Ten best practices for outsmarting ransomware
Derek Manky, Global Security Strategist at Fortinet
Almost a year after WannaCry made global news headlines, a number of high-profile organizations have continued to be targeted by this ransomware, some quite recently. It's part of a growing trend that has the potential to impact large numbers of people, and with potentially devastating consequences.
Traditionally, a ransomware attack begins when an end user clicks on a link or opens a file attached to a malicious email that is part of a phishing (random) or spearphishing (targeted) campaign, or visits a compromised website and picks up an infection along with whatever they were looking at or downloading. More recently, the WannaCry ransomworm and SamSam malware have been loaded onto a vulnerable endpoint device connected to an open network, and their payload spreads from there, locating other vulnerable systems and encrypting their data.
Over the past several months, cybercriminals have become much more active, targeting a wide range of organizations, from healthcare and educational institutions to local governments. We have also seen attackers successfully target cloud-based web hosting services in order to inject code into multiple high-traffic web domains at once rather than compromising them one at a time.
Future attacks are likely to leverage things like swarm intelligence to take humans out of the loop entirely in order to accelerate attacks to digital speeds. Real-time communications allow individual attack agents – or swarmbots – to cluster together into coordinated swarms that are able to more efficiently assess and target a wide array of potential vulnerabilities. To defend your network from such multi-pronged attacks, you need to develop a back-to-basics, methodical process to reduce the number of possible attack avenues that your organization is exposed to. Fortinet recommends these ten best practices:
- Inventory all devices: Discover and then maintain a live inventory of what devices are on your network at all times. Of course, this is hard to do if your security devices, access points, and network devices cannot talk to each other. As IT resources continue to be stretched then, an integrated NOC-SOC solution is a valuable approach to ensure that every device on the network is identified and monitored.
- Automate patching: The recent WannaCry breach makes clear that unpatched systems continue to be a primary conduit for attacks and malware, which is why you should, as much as possible, develop a process for automating patching.
- Segment the network: What will you do when your network is breached? That is a question every security professional needs to ask, because when it is, you want to limit the impact of that event as much as possible. The best first line of defense is to segment the network. Without proper segmentation, ransomworms can easily propagate across the network, even to backup stores, making the recovery portion of your incident response (IR) plan much more difficult to implement.
- Track threats: Subscribe to real-time threat feeds so that your security systems can be on the lookout for the latest attacks. When combined with local threat intelligence through a centralized integration and correlation tool, such as a SIEM or threat intelligence service, threat feeds help organizations see and respond to threats as soon as they begin to emerge in the wild, rather than only after they have already been targeted, and even begin to anticipate them.
- Watch for indicators of compromise (IOCs): When you can match your inventory to current threats, you can quickly see which of your devices are most at risk and prioritize hardening, patching, isolating, or replacing them.
- Harden endpoints and access points: Make it a rule that any devices coming onto your network meet basic security requirements and that you actively scan for unpatched or infected devices and traffic.
- Implement security controls: Apply signature and behavioral-based solutions throughout your network in order to detect and thwart attacks both at the edge of your network as well as once they have penetrated your perimeter defenses.
- Use security automation: Once you have locked down those areas you have control over, apply automation to as many of your basic security processes as possible. This frees your IT resources to focus on higher-order threat analysis and response tasks that can protect you from the more advanced threats targeting your organization.
- Back up critical systems: The most important thing you can do when dealing with ransomware is to make sure that you have a copy of critical data and resources stored off-network so you can restore and resume operations as soon as possible.
- Create an integrated security environment: To make sure that all these security practices are seamlessly extended into every new network ecosystem you bring online, you need to deploy security solutions that are fully integrated as a security fabric to enable centralized orchestration and analysis.
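The first, fourth and fifth practices above (a live inventory, a threat feed, and matching the two to find the devices most at risk) can be expressed as a small piece of code. The example below is added here as an illustration and is not Fortinet's or the author's code; the inventory, the threat feed entries, the "YYYY-MM" patch-level convention, the scoring rules and the connection log lines are all constructed for the example, and the IoC addresses are placeholders from the documentation ranges, not real indicators.

```python
"""Match a device inventory against a threat feed to prioritise hardening
and flag connections to known indicators. All data below is constructed."""
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class Device:
    host: str
    ip: str
    os: str
    patch_level: str     # "YYYY-MM" of the last cumulative update applied (assumed convention)
    segment: str         # network segment the device lives in
    smb_exposed: bool    # TCP/445 reachable from outside its own segment


@dataclass(frozen=True)
class Threat:
    name: str
    affected_os: frozenset
    fixed_in: str        # "YYYY-MM" patch level that closes the spreading vector
    needs_exposed_smb: bool
    iocs: frozenset      # placeholder C2 addresses (documentation ranges only)


# Constructed inventory, as a live discovery process would produce it.
INVENTORY = [
    Device("fileserver-01", "10.0.20.5", "Windows Server 2008 R2", "2017-02", "servers", True),
    Device("hr-laptop-17", "10.0.30.17", "Windows 7", "2018-03", "users", False),
    Device("backup-01", "10.0.40.2", "Windows Server 2012 R2", "2016-11", "backup", True),
    Device("kiosk-03", "10.0.50.3", "Ubuntu 16.04", "2018-01", "lobby", False),
]

WINDOWS = frozenset({"Windows 7", "Windows Server 2008 R2", "Windows Server 2012 R2"})

# Constructed threat feed entries, modelled loosely on the two families the article names.
THREAT_FEED = [
    Threat("wannacry-style SMB worm", WINDOWS, "2017-03", True, frozenset({"203.0.113.77"})),
    Threat("samsam-style hands-on intrusion", WINDOWS, "2018-02", False, frozenset({"198.51.100.9"})),
]

# Constructed firewall connection log lines (key=value after the timestamp).
CONNECTION_LOG = [
    "2018-04-02T10:15:01Z src=10.0.20.5 dst=203.0.113.77 dport=445 action=allow",
    "2018-04-02T10:15:07Z src=10.0.30.17 dst=192.0.2.10 dport=443 action=allow",
    "2018-04-02T10:16:12Z src=10.0.40.2 dst=198.51.100.9 dport=443 action=allow",
]


def risk_score(device: Device, threat: Threat) -> int:
    """0 = not affected. 1 = vulnerable OS missing the fix. +1 if the spreading
    vector is actually reachable. +1 if the device holds backups, because losing
    them defeats the recovery part of the IR plan."""
    if device.os not in threat.affected_os:
        return 0
    if device.patch_level >= threat.fixed_in:      # "YYYY-MM" strings compare chronologically
        return 0
    score = 1
    if not threat.needs_exposed_smb or device.smb_exposed:
        score += 1
    if device.segment == "backup":
        score += 1
    return score


def prioritise(inventory: List[Device], feed: List[Threat]) -> List[Tuple[str, str, int]]:
    """Return (host, threat name, score) for every affected pair, most urgent first."""
    ranked = [(d.host, t.name, risk_score(d, t)) for d in inventory for t in feed]
    ranked = [r for r in ranked if r[2] > 0]
    return sorted(ranked, key=lambda r: (-r[2], r[0], r[1]))


def match_iocs(log_lines: List[str], inventory: List[Device],
               feed: List[Threat]) -> List[Tuple[str, str, str]]:
    """Return (host, threat name, log line) for each connection to a feed IoC,
    resolving the source IP back to the inventory so the alert names a device."""
    by_ip = {d.ip: d for d in inventory}
    ioc_index = {ioc: t.name for t in feed for ioc in t.iocs}
    hits = []
    for line in log_lines:
        fields = dict(kv.split("=", 1) for kv in line.split()[1:])
        dst = fields.get("dst")
        if dst in ioc_index:
            dev = by_ip.get(fields.get("src"))
            hits.append((dev.host if dev else fields.get("src", "?"), ioc_index[dst], line))
    return hits


if __name__ == "__main__":
    for host, threat, score in prioritise(INVENTORY, THREAT_FEED):
        print(f"{score}  {host:14} {threat}")
    for host, threat, line in match_iocs(CONNECTION_LOG, INVENTORY, THREAT_FEED):
        print(f"IOC hit: {host} -> {threat}: {line}")
```

The backup server ranks first even though the file server is just as unpatched, which is the point of keeping segment information in the inventory: the device whose loss would break recovery gets patched or isolated before the rest. The IoC pass only flags traffic from devices that are actually in the inventory, so a hit can be turned into a concrete isolation or patching task rather than a bare IP address.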
A Team Effort
As networks become more complex, so will the job of defending them. It's not a one-solution or even one-team job anymore. Automation, together with the other security best practices above, can relieve the IT team's burden and close doors to ransomware. In addition, as malware evolves, the group intelligence provided by a shared threat feed will help you know what to look for and how to address new threats.