By Steve Mulhearn, Director of Enhanced Technologies, Fortinet
Just one year ago, the WannaCry ransomware attack made global headlines when it hit 230,000 computers, creating total chaos. A number of high-profile organisations have continued to be targeted by this ransomware, some quite recently. Just a few weeks ago, the Atlanta police department fell victim to a ransomware attack which cost them the permanent loss of years of video evidence. It’s part of a growing trend that has the potential to impact large numbers of people, with devastating consequences.
Typically, a ransomware attack begins when an end user clicks on a link or opens a file attached to a malicious email that is part of a phishing (random) or spear phishing (targeted) campaign. Or, they visit a compromised website and pick up a bug along with whatever they were looking at or downloading. In either case, the malicious file is loaded onto a vulnerable endpoint device that is connected to an open network, and its payload spreads from there, locating other vulnerable systems and encrypting their data.
All ransomware attacks have one thing in common: they almost always target systems with known vulnerabilities that should have been patched. With cybercriminals developing new attack vectors to exploit the expanding attack surface created by digital transformation, organisations need to develop a back to basics, methodical process to reduce the number of possible attack avenues that they are exposed to. This includes:
- Account for all devices: Organisations should maintain a live inventory of what devices are on their network. This will be easier if their security devices, access points, and network devices talk to each other. As IT resources continue to be stretched, an integrated NOC-SOC solution is a valuable approach to ensure that every device on the network is identified and monitored.
- Automate patching: The WannaCry breach, along with recent ransomware attacks, have made it clear that unpatched systems continue to be a primary channel for attacks and malware. As much as possible, organisations should develop a process for automating their patching process.
- Segment the network: Every organisation needs to ask themselves what they will do when their network is breached. Because when (not if) it is, they will want to limit the impact of the attack as much as possible. Segmenting their network is the best first line of defence. Without proper segmentation, ransomworms like WannaCry can easily propagate across the network, even to backup stores, making the recovery portion of the incident response (IR) plan much more difficult to implement. Segmentation strategies, including micro-segmentation in virtual environments and macro-segmentation between physical and virtual networks, allow organisations to proactively and dynamically isolate an attack, thereby limiting its ability to spread.
- Track threats: Subscribing to real-time threat feeds allows organisations to keep an eye on the latest attacks. Combined with local threat intelligence through a centralised integration and correlation tool, such as a SIEM or threat intelligence service, threat feeds help organisations anticipate and respond to threats as soon as they begin to emerge in the wild, rather than after they have fallen victim to an attack.
- Watch for indicators of compromise (IOCs):When organisations can match their inventory to current threats, they can quickly see which of their devices are most at risk and prioritise either hardening, patching, isolating, or replacing them.
- Harden endpoints and access points: Organisations should make it a rule that any devices coming onto the network meet basic security requirements. They should also actively scan for unpatched or infected devices and traffic.
- Implementsecurity controls: Applying signature and behavioural-based solutions throughout the network enables organisations to detect and thwart attacks both at the edge of the network as well as once they have penetrated its perimeter defences.
- Automate security: Once the organisation has locked down those areas it has control over, the next step is to apply automation to as many basic security processes as possible. This frees IT resources to focus on higher-order threat analysis and response tasks that can protect the organisation from more advanced threats.
- Back up critical systems: The most important thing to do when dealing with ransomware is to make sure that the organisation has a copy of critical data and resources stored off-network so it can restore and resume operations as soon as possible.
- Create an integrated security environment: To make sure that all these security practices are seamlessly extended into every new network ecosystem brought online, organisations need to deploy security solutions that are fully integrated as a security fabric to enable centralised orchestration and analysis.
Even the most sophisticated emerging ransomware attacks are just the tip of the spear. Cybercriminals are adopting new attack strategies, such as those used by Hajime and Hand-and-Seek, to accelerate both the scale and success of attacks. These new variants are transitioning away from traditional ransomworm-based attacks, which require constant communication back to their controller and replacing them with automated, self-learning strategies, potentially turning malicious ransomworms into ransomswarms. Future attacks are likely to leverage things like swarm intelligence to take humans out of the loop entirely in order to accelerate attacks to digital speeds.
As networks become more complex, so will the job of defending them. It’s not a one-solution or even one-team job anymore. Automation can help organisations to maintain basic security hygiene, relieving the burden on their IT team’s for this and many other security best practices, ultimately closing the doors to ransomware. What’s more, as malware evolves, the group intelligence provided by a shared threat feed will help organisations to know what to look for and how to address potential threats.