Reducing your risk of ransomware attacks

Tim Bloomer, a Sales Engineer at AlgoSec, discusses the basic security principles organizations should use to minimize risk of cyber attacks 

Recently I’ve been reading numerous articles and hearing about Ransomware attacks from my technical colleagues.  Ransomware basically locks users out of their devices until companies pay a given amount of money, which is a serious problem. While it is not a new attack, the methods continue to change. The common question I’m asked from the companies I talk with is, “What’s the best practices for dealing with ransomware, and how can we stop it from hitting our company?” 

In order to find a solution for stopping ransomware, we first have to understand the methods used to gain access to your company computers/users. The most popular ones are: 

• Phishing Emails – This is where the attacker tries to trick users into clicking on a link or opening an infected attachment. 
• Remote Desktop Protocol – This is where companies have this protocol open so IT can service employees’ computers by connecting to them. 
• Drive-By Downloads from Compromised Websites – When ransomware is downloaded by the user visiting an infected website; users usually are not even aware of what just happened. 
• USB & Removable Media – This is when a user inserts the USB or removable media into their computer. There are several reasons for this like getting a given software installed, transferring files that were supposed to be there, or simple curiosity. 

Best practice security principles 

Now that you understand a bit more on how ransomware is initiated, let’s look at how we can stop it from hitting our companies, and the best practices for doing so. 

This is not something where you buy a given solution off the shelf and all your worries are over.  This is about adopting a true defense-in-depth methodology and using solutions that work in tandem with one another. I believe that you should never put all your eggs in one basket. The best practice should be building a network of products that work together to offer automated intelligence and are able to react quickly to whatever is playing out on the company networks.  You need a combination of EDR, IDS/IPS, SIEM, SOAR, and our ASMS to have a well-defined solution. They all have a unique role in helping security engineers to make the right choice at the right time with the right information.  This really allows your SOC team to have visibility and react accordingly. 

When you utilize multiple solutions, you gain the benefits of knowing that you are covered from multiple angles and have more confidence that the data is accurate, and you can act upon it.  Without this approach you are basically watching the front door of your house believing it to be the only way anybody can get into your house, forgetting to check windows and the backdoor. So why would you do so on the company network? 

This is all relevant for overall security, but when people are asking me about best practices, they are usually referring to their firewalls.  So, how do you setup your firewalls to protect your environment? It really comes down to the basics.  

Building your security wall  

Firewalls are designed to block all traffic except for traffic that has been explicitly allowed by the firewall rules.  But over time, they get bloated with extra “stuff” that has been placed in there over years.  So, here are my recommendations for managing your firewalls: 

• Remove the clutter from the firewalls – Over time your firewall probably has had numerous admins and we all know that everyone manages devices differently.  From naming conventions such as objects to just adding rules to the bottom of the firewall rule base. Get rid of duplicate objects and remove unused rules too.  Keep in mind, you need to have a solid audit trail for all this too. You want to have a good checks and balances process in place. 
• Validate the rules on an ongoing basis – Just because you added a rule to a firewall six months or two years ago doesn’t mean it’s still being used or still needed.  You should have a process for recertifying your rule base on an ongoing basis, just as if it was another change request.  Doing so would prevent having to “shut down” changes while you recertify the entire rule base.  Doing this on an ongoing process ensures your team is still meeting or exceeding your customer expectations. 
• Remove Objects that are not routed through that firewall – Often times you’ll see a change request added to every firewall in the path simply because the admin do not have time or the automation to do it correctly. Just because traffic was requested doesn’t always mean the firewall in the path needs to have the rule added.  A good automated system will evaluate firewall change request for each firewall and make sure “noise” isn’t added to firewalls. 
• Establish a change procedure – You should have a change procedure in place that provides full documentation on why it’s needed and the full audit trail on what and who has taken action on that change procedure.  All teams need to be involved and embrace this process, such has DevOps, Cloud Teams, Network Teams, & especially Security teams.  Leaving anyone out of this process leaves gaps in your security posture and no way to audit it. 

I have to say, though, there is one phrase that I learned long ago that has stuck with me.  That is, “more than half the time, attackers are insiders” and this seems to still hold true today.  

The basic recommendations I’ve shared are a minimum of what needs to happen in an organization. Is this a complete list? Absolutely not. But it is at the core of what every company should adopt and add their business practices to.  

Once you have the basic principles in place, you can further tighten your security posture by introducing micro-segmentation. This allows you to reduce the attack surface and stop lateral movement across your network to minimize any damage caused by ransomware attacks and insider threats. Read more about the benefits of thinking small in network security here.