.png?width=400&name=SBSIWebinarsBundles_WebMenu%20(1).png)
What drives cybercriminals? Primarily, it’s the pursuit of money, data, and volume. These elements collectively fuel their primary objective — profit. Ransomware, known for its destructive nature, works to encrypt important files that are needed for everyday job functions or contain sensitive data.
Cybercriminals typically infiltrate networks by exploiting internet-facing vulnerabilities, such as unpatched Remote Desktop Protocols (RDP), or through employees interacting with malicious links or attachments in phishing emails. After residing in your network and collecting data for a while, cybercriminals will usually drop ransomware on their way out of a system. The attacker will then ask for payment to allegedly unencrypt the files and return them to a normal state.
Unfortunately, encountering ransomware often signifies just the beginning of an organization’s troubles. Since attackers can dwell undetected within a network for anywhere from 40 to 200 days, the threat extends beyond mere operational disruption. Today’s ransomware attacks often culminate in full-scale data breaches, posing a significant risk to organizational data integrity.
Mitigating the impact of a ransomware attack can be intense and stressful, so most organizations agree that it is better to stop the attack from happening in the first place. Below we'll explore six critical ransomware mitigation strategies designed to safeguard your organization's network and data against these invasive attacks.
1. Data Backup
It's important to understand that while backing up your network's data won’t prevent a ransomware attack, it can significantly mitigate its impact. It's been said that there are two types of people: those who back up their data and those who wish they had. Adhering to the 3-2-1 backup rule is a prudent strategy: maintain at least three copies of your data, store these on two different media types, and keep one backup off-site—preferably air-gapped. An air-gapped backup, isolated from the network, significantly complicates any attacker's attempt to corrupt your data with ransomware.
If you consistently back up your data, in a worst-case scenario, you can erase the infected devices and restore them using the backed-up data, thus minimizing disruption and data loss.
2. Endpoint Protection with Scripting Control
When evaluating today's antivirus or endpoint protection solutions, you'll find two primary types:
- Traditional, signature-based antivirus/endpoint protection solutions rely on a known "signature" to identify if a file is potentially malicious.
- Modern, behavior-based antivirus solutions analyze a file's code to determine the actions it will execute when launched.
While each has pros and cons, modern behavior-based antivirus solutions are superior in handling unknown and unidentified threats, not just those with known bad signatures.
A modern, behavior-based solution with advanced detection capabilities, including scripting control, is strongly recommended. Keep in mind that some providers claim their product has scripting control but consistently fail to detect PowerShell scripts running on your network. Applications without effective scripting detection are less useful when an attacker uses PowerShell to create scripts that automate attacks. Your antivirus solution should be configured to the highest level of security, alerting, and protection. These controls would be able to stop any scripts attempting to run without the user's permission. Modern, behavior-based antivirus solutions should also alert the user if any red flags (malicious behavior) are detected on your devices.
3. Multifactor Authentication
Multifactor authentication (MFA) is a critical security measure that requires users to provide two or more verification factors before gaining access to an application. These factors can include something the user knows (e.g., a password), something the user has (e.g., an SMS code, soft token, or hard token), or something the user is (e.g., biometric data).
Implementing MFA significantly enhances security by ensuring that even if a malicious actor obtains a user's credentials, they still need access to the second factor, typically secured by the user's personal device, to breach the account. This barrier is particularly effective against various cyber threats, including credential stuffing, business email account takeovers, and phishing attacks.
However, the effectiveness of MFA can be undermined by user error. A common pitfall occurs when users inadvertently approve MFA requests initiated by cybercriminals who have compromised their credentials. Educating users to only authenticate login attempts they have initiated themselves is crucial to preventing such breaches.
4. Security Awareness Training
Security awareness training is vital, as employees often represent the first line of defense against cyber threats, acting as the "human firewall." It is important to educate workers about potentially malicious email attachments, links, and other methods of spreading ransomware — including how to identify phishing emails and what to do if they receive or click on something in a phishing email. Phishing remains the primary method for delivering malware; thus, proper training in this area is crucial for reducing your organization's risk exposure.
Training should focus on awareness and practical behaviors, such as avoiding downloads from untrusted sources and not connecting unknown devices like USBs to secure systems. It is a great idea not only to train and educate employees but to test them, too. Providing workers with social engineering and phishing tests helps expose employees to potential cyber threats (in a controlled manner). The more familiar employees are with the signs of phishing and other deceptive tactics, the more likely they are to report suspicious activities, thereby bolstering your organization’s overall security posture.
