How secure is your organization from uncovering the unknown?
Ransomware has been the buzzword for the past 2 years, and yet in my experience many organizations still struggle to tackle this issue. After numerous encounters with sophisticated attacks and conducting training and awareness about this issue, it was time to list industry best practices for tackling this menace. The attacks are getting more sophisticated with time, and organizations need to evolve a more robust, multi-tiered cyber defense to ensure a resilient environment.
First, let’s clear the air: when ransomware strikes, it is not the systems team or the network team that is to blame, nor the overall incapability of IT as a whole. Cyber security is a boardroom topic, especially after the WannaCry attack last year that affected organizations globally. When an organization is going through a cyber-attack, the foremost thing is to respond during the crisis and to have an effective incident management system in place. The team can later do the postmortem and come up with the exact details of the attack and the possible ways to tackle such attacks, or ones of even greater severity, through scenario planning exercises with the BCP and DR team.
There are many families of ransomware and malware, and new variants of them are released frequently. It’s practically impossible to keep track of them all, so we need a baseline industry best-practice guideline to protect our organization from such devastating attacks.
Perimeter Defense
Let’s start with the gateway defense, or the perimeter, and then work inward through the network towards the endpoints. The most vital step in any malware defense, be it ransomware or anything else, is to reduce the attack surface and make it difficult for the hacker to break into the network. Astonishingly, more than 90% of attacks take place through phishing email campaigns, and this figure hasn’t changed over a couple of years. It’s essential for security team members to educate the senior leadership team and take corrective actions. Most organizations do invest in an NG firewall alongside sandboxing capabilities.
I would strongly recommend having a dedicated IPS (intrusion prevention system), securing the ports that are open, and reviewing port forwarding policies and rules. After that, go the extra mile to ensure RDP is blocked, and apply rules to monitor network traffic round the clock.
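One way to run the port-forwarding review and RDP check recommended above, as an added example that is not part of the original article: it flags every rule that reaches TCP 3389 on an internal host, including rules that hide RDP behind a remapped external port or inside a port range. The rule layout, rule names, addresses and the trusted VPN range are all assumptions made for illustration.

```python
import ipaddress

RDP_PORT = 3389
# Assumption: the only network allowed to reach RDP is a management VPN range.
TRUSTED_SOURCES = [ipaddress.ip_network("10.8.0.0/24")]

# Constructed sample export. Hypothetical layout per line:
# name, allowed source CIDR, external port(s), internal host, internal port(s)
SAMPLE_RULES = """\
web-https,0.0.0.0/0,443,10.0.1.10,443
rdp-direct,0.0.0.0/0,3389,10.0.2.15,3389
rdp-remapped,0.0.0.0/0,33890,10.0.2.16,3389
vendor-range,0.0.0.0/0,3000-4000,10.0.3.20,3000-4000
rdp-from-vpn,10.8.0.0/24,3389,10.0.2.15,3389
"""


def parse_ports(spec):
    """Turn '443' or '3000-4000' into an inclusive (low, high) pair."""
    low, _, high = spec.partition("-")
    low, high = int(low), int(high or low)
    if not 0 < low <= high <= 65535:
        raise ValueError(f"bad port spec: {spec!r}")
    return low, high


def review_rules(text):
    """Return (rule name, action, reason) for every rule that forwards to RDP."""
    findings = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        name, src, ext, host, internal = (f.strip() for f in line.split(","))
        low, high = parse_ports(internal)
        if not low <= RDP_PORT <= high:
            continue  # rule does not reach the RDP port on the internal host
        source = ipaddress.ip_network(src, strict=False)
        trusted = any(source.subnet_of(net) for net in TRUSTED_SOURCES)
        action = "review" if trusted else "block"
        reason = f"{src} -> {host}:{internal} (external port {ext})"
        findings.append((name, action, reason))
    return findings


if __name__ == "__main__":
    for name, action, reason in review_rules(SAMPLE_RULES):
        print(f"{action.upper():6} {name}: {reason}")
```

The check keys on the internal port rather than the external one, so a rule published on port 33890 is still reported when it lands on 3389.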
Web & Email Gateway
It is extremely important to filter the traffic coming into your organization. As per industry stats, more than 90% of breaches and ransomware attacks take place through phishing, which is the most common method. We have several times in the past seen ransomware delivered as PDF or Microsoft executable files attached to emails in the form of a resume, invoice, PO, etc., targeting different business units. Hence organizations need dedicated email and web security to ensure incoming traffic is monitored for suspicious activity. Block auto-downloads from the web, strip email attachments, and run multi-layered email security checks before messages hit the user’s inbox.
Segmenting LAN
The most difficult part of stopping ransomware is making changes to your current infrastructure. We have usually seen that ransomware spreads laterally once it gains entry into the network. Organizations that have a flat topology usually have a tough time stopping such attacks. With the demands of the cyber security landscape changing, organizations need to segment their LAN and connect the segments through a firewall to block lateral movement.
Patch Management
Patching is one of the most discussed topics in all organizations. Several organizations have dedicated teams for patching their endpoints and servers. Yet in internal discussions we still find that servers are not patched completely, that patching has been delayed at some other site, or that there are various operational issues.
I have deliberately used the term Patch Management, and here I would like to highlight its entire lifecycle: identifying a vulnerability (discussed in more detail below), testing the patch, implementing it, and then monitoring performance in the production environment. This entire lifecycle is what I see missing in many organizations, and hence the project is never a success when implemented. The patch management lifecycle, along with policies and procedures, should be reviewed periodically.
Many organizations do use dedicated products that offer vulnerability protection. This can be used as a stopgap arrangement to ensure vulnerabilities can’t be exploited until they are patched.
One other key point is that we patch our endpoints and servers but still live with vulnerable legacy applications. When it comes to patch management, it is necessary to ensure that applications too are fully updated and patched. If this is not adhered to, it should be identified as a major risk in the internal audit and highlighted to senior management.
Admin Rights, Secure Macros and Application Control
In my opinion and practice, I have observed that this is one of the most tried and tested strategies for blocking the lateral movement of most malware, and especially ransomware. Ransomware and most malware usually spread by leveraging the user’s privileges. If the user has administrator privileges, then the potential threat is that every file accessible to an administrator can be infected. Hence, if the user has only standard user rights, the infection can usually be contained to the local drive. It is also very important to keep network shares in read-only mode, else the damage can spread to the network shares as well. As a best practice, it’s vital to keep network shares separate for each business unit to ensure the infection is contained.
Macro-based ransomware (WannaCry being an exception) is something we shall cover to a certain extent in the EDR section, although newer versions of Microsoft Office contain it to a great extent. The ideal scenario is to allow only digitally signed macros, an option found within the Trust Center settings; this stops all macros without a valid certificate from executing.
We talked about the patch management lifecycle earlier, but one important fact is that we can’t patch zero-day or zero-hour threats, and the same holds if one is running a legacy application that has not been patched. In such scenarios the usual security instinct is: what can’t be patched shall be blocked. Application control can whitelist the legitimate applications used within the organization. Users then can’t download unauthorized apps, which could be a risk and might hamper productivity in terms of desktop stability, or breach the licensing agreement and compliance. Hence with application control organizations can reduce risk and enhance productivity.
Endpoint Security
It is extremely important for organizations to change their mindset of treating endpoint security as just an antivirus. Basic detection features with machine learning capabilities, behavior monitoring and sandboxing at the endpoint level are usual these days. Organizations that do not have such technology in place need to implement it at the earliest. Today, endpoint security in large organizations is evolving into a managed security service model that caters to endpoint detection and response, with malware analysts working alongside to ensure remediation. A proactive approach is required: deep visibility and malware hunting across the endpoint network, threat intelligence gathering, coordination with the NOC team, disconnecting infected endpoints from the network, etc.
It is critical for smaller organizations to at least check their endpoint security dashboards regularly, if not daily. They should align their policies accordingly and present this report to management monthly to ensure visibility and approvals, if required, at any given point in time.
Backup and DR
We have seen several organizations paying ransom because either they did not have a backup in place or the backup was also infected by the ransomware. It is critical to have a well-defined backup and DR policy in place. The process should be well documented and tested at regular intervals to ensure all critical data is backed up and available in case of disaster. One important point to remember is that if the backup is running on the production network or the same VLAN, we need to change that, else it will be rendered ineffective as it too will fall victim to the ransomware.
DR policy needs to be holistic and not just limited to IT infrastructure. It is essential to include the RPO (recovery point objective) and RTO (recovery time objective) in the DR plan by involving stakeholders and deciding the acceptable RPO and RTO for the organization. The DR plan should be tested thoroughly to verify that the objectives and timelines are met as expected. Should there be a need to make amendments, they should be documented and tested during the next DR exercise.
Vulnerability Management and Pen Test
VAPT is one of the vital aspects of a proactive approach towards a cyber resilient organization. We have noticed on several occasions that there is some misunderstanding about the difference between vulnerability assessment and penetration testing. Vulnerability scans are done to identify the existing vulnerabilities within the current infrastructure, while penetration testing actively exploits known vulnerabilities. A pen test requires a different level of expertise and skill set to successfully breach the network, while a vulnerability scan can be automated using several tools. It’s important for organizations to scan their entire network regularly to identify systems that are not patched, missing certificates and services, outdated protocols, or any rogue or new devices within the network. Ideally there should be at least a monthly scan, with the report reviewed with senior management to identify key risks.
The pen test exercise should be based on the key risks identified during the vulnerability scan. Ideally it should be done twice a year, but more organizations tend to conduct this exercise once a year due to paucity of time. The most important aspect while conducting a pen test is to also include a red teaming exercise to ensure the completeness of the exercise. While red teaming might take more time than a pen test, it also identifies lacunae within the organization by exploiting social engineering and physical and logical access: piggybacking, tailgating, eavesdropping, dumpster diving, etc. Usually a red teaming exercise is performed by organizations that have a mature cyber security framework.
Training, User Awareness and Sustenance
A holistic approach towards cyber security is a close-knit integration of people, process and technology. After all the possible tweaks in processes and technology implementation, it’s imperative to educate employees about the cyber threats that are prevalent for the organization. A recent survey of small and mid-sized businesses last year revealed that 54% of respondents named negligent employees as the root cause of data breaches. A focused approach with a sound training policy, calendar and employee certifications is a must. Several organizations do conduct a security awareness week, which is a noble initiative too.
Sustenance is the key to preserving all the hard work done so far in educating end users, creating policies and procedures, etc. It’s important to do regular updates aligned to present-day threats, create dashboards for the leadership team, form a risk committee and ingrain risk in the DNA of the organization.
As we understand, a holistic approach towards a cyber resilient environment is the need of the hour for protecting your organization from zero-day threats and ransomware/malware. Hence the onus is on cyber security professionals to drive this change alongside business leaders. Unfortunately, there is no magic wand, easy tool or single strategy for safeguarding your organization; one needs to try and test the above-mentioned recommendations to reduce the threat surface and ensure a cyber resilient environment.