In the age when I have to communicate with my kids via social media to get their attention, it’s no surprise that social engineering bore our most contemporary digital threat, phishing, as the lure for the high-profile cybersecurity threat of ransomware.
In a ransomware context, phishing attacks attempt to trick users into taking an action, such as opening an attachment or clicking a link, which results in ransomware being downloaded onto their computer. Phishing and ransomware are usually associated with email but can be delivered by other methods, including fake links on social media posts.
Ransomware is a type of malware that either locks you out of your computer or encrypts your data. It usually looks to spread itself to other machines, as the infamous WannaCry attack that impacted the NHS in 2017 did. Once the damage has been done either a message to contact an anonymous email address for instruction or a link to a website to directly make a ransom payment will be given. Payment is usually requested in the cryptocurrency bitcoin, which once paid, results in instructions of how to unlock computers or decrypt data.
To form an effective defence against ransomware, we need a multi-layered approach. To help, here’s a checklist of 5 things to address to equip yourself.
- Protect your Users
All users will already run anti-virus software that will have real time and scanning methods of detecting and handling threats. Don’t fall into the trap of thinking that this is all you need though, as most anti-virus technologies work on identifying known signatures – so far are less effective against unknown signatures, which could be new attacks or long-term attacks that have yet to be identified.
Automating patching of desktops is key to your defence, as many attacks will leverage known vulnerabilities to install and spread ransomware undetected. Making sure that you are continually fixing known vulnerabilities by patching will help close these back doors into your environment.
User tasks that could result in ransomware infection can also be addressed, including incoming and outgoing email communications and user web traffic. Email security scans all incoming and outgoing emails and to detect malware and phishing content in real time and isolates detected threats. Web security services verify that target web pages are safe before enabling users to load them.
- Protect your Data
Ransomware attempts to encrypt data, so having a solution that continually scans your storage in real time to detect and mitigate threats is key. Advanced storage protection solutions can also automate isolating end user devices attempting to encrypt files from the network. These solutions form yet another layer of defence against ransomware.
We know that backups are key to recovering from a ransomware attack if all other defences have failed. Unfortunately, the bad guys know this too and will target encrypting, modifying or deleting backup files as part of an attack. You can partially mitigate against this by using a 3-2-1 approach and having older backups stored in a different location (data centre or cloud) – but this comes with the trade-off of reduced RPO and RTO. Typically, you want to be able to quickly recover from ransomware and lose as little data as possible, so the use of immutable backups for the most recent backups on disk helps here. Immutable backups are effectively read-only, they cannot be modified or deleted, even by a user with admin rights – including a multi-step ransomware attack that has phished for user account credentials with admin privileges.
- Protect your Infrastructure
The threat with ransomware is not limited to a single device, the nature of many attacks is to spread as much as possible. We want an infrastructure that is capable of isolating threats before they can spread or find additional infrastructure targets to attack. The use of micro-segmentation on the network enables us to contain this threat and even dynamically isolate infected devices. Micro-segmentation is a function of a software-defined network and is automated through the use of connection policies.
As with end user devices, the infrastructure also needs regular or automated patching, to close any operating system or firmware vulnerabilities that might be open to exploiting by malware, including ransomware.
To prevent compromised user accounts from being used to make malicious changes to the infrastructure, zero trust should be used. In the context of ransomware protection this means using two-factor or multi-factor authentication on all infrastructure management or controller platforms – from compute to storage to network to data protection. This means that secondary identification will be required to gain access to management and controller platforms, such as passcodes or biometrics on mobile devices – mitigating against compromised passwords.
- Educate your Users
The simplest and most effective way to combat ransomware is to train your users how they need to act differently to avoid being duped by phishing attacks and getting infected with malware or ransomware. All users should be trained on the impact of an attack, how to spot and flag phishing communications.
In addition, simulated phishing attacks are a good and safe way to test the understanding of your users and identify those that need further training.
- Plan for an Attack
Finally, and most importantly, whatever measures you put in place you need to have a security incident response plan so that everyone knows what to do when an incident occurs. Simulations can be run to ensure that all key people know how to identify infections, isolate and stop them and then mitigate and report them by following pre-determined procedures documented into playbooks.
The best form of security defence is to be multi-layered like an onion and make it as hard as possible to get through each layer. These 5 steps give you a yardstick against which you can assess your own security maturity and ability to protect your users and data from ransomware.
Logicalis has packaged solutions and services in each of these areas, so if you need assistance in assessing your current posture or filling any gaps in capability then contact us - and should the worst happen and you become infected, we also offer security incident response and forensic services to help manage and resolve the situation.