[BreachExchange] Ten Best Practices for Outsmarting Ransomware
Audrey McNeil
audrey at riskbasedsecurity.com
Thu Jun 28 21:02:12 EDT 2018
http://www.jamaicaobserver.com/technology/ten-best-
practices-for-OUTSMARTING_RANSOMWARE_136881?profile=1470
Almost a year after WannaCry made global news headlines, a number of
high-profile organisations have continued to be targeted by this
ransomware, some quite recently. It is part of a growing trend that has the
potential to impact large numbers of people, and with potentially
devastating consequences.
Traditionally, a ransomware attack typically begins when an end-user clicks
on a link or opens a file attached to a malicious email that is part of a
phishing (random) or spearphishing (targeted) campaign. Or, they visit a
compromised website and pick up a bug, along with whatever they were
looking at or downloading. Recently, WannaCry ransomworm and SamSam malware
have been loaded onto a vulnerable end point device that is connected to an
open network and its payload spreads from there, locating other vulnerable
systems and encrypting their data.
Over the past several months, cybercriminals have become much more active,
targeting a wide range of organisations from healthcare and educational
institutions, to local governments. We have also seen successfully targeted
cloud-based, web hosting services in order to inject code into multiple
high-traffic web domains, rather than trying to do that one at a time.
Future attacks are likely to leverage things like swarm intelligence, to
take humans out of the loop entirely in order to accelerate attacks to
digital speeds. Real time communications allow individual attacks agents —
or swarmbots — to cluster together in coordinated swarms that are able to
more efficiently assess and target a wide array of potential
vulnerabilities. To defend your network from such multi-pronged attacks,
you need to develop a back-to-basics, methodical process to reduce the
number of possible attack avenues that your organisation is exposed to.
Fortinet recommends these ten best practices:
1.Inventory all devices: Discover and then maintain a live inventory of
what devices are on your network at all times. Of course, this is hard to
do if your security devices, access points, and network devices cannot talk
to each other. As IT resources continue to be stretched then, an integrated
NOC-SOC solution is a valuable approach to ensure that every device on the
network is identified and monitored.
2. Automate patching: The recent WannaCry breach makes clear that unpatched
systems continue to be a primary conduit for attacks and malware. This is
why, as much as possible, you should develop a process for automating your
patching process.
3.Segment the network: What will you do when your network is breached? This
is a question every security professional needs to ask, because when it is,
you want to limit the impact of that event as much as possible, the best
first line of defence is to segment the network. Without proper
segmentation, ransomworms can easily propagate across the network, even to
backup stores, making the recovery portion of your incident response plan
much more difficult to implement.
4. Track threats: Subscribe to real time threat feeds so that your security
systems can be on the lookout for the latest attacks. When combined with
local threat intelligence through a centralised integration and correlation
tool, such as a SIEM or threat intelligence service, threat feeds help
organisations better see and respond to threats as soon as they begin to
emerge in the wild, rather than after you have already been a target, and
even begin to anticipate them.
5. Watch for indicators of compromise: When you can match your inventory to
current threats, you can quickly see which of your devices are most at risk
and prioritise either hardening, patching, isolating, or replacing them.
6. Harden end points and access points: Make it a rule that any devices
coming onto your network meet basic security requirements and that you
actively scan for unpatched or infected devices and traffic.
7. Implement security controls: Apply signature and behavioural-based
solutions throughout your network in order to detect and thwart attacks,
both at the edge of your network as well as once they have penetrated your
perimeter defences.
8. Use security automation: Once you have locked down those areas you have
control over, apply automation to as many of your basic security processes
as possible. This frees your IT resources to focus on higher-order threat
analysis and response tasks that can protect you from the more advanced
threats targeting your organisation.
9. Back up critical systems: The most important thing you can do when
dealing with ransomware is to make sure that you have a copy of critical
data and resources stored off-network, so you can restore and resume
operations as soon as possible.
10. Create an integrated security environment: To make sure that all these
security practices are seamlessly extended into every new network ecosystem
you bring online, you need to deploy security solutions that are fully
integrated as a security fabric to enable centralised orchestration and
analysis.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.riskbasedsecurity.com/pipermail/breachexchange/attachments/20180628/7d4c02c4/attachment.html>
More information about the BreachExchange
mailing list