"How can we prevent ransomware attacks?" We've been hearing this question with new urgency after a string of high-profile ransomware events like the shutdown of Colonial Pipeline made headlines far beyond the security world.
It's not just massive corporations and government agencies that have cause for concern. An August 2021 IDC report makes clear the growing scale of the problem: "More than a third of organizations worldwide have experienced a ransomware attack or breach in the last year."
Average ransom payments during this period approached a quarter of a million dollars, and the data suggests making such payments to criminals offered companies little protection from future ransomware events. Organizations hit once were often the targets of multiple subsequent ransomware attacks — cooperation with bad actors may have encouraged them to try their luck turning the victim into a regular "customer."
This follows the pattern we've seen tracking the evolution of "Ransomware-as-a-Service," in which cybercriminals increasingly employ the tactics of legitimate businesses. Ransomware groups have introduced "multilingual 24/7 support pages, subscription models, affiliate programs, and more." Ransomware is a lucrative industry, predicated on exploiting enterprises large and small for profit. The only real solution, then, is averting ransomware attacks in the first place. But ransomware actors, motivated by the prospect of extravagant payouts, are relentless.
For years, businesses have turned to traditional security solutions such as Security Incident and Event Management (SIEM), Network Detection and Response (NDR), and traditional Antivirus (AV) software for protection. In non-complex environments, such "search and alert" services can work quite well.
In diverse IT environments — a network where users on remote endpoints are accessing the company cloud, for example — detecting ransomware attempts and sending alerts becomes more challenging. Used alone, these legacy tools struggle with sifting through raw data across multiple sources simultaneously. Without a holistic view of all attack surfaces, this fractured approach jeopardizes the ability of such tools to detect ransomware early and with a high degree of confidence.
Get Proactive on Toughening Your Systems
Before you toss out your legacy security solution or hire a third-party provider, there are a few steps you can take to beef up your digital defenses in-house. It's surprising how often these essential measures are overlooked since they're inexpensive and relatively simple.
—Ensure your security technologies are properly configured: Check that your prevention tech has the latest updates installed. As CSO reported last year, "60 percent of breaches involved vulnerabilities for which a patch was available but not applied." Tune the permissions and exceptions of your firewalls to balance intrusion protection against the access needs of your staff. Make sure your SIEM rules are optimized for the event types and triggered responses you want, so the correct alerts are flagged.
—Practice good hygiene: Good cybersecurity habits will help keep your business healthy. Require strong passwords and multifactor authentication on your endpoints. Conduct regular scanning to identify and address vulnerabilities, especially those on internet-facing devices, to limit the attack surfaces most targeted by adversaries. Ensure your AV is updated with the latest known signatures. Make backups regularly. And remember that while extending admin privileges widely may seem like a good way to manage stretched IT resources, it can create more problems than it solves.
—Have a software restriction policy: Ransomware often depends on an executable initiating the encryption process. By limiting which applications can execute on your systems with a Software Restriction Policy (SRP), you can constrain an attacker's ability to act on a given endpoint. Barring unapproved software from your environment is critical — users shouldn't be permitted to download or install any software without written permission from the IT department.
For more on these steps, see our recent white paper, "The Rise of Ransomware-as-a-Service."
Be Ready to React
We're focusing on prevention here, but we'd be remiss not to mention two ways to ensure you're ready to mitigate the damage of successful attacks. Since it's impossible for anyone to be 100% secure, it's also a great idea to do the following:
—Have an incident response plan: Quick, a Trojan is pushing ransomware to your machines! Do you have a team prepped and ready to counter? A coherent response might require coordination with business management, endpoint and network admins, legal, HR, PR, and law enforcement. (You can read more about this in our post "Preparing For A Security Incident: Six Decisions You Must Make.")
—Practice fire drills for worst-case scenarios: Remember scheduled fire alarms at school? Make use of the concept as part of your security training. Consider who will be involved in a real-life security incident, as they should be included in "fire drills" — and then try drills with them excluded, to ensure your plan still functions when they're away. Test regularly, and recommend additional training for users when required.
Harden Your Security Through Managed Detection and Response
Most security tools generate numerous irrelevant alerts, forcing you or other security services to sift through thousands of false alarms to find the true indicators of compromise (IoCs). Managed Detection and Response (MDR) services — especially those employing AI and machine learning — can pinpoint threats that have evaded your defenses across your entire IT environment, from endpoints to the cloud.
By looking at diverse sources of data and multiple variables including user behavioral analysis, MDRs are able to provide their threat hunters with more accurate detections. This means less time spent filtering noise and responding to needless alerts, freeing up security staff for things like proactive threat hunting. And the ability to respond at machine speeds is essential in mitigating the damage of a breach. In the event of a ransomware detection, most MDRs will take automated action on your behalf, quarantining affected devices or users and beginning the process to remediate and recover from the attack.
About the Author
This article is contributed and written by Aaron McIntosh, Director, Product Marketing, at ActZero.ai. He has over 20 years of experience in new product introduction, go-to-market strategy, and business retention and expansion planning.