5. Email Controls
Implementing robust email controls such as email sandboxing, Sender Policy Framework (SPF), DomainKeys Identified Mail (DKIM), and Domain-Based Message Authentication, Reporting, and Conformance (DMARC) can significantly bolster your network's defenses against ransomware attacks.
Email sandboxing, which automatically tests links and attachments in an email in a secure environment before your users receive the email, adds a layer of security and lessens the chances of an employee clicking on a malicious link. An example of effective email sandboxing is Microsoft Defender for Office 365, which includes Safe Links and Safe Attachments features. This demonstrates how such tools can shield your organization from email-based threats.
- SPF, DKIM, and DMARC all help authenticate senders using an organization's specific domain.
- SPF prevents hackers from sending emails on behalf of an organization's domain.
- DKIM checks if an email was truly sent by the owner of that domain.
- DMARC uses both SPF and DKIM to determine the authenticity of the content of an email message.
- SPF, DKIM, and DMARC are free additions to your email system that can significantly impact the amount of junk or phishing emails your organization receives.
6. Egress Firewall Whitelisting with Geolocation IP Blocking
Egress firewall whitelisting examines all outbound traffic from your network to the internet (at the firewall level) and only allows information to leave the network if your organization's IT administrator's requirements are met. Egress firewall whitelisting works best with geolocation IP blocking, which blocks activity to IP addresses associated with geographical locations where your organization does not do business or wants to block intentionally (like certain foreign countries known for cybercrime).
This dual approach serves as a vital control mechanism by blocking traffic to and from these regions while scrutinizing outgoing traffic. It prevents unauthorized data exfiltration and alerts your organization to potential ransomware activities unfolding, thus allowing for immediate remedial action.
Ransomware Attack: What Steps to Take
While implementing robust controls significantly reduces the likelihood of a ransomware attack, no system is infallible. If a ransomware scenario happens, every company should have a well-prepared incident response playbook outlining specific steps to handle ransomware effectively.
1. Preparation
Organizations must implement certain controls to prepare for any cyberattack. Some great controls an organization can consider are listed above, but for additional information, check out SBS's article on the Top 5 Most Common Incident Response Scenarios. It details the most common incident response scenarios and how to protect, detect, and respond accordingly.
2. Detection
A vital question for all organizations is whether they would be aware of an unauthorized presence within their network. Detecting an incident can be one of the biggest challenges for organizations. It is important to identify key risk indicators (KRI) and indicators of compromise (IoC) that can focus your attention on crucial alerts associated with ransomware or a network compromise. KRIs and IoCs are the key to learning what level of traffic is normal for the organization versus what is abnormal.
3. Containment
The initial response to an attack should focus on containment. Denying the attacker access to the network prevents further data compromise. If egress firewall whitelisting has not been implemented before detecting an incident, the best thing you can do is deploy this control immediately to contain the incident. Doing so will allow you to examine the data leaving the network, confirm that data is supposed to be leaving your network, and ensure that your data is sent to the appropriate locations/IPs.
4. Eradication
This phase aims to eliminate the attacker’s foothold in your network. To do so, ensure your organization implements host-based intrusion prevention with scripting control. If scripting capabilities can be detected and prevented on your devices, the ransomware attack can be stopped or even blocked.
5. Recovery
Post-attack recovery involves reinforcing your network's defenses to prevent future incidents. To recover from a network compromise or ransomware attack, implement controls that were discussed earlier in the article, such as MFA, country code blocking on firewalls and cloud resources, and email sandboxing with SPF, DKIM, and DMARC.
6. Lessons Learned
The final and critical step following an incident is conducting a lessons-learned review. Assemble your organization's IT committee and incident response team to review the details of the event. Go through what vendors were contacted, what problems the team(s) encountered, and what the organization can learn from this experience. Continuously update and communicate any new controls, ensuring ongoing vigilance and improvement in your cybersecurity posture.
Cybersecurity is a continuous cycle of prevention, monitoring, response, and improvement. Start by implementing controls to prevent attacks and monitor your network to ensure all traffic falls within normal levels. When red flags arise on your network, the incident response process begins. By treating cybersecurity as a fundamental component of business strategy, organizations can not only withstand current threats but also anticipate and mitigate future vulnerabilities. Remember, proactive engagement and continual improvement are your best defenses in digital security.
Ransomware Mitigation
When an incident occurs, there's often uncertainty about the severity and potential impact on the organization.
Read More
This service will identify and exploit vulnerabilities, assess the effectiveness of security controls, and provide recommendations for improvement.
Read More