Combat ransomware with security essentials


Every organisation can learn lessons from increasingly sophisticated cyberattacks executed by criminals who run their operations like global businesses. However, it’s important to be pragmatic about what you can and can’t do because you can’t cover every eventuality.

You can never ensure an employee won’t click on the wrong link, or that a third party in your digital ecosystem won’t accidentally expose a vulnerability. But you can revisit security fundamentals and get the essentials right. You can think about which threats pose the biggest challenge to your organisation and what you can do to protect your most valuable asset, whether that’s customer data, financial information or company IP.

In the case of ransomware, there are three distinct challenges: preventing an intrusion in the first instance if possible, detecting those that cannot be prevented before a breach, and then containing a breach if one happens.

Enemies at the gates

In the last year, we’ve seen criminal gangs work together and combine DDoS (Distributed Denial of Service) with social engineering. This is like lighting a fire at the front of the house as they break in through the back door. Distracted by high-volume network attacks, IT teams might miss a phishing variant that catches out employees and lets criminals inside.

The fundamentals here are network security and monitoring systems that pick up IP addresses associated with DDoS attacks and identify traffic anomalies. Preventing employees from being the entry point to ransomware is about a combination of policies, training and endpoint security. It’s about embedding a culture in a company and getting to a point where employees are on their guard from the moment they open their inbox.

Backup and disaster recovery plans are pivotal. Not just having robust solutions in place but ensuring they’re tested regularly and meet recovery time objectives (the time it takes to get the business back up and running, which has to be appropriate to the business need). Taking three weeks to restore a backup for a transaction-driven business is not going to work.

The pandemic saw a huge spike in phishing attacks as cybercriminals targeted remote workers. With employees expected to move between home and office more regularly in the future, Endpoint Detection and Response (EDR) tools become even more important. Organisations have to double down on device and identity management now that more people will be working outside the traditional office environment.

Dealing with intruders

A hard fact of life is that most organisations will experience a breach at some point – and they might not even know it. Hackers are patient and will lie low. They will take on other identities and permissions to access more valuable data gradually. They will use exfiltration techniques, compressing and encrypting stolen data, to avoid detection as they remove it.

To find out if your systems have been breached, try to trap bad actors with a honeypot. Place these decoys in your production systems. Make them look and act like other services to entice cybercriminals to make a move and expose their presence. Use a honeypot simply to study malicious behaviour, or make it function as a trap to stop malware from spreading. You should also deploy threat monitoring systems to detect early signs of an attack before it spreads.
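The decoy idea above, as an added example that is not BT’s code or tooling: a minimal TCP decoy that answers with a constructed banner mimicking an internal file service, records every connection it receives (nothing legitimate is ever configured to use it, so a single touch is the signal), and raises an alert record the security team can forward to a SIEM. The host, port, banner text and the `simulate_touch` helper (used to exercise the trap locally) are assumptions for this illustration.

```python
import logging
import socket
import threading
import time
from datetime import datetime, timezone

logging.basicConfig(level=logging.INFO, format="%(levelname)s %(message)s")


class DecoyService:
    """Decoy TCP listener. No legitimate system uses it, so any connection
    is worth alerting on. The banner is a constructed lure, not a real service."""

    def __init__(self, host="127.0.0.1", port=0,
                 banner=b"220 files.internal FTP service ready\r\n"):
        self.host = host
        self.port = port            # 0 = let the OS pick a free port (local runs)
        self.banner = banner
        self.touches = []           # one alert record per connection received
        self._lock = threading.Lock()
        self._sock = None

    def start(self):
        self._sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self._sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self._sock.bind((self.host, self.port))
        self.port = self._sock.getsockname()[1]
        self._sock.listen(8)
        threading.Thread(target=self._accept_loop, daemon=True).start()
        return self.port

    def _accept_loop(self):
        while True:
            try:
                conn, (ip, sport) = self._sock.accept()
            except OSError:          # listener closed by stop()
                return
            threading.Thread(target=self._handle, args=(conn, ip, sport),
                             daemon=True).start()

    def _handle(self, conn, ip, sport):
        data = b""
        with conn:
            try:
                conn.sendall(self.banner)   # behave like a real service
                conn.settimeout(2.0)
                data = conn.recv(256)       # capture what the visitor tried first
            except OSError:
                pass
        touch = {
            "when": datetime.now(timezone.utc).isoformat(timespec="seconds"),
            "source_ip": ip, "source_port": sport,
            "decoy_port": self.port, "first_bytes": data,
        }
        with self._lock:
            self.touches.append(touch)
        # The alert itself: in production this record goes to the SOC / SIEM.
        logging.warning("DECOY TOUCHED decoy_port=%d src=%s:%d first_bytes=%r",
                        self.port, ip, sport, data)

    def wait_for_touches(self, n, timeout=5.0):
        """Block until at least n touches have been recorded (or time out)."""
        deadline = time.monotonic() + timeout
        while time.monotonic() < deadline:
            with self._lock:
                if len(self.touches) >= n:
                    return True
            time.sleep(0.05)
        return False

    def stop(self):
        if self._sock:
            try:
                self._sock.shutdown(socket.SHUT_RDWR)
            except OSError:
                pass
            self._sock.close()


def simulate_touch(host, port, payload=b"USER anonymous\r\n"):
    """Hypothetical helper: connect to the decoy the way a scanner would and
    return the banner it served, so the trap can be exercised locally."""
    with socket.create_connection((host, port), timeout=5) as c:
        c.sendall(payload)
        return c.recv(256)


def sources_by_touch_count(touches):
    """Collapse touch records into a per-source count for triage."""
    counts = {}
    for t in touches:
        counts[t["source_ip"]] = counts.get(t["source_ip"], 0) + 1
    return counts


if __name__ == "__main__":
    decoy = DecoyService()
    listening_on = decoy.start()
    print(f"decoy listening on 127.0.0.1:{listening_on}")
    simulate_touch("127.0.0.1", listening_on)   # local demonstration touch
    decoy.wait_for_touches(1)
    print(sources_by_touch_count(decoy.touches))
    decoy.stop()
```

The design choice worth noting is that the decoy never tries to classify the visitor: it has no legitimate users, so its detection logic is "any connection at all", which keeps false positives near zero and makes the alert trustworthy enough to act on immediately.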

Containing a breach

Containing the impact of any malware is critical, along with finding the vulnerability that was exploited in the first place. Infected hardware has to be isolated to prevent spread across the organisation. Networks and applications should already be segmented to make that spread more difficult. Inspection points can be set up to detect malicious traffic, with a control point that will close down an attack after it’s detected.

Layers of protection around identities and account credentials will stall an intruder’s progress and alert the security team to suspicious activity. Logs and event management techniques that draw on threat intelligence can help identify anomalies more quickly. The scale and breadth of BT’s global networks, and the information we monitor through our global network of Security Operations Centres, provide a high-level view of the threat landscape, which helps us protect our customers against the latest DDoS and phishing attacks.
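Both the monitoring described under “Enemies at the gates” (picking up IP addresses associated with DDoS attacks and spotting traffic anomalies) and the threat-intelligence-driven log analysis mentioned just above come down to the same two checks over a firewall log. The following is an added example, not BT’s code or any product’s logic: the log format, the threat-intelligence entries and the addresses (all from documentation ranges) are constructed for this illustration, and the window and threshold values are assumptions to tune for a real environment.

```python
import re
from collections import defaultdict
from datetime import datetime, timezone

# Constructed log format: one firewall connection event per line.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) action=(?P<action>\w+) "
    r"src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) dport=(?P<dport>\d+)$"
)

# Constructed threat-intelligence feed: indicator -> reason. A real feed
# would be pulled from a TI platform and refreshed on a schedule.
THREAT_INTEL = {
    "203.0.113.7": "known DDoS source (constructed)",
    "198.51.100.23": "phishing infrastructure (constructed)",
}

# Constructed sample log: two intel hits, one internal host fanning out
# to SMB on five neighbours in a few seconds, and one malformed line.
SAMPLE_LOG = """
2024-05-02T10:00:01Z fw01 action=allow src=192.0.2.20 dst=192.0.2.10 dport=443
2024-05-02T10:00:02Z fw01 action=deny src=203.0.113.7 dst=192.0.2.10 dport=53
2024-05-02T10:00:03Z fw01 action=allow src=192.0.2.55 dst=192.0.2.31 dport=445
2024-05-02T10:00:04Z fw01 action=allow src=192.0.2.55 dst=192.0.2.32 dport=445
2024-05-02T10:00:04Z fw01 action=allow src=192.0.2.55 dst=192.0.2.33 dport=445
2024-05-02T10:00:05Z fw01 action=allow src=192.0.2.55 dst=192.0.2.34 dport=445
2024-05-02T10:00:06Z fw01 action=allow src=192.0.2.55 dst=192.0.2.35 dport=445
2024-05-02T10:00:07Z fw01 action=allow src=198.51.100.23 dst=192.0.2.10 dport=443
2024-05-02T10:00:08Z fw01 action=allow src=192.0.2.20 dst=192.0.2.10 dport=443
this line is not in the expected format
""".strip().splitlines()


def parse(line):
    """Parse one log line; return None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    e = m.groupdict()
    e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    e["dport"] = int(e["dport"])
    return e


def intel_hits(events, intel):
    """Every event whose source is a known indicator, with the feed's reason."""
    return [
        {"ts": e["ts"].isoformat(), "src": e["src"], "dst": e["dst"],
         "dport": e["dport"], "reason": intel[e["src"]]}
        for e in events if e["src"] in intel
    ]


def rate_anomalies(events, window_seconds=10, threshold=5):
    """Sources that open >= threshold connections inside any sliding window.

    Returns {src: peak connections seen in one window}."""
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src"]].append(e["ts"])
    flagged = {}
    for src, times in by_src.items():
        times.sort()
        start, peak = 0, 0
        for end in range(len(times)):
            while (times[end] - times[start]).total_seconds() > window_seconds:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[src] = peak
    return flagged


def triage(lines, intel=THREAT_INTEL, window_seconds=10, threshold=5):
    """Run both checks and report how much of the log was actually usable."""
    events = [e for e in map(parse, lines) if e]
    return {
        "parsed": len(events),
        "unparsed": len(lines) - len(events),
        "intel_hits": intel_hits(events, intel),
        "rate_anomalies": rate_anomalies(events, window_seconds, threshold),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Two points a practitioner would want from this: the unparsed count is reported rather than silently dropped, because a parser that quietly discards lines is how an attack hides in a log you believe you are watching; and the rate check is per source over a sliding window, so a burst is caught whether or not it happens to straddle a fixed minute boundary.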

There is no such thing as foolproof cybersecurity, but there is plenty you can do. And there is plenty that we do with our clients at BT to mitigate the risk and improve an organisation’s security exposure. If you have any concerns about vulnerabilities that might expose your organisation to ransomware, please get in touch here.