How to stop ransomware in its tracks

March 31, 2021
Dania Ben Peretz
Product Manager
Stop ransomware in its tracks.

Yes, it’s possible.

But the time to prepare is now — before it strikes.

In this session, security expert Dania Ben Peretz will demonstrate what to do if your network is infected by ransomware. She will show how to prepare a ransomware playbook, using the existing capabilities of network security policy management tools, so you can handle a ransomware incident as it happens.

Join us and learn:

  • The dangers of ransomware
  • How to prepare the playbook
  • How to stop ransomware when it strikes
Relevant Resources
Fighting Ransomware – CTO Roundtable Insights

Yitzy Tannenbaum sits down with AlgoSec CTO Avishai Wool and Guardicore CTO Ariel Zeitlin to discuss the role of micro-segmentation in the fight against cybercriminals.

I recently had the pleasure of moderating a virtual panel with AlgoSec co-founder and CTO, Avishai Wool, and Guardicore CTO, Ariel Zeitlin, in which the two industry leaders discussed how organizations can fight ransomware using micro-segmentation.

According to recent survey figures, more than 60% of organizations claim not to have experienced a cyber-attack, but another 40% said they have experienced a significant number of breaches in the past two years alone. During the session I asked both panelists about these two extremes, and whether or not they thought the COVID-19 pandemic had been a contributing factor.

Impact of COVID-19 on ransomware attacks

Avishai began by talking about AlgoSec’s experience of its own customers being targeted more in recent years. He made the point that cybercriminals are opportunists, and once they have discovered a vulnerability or found a tactic that works, they’re likely to keep repeating it. There are frameworks out there which allow bad actors to mount quite sophisticated attacks without much technical knowledge, making cybercrime easier and more lucrative than ever before. The number of potential targets is also growing as COVID-19 has pushed businesses further online.

Ariel then highlighted the speed at which businesses had been forced to move to remote working in 2020, and that there wasn’t time to put proper security strategies in place. He said that employees were the number one access point for bad actors, and the move to agile working just made them even more vulnerable.

Ariel went on to talk about the move towards reconnaissance and how bad actors would typically choose their targets based on the amount of business-critical or sensitive information they were likely to have. However, he did warn that smaller enterprises shouldn’t become complacent in thinking they are “too small” to be targeted. Ransomware is far too easy to monetize in 2020, so everybody is a target. Ariel also discussed the trend of lateral attacks and exfiltrating small amounts of data at a time, creating a lever to continuously ask for ransom payments.

Avishai picked up on Ariel’s comments and highlighted the emphasis on the lateral movement of attackers. Traditionally, a ransomware attack may have been confined to one computer or one very small network. Today, however, the first infection could be an employee working at home who opens the wrong email. That infection could then spread laterally throughout the entire organization, making it much harder to defend against, quarantine or eradicate. I asked Avishai what steps could be taken to prevent the lateral spread of something like a ransomware attack, and he talked about the importance of backups, access controls and quality staff training.

Minimizing loss with micro-segmentation

When asked about the first steps an organization should take if they’ve experienced a ransomware attack, Ariel explained how the number one priority should be to contain and stop the spread of the virus, saving whatever can be saved. Start using backups, disallow access to servers, and block SNP ports all over the network to contain the attack. Then it becomes an investigation: finding out what happened with whatever tools are available, ideally with a rapid response team. Avishai then talked about the advantages of segmenting an overall network into pieces to help with diagnostics and containment.

While traditional firewalls can offer some high-level segmentation, it’s not really feasible to deploy multiple firewalls to create smaller segments. Thankfully, that’s not much of a concern nowadays, since all leading public cloud vendors already include network filtering which gives businesses incredible levels of control over their network. However, Avishai went on, the real problem organizations face when it comes to micro-segmentation isn’t a lack of technological capability, it is a lack of policy and strategy.

In Avishai’s experience, this is a huge knowledge gap for many businesses. Ariel reinforced this, adding that policies aren’t static and change over time, often hundreds of times per week in larger organizations.

While vendors can provide the ability to create micro-segments, it’s down to organizations themselves to write the policy rules around what kind of traffic to allow through each segment. To hear more thoughts on micro-segmentation from Avishai and Ariel, including how to write effective micro-segmentation filtering policies both inside and outside of the data center, you can watch the recorded discussion here.

Ransomware Attack: Best practices to help organizations proactively prevent, contain and respond

One of the biggest concerns for information security professionals and business executives right now is ransomware attacks. This has prompted many organizations to urgently assess what they need to do to contain and limit their exposure to this threat. Presented by renowned industry expert Prof. Avishai Wool, this new technical webinar will provide some best practices and tips to help organizations prevent, contain and respond to a ransomware attack. In this webinar Professor Wool will discuss:

  • The different methods used by cyber criminals to penetrate the network security perimeter
  • Best practices for reducing cyber criminals’ lateral movements across the network
  • How to augment incident triage with critical business context to assess the severity, risk and potential business impact of an attack
  • Prioritizing incident remediation efforts based on business risk, and neutralizing impacted systems through zero-touch automation
  • The impact of a ransomware attack on regulatory compliance

Reducing your risk of ransomware attacks

Tim Bloomer, a Sales Engineer at AlgoSec, discusses the basic security principles organizations should use to minimize the risk of cyber attacks.

Recently I’ve been reading numerous articles and hearing about ransomware attacks from my technical colleagues. Ransomware basically locks users out of their devices until companies pay a given amount of money, which is a serious problem. While it is not a new attack, the methods continue to change. The common question I’m asked by the companies I talk with is, “What are the best practices for dealing with ransomware, and how can we stop it from hitting our company?”

In order to find a solution for stopping ransomware, we first have to understand the methods used to gain access to your company computers/users. The most popular ones are:

  • Phishing Emails – This is where the attacker tries to trick users into clicking on a link or opening an infected attachment.
  • Remote Desktop Protocol – This is where companies have this protocol open so IT can service employees’ computers by connecting to them.
  • Drive-By Downloads from Compromised Websites – When ransomware is downloaded by the user visiting an infected website; users usually are not even aware of what just happened.
  • USB & Removable Media – This is when a user inserts the USB or removable media into their computer. There are several reasons for this, like getting a given piece of software installed, transferring files that were supposed to be there, or simple curiosity.

Best practice security principles

Now that you understand a bit more about how ransomware is initiated, let’s look at how we can stop it from hitting our companies, and the best practices for doing so. This is not something where you buy a given solution off the shelf and all your worries are over. This is about adopting a true defense-in-depth methodology and using solutions that work in tandem with one another. I believe that you should never put all your eggs in one basket. The best practice should be building a network of products that work together to offer automated intelligence and are able to react quickly to whatever is playing out on the company networks.

You need a combination of EDR, IDS/IPS, SIEM, SOAR, and our ASMS to have a well-defined solution. They all have a unique role in helping security engineers to make the right choice at the right time with the right information. This really allows your SOC team to have visibility and react accordingly. When you utilize multiple solutions, you gain the benefits of knowing that you are covered from multiple angles and have more confidence that the data is accurate and you can act upon it. Without this approach you are basically watching the front door of your house believing it to be the only way anybody can get into your house, forgetting to check the windows and the back door. So why would you do so on the company network?

This is all relevant for overall security, but when people are asking me about best practices, they are usually referring to their firewalls. So, how do you set up your firewalls to protect your environment? It really comes down to the basics.

Building your security wall

Firewalls are designed to block all traffic except for traffic that has been explicitly allowed by the firewall rules. But over time, they get bloated with extra “stuff” that has been placed in there over the years. So, here are my recommendations for managing your firewalls:

  • Remove the clutter from the firewalls – Over time your firewall has probably had numerous admins, and we all know that everyone manages devices differently, from naming conventions for objects to just adding rules to the bottom of the firewall rule base. Get rid of duplicate objects and remove unused rules too. Keep in mind, you need to have a solid audit trail for all this too. You want to have a good checks and balances process in place.
  • Validate the rules on an ongoing basis – Just because you added a rule to a firewall six months or two years ago doesn’t mean it’s still being used or still needed. You should have a process for recertifying your rule base on an ongoing basis, just as if it was another change request. Doing so would prevent having to “shut down” changes while you recertify the entire rule base. Doing this as an ongoing process ensures your team is still meeting or exceeding your customer expectations.
  • Remove objects that are not routed through that firewall – Oftentimes you’ll see a change request added to every firewall in the path simply because the admins do not have the time or the automation to do it correctly. Just because traffic was requested doesn’t always mean the firewall in the path needs to have the rule added. A good automated system will evaluate firewall change requests for each firewall and make sure “noise” isn’t added to firewalls.
  • Establish a change procedure – You should have a change procedure in place that provides full documentation on why it’s needed and the full audit trail on what and who has taken action on that change procedure. All teams need to be involved and embrace this process, such as DevOps, Cloud Teams, Network Teams, & especially Security teams. Leaving anyone out of this process leaves gaps in your security posture and no way to audit it.

I have to say, though, there is one phrase that I learned long ago that has stuck with me. That is, “more than half the time, attackers are insiders” and this seems to still hold true today.

The basic recommendations I’ve shared are a minimum of what needs to happen in an organization. Is this a complete list? Absolutely not. But it is at the core of what every company should adopt and add their business practices to.

Once you have the basic principles in place, you can further tighten your security posture by introducing micro-segmentation. This allows you to reduce the attack surface and stop lateral movement across your network to minimize any damage caused by ransomware attacks and insider threats. Read more about the benefits of thinking small in network security here.
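One way to automate the rule-base hygiene checks listed above, as an added example that is neither AlgoSec's nor the author's code: it audits a constructed rule set for duplicate objects, rules unused past a recertification window, rules whose traffic never crosses this firewall (a simplified path model that assumes traffic is in path only if source or destination lies in a network attached to the firewall), and rules with no change-ticket reference for the audit trail. All networks, object names, rules and ticket numbers are constructed sample data.

```python
"""Firewall rule-base hygiene audit: an added, constructed example (not AlgoSec code).
Flags duplicate objects, rules unused past the recertification window, rules whose
traffic never crosses this firewall (simplified: src or dst must lie in an attached
network), and rules lacking a change-ticket reference for the audit trail."""
from datetime import date
import ipaddress
# Constructed sample: networks attached to this firewall's interfaces.
ATTACHED = [ipaddress.ip_network(n) for n in ("10.10.0.0/16", "192.168.50.0/24")]

# Constructed network objects (name -> CIDR); two names share one value.
OBJECTS = {
    "web-servers": "10.10.1.0/24",
    "WebSrv_Net": "10.10.1.0/24",   # duplicate of web-servers under another name
    "branch-lan": "172.16.4.0/24",
    "db-servers": "192.168.50.0/24",
    "partner-dc": "203.0.113.0/24",
}

# Constructed rules: (name, src_object, dst_object, service, last_hit, change_ticket)
RULES = [
    ("allow-web-to-db", "web-servers", "db-servers", "tcp/5432", date(2021, 3, 20), "CHG-1041"),
    ("legacy-ftp", "branch-lan", "web-servers", "tcp/21", date(2019, 6, 2), "CHG-0212"),
    ("partner-backup", "branch-lan", "partner-dc", "tcp/22", date(2021, 3, 1), "CHG-0987"),
    ("temp-rdp", "WebSrv_Net", "db-servers", "tcp/3389", date(2021, 2, 14), None),
]

def duplicate_objects(objects):
    """Groups of object names that resolve to the same network (clutter to merge)."""
    by_value = {}
    for name, cidr in objects.items():
        by_value.setdefault(ipaddress.ip_network(cidr), []).append(name)
    return [sorted(names) for names in by_value.values() if len(names) > 1]

def in_path(cidr, attached):
    # True when the network lies inside one attached to this firewall.
    return any(ipaddress.ip_network(cidr).subnet_of(a) for a in attached)

def audit(rules, objects, attached, today, recert_days=365):
    """Return {rule_name: [finding, ...]} for every rule that needs attention."""
    findings = {}
    for name, src, dst, _svc, last_hit, ticket in rules:
        issues = []
        if (today - last_hit).days > recert_days:
            issues.append("unused: recertify or remove")
        if not (in_path(objects[src], attached) or in_path(objects[dst], attached)):
            issues.append("not in path: traffic never crosses this firewall")
        if ticket is None:
            issues.append("no change ticket: audit trail missing")
        if issues:
            findings[name] = issues
    return findings
```

Running `audit(RULES, OBJECTS, ATTACHED, date(2021, 3, 31))` flags three of the four sample rules, each for a different reason, while the rule that is current, in path and ticketed passes clean.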