
Mitigating Ransomware

Level 11

Malware is an issue that has been around since shortly after the start of computing and isn't something that is going to go away anytime soon. Over the years, the motivations, sophistication, and appearance have changed, but the core tenets remain the same. The most recent iteration of malware is called ransomware. Ransomware is software that takes control of the files on your computer, encrypts them with a key known only to the attacker, and then demands money (ransom) in order to unlock the files and return the system to normal.

Why is malware so successful? It's all about trust. Users need to be trusted to some degree so that they can complete the work that they need to do. Unfortunately, the more we entrust to the end-user, the more ability a bad piece of software has to inflict damage on the local system and all the systems it's attached to. Limiting how much of your systems/files/network can be modified by the end-user can help mitigate this risk, but it has the side effect of inhibiting productivity and the ability to complete assigned work. Often it's a catch-22 for businesses to determine how much security is enough, and malicious actors have been taking advantage of this balancing act to successfully implement their attacks. Now that these attacks have been systematically monetized, we're unlikely to see them diminish anytime soon.

So what can you do to move the balance back to your favor?

There are some well-established best practices that you should consider implementing in your systems if you haven't done so already. These practices are not foolproof, but if implemented well should mitigate all but the most determined of attackers and limit the scope of impact for those that do get through.

End-user Training: This has been recommended for ages and hasn't been the most effective tool in mitigating computer security risks. That being said, it still needs to be done. The safest way to mitigate the threat of malware is to avoid it altogether. Regularly training users to identify risky computing situations and how to avoid them is critical in minimizing risk to your systems.

Implement Thorough Filtering: This references both centralized and distributed filtering tools that are put in place to automatically identify threats and stop users from making a mistake before they can cause any damage. Examples of centralized filtering would be systems like web proxies, email spam/malware filtering, DNS filters, intrusion detection systems, and firewalls. Examples of local filtering include regularly updated anti-virus and anti-malware software. These filtering systems are only as good as their signatures, though, so regular definition updates are critical. Unfortunately, signatures can only be developed for known threats, so this too is not foolproof, but it's a good tool to help ensure older/known versions/variants aren't making it through to end-users to be clicked on and run.

The Principle of Least Privilege: This is exactly what it sounds like. It is easy to say, hard to implement, and sits right on the balance between security and usability. If a user has administrative access to anything, they should never be logged in for day-to-day activities with that account and should be using the higher privileged account only when necessary. Users should only be granted write access to files and shares that they need write access to. Malware can't do anything with files it can only read. Implementing software that either whitelists only specific applications, or blacklists applications from being run from non-standard locations (temporary internet files, downloads folder, etc.), can go a long way in mitigating the threats that signature-based tools miss.
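As an added illustration of the location-based application control described above (this is not code from the article or its author, and the directory lists are a constructed sample policy rather than any product's defaults), here is a small Python policy evaluator. It normalizes paths the way Windows does, so that `..` traversal, forward slashes, or case differences cannot slip past a prefix check, and it supports both the whitelist (default deny) and blacklist (default allow) modes the paragraph mentions:

```python
import ntpath

# Constructed sample policy for one workstation (not real product defaults):
# trees where installed software is expected to live ...
ALLOWED_DIRS = [r"C:\Program Files", r"C:\Program Files (x86)", r"C:\Windows"]
# ... and the user-writable drop zones the article names.
BLOCKED_DIRS = [
    r"C:\Users\bob\Downloads",
    r"C:\Users\bob\AppData\Local\Temp",
    r"C:\Users\bob\AppData\Local\Microsoft\Windows\Temporary Internet Files",
]


def _canonical(path):
    """Collapse '..' and '.', unify separators and case, as Windows itself would."""
    return ntpath.normcase(ntpath.normpath(path))


def _is_under(path, directory):
    """True if path is the directory itself or lies anywhere beneath it.

    The trailing separator matters: 'C:\\Program FilesEvil\\x.exe' must not
    match 'C:\\Program Files'.
    """
    p = _canonical(path)
    d = _canonical(directory).rstrip("\\")
    return p == d or p.startswith(d + "\\")


def launch_decision(exe_path, mode="whitelist"):
    """Return 'allow' or 'deny' for an executable path under the chosen mode.

    whitelist: default deny, run only from ALLOWED_DIRS.
    blacklist: default allow, refuse anything in BLOCKED_DIRS.
    """
    if mode == "whitelist":
        return "allow" if any(_is_under(exe_path, d) for d in ALLOWED_DIRS) else "deny"
    if mode == "blacklist":
        return "deny" if any(_is_under(exe_path, d) for d in BLOCKED_DIRS) else "allow"
    raise ValueError(f"unknown mode: {mode}")


if __name__ == "__main__":
    for sample in [r"C:\Program Files\Editor\editor.exe",
                   r"C:\Users\bob\Downloads\invoice.pdf.exe",
                   r"C:\Program Files\..\Users\bob\Downloads\invoice.pdf.exe"]:
        print(f"{sample!r}: whitelist={launch_decision(sample)} "
              f"blacklist={launch_decision(sample, 'blacklist')}")
```

A location-based whitelist is only as strong as the write permissions on the allowed trees: any user-writable subfolder beneath an allowed directory needs its own exception, otherwise the default-deny rule is not really default-deny. The blacklist mode is easier to roll out but leaves every location not on the list open, which is the gap signature-based tools and this article's layered approach are meant to cover together.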

Patch Your Systems: This is another very basic concept, but something that is often neglected. Many pieces of malware make use of vulnerabilities that are already patched by the vendor. Yes, patches sometimes break things. Yes, distributing patches on a large network can be cumbersome and time-consuming. You simply don't have an option, though. It needs to be done.

Have Backups: If you do get infected with ransomware, and it is successful in encrypting local or networked files, backups are going to come to the rescue. You are doing backups regularly, right? You are testing restores of those backups, right? It sounds simple, but so many find out that their backup system isn't working when they need it the most. Don't make that mistake.

Store Backups Offline: Backups that are stored online are at the same risk as the files they are backing up. Backups need to be stored on removable media, and then that media needs to be removed from the network and stored off-site. The more advanced ransomware variants look specifically to infect backup locations, as a functioning backup guarantees the attackers don't get paid. Don't let your last recourse become useless because you weren't diligent enough to move it offline and off-site.
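The two backup items above ("you are testing restores, right?" and "store them offline") come down to a loop of back up, record what was backed up, restore-test, and re-verify the media when it comes back from off-site. The Python below is an added example, not the author's tooling: it writes a zip archive with a sidecar SHA-256 manifest, restores it into a scratch directory and checks every digest, and compares the live files against the manifest so that a file rewritten after the backup (which is what an encryption pass looks like from the outside) is named explicitly. The sample documents are constructed in code so it runs offline:

```python
import hashlib
import json
import tempfile
import zipfile
from pathlib import Path


def sha256_file(path):
    """Stream a file through SHA-256 so large backups never need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Map every file under root (relative, '/'-separated) to its SHA-256 digest."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def create_backup(src_dir, archive_path):
    """Write a zip of src_dir plus a sidecar manifest; return the manifest."""
    manifest = build_manifest(src_dir)
    with zipfile.ZipFile(archive_path, "w", zipfile.ZIP_DEFLATED) as zf:
        for rel in manifest:
            zf.write(Path(src_dir) / rel, arcname=rel)
    # The manifest travels with the media, so it can be re-checked after off-site storage.
    Path(f"{archive_path}.manifest.json").write_text(
        json.dumps(manifest, indent=1, sort_keys=True))
    return manifest


def verify_restore(archive_path):
    """Restore into a scratch directory and compare digests against the manifest."""
    manifest = json.loads(Path(f"{archive_path}.manifest.json").read_text())
    with tempfile.TemporaryDirectory() as scratch:
        with zipfile.ZipFile(archive_path) as zf:
            zf.extractall(scratch)  # zipfile strips absolute and '..' members itself
        restored = build_manifest(scratch)
    missing = sorted(set(manifest) - set(restored))
    corrupt = sorted(k for k in manifest if k in restored and restored[k] != manifest[k])
    return {"ok": not missing and not corrupt, "missing": missing, "corrupt": corrupt}


def changed_since_backup(src_dir, manifest):
    """Files whose current digest differs from the backup, or that have vanished."""
    live = build_manifest(src_dir)
    return sorted(k for k in manifest if live.get(k) != manifest[k])


def make_sample_tree(root):
    """Constructed sample data standing in for a user's documents (test fixture)."""
    root = Path(root)
    (root / "finance").mkdir(parents=True, exist_ok=True)
    (root / "finance" / "q1.csv").write_text("month,revenue\njan,100\nfeb,120\n")
    (root / "notes.txt").write_text("call vendor about renewal\n")
    return root


def demo():
    """Back up, restore-test, then show the manifest catching post-backup damage."""
    with tempfile.TemporaryDirectory() as work:
        src = make_sample_tree(Path(work) / "docs")
        archive = Path(work) / "docs-backup.zip"
        manifest = create_backup(src, archive)
        restore = verify_restore(archive)
        changed_before = changed_since_backup(src, manifest)
        # One document rewritten and one deleted after the backup ran
        # (plain file operations standing in for unwanted changes).
        (src / "finance" / "q1.csv").write_bytes(b"\x00" * 32)
        (src / "notes.txt").unlink()
        changed_after = changed_since_backup(src, manifest)
        return {"files": sorted(manifest), "restore_ok": restore["ok"],
                "changed_before": changed_before, "changed_after": changed_after}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```

`verify_restore` is the part most shops skip: it proves the archive can actually be read back, not just that the job reported success. Running it against media that has returned from off-site storage, before that media is reused, is the cheapest way to find out a backup is bad while you still have time to take another one.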

Final Thoughts

For those of you who have been in this industry for any time (yes, I'm talking to you graybeards of the bunch), you'll recognize the above list of action items as a simple set of good practices for a secure environment. However, I would be willing to bet you've worked in environments (yes, plural) that haven't followed one or more of these recommendations due to a lack of discipline or a lack of proper risk assessment skills. Regardless, these tried and true strategies still work because the problem hasn't changed. It still comes down to the blast radius of a malware attack being directly correlated with the amount of privilege you grant the end-users in the organizations you manage. Help your management understand this tradeoff and the tools you have in your arsenal to manage it, and you can find the sweet spot between usability and security.

29 Comments
rschroeder
Level 21

I'd sum it up from a Network Administrator's viewpoint like this:

1. Get NCM

2. Get every device into NCM that's possible

3. Back up the configs at least daily, and consider enabling/configuring Real-Time Configuration Change Detection

4. Compare configs at least daily and analyze them for issues

5. Use NCM's Compliance & Remediation tools to keep your network device configurations as safe as they can be made

6. Use NCM's Vulnerability Reporting to show what problems may be waiting to pounce on your network gear

7. Use NCM's ability to upgrade your network equipment to the appropriate level

8. Stay on top of reports, rumors, remediations

9. Train everyone to do the correct things (listed in your lovely article above).

And finally, follow best practices and practice:

[image: pastedImage_0.png]

tallyrich
Level 15

All good recommendations and very prudent.

I would put backups as the most important simply because the "bad guys" are getting smarter and trickier every day. Most people will be hit with something (if not ransomware something else, maybe even worse) and good / regular backups will mitigate the losses. Backups are like most forms of insurance, you hope you never need it, but if you do . . .

michael.kent
Level 13

We have invested recently in end user training, awareness is key for us.

tallyrich
Level 15

Agreed.

Let me also add that cultivating a culture of accountability, without fear, is also very important. I've seen a couple of real examples.

1) A user, under a "controlling" manager, got a virus that did quite a bit of damage. Feeling like "I might get in trouble," they tried to ignore it and hope that it wouldn't come back to them. Needless to say, the virus spread much further than it needed to and cost a lot of time and money to rectify.

2) A user, let's call him the CEO, got a virus - he clicked a link, it looked kind of real, but . . . - as soon as he realized his mistake he shut down his machine, got on his cell phone, and sent an email to the IT team: "Yes, it was me, I clicked a link I shouldn't have." With that one we fixed the issue quickly with little effort and cost.

mtgilmore1
Level 13

Backup Backup Backup... Good point about storing them offline.

gfsutherland
Level 14

User Training.............. User Training............User Training............

Backup............Backup............Backup...........

User Testing .................. User Testing...........User Testing............

Repeat....

Richard is right... accountability is key... I'd rather have a user call me and say ... "ummm... I think I clicked something bad..." than one that says... "no .. not me...." when I can see that it was (either immediately or after investigation).

Everyone makes mistakes, but training and awareness can mitigate the instances of these errors.

ecklerwr1
Level 19

Backups are the best weapon in this fight because users are going to click on things they shouldn't and even training won't prevent it.

gfsutherland
Level 14

Agreed... I never stop trying! :-)

jeremymayfield
Level 15

And then there is NHS in England....  Ooofta

mghrivera
Level 7

Good information to know.

shuckyshark
Level 13

Avecto...

vinay.by
Level 16

Nice article

jkump
Level 15

And it appears to be spreading from England to the U.S. I would say education is the best weapon against these attacks. If you don't recognize the subject or the sender, delete it. If it is important they will send it again or contact you via alternative methods. Adjusting the email client to not automatically preview email or automatically open new emails is helpful as well. But the bottom line is, the user must be educated and accountable for their activities.

jeremymayfield
Level 15

74 countries and counting.

gfsutherland
Level 14

99 countries and counting... as of 5:30 PM EDT...

This "Wannacry" makes the Malware Hall of Fame...

tinmann0715
Level 16

Wow! Talk about topicality! This article came out just in time!!!

shuckyshark
Level 13

teach your users not to click click click

Jfrazier
Level 18

Backups are great if you know the backups are without error and you know you can restore a system.

Again, someone has to check the logs...whether via an automated method or not...and then someone "HAS TO" resolve any issues or errors found.

This can be a daunting task with over 2000 servers involved.

Somewhere in there, someone has to validate you can restore a server of each flavor of OS (different server for each validation test which I think should happen once a quarter if not once a month).

jkump
Level 15

Excellent point! What good are backups if they are not tested or no one knows the procedure to restore?

tallyrich
Level 15

I worked with a guy once who would look at the logs every morning, and for any errors he would write an exception. It took a bit of persuading to convince him that you can't just do that; you have to determine first if it's a file/folder that really needs to be ignored (i.e. temp files) or if there is a problem, and then actually fix it.

network_defender
Level 14

Wannacry ransomware has been targeting servers using the SMBv1 protocol. SMBv1 is an outdated protocol that should be disabled on all networks. Tenable makes a product called Passive Vulnerability Scanner (PVS). Think of it as a Snort-style sniffer that specifically looks for protocol versioning, such as SNMPv2 traffic where only SNMPv3 exists. PVS could look for SMBv1 and alert.
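The passive check network_defender describes can be prototyped without a commercial sensor. The Python below is an added example (not Tenable's PVS and not the commenter's code): it classifies a raw TCP/445 payload by the SMB header magic (`\xffSMB` for SMBv1, `\xfeSMB` for SMB2/3, `\xfdSMB` for the SMB3 encrypted transform header), pulls the dialect list out of an SMB1 NEGOTIATE request, and pairs a client's negotiate with the server's reply so that an alert fires only when the server actually answers in SMBv1. The request and reply frames are constructed in code, with zeroed flags and identifiers, purely as test input:

```python
import struct

# Well-known protocol signatures at the start of every SMB message
SMB1_MAGIC = b"\xffSMB"
SMB2_MAGIC = b"\xfeSMB"            # SMB 2.x and 3.x share this header
SMB3_TRANSFORM_MAGIC = b"\xfdSMB"  # SMB 3.x encrypted (transform) header
SMB1_COM_NEGOTIATE = 0x72


def frame_direct_tcp(message):
    """Prefix a message the way direct-hosted SMB over TCP/445 does:
    one zero byte followed by a 24-bit big-endian length."""
    return b"\x00" + len(message).to_bytes(3, "big") + message


def _unframe(payload):
    """Strip the 4-byte transport header; None if this is not a complete SMB frame."""
    if len(payload) < 8 or payload[0] != 0:
        return None
    length = int.from_bytes(payload[1:4], "big")
    message = payload[4:4 + length]
    return message if len(message) >= 4 else None


def classify_smb_payload(payload):
    """'SMBv1', 'SMBv2/3', 'SMB3-encrypted', or None for a raw TCP/445 payload."""
    message = _unframe(payload)
    if message is None:
        return None
    return {SMB1_MAGIC: "SMBv1", SMB2_MAGIC: "SMBv2/3",
            SMB3_TRANSFORM_MAGIC: "SMB3-encrypted"}.get(message[:4])


def smb1_negotiate_dialects(payload):
    """Dialect strings offered in an SMB1 NEGOTIATE request (empty if it is not one).

    After the 32-byte SMB1 header: WordCount (1 byte), ByteCount (2 bytes LE),
    then dialects, each a 0x02 byte followed by a NUL-terminated ASCII string.
    """
    message = _unframe(payload)
    if message is None or message[:4] != SMB1_MAGIC or message[4] != SMB1_COM_NEGOTIATE:
        return []
    if len(message) < 35:
        return []
    word_count = message[32]
    params_end = 33 + 2 * word_count
    if len(message) < params_end + 2:
        return []
    byte_count = struct.unpack_from("<H", message, params_end)[0]
    data = message[params_end + 2:params_end + 2 + byte_count]
    return [d[1:].decode("ascii", "replace")
            for d in data.split(b"\x00") if d.startswith(b"\x02")]


def build_smb1_negotiate(dialects):
    """Construct a sample SMB1 NEGOTIATE request for testing (zeroed flags and ids)."""
    header = SMB1_MAGIC + bytes([SMB1_COM_NEGOTIATE]) + b"\x00" * 27  # 32 bytes total
    data = b"".join(b"\x02" + d.encode("ascii") + b"\x00" for d in dialects)
    body = b"\x00" + struct.pack("<H", len(data)) + data  # WordCount=0, ByteCount, dialects
    return frame_direct_tcp(header + body)


def negotiate_verdict(request, response):
    """Pair a client's negotiate with the server's reply.

    A client that still has its SMB1 side enabled opens with an SMB1-framed
    negotiate listing 'SMB 2.???'-style dialects as well; what matters for an
    alert is whether the server answers in SMBv1 or upgrades to SMB2/3.
    """
    reply = classify_smb_payload(response)
    return {"offered": smb1_negotiate_dialects(request),
            "response": reply,
            "smb1_in_use": reply == "SMBv1"}


# Constructed sample exchange: one multi-protocol negotiate, answered two ways.
SAMPLE_REQUEST = build_smb1_negotiate(["NT LM 0.12", "SMB 2.002", "SMB 2.???"])
SAMPLE_SMB2_REPLY = frame_direct_tcp(SMB2_MAGIC + b"\x00" * 60)  # 64-byte SMB2 header
SAMPLE_SMB1_REPLY = frame_direct_tcp(
    SMB1_MAGIC + bytes([SMB1_COM_NEGOTIATE]) + b"\x00" * 27 + b"\x11" + b"\x00" * 34)

if __name__ == "__main__":
    print(negotiate_verdict(SAMPLE_REQUEST, SAMPLE_SMB2_REPLY))
    print(negotiate_verdict(SAMPLE_REQUEST, SAMPLE_SMB1_REPLY))
```

Keying the alert on the server's reply rather than on the client's opening frame avoids a flood of false positives, since many clients still start every session with an SMB1-framed negotiate even when they will end up on SMB3. Once a host is flagged, the fix is the one the comment gives: disable SMBv1 on it.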

mcam
Level 14

Was this a brilliant precognition of the events of the weekend or some staggering coincidence? I'm not sure of the timeline.

jkump
Level 15

Either way, a relevant thread to participate in.

shuckyshark
Level 13

I couldn't imagine having to tell our CEO that we need to restore 2000 servers and it would take ???how many weeks????

Jfrazier
Level 18

yeah, that would suck for someone(s).

tallyrich
Level 15

That would be better than having to tell your CEO that your replacement was going to have to restore 2000 servers.

superfly99
Level 17

It's amazing how many people still fall for the simple "click on the link" malware. It doesn't matter how many times you tell them, they will still click. It's like sending outage notifications - they never read them and then complain that they "didn't know" there was a scheduled outage.

rschroeder
Level 21

155 countries affected as of 20170515. And counting . . .

jordan.martin
Level 11

mcam I can assure you it was strictly coincidence, but a good one at that. If I had that kind of precognition I would be buying lottery tickets, not writing blog posts.