31 Aug Ransomware – Is your company protected?
The rapid and devastating proliferation of yet another high-profile ransomware attack, “Petya”, in late June emphasises that many organisations are still not adequately prepared for such incidents. Following hot on the heels of the WannaCry malware attacks, the observation we have made is that lessons are not being learned quickly enough, and mass disruption is likely to continue unless major steps are taken to improve not only defences but also the processes and procedures required to protect an organisation against the next wave of attacks, whose method and effect cannot be known in advance.
Looking back at 2016, we saw a huge surge in ransomware activity, with a reported 638 million instances of attacks. Comparing this to 3.8 million in 2015 highlights the significant challenge the industry faces and demonstrates what a lucrative attack vector ransomware has become.
Undoubtedly 2017 will continue to see further increases in this type of attack, and businesses large and small are going to continue to have their data held for ransom. Recently the Cyber Threat Alliance cited CryptoWall v3 as having cost users worldwide more than $325 million to date. Interestingly, many industry experts now believe that the latest ransomware attack (Petya) was not in fact intended to generate revenue by holding data to ransom, but rather to cause disruption and destroy data, with no intention of offering to restore it.
These types of incident have finally led to cyber security receiving the board-level exposure and focus that it warrants. However, the level and volume of “noise” coming from the cyber security marketplace will continue to increase, with an ever-growing number of vendors and solution providers claiming to offer the answer to our prayers. Understanding how confusing the marketplace has become for end users, Blue Cube Security has endeavoured to review the differing approaches being offered by the industry and to provide best-practice advice on what procedures to follow to protect your organisation from being the subject of an attack.
There can be no doubt that organisations need to take steps to stop malware from entering their environments, executing, and spreading, while also attempting to manage the impact if an outbreak does occur and to recover after the event. So, what steps should you take?
Every business should have a cyber security programme that protects its physical and digital assets. Organisations need to understand what and where these assets are, who has access to them, and what their business objectives are in order to build a relevant and effective cyber security programme. The cyber threat landscape is constantly evolving, and remaining vigilant ensures that security objectives stay aligned with new information about business priorities.
Humans are notoriously exploitable and are the soft centre of even the most secure networks. It has become increasingly important to provide a security awareness training programme to employees, to combat not just the ransomware threat but, more broadly, all cyber threats.
Ransomware attacks exploit the current weaknesses in your network. Be aware of where your vulnerable systems are located. Patch early and patch often, to ensure your business has a proactive and comprehensive system configuration and vulnerability management programme.
Legacy systems are a prime target for ransomware. Classify these systems as business-critical legacy devices and isolate them within the network.
Limit user privilege and network connectivity to the minimum essential for job requirements, and monitor access. Make sure you configure servers and workstations to be secure, and monitor them for change.
A significant amount of ransomware is distributed via malicious email attachments or hijacked websites; detect and protect against such attacks by utilising layered defences spanning both email security and web security gateways.
Do not enable macros, as a significant proportion of ransomware document infections rely on the user enabling them. Microsoft Office 2016 allows finer control over documents containing macros, with a new policy option to block macros from running in Office files that originate from the internet.
Antivirus and anti-malware software are universally recommended. Consideration must also be given to a multi-layered approach to network security: security solutions can be great individually, but are even better when they work together in a security fabric or framework. Legacy endpoint protection solutions are often dismissed as yesterday’s news; however, such technologies can still provide protection from legacy threats, many of which remain prevalent.
Complementing “legacy” endpoint security solutions with advanced Endpoint Protection Platform (EPP) solutions and anti-exploit capabilities will provide a strong foundation at the endpoint.
Ideally, you want to detect ransomware file-access behaviours immediately and quarantine the impacted users before the ransomware spreads to your network file servers. Behaviour-based anti-malware systems can recognise the exploits and techniques used by ransomware, so they can spot it even if it is brand new. Some are even able to notify network defences to prevent infected endpoints from spreading the ransomware.
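As an added illustration of the file-access behaviour detection described above (example code written for this page, not a product's logic or Blue Cube Security's own tooling), the following Python flags a user who renames many files to new extensions within a short window and marks them for quarantine; the log format, thresholds and sample events are all constructed assumptions.

```python
import os
from collections import defaultdict, deque

WINDOW_SECONDS = 10    # sliding window per user (assumed tuning value)
RENAME_THRESHOLD = 5   # extension-changing renames in the window before alerting

# Constructed sample log, not real data; assumed format: "<epoch> <user> <action> <path> [<new_path>]"
SAMPLE_LOG = """\
1498500000 alice WRITE /srv/share/finance/q2.xlsx
1498500003 alice RENAME /srv/share/finance/q2.xlsx /srv/share/finance/q2.xlsx.bak
1498500010 bob WRITE /srv/share/hr/handbook.docx
1498500011 bob RENAME /srv/share/hr/handbook.docx /srv/share/hr/handbook.docx.locked
1498500011 bob RENAME /srv/share/hr/payroll.xlsx /srv/share/hr/payroll.xlsx.locked
1498500012 bob RENAME /srv/share/hr/org.pptx /srv/share/hr/org.pptx.locked
1498500012 bob WRITE /srv/share/hr/README_DECRYPT.txt
1498500013 bob RENAME /srv/share/hr/policy.pdf /srv/share/hr/policy.pdf.locked
1498500013 bob RENAME /srv/share/hr/budget.xlsx /srv/share/hr/budget.xlsx.locked
1498500040 carol RENAME /srv/share/eng/draft.md /srv/share/eng/final.md
"""

def parse_event(line):
    """Split one log line into (timestamp, user, action, path, new_path)."""
    parts = line.split()
    new_path = parts[4] if len(parts) > 4 else None
    return int(parts[0]), parts[1], parts[2], parts[3], new_path

def changes_extension(path, new_path):
    """True when a rename swaps the file extension (e.g. .docx -> .locked)."""
    return os.path.splitext(path)[1].lower() != os.path.splitext(new_path)[1].lower()

def detect(log_text):
    """Return (alerts, quarantined_users): a user is alerted on and quarantined the first time they reach the rename threshold inside the window."""
    recent = defaultdict(deque)   # user -> timestamps of extension-changing renames
    alerts, quarantined = [], set()
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, user, action, path, new_path = parse_event(line)
        if action != "RENAME" or not changes_extension(path, new_path):
            continue              # plain writes and same-extension renames are ignored
        window = recent[user]
        window.append(ts)
        while ts - window[0] > WINDOW_SECONDS:
            window.popleft()      # drop renames older than the window
        if len(window) >= RENAME_THRESHOLD and user not in quarantined:
            quarantined.add(user)
            alerts.append((user, ts, len(window)))
    return alerts, quarantined
```

In the constructed sample, alice's single backup rename and carol's same-extension rename stay below the threshold, while bob's burst of five renames to a new extension within three seconds raises the alert.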
If an attack gets into your network, especially from a device you do not control such as BYOD kit, that is where deception technology comes in. This approach uses strategically planted, hidden decoy systems to identify ransomware as it spreads across your network.
A comprehensive disaster recovery strategy is vital to ensuring organisations are not held to ransom by cyber criminals. A ‘dry-run’ disaster recovery exercise, including restoring your backups, is best practice and helps you understand the cost in resources and time of recovering from a ransomware attack.
Develop a security incident response plan. Ransomware attacks are often time-critical, with organisations facing operational and statutory deadlines. It is vital to have a security incident response plan in place detailing the steps required from impact to recovery in the event of a ransomware attack. Blue Cube Security suggests that you never pay the ransom unless it is absolutely necessary for data recovery. Having a regular full backup facility gives you an inherent advantage here, as it may enable you to restore from backup rather than pay a ransom.
We have already seen a number of high-profile malware outbreaks in 2017. The WannaCry incident caused havoc across a wide range of industries and at the time was unprecedented in the scale and size of serious infections. The key question is: what did businesses learn from this to ensure that future attacks are detected and contained more quickly and effectively?
Within our customer base we saw an immediate re-evaluation of ransomware priorities at a senior level, with many businesses accelerating projects focused on areas such as patch and vulnerability management. However, the outbreak of Petya would suggest that many organisations did not learn their lessons and were still not fully prepared for such an outbreak. The problem appears to be that, while awareness was raised, it may only have kept the attention of senior management for a short period of time. Additionally, one of the key foundations of security, patch management, is not sexy and can be complex to deliver, which has inevitably led to a situation where it STILL may not receive the attention it requires.
Secondly, there is a plethora of next-generation endpoint security technologies on the market which use advanced capabilities such as AI and behavioural analytics to provide a more effective approach to stopping infections as they attempt to execute. The vendors in this space have been quick to highlight that they could have stopped malware such as WannaCry and Petya; however, it is clear there is still a great deal of debate over which solutions are the most effective and whether they would have substantially improved defences. The answer is probably yes, but it is important to understand that this is not a silver bullet: layered defences, as well as robust policies and procedures, are still required.
Blue Cube Security is an independent IT/cyber security solution provider with over 17 years’ experience in the cyber security arena, so we are able to leverage our experience and expertise to recommend best-fit solutions and services for your company. Within our portfolio we have identified a number of solutions that will assist in protecting against advanced malware and ransomware attacks. There is no “one-size-fits-all” approach that will automatically protect against a rapidly evolving threat landscape; however, by following the steps outlined within this document, and deploying solutions as “controls” to complement this approach, we can assist our customers in improving their cyber security posture.
A final point is that, despite best efforts and intentions, future issues are almost inevitable. Our research has demonstrated that many organisations still do not have a comprehensive incident response plan, and even those that do have admitted that they rarely test their plans and processes to assess whether they would be adequate in the event of a cyber attack. There is an old adage that says ‘fail to prepare, prepare to fail’, and this could not be more relevant in today’s increasingly threatened security landscape.
With the much-hyped EU GDPR on the horizon, responding to and reporting on any breach will become an increasingly important issue for companies and organisations of all sizes.
For further details of how Blue Cube Security can assist you in any of the areas discussed, or for an independent consultation, please contact us at Blue Cube Security Ltd.