Don’t forget to check out our eBook, Understanding Ransomware in the Enterprise, a comprehensive guide to helping organizations understand, plan for, respond to and protect against this now-prevalent threat.
In this post, we reproduce a sample chapter from the ransomware eBook on how to reduce your attack surface.
Ransomware attacks are not going away; in fact, the increasing diversity and total volume enabled by RaaS and affiliate schemes along with the low risk and lucrative returns only serves to suggest that ransomware will continue to evolve and increase in sophistication for the foreseeable future.
Examples like DopplePaymer ransomware employ lightning-fast payloads to perform over 2000 malicious operations on the host in less than 7 seconds. This means that legacy detection and response methods are failing to prevent infections and defenders response to ransomware often starts after the ransomware has achieved its objectives.
In order to become more effective in preventing ransomware, try to implement as many of the following recommendations as possible, where appropriate for your business environment.
How well do you know your attack surface? Prevention starts with intelligence on possible adversaries TTPs. Access to feeds and research powers your defences and helps you to understand and control your attack surface.
Highly organized crimeware groups such as Dridex and TrickBot have demonstrated success at scale utilizing ransomware as their primary attack vectors. Where they once relied primarily on banking fraud, their operations have noticeably shifted. This has attracted many new startup groups attempting to emulate their success. The proliferation of RaaS (Ransomware as a service) operations have undoubtedly wreaked havoc on many corporate networks.
However, there appears to have been an escalation amongst the groups struggling for dominance in the burgeoning ransomware services. The operators are no longer content with holding a network hostage. They are now seeking major payouts. The operators rifle through networks for days and weeks on end attempting to map the data points and find the juiciest data targets that will provide them with the best leverage for a payout.
Ransomware operators are now attempting to perfect their extortion schemes. Recent statistics put out by the FBI in the RSA presentation, attributed $61 million dollars to the group operating the RYUK ransomware. This figure accounted for operations conducted only between February 2018 and October 2019.
The operators of Maze and Revil (sodinokibi) are leveraging media and data leak sites in order to further threaten and humiliate victims into paying out their extortionist demands. Many groups such as DoppelPaymer, Clop, Netwalker, ATO and others have followed suit with leak sites. As the payouts continue, the attacks are not likely to go away anytime soon. The groups are now armed with substantial capital to further their attacks and further improve their products.
Discovery and Inventory
Ransomware criminals take advantage of the challenges and vulnerabilities created by BYOD, IoT and digital transformation initiatives using technologies like social, mobile, cloud, and software defined networks. Remote work forces demanding the ability to work from anywhere, any time whilst accessing company data and using cloud applications also create challenges and increase your attack surface. Visibility into who and what is on your network is crucial.
To control and take action, aim for continuous discovery and fingerprinting of all connected devices using active and passive discovery to identify and create a real time inventory of even intermittently connecting devices. This will help you to find and control rogue endpoints.
Software vulnerabilities allow attackers to use exploit kits to distribute ransomware. Supplementing endpoint discovery with an understanding of what operating systems, software and versions you have on which endpoints and servers is important to any patch management process.
Can you answer these questions?
- Which devices are connected to my environment?
- Which devices were connected in my environment?
- When was a device last seen or first seen in my environment?
- Which devices are unmanaged and unprotected?
- What is a device’s IP? MAC? Manufacturer? Type?
- Does this device have a specific port open?
- What information does the device report on this port?
- In which network (behind which GW) is it connected?
- What applications are installed on connected endpoints?
- Are there any unauthorized applications running in the organization?
Control Vulnerabilities And Harden Configuration
After you understand what devices are in your environment and what programs are installed on them, you need to control access, mitigate vulnerabilities and harden these endpoints and the software on them.
Centrally managing the evaluation and enforcement of device configuration and compliance is important to reducing your attack surface. Non-compliant devices should be reconfigured and hardened. Enforcing VPN connectivity, mandatory disk encryption, and port control will reduce the attack surface for ransomware.
Patch management is key, but with thousands of new vulnerabilities appearing every year, no organization is realistically going to patch every single one. Having a risk-based structured approach is best, but no approach is infallible.
Having centrally-managed application control allows security teams to control all software running within the endpoint environment and protect against exploits of unpatched vulnerabilities. It allows authorization of new software and prevents other, unauthorized, malicious, untrusted, or unnecessary applications from executing.
Control Human Vulnerabilities
Often with ransomware the weakest link is us, the human. The main entry vector is still email or visiting risky websites. Phishing, spear phishing and whaling are becoming more sophisticated and targeted, loaded with maldocs or ransomware links that tempt even vigilant users to click.
Having a programme of staff education and training is important to create a culture of suspicion and vigilance, sharing real world examples with staff and testing resilience is important, but even the best of us have the weakest of moments. You can reduce risk but you cannot eliminate it with training alone.
You can improve your email security with products that include features such as:
- Url scanning of inbound or archived email which does not allow clicks on target sites until the site can be checked for malware
- Detecting weaponized attachments in the mailbox and redirecting to a sandbox before delivery.
- Protection against impersonation, social engineering, typosquatting and masking
Ransomware only has rights to change and encrypt files if the infected user does. Controlling user access to critical network resources is necessary to limit exposure to this and ensure lateral movement is made more difficult.
Therefore, it is critical to ensure privileges are current and up to date and that users can only access appropriate files and network locations required for their duties.
Monitoring and controlling user behaviour on and off the network will allow alerts and actions to automatically respond to suspicious deviations to server, file share or unusual areas of the network. Recording data, credential usage and connections by endpoints can highlight productivity change or possible security breach signals. Tools like EDR are available to record every file execution and modification, registry change, network connection and binary execution across an organization’s connected endpoints, enhancing threat visibility to speed up action.
Improve Endpoint Security
Almost all organizations have endpoint security; however, to prevent ransomware, static detection and antivirus is no longer enough. Having advanced features in your endpoint protection and the ability to perform endpoint management and hygiene from a centralised management system is increasingly important.
Good endpoint security should include multiple static and behavioural detection engines, using machine learning and AI to speed up detection and analysis. It is also important to have exploit protection, device control, access control, vulnerability and application control. The addition of endpoint detection and response (EDR) into the mix, provides forensic analysis and root cause and immediate response actions like isolation, transfer to sandbox and rollback features to automate remediation are important considerations.
Having these features in one platform and one agent capable of protecting all devices and servers will ensure centralised visibility and control for your cyber security team across your entire endpoint estate.
How Can SentinelOne Help?
SentinelOne provides one platform to prevent, detect, respond, and hunt ransomware across all enterprise assets. See what has never been seen before. Control the unknown. All at machine speed.
Want to learn more about defending your organization against ransomware? Read the full eBook.