Part 3 in a series of blogs on ransomware. Ransomware is on the rampage. Earlier in the year, barely a week would go by without a report of a costly attack. Now it’s almost a daily news story with reports suggesting that the number of attacks increased by 30 per cent in August alone. Even worse, payment doesn’t necessarily come with any guarantees. A recent article from Infosecurity magazine found that 1 in 5 UK organisations that paid during a ransomware attack didn’t get their data back.
In this climate, the question is how to have confidence that you are on top of the problem, with a good chance of prevention and a coherent strategy to recover from it without having to pay up.
In our previous two blogs on the topic of ransomware, we focused on backup strategies for individual/home users and SMEs. This time we are focusing on larger enterprises, which often have more sophisticated IT environments and, potentially, a lot more data at risk. Equally, they have more users and likely more variation in the way that IT is delivered and consumed.
There are six key areas (or controls) to think about:
This is primarily about boundary protection: securing each possible path by which ransomware could enter your network, so that the attacker is deterred and, hopefully, encouraged to find an easier target. Most ransomware (currently) is distributed via phishing email that encourages the user to click on a link; some ransomware is distributed via infected websites. Boundary protection devices must prevent both of these – but be prepared for the ransomware threat to move to other vectors in the future. One common failing of boundary protection is to ignore the threat from remote users, who may already be infected with the malware; treating remote users as internal users (i.e. inside the boundary) is a mistake. There are a number of methods available to support remote users without compromising boundary protection.
Prevent controls are focused on avoiding the problem altogether. The first step is user education: ransomware is a user-initiated malware infection, so users should be educated to recognise and avoid ransomware (or indeed any malware delivered using similar mechanisms). The next step is to ensure that your privilege management is up to scratch: minimising privileges reduces the likelihood of infection. Finally, control over administrators is essential: they should be encouraged to use privileged accounts only when strictly necessary.
Containment controls are intended to limit damage to as small a set of data files as possible. This is partly an exercise in information management, partly privilege management and partly system architecture. For example, many larger organisations separate users from data by implementing systems such as SharePoint – as the user does not have direct access to the underlying data, the risk from ransomware is minimised (but note that inappropriate configuration of SharePoint could still provide a direct path to the data). Similarly, thin client solutions can be used to enforce separation of users and data. There are many good reasons why such solutions might be deployed in an enterprise; protection from malware attacks such as ransomware is a bonus.
The ability to detect when a ransomware infection has occurred, or is ongoing, is essential to support recovery controls. This involves technical mechanisms, such as protective monitoring and intrusion detection systems, as well as operational mechanisms to identify and respond to incidents. Solutions in this space tend to be focused on security information and event management (SIEM) systems. Most large enterprises will already have an investment in this area – but it is not unusual to find that, although the technology is good, the management processes for incident response are weak.
The ability to recover original data following a ransomware attack is the ultimate layer of defence. The design of recovery systems depends a great deal on the system architecture – and on the effectiveness of containment controls. In many cases, the damage will be limited to a single user's system and any data directly accessible by that user. Most enterprise backup systems are focused on large data volumes in systems such as storage area networks (SANs), with automated disk-to-disk backups (or redundant SAN designs) and archive to tape-based systems. Whilst these support many recovery scenarios, there is a danger that ransomware-infected files will be perpetuated into the archive system – hence the need for efficient detection mechanisms and the inclusion of data isolation within incident management plans.
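The detect-then-isolate link described in the two paragraphs above, as an added example that is not part of the original post: a small protective-monitoring rule that scans file-server audit events for a burst of writes or renames by one user and lists the files that user touched, so they can be held back from the next backup cycle. The log format, field names, window and threshold are all assumptions; the audit lines are constructed.

```python
"""Flag a burst of file writes/renames by one user (a common ransomware
footprint) and list the affected paths so they can be isolated before the
next backup picks them up. Log format and thresholds are assumed, not a
real product's; the sample events are constructed for this example."""
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(seconds=60)  # sliding window over each user's events
THRESHOLD = 20                  # writes in one window that trigger an alert

def parse(line):
    """Assumed format: '<iso-timestamp> <user> <action> <path>' (path last)."""
    ts, user, action, path = line.split(" ", 3)
    return datetime.fromisoformat(ts), user, action, path

def detect_bursts(lines, window=WINDOW, threshold=THRESHOLD):
    """Return {user: sorted paths} for each user whose write-type activity
    reaches `threshold` events inside any `window`-long interval. The paths
    are everything that user touched from the start of the burst onward,
    i.e. the set to quarantine from backup and examine during incident
    response."""
    per_user = defaultdict(list)
    for line in lines:
        ts, user, action, path = parse(line)
        if action in ("MODIFY", "RENAME", "DELETE"):
            per_user[user].append((ts, path))
    isolate = {}
    for user, events in per_user.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # shrink the window until it spans at most `window` of time
            while events[end][0] - events[start][0] > window:
                start += 1
            if end - start + 1 >= threshold:
                isolate[user] = sorted({p for _, p in events[start:]})
                break
    return isolate

def _constructed_log():
    """Constructed audit lines: bob edits three files over 15 minutes (normal);
    alice renames 25 files to .locked within 25 seconds (burst)."""
    base = datetime(2016, 9, 1, 9, 0, 0)
    lines = [f"{(base + timedelta(minutes=5 * i)).isoformat()} bob MODIFY /srv/hr/doc{i}.docx"
             for i in range(3)]
    lines += [f"{(base + timedelta(seconds=i)).isoformat()} alice RENAME /srv/finance/report{i}.xlsx.locked"
              for i in range(25)]
    return lines

SAMPLE_LOG = _constructed_log()

if __name__ == "__main__":
    for user, paths in detect_bursts(SAMPLE_LOG).items():
        print(f"ALERT {user}: hold {len(paths)} files back from backup")
```

In a real SIEM the same rule would be expressed as a correlation search over the file-server audit feed, with the output feeding the data-isolation step of the incident management plan rather than a print statement.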
Assurance is about having confidence that controls are implemented correctly and are delivering the protection that is required. There are many ways of gaining assurance, from testing user response to phishing emails and challenging detection systems with test data sets, through to exercising incident management plans. The more assurance you have in your controls, the greater confidence you can have that you will not have a ransomware problem.
The controls outlined above are an exercise in defence-in-depth. You should not pick one or two control types, but aim to implement all of the controls: you cannot assume that any single control will be 100% effective, and a defence-in-depth strategy ensures that the actual risk is minimised by incrementally reducing risk within each control layer.
For further information
If you have found this article interesting, the Ascentor blog regularly carries articles about Information Assurance (IA) and cyber security issues. You might also like to keep in touch with Ascentor by receiving our quarterly newsletter.
If you’d like to discuss the topic of ransomware in more depth or any aspect of IA and cyber security, please contact Dave James at Ascentor.