Written by Tunde Odeleye
Director of penetration testing services for cloud and data centre transformation for Insight Enterprises
Being an IT security professional today is a hugely complicated job. Most attention is paid to simply keeping the lights on, as opposed to trying to anticipate what threats the business could be exposed to. But threat vectors are increasing, as is the scale and severity of cyberattacks. Among the concerns is ransomware.
Prevention is far less taxing than recovering from a security attack.
According to information provided by Emsisoft to the New York Times, 205,280 organizations submitted files that had been hacked in a ransomware attack in 2019 — a 41 per cent increase from the year before. The costs to respond to such an attack and the harm that can be done are difficult to quantify, but the impacts are profound.
It is important to remember that, in security, we like to say, “It’s not a matter of if, but when.” The key is minimizing the degree to which an attacker can move throughout your IT environment and cause damage that’s difficult to undo. When looking at what your organization can do to mitigate the risk of a devastating ransomware attack, there are several ways to make meaningful improvements.
Endpoint security
This is basically ground zero. The endpoint is generally more important than your firewalls or your network, particularly given the prevalence of cloud and web application usage. Choosing an effective endpoint solution is critical, and not all endpoint security solutions are created equal. Take a look at publicly available ratings and testing criteria. Then, make sure the solution is properly implemented and being used to its fullest extent. Sometimes this requires engaging a third party to get the specific expertise you need.
Active Directory management
There have been countless examples of malicious actors leveraging group policies and other features within Active Directory to launch and scale a ransomware attack. An attacker can linger in your environment for weeks or months, using lateral movement to take down recovery controls, destroy your backups and wreak other forms of havoc. Monitoring password changes, group policy modifications and anything touching privileged accounts lets you identify suspicious behaviour before things get out of hand.
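As an added example (not from the article), the following Python sketch triages Windows Security events for the three signals named above: password resets, group policy object edits and additions to privileged groups. The event IDs and field names are the standard Security-log ones; the sample events and the account, group and GPO names in them are constructed.

```python
"""Triage Windows Security events for Active Directory signals worth alerting on.
Added example; the SAMPLE_EVENTS below are constructed, not real log data."""
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Built-in groups whose membership changes should always be reviewed.
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Schema Admins",
                     "Administrators", "Group Policy Creator Owners"}
# Standard Security-log IDs: 4724 = password reset by another account,
# 4728/4732/4756 = member added to a security-enabled group,
# 5136 = directory service object modified (covers GPO edits).
GROUP_ADD_EVENTS = {4728, 4732, 4756}

@dataclass
class Alert:
    severity: str
    event_id: int
    detail: str

def triage(event: dict) -> Optional[Alert]:
    """Return an Alert for the AD signals the article calls out, else None."""
    eid = event["EventID"]
    actor = event.get("SubjectUserName", "?")
    if eid == 4724:
        return Alert("medium", eid, f"password reset on {event['TargetUserName']} by {actor}")
    # For group-membership events TargetUserName holds the group name.
    if eid in GROUP_ADD_EVENTS and event.get("TargetUserName") in PRIVILEGED_GROUPS:
        return Alert("high", eid, f"{event['MemberName']} added to {event['TargetUserName']} by {actor}")
    if eid == 5136 and event.get("ObjectClass") == "groupPolicyContainer":
        return Alert("high", eid, f"GPO {event['ObjectDN']} attribute "
                                  f"{event['AttributeLDAPDisplayName']} changed by {actor}")
    return None

def triage_all(events: Iterable[dict]) -> List[Alert]:
    return [a for a in map(triage, events) if a is not None]

# Constructed sample events (names and GPO GUID are placeholders).
SAMPLE_EVENTS = [
    {"EventID": 4624, "SubjectUserName": "alice", "TargetUserName": "alice"},  # plain logon, ignored
    {"EventID": 4724, "SubjectUserName": "svc-backup", "TargetUserName": "jdoe"},
    {"EventID": 4728, "SubjectUserName": "jdoe", "TargetUserName": "Domain Admins",
     "MemberName": "CN=svc-backup,OU=Service,DC=example,DC=local"},
    {"EventID": 4728, "SubjectUserName": "hr-admin", "TargetUserName": "HR Staff",
     "MemberName": "CN=newhire,OU=Users,DC=example,DC=local"},  # non-privileged group, ignored
    {"EventID": 5136, "SubjectUserName": "jdoe", "ObjectClass": "groupPolicyContainer",
     "ObjectDN": "CN={EXAMPLE-GPO-GUID},CN=Policies,CN=System,DC=example,DC=local",
     "AttributeLDAPDisplayName": "gPCMachineExtensionNames"},
]

if __name__ == "__main__":
    for alert in triage_all(SAMPLE_EVENTS):
        print(f"[{alert.severity}] {alert.event_id}: {alert.detail}")
```

In practice the same logic runs over events exported from the domain controllers' Security logs, where the same field names appear under EventData.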
Workstation isolation
If you look at general network communication, we typically have clients, which could be workstations or servers, talking to server resources and the cloud. So the question is: is there ever any reason why clients should talk to each other, workstation to workstation? When attackers infiltrate an environment, patient zero is compromised, but the next thing the attacker is going to do is move laterally, exploiting vulnerabilities from one workstation to another. By isolating each workstation so that it only trusts server resources, you’ve removed the opportunity for lateral movement. This makes containment a lot easier.
One of the reasons why many organizations don’t use a technique like workstation isolation is because they’re worried about a lot of background protocols and don’t want to break anything. While this may certainly be true, understanding the network and how data flows through it is foundational for proper hardening, even when leveraging standards like NIST, CIS, or automated toolsets.
Vulnerability management
This is about more than identifying vulnerabilities. Ransomware prevention efforts are most successful when there is a defined process for assessing vulnerabilities and remediating them on a continuous basis. This can be done relatively inexpensively, but the IT team has to be dedicated to it. Tasks include, but aren’t limited to, patching and configuration. At a higher level, vulnerability management can also play an important role in measuring the overall risk profile of a business. Such information can be crucial during merger and acquisition discussions, business valuation and strategic activities.
Multifactor Authentication (MFA)
Despite the fact that this technology has existed for many years now, a surprising number of organizations have not adopted it. Plenty of security solutions include it as a feature, but it may not be enabled and in use. Using MFA can go a long way in preventing the spread of a ransomware attack by restricting access to sensitive assets and systems. The general rule of thumb is: if it’s externally facing and/or a Software-as-a-Service solution, MFA should be in place for all users. CRM and email platforms should have MFA controlling access, as should any privileged account.