[BreachExchange] Back to basics: Ten Tips for Outsmarting Ransomware

Audrey McNeil audrey at riskbasedsecurity.com
Fri Jun 22 14:33:16 EDT 2018


http://www.itsecurityguru.org/2018/06/18/back-basics-ten-tips-outsmarting-ransomware/

Just one year ago, the WannaCry ransomware attack made global headlines
when it hit some 230,000 computers, causing widespread disruption.
High-profile organisations have continued to be hit by ransomware since,
some quite recently. Just a few weeks ago, the Atlanta police department
fell victim to a ransomware attack that cost it the permanent loss of years
of video evidence. It is part of a growing trend that has the potential to
affect large numbers of people, with devastating consequences.

Typically, a ransomware attack begins when an end user clicks on a link or
opens a file attached to a malicious email that is part of a phishing
(indiscriminate) or spear phishing (targeted) campaign. Or, they visit a
compromised website and pick up malware along with whatever they were
looking at or downloading. In either case, the malicious file lands on a
vulnerable endpoint that sits on a flat, open network, and from there the
payload spreads, locating other vulnerable systems and encrypting their
data.
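The lateral hunt described above has a signature a defender can look for in firewall or flow logs: one host opening TCP/445 (SMB) to many distinct internal peers in a short time. The following Python script is an added example, not part of the article or of this mailing-list post; it reads simple "timestamp src dst dport" records, keeps only internal-to-internal SMB flows and flags any source whose fan-out inside a sliding window crosses a threshold. The log lines are constructed for the example, and the RFC 1918 ranges, the 60-second window and the threshold of ten peers are assumptions to be tuned per site.

```python
"""Behavioural check for ransomworm-style lateral movement.

A self-propagating payload such as WannaCry probes many internal hosts on
TCP/445 (SMB) in quick succession. This script reads simple flow records
(timestamp src dst dport), keeps only internal-to-internal SMB flows and
flags any source that reaches an unusual number of distinct peers inside a
sliding time window.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Assumptions for this example: RFC 1918 space is "internal", a 60-second
# window and ten distinct SMB peers mark a host as scanning. Tune both
# numbers to the site; a file server's clients fan in, not out.
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"),
                 ip_network("192.168.0.0/16")]
WINDOW = timedelta(seconds=60)
FANOUT_THRESHOLD = 10
SMB_PORT = 445

# Constructed sample flow log (not captured from any real network).
# 10.1.4.23 sweeps twelve neighbours in three seconds; 10.1.4.50 is an
# ordinary user talking to one file server; the external destination and
# the record half an hour later must not count towards the peak.
SAMPLE_FLOWS = """\
2018-06-18T09:00:01 10.1.4.23 10.1.4.10 445
2018-06-18T09:00:01 10.1.4.23 10.1.4.11 445
2018-06-18T09:00:01 10.1.4.23 10.1.4.12 445
2018-06-18T09:00:02 10.1.4.23 10.1.4.13 445
2018-06-18T09:00:02 10.1.4.23 10.1.4.14 445
2018-06-18T09:00:02 10.1.4.23 10.1.4.15 445
2018-06-18T09:00:02 10.1.4.23 10.1.4.16 445
2018-06-18T09:00:03 10.1.4.23 10.1.4.17 445
2018-06-18T09:00:03 10.1.4.23 10.1.4.18 445
2018-06-18T09:00:03 10.1.4.23 10.1.4.19 445
2018-06-18T09:00:03 10.1.4.23 10.1.4.20 445
2018-06-18T09:00:03 10.1.4.23 10.1.4.21 445
2018-06-18T09:00:04 10.1.4.23 10.1.4.10 445
2018-06-18T09:00:05 10.1.4.23 93.184.216.34 445
2018-06-18T09:00:07 10.1.4.50 10.1.4.10 445
2018-06-18T09:00:08 10.1.4.50 10.1.4.10 445
2018-06-18T09:00:09 10.1.4.50 10.1.4.1 53
2018-06-18T09:30:00 10.1.4.23 10.1.4.30 445
"""


def is_internal(addr):
    return any(addr in net for net in INTERNAL_NETS)


def parse_flow(line):
    """'ts src dst dport' -> (datetime, src, dst, dport)."""
    ts, src, dst, dport = line.split()
    return datetime.fromisoformat(ts), ip_address(src), ip_address(dst), int(dport)


def smb_fanout(lines, window=WINDOW, threshold=FANOUT_THRESHOLD):
    """Return {source: peak number of distinct internal SMB peers seen in
    any single window} for every source whose peak reaches the threshold."""
    events = defaultdict(list)  # src -> [(timestamp, dst)]
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        ts, src, dst, dport = parse_flow(line)
        # Only internal-to-internal SMB counts as lateral movement here.
        if dport != SMB_PORT or not is_internal(src) or not is_internal(dst):
            continue
        events[src].append((ts, dst))

    flagged = {}
    for src, evs in events.items():
        evs.sort(key=lambda e: e[0])
        peak = 0
        # Start a window at each event and count the distinct peers inside it.
        for i, (start, _) in enumerate(evs):
            peers = {dst for ts, dst in evs[i:] if ts - start <= window}
            peak = max(peak, len(peers))
        if peak >= threshold:
            flagged[str(src)] = peak
    return flagged


if __name__ == "__main__":
    for host, peers in smb_fanout(SAMPLE_FLOWS.splitlines()).items():
        print(f"ALERT {host}: {peers} distinct internal SMB peers within {WINDOW}")
```

Run it and only 10.1.4.23 is reported, with a peak of twelve peers. The same logic ports directly to a SIEM correlation rule: group by source, count distinct destinations on 445 per minute, alert above the site's baseline.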

Ransomware attacks that spread widely have one thing in common: they almost
always reach systems with known vulnerabilities that should have been
patched. With cybercriminals developing new attack vectors to exploit the
expanding attack surface created by digital transformation, organisations
need a back-to-basics, methodical process to reduce the number of attack
avenues they are exposed to. This includes:

1. Account for all devices: Organisations should maintain a live inventory
of what devices are on their network. This will be easier if their security
devices, access points, and network devices talk to each other. As IT
resources continue to be stretched, an integrated NOC-SOC solution is a
valuable approach to ensure that every device on the network is identified
and monitored.
2. Automate patching: The WannaCry outbreak, along with more recent
ransomware attacks, has made it clear that unpatched systems remain a
primary channel for attacks and malware. As far as possible, organisations
should automate their patching process and track which devices in the
inventory have not yet received a given patch.
3. Segment the network: Every organisation needs to ask itself what it
will do when its network is breached. Because when (not if) it is, it will
want to limit the impact of the attack as much as possible. Segmenting the
network is the first line of defence here. Without proper segmentation,
ransomworms like WannaCry can propagate freely across the network, even to
backup stores, making the recovery portion of the incident response (IR)
plan much harder to execute. Segmentation strategies, including
micro-segmentation in virtual environments and macro-segmentation between
physical and virtual networks, allow organisations to isolate an attack
proactively and dynamically, limiting its ability to spread.
4. Track threats: Subscribing to real-time threat feeds allows
organisations to keep an eye on the latest attacks. Combined with local
threat intelligence through a centralised integration and correlation tool,
such as a SIEM or threat intelligence service, threat feeds help
organisations anticipate and respond to threats as soon as they begin to
emerge in the wild, rather than after they have fallen victim to an attack.
5. Watch for indicators of compromise (IOCs): When organisations can match
their inventory against current threats and the IOCs published for them,
they can quickly see which of their devices are most at risk and prioritise
hardening, patching, isolating or replacing them.
6. Harden endpoints and access points: Organisations should make it a rule
that any devices coming onto the network meet basic security requirements.
They should also actively scan for unpatched or infected devices and
traffic.
7. Implement security controls: Applying signature and behavioural-based
solutions throughout the network enables organisations to detect and thwart
attacks both at the edge of the network as well as once they have
penetrated its perimeter defences.
8. Automate security: Once the organisation has locked down those areas it
has control over, the next step is to apply automation to as many basic
security processes as possible. This frees IT resources to focus on
higher-order threat analysis and response tasks that can protect the
organisation from more advanced threats.
9. Back up critical systems: The most important thing to do when dealing
with ransomware is to make sure that the organisation has a copy of
critical data and resources stored off-network, where an infected host
cannot reach it, and that restoring from that copy has actually been
tested, so it can restore and resume operations as soon as possible.
10. Create an integrated security environment: To make sure that all these
security practices are seamlessly extended into every new network ecosystem
brought online, organisations need to deploy security solutions that are
fully integrated as a security fabric to enable centralised orchestration
and analysis.

Even the most sophisticated emerging ransomware attacks are just the tip of
the spear. Cybercriminals are adopting new attack strategies, such as those
used by the Hajime and Hide-and-Seek botnets, to accelerate both the scale
and success of attacks. These new variants are moving away from malware
that needs constant communication with a central controller and replacing
it with automated, self-directed strategies, potentially turning malicious
ransomworms into ransomswarms. Future attacks are likely to leverage things
like swarm intelligence to take humans out of the loop entirely in order to
accelerate attacks to digital speeds.

As networks become more complex, so will the job of defending them. It is
not a one-solution or even one-team job anymore. Automation can help
organisations maintain basic security hygiene, relieving the burden on
their IT teams for this and many other security best practices, ultimately
closing the doors to ransomware. What's more, as malware evolves, the group
intelligence provided by a shared threat feed will help organisations know
what to look for and how to address potential threats.