Combatting ransomware with a few easy threat mitigation steps

Ransomware is a variant of malware that is so easy to use that it has become the tool of choice for malicious script kiddies and wannabe hackers. The plug-and-play nature of this astonishingly simple adversarial tool has wreaked havoc on organisations of all sizes and sectors, with devastating results. Of course, amidst the gloom and doom of recent ransoming successes there are charlatans and faux experts venturing to capitalise on the sheer chaos and palpable fear plaguing computer users across the globe. These swindlers make promises of ‘silver bullet’ solutions that can thwart everything from malware and viruses to drive-by downloads and malvertising; however, their promise, like their product, is only an empty simulacrum of a solution.

The truth is, the only real cyber defence is a layered defence. No amount of administrative, physical, or technical controls can prevent a breach from happening if the adversary is persistent and well-resourced. Instead, a layered defence allows your organisation to detect and respond to threats rather than assume that your systems are immune to attack.

Consider your organisation's network of connected devices as if it were a medieval castle. The various layers of defence would be a cleared expanse to allow visual surveillance of the surrounding area, a moat, archers along the fortified wall, a heavily constructed drawbridge and, of course, the robust construction and layering of the outer walls. As the adversary breaches the perimeter, your stalwart defences raise the alarm and engage pre-established procedures to thwart the attack and defend the critical assets. The coordinated systems function in efficient concert to slow and counter the advances of the threat and to fortify vulnerable areas of the system, diminishing the adversary's foothold. There are multiple fail-safes in this example, just as there should be in your company’s cybersecurity strategy.

Security-centric cyber hygiene must become part of the cultural DNA of any organisation aspiring to minimise its attack surface and thwart threats. Like electricity and water, attackers follow the path of least resistance: they attempt to exploit the network where it is least defended. Consequently, your personnel, the least trained and yet most vital resource of the organisation, are both your strongest and your weakest link. If they make a mistake, then your organisation has made a mistake. If they fail to rebuff an adversarial advance, then the organisation has failed to resist the adversary’s influence.

The most profound component of any corporate cybersecurity strategy is the introduction of an information security team, separate from your IT team, whose sole purpose is the ongoing, all-encompassing cybersecurity of all systems and personnel. First and foremost, this team will run a risk assessment in order to identify vulnerabilities and critical assets. After all, network defence is a blind gambit if you do not know where to focus your efforts and what to protect according to its value. The team will enumerate and map the network and restrict changes to the network and network devices. They will update and patch applications as threats emerge, audit technology vendor contracts for language that commits the vendor to security maintenance throughout the lifecycle of the device, and audit vendors who have remote access to the company’s network to confirm that their cyber hygiene meets the organisation's new standard. The infosec team will notify employees of the latest threats while providing ongoing cyber hygiene training on prominent attack vectors such as spear phishing, watering-hole attacks, drive-by downloads, malvertising and social engineering. The security team will also introduce and monitor automated technology that detects abnormalities in user and network behaviour. User Behaviour Analytics and intrusion detection/prevention systems should support a whitelisted (default-deny) firewall to detect and deny suspicious activity such as remote system access, escalation of user privilege, violations of the principle of least privilege, or connections to Tor or I2P. Finally, the team will implement the most important cybersecurity strategy for mitigating the catastrophic outcome of a successful ransomware attack: critical systems and data will be regularly and automatically backed up, protected in real time, and encrypted in transit and at rest. These backups will be segmented from the rest of the network so that they remain immune to adversarial corruption, and critical systems will be supported by redundant systems to ensure that the organisation has continuous access to its data. In short, the information security team will act as battle commanders in manoeuvres against the adversary, shoring up systems and personnel to ensure that the confidentiality, availability, and integrity of the network remain constant.

This foundational cybersecurity strategy will be expanded and built upon as the infosec team adapts to the organisation's industry and niche and to the latest threats. Breach anxiety is wasted energy that could otherwise be spent on proactive threat mitigation. Why worry about the potentially infinite number of external threats when you know that your organisation's information security team has ensured its internal defences? The hyper-evolution of technology in the last decade, compounded by the emergence of the vulnerable IoT attack surface and the rising ubiquity of credible cyber threats, means that cybersecurity vigilance must be a fundamental cornerstone of corporate culture and decision making. There will always be a ‘latest’ threat distributed along some novel and stealthy vector by a foreign, invisible adversary. However, cyber hygiene, a security-centric corporate culture and the perpetual efforts of a stable information security team will provide the layers of protection necessary to mitigate threats, defend the network, and recover from crises.

James Scott, Sr. Fellow ICIT

Image Credit: Ton Snoei / Shutterstock