In this blog post
Common perceptions around what ransomware is, how it works and how it can be defeated are clouded by wrong impressions and incomplete information. When thinking of ransomware, many CISOs and security teams unfortunately take myths as reality. A summary of the facts around ransomware allows IT departments to visualize an achievable anticipatory response plan.
MYTH 1: SINCE WE’VE PAID FOR THE LATEST ENDPOINT PROTECTION PLATFORM (EPP), WE HAVE THE LATEST EPP
A common thought process among organizations is they are protected by the latest EPP as they have paid for the latest EPP platform. Many of the ransomware attacks are due to the negligence of the IT departments in using the recommended configurations for their EPP. They do not have the adequate support to deploy, support and maintain the full suite, thereby limiting the overall possible effectiveness of the platform.
Security teams need to configure and deploy the complete suite of the latest available EPP to broaden the delivery of protection as a coordinated and integrated use of all available system functions.
EPP solutions offer extensions, such as memory protection, to prevent malicious code injection into common processes, application whitelisting to only allow approved applications to operate on the system, isolation, system hardening, and vulnerability shielding (also known as “virtual patching”).
These solutions typically require a high level of security team management and daily maintenance They are best suited for security environments that have a high degree of maturity and operational process structure.
MYTH 2: YOUR EPP WILL PROTECT YOU FROM ALL THREATS
A prevailing myth is that ransomware exploits zero-day vulnerabilities. Attackers seek to exploit known vulnerabilities in a target organization’s technology to expand profit margins as best as they can. Attackers have hundreds of well-known and easily exploitable vulnerabilities to select as the starting point of an intrusion. Many of these vulnerabilities remain unpatched despite being well-documented and easily remediated.
Attackers are smart and technologically much more superior to the security personnel. The modus operandi is to make slight modifications to the ransomware and malware to evade the signature base anti-malware protection.
While most EPP anti-malware solutions incorporate some form of signature-based approaches in their malware detection, they also support non-signature-based approaches. Enterprises should imbibe contracts that provide yearly extensions based on the EPP capabilities, level of overall security program maturity and the organization’s ability to assimilate solutions that are of higher technical and operational complexity.
This insight stress on the significance on patching scheduling and updating common user programs, web browsers and applications by the IT departments on a regular basis.
MYTH 3: EDR GIVES YOU ALL THE VISIBILITY NECESSARY TO RECOVER FROM A MALWARE INFECTION
Current endpoint detection and response (EDR) solutions can detect security incidents by monitoring endpoint activities, objects, and policy violations, or by validating externally fed indicators of compromise (IOCs). They restrict the incident at the endpoint, allowing network traffic or process execution to be remotely controlled.
Some of them fix endpoint problems by reverting to the pre-infection state, triggering vulnerability remediation and system patching activities and other system management functions.
While relatively simple to deploy, EDR solutions remain complex to use, and require a well-trained staff to gain the maximum insight and effectiveness. The core of a ransomware incident response plan includes position monitoring and analytics.
IT security can include entity and user behavior analytics (EUBA) for added insight into atypical activity, such as users or administrators accessing data or applications beyond their normal behaviors.
MYTH 4: FIREWALLS, SECURE WEB GATEWAYS, SECURE EMAIL GATEWAYS AND OTHER PERIMETER SOLUTIONS ARE ALL YOU NEED
While the usual perimeter security solutions are vital to maintain a well-protected environment, EPP solutions require continuous maintenance to run on the latest software releases. They should also be configured with the latest best practice recommendations from the solution provider.
Many of the cyber ransomware attacks are due to the flat networks that are easily breached and allow malware to traverse across them. Its possible due to the weak perimeter security solutions and the web-facing applications that were exploited due to irregular patching and update practices.
Security teams should isolate critical areas and segment environments in high-trust, medium-trust and low-trust zones to minimize traffic flows between highly sensitive data environments and lower-trust entities.
They should use cloud-based secure web gateways for highly mobile laptop populations and to cost-effectively support globally distributed offices and commit to isolating critical areas from lower-trust network traffic.
MYTH 5: ADMINISTRATORS FOLLOW BEST PRACTICES ALL THE TIME, EVERY TIME
We expect IT administrators to follow the best practices in their regular activities. Burdened by heavy workloads, they try to be efficient, which can lead to potentially handing an opportunity to the hackers.
As domain administrator accounts and systems are the main targets for the attacks, that lead to easy installation of ransomware and other malicious software on file servers within the environment, establishing different access credentials for the various systems means the rest won’t be exposed when one server’s credentials are compromised.
MYTH 6: RANSOMWARE ATTACK IS SPECIFIC TO LARGE ENTERPRISES, AND NOT SMB’S
Ransomware attackers are known for their choice of victims. They do their research on the target organization’s financial position and ask for ransom amount which they can actually pay. Irrespective of the business size, the scope of damage that they can impart on the organization and the monetary value that is the result of this action is more important for them.
MYTH 7: AVOID SKETCHY WEBSITES TO PREVENT RANSOMWARE
Popular method for ransomware encryption attacks is through users unintentionally clicking on email links, downloading malicious online content or through cloud drop boxes. According to the Osterman Research Survey, users are twice more likely to be infected by clicking on links than by visiting an infected website.
Ransomware perpetrators are sophisticated in their attack, and are far ahead of the local authorities. Equipped with strong encryption methods such as RSA-2048 or AES-128, it is virtually impossible for the ransomware victims to recover their data with the support of local authorities. The best defense is to be proactive in protecting their data and maintain regular backup of data.