Malware and ransomware protection concepts required for your defense strategy

I constantly meet with many organizations with the job of evaluating security capabilities. When I ask about goals, defending against ransomware is a common top 3 request. A common saying is that complexity is the enemy of security, which applies to how many organizations address ransomware defense. Let’s look at defending against ransomware and how to leverage technology you likely already own or should acquire. These ingredients need to be part of your defense strategy.

Ransomware is typically the result of exploiting a vulnerability. That vulnerability could be your people, your security tools and general technology. Trying to address every use case will be really difficult for many organizations because data could be within email, mobile devices, servers, SaaS, laptops, IoT and everything in-between. A better approach is performing tabletop exercises targeting common ransomware scenarios and focusing on improving any gaps or weaknesses identified. You will find gaps, but by layering defense capabilities, the likelihood of everything failing will be reduced as you improve different areas through evaluation and adjustments.

Let’s break down general ransomware defense capabilities. First, you have anti-malware / endpoint detection and response tools. These should use a combination of signature, behavior and anomaly detection. If a vendor claims they don’t use signatures, they are probably salespeople that don’t know what they are talking about. Signatures are a good thing. They let a tool match and block a threat rather than waste resources evaluating it. Signatures ALONE are not good, but they are a useful part of not wasting resources. This is a fundamental capability you should have, but it shouldn’t be the ONLY capability. There is no EDR that will automatically block all malware/ransomware and you can’t set and forget these tools, or you WILL get owned. I’ve seen it happen to organizations using the best of the best EDR tools.

A second capability I’ve been preaching about for years is reputation security. This is essentially credit scoring external resources and blocking obvious bad stuff. Reputation security should exist on user systems (anything they try to access, such as websites, should be evaluated before it is permitted), on email (why accept email from a known malicious source?), on servers … everything. A good resource you can use to test this concept is “ihaveabadreputation.com”. If you don’t get a block page, you lack reputation security. I’ve posted about reputation security HERE.

Next, email security tools are needed to detect not only malicious attachments, but also malicious links. Your users are a top target, and ransomware could be the outcome of clicking the wrong link, leading to a system being exploited, passwords being stolen (opening the door for a ransomware infection) or the installation of malware that includes ransomware. A dedicated email security tool is best, but if you can’t afford one, enabling what is available is critical.

Another interesting defense area is encryption defense. Ransomware encrypts your files and holds them hostage using third-party encryption. If you standardize on how encryption occurs on systems, you could by default block any third-party encryption, hence preventing ransomware encryption behavior. Most customers I work with leverage Microsoft BitLocker, which offers the ability to enable “Ransomware Defense” on systems so that only BitLocker is allowed to encrypt files. It’s a nifty free capability for most organizations that can save them from having to leverage backups.

Another area to consider is access control tools. This can be at a tenant, domain, network and resource level. By evaluating and limiting access to only approved behavior, you reduce the chance of a compromise occurring. There are dozens of “zero trust” related guidelines published around how to do this, and the best approach for you will depend on how your business runs. It is important to consider a few key points. First, policy shouldn’t depend on location, meaning remote workers should have the same security as internal workers. Second, controls should consider what runs on systems, what resources they can access and how long access should be granted. Finally, attack vectors need to be considered a different risk than exploiting vulnerabilities. An attack vector here means owning a user account’s privileges and using them to log into other systems. You can have the best security tools in the world; however, if a malicious party gains access to an account that is trusted, they will be authorized to bypass those security tools, leading to a companywide infection. Identity management is critical and must be part of an access control strategy, hence identity management and access control are fundamental concepts for deploying zero trust guidelines. You fail at one, you fail.

Backups are an important topic but need to be considered a last line of defense rather than your primary defense. Any organization that has the mentality of “let ransomware encrypt my data, I can just replace it” doesn’t understand everything involved with the lifecycle of an incident. There are the recovery time objective (how much downtime you can handle), the recovery point objective (the maximum age files can be in the backup), sanitizing impacted systems before recovering data, the risk of continued exploitation and many other factors that can delay a true recovery. Only a tabletop exercise will truly expose what you need for a proper backup recovery plan, which also must include protecting backups from contamination.
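
To make the recovery time and recovery point discussion concrete, here is a small tabletop calculation, added as an illustration and not taken from the original post. The `Backup` class, the `plan_recovery` function and the whole timeline are constructed, and it assumes that any backup taken after the initial compromise, or stored where the compromised account could modify it, is treated as contaminated.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass
class Backup:
    taken_at: datetime
    immutable: bool  # True if the compromised account could not alter this copy

def plan_recovery(backups, compromise_at, offline_at, rpo, rto, sanitize, restore):
    """Tabletop check: which backup is safe to restore, and are RPO/RTO met?"""
    # Assumption: a copy taken at or after the initial compromise, or one the
    # attacker could modify, is treated as contaminated and never restored.
    clean = [b for b in backups if b.taken_at < compromise_at and b.immutable]
    if not clean:
        return {"restore_from": None, "data_loss": None, "downtime": None,
                "rpo_met": False, "rto_met": False}
    best = max(clean, key=lambda b: b.taken_at)
    data_loss = offline_at - best.taken_at   # work created after the clean copy
    downtime = sanitize + restore            # wipe/rebuild first, then restore
    return {"restore_from": best.taken_at, "data_loss": data_loss,
            "downtime": downtime, "rpo_met": data_loss <= rpo,
            "rto_met": downtime <= rto}

# Constructed scenario: nightly 02:00 backups, 1-5 March 2024. The 3 March copy
# sat on a share the compromised account could write to.
SAMPLE_BACKUPS = [Backup(datetime(2024, 3, d, 2, 0), immutable=(d != 3))
                  for d in range(1, 6)]
SAMPLE = dict(
    backups=SAMPLE_BACKUPS,
    compromise_at=datetime(2024, 3, 3, 14, 0),  # first foothold (constructed)
    offline_at=datetime(2024, 3, 5, 9, 0),      # encryption noticed, systems pulled
    rpo=timedelta(hours=24), rto=timedelta(hours=8),
    sanitize=timedelta(hours=6), restore=timedelta(hours=5),
)

if __name__ == "__main__":
    for key, value in plan_recovery(**SAMPLE).items():
        print(f"{key:13} {value}")
```

With nightly backups the recovery point looks like 24 hours on paper, but in this scenario the newest trustworthy copy is more than three days old, and sanitizing before restoring pushes downtime past the 8 hour target.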

In summary, think endpoint defense, reputation security, email defense, encryption defense (if applicable), access control and backups. These are the fundamental ingredients for defending against ransomware. Don’t overcomplicate how these things work. Enable the capabilities and run a tabletop exercise to see if common ransomware scenarios would be successful within your organization. Hope this helps break down building a ransomware defense strategy.
