I am increasingly learning of people being affected by ransomware, and often the damage inflicted could have been easily stopped or at least limited by implementing some good practices. In this blog post I will review some of my top tips.
- Please note that this isn’t an extensive list and if you would like to talk about the appropriate protection for your business, please reach out to us for a free discussion.
The Weakest Link – User
As we all know, these attacks often start with the user and not uncommonly these types of attack will start with some form of a phishing attack via email.
- User education is one of the areas that I recommend businesses invest in when it comes to cybersecurity. Increasingly these attacks aren’t technical in nature at all and start with social engineering and gaining confidence with their victims. Solution: One way that I have found particularly successful is simulated phishing attacks with the necessary training to ensure lessons are learnt. At ComputerWorld we have found Barracuda Phishline is particularly effective at this.
- As mentioned above, one way we see these attacks being engineered starts with an email being received by the targeted victim. This will then elicit some kind of behaviour that encourages the user to give up their password or download some software. Solution: I would recommend looking at the tools you have in place for email cleansing, spam and malware protection. Again at ComputerWorld we recommend the Barracuda Essentials products for protection against email-borne cyber threats. But whatever solution you have in place, ensure you have configured and are using all of the features available to you. More often than not, a solution is in place that could stop an attack but the feature has not been deployed.
- As a final line of defence around the user, you want to ensure you have a strong next-generation anti-virus deployed on the user’s machine. Solution: AV has come a long way, and you want to ensure that the solution you are using today doesn’t rely on virus signatures and that it has the ability to recognise attack patterns to protect fully against zero-day threats. At ComputerWorld we recommend the BitDefender or Carbon Black solutions depending on your needs.
Administrator Permissions
One of the most common ways I see ransomware proliferating a network is by exploiting administrator permissions. There are three specific areas I would like to address here.
- Global Administrator Permissions – Unfortunately, the entry point for these types of attack can be by exploiting an account used by someone in the IT department. If a user with a high level of network permissions on the account they use daily gets their account compromised and not only does the attacker have access to their device but potentially to the whole network. Solution: No one’s user account that they use on a daily basis should have any form of network administration rights. Users who require higher level permissions should have an alternative account with the required privileges that is only used for these specific activities. This will still enable you to connect to undertake the tasks you require but do so from a more secure posture.
- Local Admin Permissions – Often a ransomware attack on a local machine is only possible if the user has local admin permissions. Very few users should need to have local admin permissions on their own machine. Solution: Ensure users do not have local admin rights to their machine, where they do require local admin rights to consider an approach of elevated rights. There are several ways to achieve this, including using various third-party software solutions like LiquidWare ProfileUnity. But wherever possible, ensure users should not have local admin rights.
- Local Admin Account – You will want to consider your approach to local admin accounts when building new devices. If someone is able to infiltrate just one of the PCs on your network and then brute-force a local admin account that you use on all device builds they will be able to deploy their ransomware attack. Solution: There will be a number of solutions to this problem, initially ensure that any local admin accounts used during the build process use a highly secure machine-generated password that is safely secured in a password manager for use only by the appropriate people in IT.
Network Protection
If ransomware does take hold within your network, you want to ensure that where ever possible you limit where it may be able to infiltrate to.
- Wherever possible, I would recommend segmenting your network to ensure only the relevant protocols and people can pass through boundaries such as subnets configured between VLANs and VPNs.
- Consider implementing a zero-trust approach to user-facing networks, effectively ensuring that devices placed upon these networks have no ability to communicate with each other. Where possible, they have limited and secured access to other network resources such as applications servers. Effectively the ideal scenario is your user-facing LANs are effectively just internet connections allowing you to connect securely to the relevant resources the same way as it would if they were working from home.
Data Protection & Recovery
You need to work to the basis that you will at some point be affected by a ransomware attack. As such, it is highly critical to consider how you are going to be able to recover.
