In recent months ransomware attacks have undoubtedly picked up pace as well as impact. There have been high-profile incidents such as those on the Irish Health Service Executive (HSE), JBS Foods and IT management software firm Kaseya. In fact, the attack on Kaseya was the biggest supply chain attack since the infamous SolarWinds breach. With threat actors increasingly looking to cause maximum disruption, including targeting companies’ partners and customers, it would appear that no one is safe. In the third of a new series of live Cyber Threat Briefings, Adversary Simulation Lead, Aaron Dobie, and Risk Advisory Senior Director, Craig Moores, sat down to discuss the best ways in which organizations can implement effective ransomware defense and response controls.
What are some best practices for defending against ransomware?
With ransomware so prevalent at the moment, our third cyber threat briefing session began with a warning – every company should expect this to happen to them. The first best practice for defense is that companies must have controls in place to stop the threat at multiple stages of the ransomware kill chain, not just at the perimeter. In other words, they must conduct threat modeling: understanding the types of attacks you are likely to be exposed to, and actively designing and implementing layered controls to stop those attacks.
There are a couple of ways to do this. You can rely on industry-published white papers from bodies like the National Cyber Security Centre (NCSC), or you can engage a threat intelligence provider, who will give you a report that combines their wider knowledge with data they aggregate from attacks by the actors that target organizations like yours. From that, you can understand the types of threat actors that would target you and the types of attacks they might use, and tailor the controls you have in place accordingly.
Once you understand what the threats are, you can start implementing a defense-in-depth layered security model, which places controls at multiple stages so that each stage could, in theory, mitigate an attack on its own. By chaining multiple controls, even if several fail, one of them should still take effect and block the threat.
Implementing the principle of least privilege
One of the key technical controls that you can implement is the principle of least privilege. Companies need to make sure that they have a model of access rights whereby users have the permissions appropriate to their role, and no unnecessary extra permissions are granted to excessive numbers of people. If you have users who sometimes need highly privileged accounts, such as IT administrators who also need access to email, you should implement two separate accounts – one for performing those high-privilege functions and another for their day-to-day activities. What has that got to do with ransomware? Well, ransomware attacks usually start via a phishing email. If users have as few privileges as possible, then when an initial compromise does happen to a user via phishing, the attacker isn’t able to move laterally from that user’s endpoint to infect others on the same network.
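One way to check whether the separate-accounts control described above is actually in place is to audit the privileged Active Directory groups for enabled members that also carry a mailbox, since a mail-enabled admin account is by definition being used for day-to-day work. This is an added example, not code from the briefing or its speakers; it assumes the RSAT ActiveDirectory module and that the three built-in group names listed are the privileged groups of interest.

```powershell
# Added example: find privileged accounts that are also mail-enabled,
# i.e. high-privilege accounts that double as day-to-day user accounts.
Import-Module ActiveDirectory

# Assumption: these built-in groups are the privileged tier to audit.
$privilegedGroups = 'Domain Admins', 'Enterprise Admins', 'Schema Admins'

$findings = foreach ($group in $privilegedGroups) {
    # -Recursive expands nested groups so indirect members are caught too.
    Get-ADGroupMember -Identity $group -Recursive |
        Where-Object { $_.objectClass -eq 'user' } |
        ForEach-Object {
            $user = Get-ADUser -Identity $_.DistinguishedName `
                -Properties mail, Enabled, LastLogonDate
            # Only enabled accounts with a mail attribute violate the
            # "no email on admin accounts" rule.
            if ($user.Enabled -and $user.mail) {
                [pscustomobject]@{
                    Group          = $group
                    SamAccountName = $user.SamAccountName
                    Mail           = $user.mail
                    LastLogonDate  = $user.LastLogonDate
                }
            }
        }
}

if ($findings) {
    $findings | Sort-Object Group, SamAccountName | Format-Table -AutoSize
} else {
    Write-Host 'No mail-enabled accounts found in the audited privileged groups.'
}
```

Each row in the output is a candidate for splitting into a dedicated admin account and a separate day-to-day account.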
The importance of having a plan
After looking at some of the best practices around defense, our session then moved on to response. An effective response process rests on four key pillars: triage, containment, response and recovery. All of them are fundamentally rooted in having a plan. Companies must have an effective response plan that has been appropriately tested, with users aware of how to enact each stage and where they need to escalate. Be aware that response plans go out of date; a plan is a living document that you have to keep reviewing. There’s no point digging out a plan from four years ago when, in that time, you’ve migrated systems!
Key controls for prevention and mitigation
So, what are some of the key controls organizations should be considering to prevent or mitigate ransomware attacks? Firstly, it’s important to remember that the first place ransomware is likely to strike in your business is via an end user. That’s because users interact with external websites and use email every day, so they are more exposed to things that could be malicious.
Companies must make sure that user workstations are appropriately hardened and are regularly tested. It’s also important to think like an attacker and make sure that the path from a standard user permission set to full control is as hard as possible – often a difficult balance to strike while still allowing people to complete their day-to-day jobs. Then you can move on to the user accounts themselves, making sure that, wherever available, multifactor authentication (MFA) is enabled and activated. As an example, if a user mistakenly logs into a phishing website with their username and password, those credentials must be of as little value as possible, so that they cannot be used without the second authentication factor.
These controls protect the initial endpoint that an attacker might land on. You can also go a stage earlier with things like mail filtering or web filtering. Neither of those will be 100% successful, but if you can filter out 90% of the malicious emails that users receive, it will make it much easier for them to spot the things that they shouldn’t click on.
Let frameworks guide the way
When building a cyber strategy and defense-in-depth model, frameworks are key. There is a variety of framework types that cover the full security ecosystem – processes, people, technological controls and the techniques used by attackers. There’s a huge array that you can leverage. Fundamentally, you’re trying to build up a holistic security picture of the whole organization to ensure that you have the right controls every step of the way.
Unfortunately, some of those controls will sometimes fail. It could be that the attacker uses a new exploit that came out two days ago and you haven’t had a chance to write a detection for it yet, or it might just be that the control didn’t work in conjunction with others quite as well as it did in testing. Leveraging frameworks to guide you in implementing security controls is key, rather than only implementing the things you can immediately see and potentially missing crucial mitigations.
To learn more about the best practices when it comes to guarding against ransomware, including how to implement controls and stop lateral movement in more detail, you can watch the full briefing here.