10 Steps To An Effective Ransomware Protection Strategy
In light of the recent widespread takedown of NHS systems by Wanna Decryptor 2 ransomware, at the forefront of many CISO’s thoughts this weekend will be how to protect their enterprise data against falling foul of the many varieties of ransomware available in the wild.
Hacking is no longer the preserve of pizza eating cola-drinking kids looking to have a bit of fun! It is a growing business, and a big, very organised business at that. Buy your favourite variant of crypto-ware and you’ll receive not only the tools to bring your target to it’s knees, you’ll also receive unrivalled levels of support to ensure you get the malware to work effectively.
So, how do you protect your data from being turned in to mincemeat?
Like security in general, you should look at a layered approach. Investigate the ways you can be hit by ransomware, rate these in terms of risk, then take steps to protect these.
The ways in are many, including email and web drive-by etc, and almost all will leverage an end-user in your organisation to unwittingly infect your network with something nasty.
With this in mind, I’ve compiled a list of important and often overlooked parts of your overall security strategy:
- Staff: user awareness is so important. Regular lessons and reminders to be aware of what links you are clicking, what attachments you are opening, being sure the email you are responding too really is going to who they claim to be – staff are most likely your first and last line of defence: ignorance should not be an excuse in this day and age.
- Email: reduce the chance of phishing emails reaching your staff will obviously reduce the chances that any will be effective.
- Web: good layer-7 defence is now a must – block the malicious download should a link be followed; stop any bots talking back to the C&C servers.
- Patching: most attacks, once inside, will look to exploit a vulnerability either in the OS or 3rd party application – keeping systems and software up to date with security patches in an absolute must.
- Configuration: important as patching is, it is little use with insecure configuration. Consider your home: you have a hi-tech alarm, 10-lever mortices everywhere, and moat and an electric fence – all this is useless if the drawbridge is lowered, the fence is powered up, and the doors and windows are all open. Compliance scanning will reveal these holes so you can close them.
- Malware Protection: arm your endpoints against all types of malware activity. AV is no longer enough. Behaviour analytics and process sandboxing are the next-gen way-to-go.
- Internal network: IPS and IDS systems can monitor your network for suspicious internal traffic.
- Privilege escalation: protect your privileged accounts like your life depends on it. Decent PAM is now highly affordable and ensure everyone, including your systems admins, only use privilege escalation when necessary, and aren’t sat with elevated privileges to check emails and browse websites.
- SIEM: all these systems produce events, and these events can be correlated to highlight potentially unwanted behaviour before any damage is done.
- Backup: and of course, don’t forget to back-up! Replication is all very well, but alone may not protect against ransomware. After all, encrypted files will be faithfully replicated too! And don’t forget to regularly check your recovery systems – nothing worse than finding out your backups aren’t worth whatever media they are stored on.
So in summary:
- User training and awareness
- Reject phishing emails
- Block bad downloads and C&C traffic
- Patch security exploits
- Ensure configuration is in line with security best practices
- Protect endpoints wth next-gen smart solutions
- Monitor network traffic
- Limit access to privilege accounts and implement strong password policies
- Use log collection and SIEM to give insight in to suspicious behaviour across your environments
- Backup, backup, backup (and test your restoration plans)