hold the data and systems hostage until you pay up.

Malware protection, such as antivirus software, is paramount at this step.
Once the ransomware makes it this far, you’re living in the danger zone.
This is your last chance to protect yourself by disarming the ransomware
and preventing it from completing its final step. If the malware is
successful at this point, you’re going into expensive recovery mode.

STAGE 4: RECOVERY

The attacker has you cornered. They already have your data and are
demanding you pay a ransom in exchange for getting your organization back
online. If the attacker does get to this point, you have two options: pay
up or refuse to pay and instead restore from a backup (if you have one).

While many sources recommend just paying up, we actually recommend against
this, because it’s what keeps these criminal operations in business. Not
only that, but knowing that a victim is willing to pay up makes them a more
attractive target in the future. Attackers will often take it so far as
demanding a second ransom before returning your files because they know
most organizations will do it — or they’ll hit you again a month later.
What’s to stop you paying up a second time?

To counter this, we encourage people to take a more proactive approach by
developing a comprehensive incident response plan in advance of a
ransomware attack. Three steps you need to take to prepare for a ransomware
attack are identifying the files and systems critical to your organization,
backing these files up every day, and testing the restore process at least
once a month. When investing in malware protection, make sure you
investigate how the solution neutralizes threats like ransomware, whether
employee devices are locked down, and how much time you need to spend on
cleaning up any infections.
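The monthly restore test is the step most often skipped, so here is an added example (not from the article or its author) of a scripted drill: it archives a "critical files" directory with a SHA-256 manifest, restores it into an empty scratch directory, and only reports success if the clean restore verifies and a deliberately tampered copy is caught. It assumes GNU tar and sha256sum; the sample files and directory names are constructed.

```shell
# Added example (not from the article): backup-and-restore drill for the
# critical files the article says to back up daily and restore-test monthly.
# Assumes GNU tar and sha256sum; paths and sample data below are constructed.

# make_backup SRC_DIR ARCHIVE: archive SRC_DIR and write a SHA-256 manifest
# (ARCHIVE.sha256) so a later restore can be checked file by file.
make_backup() {
    tar -C "$1" -cf "$2" .
    ( cd "$1" && find . -type f -exec sha256sum {} + ) > "$2.sha256"
}

# check_manifest ARCHIVE DIR: compare every file under DIR with the manifest
# recorded at backup time; non-zero if any file is missing or altered.
check_manifest() {
    manifest=$(cd "$(dirname "$1")" && pwd)/$(basename "$1").sha256
    ( cd "$2" && sha256sum -c --quiet "$manifest" )
}

# verify_restore ARCHIVE SCRATCH_DIR: restore into an EMPTY scratch directory,
# never over production data, then verify against the manifest.
verify_restore() {
    mkdir -p "$2"
    if [ -n "$(ls -A "$2")" ]; then
        echo "refusing to restore into non-empty $2" >&2; return 1
    fi
    tar -C "$2" -xf "$1" && check_manifest "$1" "$2"
}

# restore_drill: end-to-end drill on constructed sample data. Returns 0 only
# when a clean restore verifies AND a tampered restore is caught, so a drill
# cannot "pass" just because the verification itself is broken.
restore_drill() {
    work=$(mktemp -d) || return 1
    mkdir -p "$work/critical/records"
    printf 'case 1001 notes\n' > "$work/critical/records/1001.txt"
    printf 'budget FY2017\n'   > "$work/critical/budget.csv"
    make_backup "$work/critical" "$work/critical.tar" || return 1
    verify_restore "$work/critical.tar" "$work/restore_ok" || return 1
    # Simulate a restore in which one file was already encrypted when the
    # backup ran (or was altered in storage): the manifest check must fail.
    mkdir -p "$work/restore_bad"
    tar -C "$work/restore_bad" -xf "$work/critical.tar"
    printf 'ENCRYPTED\n' > "$work/restore_bad/budget.csv"
    if check_manifest "$work/critical.tar" "$work/restore_bad" >/dev/null 2>&1; then
        return 1
    fi
    rm -rf "$work"
}
```

Run `restore_drill` from cron on a copy of a real backup and alert on a non-zero exit; a restore that has never been exercised is the backup you do not have.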

YOUR RANSOMWARE PROTECTION PLAN

While it becomes increasingly difficult (and expensive) for attackers to
get past each stage in the ransomware attack cycle, it also gets more
expensive for your agency to respond the further along the attacker gets.
That’s why we encourage you to implement detection and protection at every
step, particularly in the public sector, where funds are often limited. By
taking a proactive stance against ransomware, both through employee
education and automated tools and processes, you can be better prepared
against these ever-present cybersecurity threats.