Ransomware attacks have become a massive problem for almost every industry and every organisation size. In the US, federal officials have called it one of the biggest threats currently facing the nation. During the last year, criminals have attacked schools, shipping agencies, healthcare organisations, medical trials and more. Given the impact these attacks can have on organisations everywhere, security professionals need to secure their systems, networks and software in new ways.
Ransomware is a specific type of malware that holds data hostage in exchange for a ransom. As an attack methodology, it has the potential to cause severe damage. Phishing emails are a common delivery method, but ransomware can also be spread through drive-by downloading, which is when a user visits a website that’s infected. Advanced attacks take seconds to compromise endpoints and ransomware attacks take seconds to damage your systems and infrastructure. That’s why it’s critical to ensure your organisation is prepared. As attacks grow in sophistication, the impact of ransomware goes beyond financial losses and the productivity loss associated with systems going down.
Attempted attacks and data breaches are inevitable and no organisation wants to be forced to decide between paying a ransom and losing important data. Fortunately, those aren’t the only two options. The best option is to keep from being forced into that decision in the first place. This approach requires a layered security model that includes network, endpoint, application and data-centre controls powered by proactive global threat intelligence. With that in mind, here are nine things to consider to give your organisation the best chance of avoiding ransomware attacks.
Email gateway security and sandboxing
Email is one of the most popular attack vectors for threat actors. A secure email gateway solution provides advanced multi-layered protection against the full spectrum of email-borne threats. Sandboxing provides an added layer of protection. Any email that passes the email filter and still contains unknown links, senders, or file types can be tested before it reaches your network or mail server.
Web application security/firewall technology
A web application firewall (WAF) helps protect web applications by filtering and monitoring HTTP traffic to and from a web service. It’s a key security element because it acts as the first line of defence against cyberattacks. As organisations execute new digital initiatives, they often expand the attack surface at the same time. New web applications and application programming interfaces (APIs) can be exposed to dangerous traffic because of web server vulnerabilities, server plugins, or other issues. A WAF helps keep these applications and the content they access secure.
Threat intelligence sharing
Organisations must have real-time actionable intelligence to help mitigate unseen threats such as FortiGuard Labs. Information must be shared between the different security layers and products within your environment to provide a proactive defence. In addition, this information sharing should extend to the broader cybersecurity community outside of your organisation, such as Computer Emergency Response Teams (CERTs), Information Sharing and Analysis Centres (ISACs) and industry coalitions like the Cyber Threat Alliance. Rapid sharing is the best way to respond quickly to attacks and break the cyber kill chain before it mutates or spreads to other systems or organisations.
Protecting endpoint devices
Traditional antivirus technologies don’t always do a good job and as threats continue to evolve, they typically can’t keep up. Organisations need to make sure they are appropriately protecting endpoint devices using an endpoint discovery and response (EDR) solution and other technologies.
In the current threat environment, advanced attacks can take minutes or seconds to compromise endpoints. First-generation EDR tools simply can’t keep up because they require manual triage and responses. Not only are they too slow for today’s lightning-fast threats, but they also generate a massive volume of alarms that burden already overworked cybersecurity teams. Additionally, legacy EDR security tools can drive up the cost of security operations and slow network processes and capabilities, which can have a negative impact on the business.
In contrast, next-generation EDR solutions deliver advanced, real-time threat intelligence, visibility, analysis, management and protection for endpoints – both pre- and post-infection to protect against ransomware. These EDR solutions can detect and defuse potential threats in real time to proactively reduce the attack surface and help prevent malware infection and automate response and remediation procedures with customisable playbooks.
Data backups and incident response
Your organisation should be able to perform backups of all your systems and data and store it off the network. These backups should also be tested to ensure you can properly recover.
Every organisation should have an incident response plan in place, to ensure your business is prepared if you’re hit by a successful ransomware attack. People should have specific tasks assigned ahead of time. For instance, who will you contact for help with forensic analysis? Do you have experts readily available to help you restore systems? You also should be running exercises on a regular basis, with a focus on how you would recover from a ransomware attack.
Zero trust implementation
The zero trust security model assumes that anyone or anything that attempts to connect to the network is a potential threat. This network security philosophy states that no one inside or outside the network should be trusted unless their identification has been thoroughly checked. Zero trust recognises that threats both outside and inside the network are an omnipresent factor. These assumptions inform the thinking of network administrators, compelling them to design stringent, trustless security measures.
With a zero-trust approach, every individual or device that attempts to access the network or application must undergo strict identity verification before access is granted. This verification uses multifactor authentication (MFA) requires users to provide multiple credentials before they are granted access. Zero trust also includes Network Access Control (NAC), which is used to restrict unauthorised users and devices from gaining access to a corporate or private network. It ensures that only users who are authenticated and only devices that are authorised and compliant with security policies can enter the network.
Firewalls and network segmentation
Network segmentation is increasingly important as cloud adoption increases, especially in multi-cloud and hybrid cloud environments. With network segmentation, organisations partition their network according to business need and grant access according to role and current trust status. Every network request is inspected according to the requestor’s current trust status. This is extremely beneficial to prevent lateral movement of threats within the network, if they do in fact get inside the network.
User training and good cyber hygiene are key
Humans need to be at the heart of any cybersecurity strategy. According to the 2021 Verizon Data Breach Investigations Report, 85% of data breaches involve human interaction. You can have all the security solutions in the world, but if you’ve overlooked training your employees in cyber awareness, you’ll never be truly secure. Make sure all your employees receive substantial training on spotting and reporting suspicious cyber activity, maintaining cyber hygiene and securing their personal devices and home networks. Employees should take training when they are hired and periodically throughout their tenure, so the information stays current and top of mind. Training also should be kept updated and include any new security protocols that may need to be implemented.
Educating individuals, especially remote workers, on how to maintain cyber distance, stay wary of suspicious requests and implement basic security tools and protocols can help CISOs build a baseline of defence at the most vulnerable edge of their network and help keep critical digital resources secure.
Organisations also need to practice good basic cyber hygiene to ensure all systems are properly updated and patched.
Organisations also should be aware of deception technology. Although it’s not a primary cybersecurity strategy, deception solutions can help protect systems if, despite all the other cybersecurity strategies you have in place, the bad actors still find a way in.
With deception technology, decoys mimic the actual servers, applications and data so that bad actors are tricked into believing they have infiltrated and gained access to the enterprise’s most important assets when in reality, they haven’t. This approach can be used to minimise damage and protect an organisation’s true assets. In addition, deception technology can accelerate the average time to discover and address threats.
Ransomware attacks are everywhere. Company size and industry no longer matter as criminals search for an easy entry point into the network. The global shift to remote work has opened many security backdoors for bad actors to exploit and they are making the most of their moment. According to the Fortinet Global Threat Landscape Report, by the end of 2020, there were as many as 17,200 devices reporting ransomware each day.
Yet organisations are hardly helpless. They may need to do some rethinking and reorganising, but tools are available that can provide significant protection against ransomware attacks. Evaluate these nine recommendations and consider what you might need to do differently to give your organisation the best possible chance of defeating this significant threat.
By Renee Tarun, Deputy CISO/Vice President Information Security, Fortinet