- Configure SAN Snapshots! – Often business-critical data will be stored in some way on a SAN, whether this is in the form of a virtual machine or stored directly within a volume on the SAN itself. As such, the first point of protection that we should consider is SAN-based snapshots. Most modern SAN devices will allow you to configure regular snapshots of the data with no performance loss and very little increase in the used capacity. Consider what your snapshot schedule should look like and how many iterations of the snapshots you wish to keep. I would recommend taking snapshots at regular intervals (every 30 mins maybe) and ensuring you keep snapshots for a period of up to two to three days where ever possible. This will allow you to recover quickly with minimal data loss even if a ransomware attack goes unnoticed over a weekend.
- Protect your backup server – One of the common scenarios we always see is that when a ransomware attack occurs the backup repository is often encrypted itself. Now point 3 below will take this scenario into consideration, but we should do whatever we can to ensure the backup server is protected. First of all ensure that your backup server isn’t named Backup server or Veeam server or similar, protect it via obscurity make it difficult for the attacker to find the server in the first place. Next, ensure that it isn’t accessible to any user-facing networks and anywhere possible as restricted from any other infrastructure servers. IN addiiton to this you should also configure application whitelisting to ensure that only the backup application can run on this server.
- Think About Air Gaps – You will want to ensure that as a minimum you keep at least one copy of your data off-site with wherever possible some form of air gap between the production networks, backup server and your off-site copies. This can be achieved by having a copy of your data on a tape, however, the recovery times from tape are less than ideal in the modern world and therefore I would recommend using a solution like Veeam Cloud Connect which allows a copy of your backup to be replicated to a cloud-based provider.
This video illustrates how easy it is to replicate your Veeam data to a Veeam Cloud Connect Provider. This video is based upon an older version of Veeam but the process is much the same in the newer versions.
Visibility and Response
The final element I want to discuss in this blog post is visibility and response, being aware of what is going on within your IT environment and knowing what to do if an attack occurs.
- All too often there may have been an infiltration into your network without your realising. An attacker could be in your network now planning how to best undertake their attack. Solution – You will want to ensure you have tools available to you that give you visibility of what is going on within your environment. These take many forms, but importantly you want to ensure they are easy for you to use and help you rather than overwhelm you with unnecessary information. A tool such as Netwrix Auditor will give you an insight into what is going on within the servers within your environment, highlighting worrying activity like repeated failed logins and changes happening on desktops and servers. For a more focused threat detection solution, I would recommend looking at Secureworks Taegis™ XDR Previously Red Cloak™ TDR. This platform will allow you to detect threats across your environment as well as giving you the ability to investigate and respond to the threats with the support of SecureWorks specialist teams.
- If the worst has happened and users are reporting devices are becoming encrypted across your network you need to know what to do within that moment of panic. Solution – Prior to being in the situation above, you will want to ensure you have fully considered and documented how you would respond to such an attack in the form of a cyber response plan. What is right for your organisation will differ depending on your unique requirements, but below are some basic principles that I would take into consideration.
- Isolate and take control – You will want to consider how you can isolate the attack as soon as possible. If it is just affecting one user or a couple of users, I would disconnect these devices from the network and consider even shutting down that section of the network. If you believe it could be wider, I would consider disconnecting all external connectivity to the organisation to limit the effect of an attack that is being controlled from an outside source and where ever possible shut down all devices that you believe may have been affected to reduce the effect of possible encryption that may be on-going. The above could have massive implications for your business but so could the effects of an out of control ransomware attack, as such thinking about how you will make these decisions and who will be involved in this process needs to be considered in advance.
- Investigate – When you have things under control, and you have isolated the relevant areas, you will want to investigate what has happened and how it happened. Use the tools available to you along with Windows logs to understand where the attack started and how they were able to infiltrate your network. This will hopefully allow you to ensure you close all gaps and further isolate affected systems before even thinking about recovery.
Conclusion
Hopefully, you have found this blog post useful and managed to find at least one or two areas to help you further tighten security or respond to an attack more effectively. We typically find that when an attack has occurred one or more of these areas have either led to the attack happening in the first place or have resulted in the data being lost with no recovery option available. If you would like to discuss your organisation cyber-security posture with a security professional with no cost or obligation, please complete the form below.
Leave a Reply