Three Ways to Protect Against Ransomware
Cyber-attacks are more topical than ever in Australia. First there were the well-publicised ransomware attacks on Toll Holdings and Service NSW. Then Prime Minister Morrison held a press conference to announce that Australian organisations are being targeted by a sophisticated state-based cyber actor. He said the activity is targeting Australian organisations across a range of sectors, including all levels of government, industry, political organisations, education, health, essential service providers and operators of other critical infrastructure.
He made a great point that cyber security is a whole of community effort spanning government, industry and individuals. It is critical that everyone is aware of potential threats so that they can spot them and avoid falling victim.
One of the most prevalent types of cyber-attack is ransomware. Ransomware is a class of malware which restricts access to the computer system that it infects, and demands a ransom paid to the creator of the malware in order for the restriction to be removed. Some forms of ransomware encrypt files on the system’s hard drive, while others simply lock the system and display messages intended to coax the user into paying.
It is estimated that ransomware attacks demanded almost US$160 million from Australian organisations in 2020, the cost of which grew to US$1 billion when you take into account downtime. And this is just the attacks that we are aware of!
Two styles of ransomware attack have emerged:
- screen lockers, where the victim’s screen is simply locked (historically the more common type, and usually the less debilitating).
- targeted attacks that actually encrypt the files on the victim’s computers.
In the first type, criminals use an official-looking logo (a local law enforcement agency or a government department, say) to intimidate the victim into clicking a link or opening a file that installs malware which locks the screen until a payment is made. It is a broad-brush approach, distributed en masse in the hope that a fraction of victims will pay the ‘fine’ demanded on the locked screen. This kind does not typically encrypt any files (although early examples may have); it is ordinary malware, and most security vendors provide tools to remove it.
The second type is the more targeted, and far more damaging, concern. Here the criminals pick a particular victim, typically a business or an organisation, gain access to its computers and encrypt the files on them. Without a clean backup or the attacker’s decryption key the files are inaccessible, and paying the ransom does not guarantee that a working key will be supplied.
In both cases the malware is most often delivered by phishing: a fraudulent communication disguised as coming from a trustworthy entity that tricks the victim into clicking a link or handing over sensitive information such as usernames, passwords and credit card details. Exposed remote-access services are the other common way in, which is why the controls below address them. It is therefore critical to educate employees, partners, suppliers and customers to watch for phishing attempts. But you also need a plan to minimise the impact of a ransomware attack that does succeed.
3 steps to protect yourself and your organisation
1) Focus on the Basics
- Educate users – your people can be the weakest link in your security strategy or your greatest ally, depending on the education they receive.
- Protect malware entry points – email, web and removable media on endpoints. Use well-regarded web and email filtering, and defend against advanced threats with user and network behaviour analysis, heuristics and similar techniques.
- Apply patches promptly – just do it. Attackers search for and exploit unpatched vulnerabilities in your systems to spread and infect your IT assets.
- Segmentation – segment networks according to the criticality of the information they hold and the risk to it. Microsegmentation can achieve this without major changes to the network or application infrastructure itself.
- Least privilege – give users only the privileges they need to perform their tasks.
- Incident response plan – bad things will happen. Have a robust, regularly tested plan that can be activated when a breach occurs so that you recover methodically rather than improvising.
- Backups – run regular backups on a schedule set by the criticality of each system, keep at least one copy offline or otherwise out of reach of a compromised account (ransomware operators deliberately encrypt or delete online backups), and test that restores actually work.
- Protect against advanced threats – invest in technologies that detect and block advanced threats at every layer: endpoints, servers, network, web traffic and email traffic.
- Limit remote access – do not expose remote-desktop, management or other administrative services to the Internet directly.
- Ensure secure remote access – where remote access is needed, use encrypted point-to-point connections such as a VPN that require two-factor authentication.
- Strong authentication – at a minimum, enforce strong passphrase/password policies; ideally, use multi-factor authentication, particularly for remote access; consider biometric or other passwordless authentication, which eases logon while improving security.
- Privileged account management – put controls in place that make unauthorised use of privileged accounts difficult, and monitor how those accounts are used.
- Application whitelisting – one of the most effective controls: an application that is not on the approved list, malware included, is simply not allowed to execute.
2) Take an Attack-Based Approach
Think like a crim! Understand the stages of a ransomware attack so that you can apply controls at each stage. A typical attack proceeds as follows:
- Email or web-based attack
- Malware download
- Local machine encryption
- Lateral movement
- Further infection
The following controls help stop this type of attack:
- Predict – systems, tools, policies and procedures that help detect vulnerabilities in systems and predict potential avenues of attack.
- Prevent – systems, tools, policies and procedures that prevent threats affecting your systems. Examples include the corporate firewall and microsegmentation.
- Detect – systems, tools, policies and procedures that give you the ability to detect threats that may affect your system. An example is an Intrusion Detection System.
- Respond – systems, tools, policies and procedures that allow you to respond to threats and contain or eradicate them. For example, a Security Information and Event Management (SIEM) system driving automated response actions such as dynamic isolation of an infected host.
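As an added example of a Detect control aimed at the “local machine encryption” stage (not code from the original article), the following script flags any process that rewrites and renames an unusual number of files within a few seconds. The file-activity events are constructed inline; the process name install_helper.exe, the file paths and the thresholds are assumptions chosen for the illustration, and a real deployment would read such events from an endpoint agent.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta
import os


def build_sample_events():
    """Constructed file-activity log (not real telemetry): a user editing a few
    documents slowly, then a hypothetical process 'install_helper.exe' rewriting
    and renaming 25 spreadsheets within four seconds.
    Each event is (timestamp, process, op, path, new_path)."""
    t0 = datetime(2020, 6, 19, 10, 0, 0)
    events = []
    for i in range(3):  # benign: few files, minutes apart, extension unchanged
        events.append((t0 + timedelta(minutes=5 * i), "winword.exe", "write",
                       f"C:/Users/alice/Documents/report{i}.docx", None))
    for i in range(25):  # suspicious: many files, milliseconds apart, new extension
        ts = t0 + timedelta(milliseconds=150 * i)
        src = f"C:/Users/alice/Documents/q{i:02d}.xlsx"
        events.append((ts, "install_helper.exe", "write", src, None))
        events.append((ts, "install_helper.exe", "rename", src, src + ".locked"))
    events.sort(key=lambda e: e[0])  # stable sort keeps each write before its rename
    return events


def detect_bulk_encryption(events, window_seconds=10, min_files=20):
    """Raise one alert per process that touches at least min_files distinct
    files inside a sliding window of window_seconds. The alert also counts
    renames that changed the file extension, which separates encryption from a
    legitimate bulk write (a software update changes contents but keeps the
    extensions). Events must be sorted by timestamp."""
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)  # process -> deque of (ts, path, ext_changed)
    alerts = {}
    for ts, proc, op, path, new_path in events:
        ext_changed = (op == "rename" and new_path is not None and
                       os.path.splitext(new_path)[1] != os.path.splitext(path)[1])
        q = recent[proc]
        q.append((ts, path, ext_changed))
        while q and ts - q[0][0] > window:  # expire events that left the window
            q.popleft()
        files = {p for _, p, _ in q}
        if len(files) >= min_files:
            alert = alerts.setdefault(proc, {"proc": proc, "first_seen": q[0][0]})
            alert.update(last_seen=ts, files=len(files),
                         ext_changes=sum(1 for _, _, changed in q if changed))
    return list(alerts.values())


if __name__ == "__main__":
    for a in detect_bulk_encryption(build_sample_events()):
        print(f"ALERT {a['proc']}: {a['files']} files, {a['ext_changes']} extension "
              f"changes between {a['first_seen'].time()} and {a['last_seen'].time()}")
```

The extension-change count is what makes the alert actionable: a process that rewrites hundreds of files but keeps their names is worth a look, while one that also gives every file a new extension is the signature of encryption in progress and a sensible trigger for the automated isolation mentioned under Respond.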
Look at every step in the attack methodology and apply controls from each category to each step. The simplest way to do this is a table: attack phases as rows, control categories as columns, with your existing controls written into the cells they cover. Any empty cell is a gap; address it urgently. As you do this gap analysis, do not forget controls for people and processes, physical security, disaster recovery and third parties. Mapping your controls to an adversary’s attack methodology is the best way to stop the attack.
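The table described above, worked through in code as an added example (not part of the original article): the control inventory below is constructed for illustration, and the phase and category names follow the lists in this section. The functions build the phase-by-category matrix, list the empty cells and report overall coverage, so the same script can be re-run as controls are added.

```python
PHASES = ["Email or web attack", "Malware download", "Local machine encryption",
          "Lateral movement", "Further infection"]
CATEGORIES = ["Predict", "Prevent", "Detect", "Respond"]

# Constructed control inventory (assumed, not the article's): (control, category, phases covered).
SAMPLE_CONTROLS = [
    ("Phishing awareness training", "Prevent", ["Email or web attack"]),
    ("Email and web filtering", "Prevent", ["Email or web attack", "Malware download"]),
    ("Vulnerability scanning", "Predict", ["Malware download", "Lateral movement"]),
    ("Application whitelisting", "Prevent", ["Malware download", "Local machine encryption"]),
    ("Endpoint detection and response", "Detect", ["Malware download", "Local machine encryption"]),
    ("Network intrusion detection", "Detect", ["Lateral movement", "Further infection"]),
    ("Microsegmentation", "Prevent", ["Lateral movement", "Further infection"]),
    ("SIEM with dynamic isolation", "Respond",
     ["Local machine encryption", "Lateral movement", "Further infection"]),
    ("Tested offline backups", "Respond", ["Local machine encryption"]),
]


def build_matrix(controls, phases=PHASES, categories=CATEGORIES):
    """Place each control into every (phase, category) cell it covers.
    Unknown phase or category names are rejected so a typo cannot hide a gap."""
    matrix = {p: {c: [] for c in categories} for p in phases}
    for name, category, covered in controls:
        if category not in categories:
            raise ValueError(f"{name}: unknown category {category!r}")
        for phase in covered:
            if phase not in phases:
                raise ValueError(f"{name}: unknown phase {phase!r}")
            matrix[phase][category].append(name)
    return matrix


def find_gaps(matrix):
    """Return the (phase, category) cells that have no control at all."""
    return [(p, c) for p, row in matrix.items() for c, ctrls in row.items() if not ctrls]


def coverage(matrix):
    """Fraction of cells covered by at least one control."""
    cells = [ctrls for row in matrix.values() for ctrls in row.values()]
    return sum(1 for c in cells if c) / len(cells)


def render(matrix):
    """Plain-text table: one row per attack phase, one column per control
    category, showing the number of controls in each cell or GAP."""
    cats = list(next(iter(matrix.values())))
    width = max(len(p) for p in matrix)
    lines = [" " * width + "  " + "  ".join(f"{c:<8}" for c in cats)]
    for phase, row in matrix.items():
        marks = "  ".join(f"{(str(len(row[c])) if row[c] else 'GAP'):<8}" for c in cats)
        lines.append(f"{phase:<{width}}  {marks}")
    return "\n".join(lines)


if __name__ == "__main__":
    m = build_matrix(SAMPLE_CONTROLS)
    print(render(m))
    print(f"\nCoverage: {coverage(m):.0%}; gaps to address:")
    for phase, category in find_gaps(m):
        print(f"  - {category} control for '{phase}'")
```

On this sample inventory the script reports six empty cells, for example no Detect or Respond control for the initial email or web attack and no Predict control for the encryption stage. That is the point of the exercise: the gaps cluster around the stages teams rarely think about, and the table makes them impossible to overlook.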
3) Get Strategic
The advice above is tactical. Threats will evolve and get worse. The only way to truly protect yourself is to conduct a robust risk analysis of your environment against a recognised framework such as ISO 27001, the NIST Cybersecurity Framework or the Australian Government Information Security Manual (ISM), and address the issues it surfaces. Start with a simple health check. Understand your vulnerabilities and address them methodically. Then rinse and repeat! The threat landscape and your environment will constantly change and evolve; to stay on top of new and emerging threats you have to stay vigilant and reassess your risks regularly.
In addition, engage in intelligence-led security: gather relevant intelligence about the threats and vulnerabilities that apply to your environment and protect yourself against them specifically. Feed this intelligence, along with your own vulnerability data, into your Security Information and Event Management (SIEM) tool so that it can detect threats faster and with far fewer false positives.
The traditional risk analysis approach looks at strategies from the inside out as you are primarily focused on control gaps inside your organisation. The intelligence-led approach looks at strategies from the outside in (from the attacker’s perspective). The combination of these two approaches can truly give you a well-rounded perspective to risks and threats affecting your organisation.
Read my paper Three Ways to Protect Against Ransomware for more detail on how to employ these three practical steps.