Ransomware readiness 1 of 3: Prevention
There is so much interest in ransomware at the moment that it almost feels like it’s the only cyber security problem we have to solve. While that certainly isn’t the case, there is undoubtedly a renewed importance in being able to deal with this increasingly debilitating threat.
Much time has been spent, as is often the case in cyber security, looking at how to detect it, mostly by examining network and end-point activity for host or session indicators of compromise. Of course, you want to be able to detect a ransomware attack. But wouldn’t it be better to try and prevent it in the first place?
In a series of posts (this one being the first of three), we will look initially at ways to prevent ransomware attacks in the first place. Then we will move on to how to limit and contain their effects, if you do get infected. Finally, we’ll look at the recovery options if things just don’t go to plan.
Prevention is better than cure
In the vast majority of cases, ransomware attacks start in one of two ways. If you can cover both these bases there is a good chance that early “patient zero” infection can be avoided:
- An attacker getting direct access to an environment to deliver ransomware.
- An attacker getting a user to access, read or trigger a web page, email or attachment.
When we analyse these vectors, we can see that had better controls been in place, the attack could well have been avoided completely. The good news is that with little more than a handful of operational security controls, these points of ransomware entry can be protected effectively.
From the cases we’ve seen (including here) and other research (such as this), there are six really good anti-ransomware defences to prevent attacks. In many cases these are focused on stopping the initial malicious payload the attacker is seeking to deliver. You can, of course, add more controls, but these are the ones that are generally recommended to limit your risk of attack:
1) Tightening up user application configurations
The settings for user applications, particularly Internet-facing ones such as browsers and email clients, can often be a major point of weakness. They are also often the easiest things to set in a central policy (assuming that it is then universally applied).
The most obvious and pertinent examples are the ability for emails and web pages to run active local code – Java/Flash etc. Removing this can sometimes lessen website functionality but, importantly, it prevents attacks that rely on getting a user to run local code.
In short, the aim is to limit what external content is able to do on a user’s system when it is accessed from a web page or an email.
2) Limiting application installation and execution
Most malware is received as an attachment, a download or at the end of a link, and will seek to self-install and run various bits of code. One way to prevent this is to control users’ ability to install and execute their own software. This is not dissimilar to the types of policies that are often put in place anyway to prevent the installation of unlicensed software, or random applications that could expose data (for instance cloud storage applications).
If “normal users” cannot install and run other applications, then neither can the malware sender/ransomware creator. The result is that the attack is stopped in its tracks – even if the user is “deceived” into opening a malicious attachment in the first place.
The value of this control is increased further by its ability to limit the many data theft attacks that rely on installing software, possibly the cloud storage type mentioned above, or other file transfer utilities.
Preventing installation and execution of ransomware is a big enough reason to control applications and software in this way.
3) Patching applications
It is important to make sure OS patches are applied, although in the case of ransomware we have often seen that OS-level vulnerabilities are more commonly used to spread the malware rather than to gain initial entry.
Applications, however, are the more likely point of attack for ransomware attackers. The reason is that when content arrives (email, web browser, document, PDF file) it is an application that loads it.
One example is Adobe Reader and PDF files, which have proven time and time again to be a common way in which malware is introduced. So closing this route of attack pays real dividends.
If applications have vulnerabilities that are not patched, there is a real danger that they can be exploited by any malicious file or document to allow ransomware to gain a foothold in your enterprise.
4) Controlling macros
As with active code/embedded malware in web pages and emails, another vector for ransomware infection and ingress is from within document files – Word documents, Excel spreadsheets etc. These files can contain macro code which can be turned against a user who has unwittingly opened an innocent-looking Word document or spreadsheet. This can happen easily, and so Microsoft Office applications should be configured to block all but “trusted” macros.
Preventing macros (i.e. code) running within applications is another very good way to limit the risk of ransomware, and other forms of malicious content entering your environment.
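As an added example (not from the original post), the following PowerShell script audits, and optionally enforces, the Office macro policy described above on a Windows endpoint. It assumes Office 2016/2019/365 (registry version key 16.0) and uses the per-user policy values that Group Policy also writes: VBAWarnings (3 = allow only digitally signed macros, 4 = block all macros) and blockcontentexecutionfrominternet (1 = block macros in files downloaded from the Internet).

```powershell
# Added example: audit/enforce Office macro blocking via the policy registry keys.
# Assumptions: Office version key "16.0"; run in the user's context (HKCU policy hive).
# Usage:  .\Check-MacroPolicy.ps1            (audit only)
#         .\Check-MacroPolicy.ps1 -Enforce   (set the compliant values where missing)
param(
    [switch]$Enforce,
    # 3 = disable all except digitally signed macros; 4 = disable all without notification
    [ValidateSet(3, 4)][int]$VbaWarnings = 3
)

$apps = 'Word', 'Excel', 'PowerPoint'

$findings = foreach ($app in $apps) {
    $key = "HKCU:\Software\Policies\Microsoft\Office\16.0\$app\Security"

    # Read the current policy values; missing key/values come back as $null (not set).
    $current = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    $vba  = $current.VBAWarnings
    $motw = $current.blockcontentexecutionfrominternet

    # Compliant only when unsigned macros are blocked AND Internet-sourced macros are blocked.
    $compliant = ($vba -in 3, 4) -and ($motw -eq 1)

    if ($Enforce -and -not $compliant) {
        # Create the policy key if absent, then write both DWORD values.
        New-Item -Path $key -Force | Out-Null
        Set-ItemProperty -Path $key -Name 'VBAWarnings' -Type DWord -Value $VbaWarnings
        Set-ItemProperty -Path $key -Name 'blockcontentexecutionfrominternet' -Type DWord -Value 1
        $vba  = $VbaWarnings
        $motw = 1
        $compliant = $true
    }

    [pscustomobject]@{
        Application         = $app
        VBAWarnings         = $vba
        BlockInternetMacros = $motw
        Compliant           = $compliant
    }
}

# Print the audit table; a "False" in Compliant is a finding to remediate.
$findings | Format-Table -AutoSize
```

In a managed estate these values would normally be pushed by Group Policy; running the script in audit mode on a sample of endpoints is a cheap way to verify that the policy actually landed.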
5) Educating staff
Cyber security awareness programmes are acknowledged as an important driver of cultural change and as a result are becoming more common. While they vary in quality, approach and even style of delivery, their ability to raise the level of cyber security knowledge is well-established.
The challenge with staff awareness, however, is that people can still be lured into making mistakes, and skilled social engineers can often entice quite capable people to do things they would not otherwise do. Adversaries can persuade even recently educated staff to believe that a malicious payload is in fact benign. Telling people to avoid clicking on suspicious links or unexpected and suspicious attachments only goes so far. If the attacker can induce the victim to click on a link or attachment, security teams need to rely on other technical controls as part of the defence in depth strategy.
Cyber security awareness programmes matter, but they are not a silver bullet. Refresher programs are necessary, but they also need to be accompanied by other controls. You need a mitigation strategy in place to address the absolute likelihood that someone will click on a link or allow an attachment to open and execute.
6) The network perimeter
Lastly, or firstly depending on your point of view, is the network perimeter. Defence of the perimeter is a vital enforcement point, as it is where access attempts are often targeted – as in the case of Travelex (out-of-date VPN devices) or Colonial Pipeline (single-factor authenticated access). Perimeter devices can also be equipped and configured to control the types of content users see.
If you have the ability to control access and prevent administrative users accessing the web, or if you can maintain a list of addresses with malicious content/bad reputations and filter the content or URLs that people access, then you can prevent a significant number of ransomware attacks.
Collectively these controls are highly effective. Of course, you want to detect ransomware, but preventing it in the first place is a better outcome. Putting up these barriers (which often only cost the time it takes to configure them) is a vital line of defence.
As with any risk management strategy, you must plan for the fact that sometimes defences like these will fail. This is the very essence of defence in depth and why, in the second blog in this series, we will look at how to deal with that circumstance when it occurs.
Once you have a set of controls in place, you can monitor them to ensure that they are working and correctly configured to provide an effective defence. This assurance is vital and forms a key part of a cyber security risk management process that will strengthen your oversight of your internal network as well as those of your third-party suppliers. Furthermore, cyber insurers are increasingly expecting organisations to have these basic “cyber hygiene” controls in place, with evidence of their operation, before taking on risks or paying out on policies.
As a starting point, these six preventive controls are simple, effective and widely recommended to assist in the fight against ransom