Ransomware readiness 2 of 3: Containment
In a previous blog, we talked about the rising threat of ransomware, how many solutions and approaches are geared towards detecting it, and how there are key things organisations they can do to prevent a ransomware attack.
We spoke about some recommended prevention controls and their prospect of success. We also, however, cautioned that there are no silver bullets and that no defence on its own is perfect. It’s for that very reason that it is wise to make plans and have controls in place to ensure that if ransomware does get through, its spread and effect is limited. It’s all about the defence in depth that can be gained through the deployment of multiple security controls. Clearly, one infected workstation is bad, but a thousand is undeniably worse.
All “Four” one…
“Containing” ransomware (in fact any attack or virus) is about limiting its ability to spread or to infect other systems and data; sometimes referred to as lateral movement. The four approaches below have been found to be the most useful defences against ransomware, if you have been unlucky enough to find it on an infected system.
In many respects they too are preventive controls, in that they are intended to limit the extent of an attack, but for this family of threats they are often containment countermeasures for “stage two” or “propagation” of an attack.
1) Restrict admin privileges
This comprises two aspects, first to minimise the number of people that have access to administrative accounts – and/or the amount of time they have access to them (e.g. for the duration of a change or a maintenance window). This is good practice – the principle of “least privilege”.
Secondly, limit the potential exposure to malware that people with admin accounts might have. This means turning off the most dangerous features and disabling the riskiest accesses that can be performed by those with admin credentials. For example, don’t give admin accounts an email address – if they need to use email, use their standard account. Don’t allow admin accounts to access the Internet, browse the web or access social media.
Admin accounts should only be required when access for maintenance is needed; so if that’s the limit of its use and someone using an admin account does stumble upon something malicious, it can’t penetrate the network using the very high level access rights of an administrator.
Limit the use of administrator accounts as much as you possible to reduce the risk of ransomware spreading across your systems.
2) Patch operating systems
Typically for ransomware the initial vector of attack is a direct network connection or via a malicious attachment, email or web page containing the initial payload.
Once that initial infection has activated and self-installed, ransomware typically seeks to spread across the network from its initial point of entry. It doesn’t spread by sending follow-up emails to all the other people in the organisation; more likely it will try to connect from system to system directly – from one host to the next, unbeknownst to the users. This can occur through several means, but if there is an unpatched operating system vulnerability that the code can identify across multiple hosts, it is relatively easy, and likely to work on every system.
If the first host and system gets infected, ransomware can quickly propagate across the network by exploiting OS vulnerabilities on adjacent interconnected systems on the same network. Maintaining patched operating systems is therefore a very effective defensive control.
3) Use multi-factor authentication
Multi-factor authentication (MFA) means that an attacker requires something other than a single stolen password, compromised account or other set of credentials to move the ransomware laterally from system to system or to gain escalated privileges. For normal users MFA can be a challenge with an operational overhead. Some systems may not support MFA at all.
When taking a risk-based approach, however, multi-factor authentication is a very effective way to protect more exposed access points such as remote access/VPN gateways (Colonial Pipeline was compromised using a single factor remote login at one such access point). MFA is invaluable for system administration accounts where the usage pattern is less frequent, but the impact of compromise can be significant.
Using MFA to protect sensitive or exposed access points and to control admin access puts operational barriers in the path of a ransomware attack.
4) Have anti-virus and end-point protection
Anti-virus and end-point protection may seem like the place to start for ransomware attacks, however the reality is that all these controls are baseline or foundational controls. Anti-virus and endpoint protection is key, but as with anything else, it is not a silver bullet – there are numerous accounts of successful attacks involving code/exploits/malware that have occurred despite that protection being operational.
Obviously, endpoint and anti-virus solutions should be current but even then, some malware and ransomware attacks seek to circumvent or disable the detection capabilities of anti-virus solutions; and it’s not unknown for attackers to undertake direct intrusions into the network, rather than seek to use malware code to gain access to a target.
Anti-virus solutions at the gateways and endpoints, however, provide significant protection against the spread of ransomware and other forms of viruses and malware. They must be regularly updated to be fully effective, and there are now emerging technologies that watch for suspicious behaviour on workstations as well as specific cases of known virus code.
Anti-virus solutions and end-point protection limit the intrusion and spread of malware of all types, and therefore they are another pivotal defensive against ransomware propagation.
The four controls described in this blog are the major components of the containment controls needed to limit the spread of ransomware.
In the first blog of this series we looked at the ways organisations could defend themselves from the initial stage of attack and then, here, we have canvassed the ways that an attack can be contained. Of course all 10 of these controls act in concert to prevent and limit the spread of ransomware – but businesses need to defend patient “zero” as well as patient “one” onwards.
As we said in the first blog, having controls that you can trust and making them measurable and effective is key. A ransomware attack will highlight at least one of the weaknesses in your cyber security posture, but you need to find them all, preferably ahead of time, so you can avert potentially catastrophic losses.
It’s important to remember that auditing and assessing your security controls are regular and on-going processes. Every vulnerability, every patch, every new admin account or newly provisioned server could introduce the weak link that allows access to a ransomware attack. Depending on the size and nature of your business operations, annual or even quarterly assessments may not be frequent enough to secure yourself in such a rapidly changing risk environment.