Arctic Wolf Networks

Responding to Ransomware: Time Is of the Essence

Ransomware is nothing short of a cyber pestilence. Its financial impact in 2017 is estimated at around $5 billion globally. This represents a 1,400 percent increase over 2016, according to The Hill. And 2018 is off to an equally inauspicious start. The March SamSam infection that crippled Atlanta’s IT infrastructure and caused $2.7 million in damages is fresh in our minds. So are the attacks against the Hancock Health Hospital, Colorado’s Department of Transportation and many others.

The $5 billion question, then, is how do you stop ransomware? The answer: better threat detection and incident response capabilities.

In part one of this five-part series about responding to the most pernicious cyber threats, we explain why defenders need to increase their focus on timely detection and swift, decisive incident response (not just prevention) to effectively combat ransomware.

How Ransomware Beats Perimeter Defenses

Too much faith has been placed in firewalls, intrusion detection systems, and other perimeter defenses to stop ransomware. The idea of keeping the bad guys at the gates is enticing, but it’s also a pipe dream. Stopping ransomware and other malware at the network boundaries fails for three reasons:

  1. Social engineering: What good is a fortress when your employees hand over the keys to the enemy? Social engineering tactics, such as phishing emails, are the most common mechanisms for spreading ransomware. Unsuspecting users are frequently manipulated into opening links or downloading files from unknown senders or contacts who have had their accounts compromised. A ransomware infection follows.
  2. Fileless ransomware: Hackers now use fileless tactics, exploiting features that are native to legitimate applications such as Excel. For example, a seemingly innocuous spreadsheet might have an embedded macro that automatically runs ransomware scripts. Even organizations that are diligent about using next-generation firewalls and application whitelists will miss these “zero-footprint” attacks.
  3. Lateral movement: Most importantly, preventative cybersecurity is useless against an infection that’s already on the network. Ransomware typically enters through a single compromised system (e.g. a user endpoint such as a desktop, or an exposed Internet-facing server). It then sends a message to a command-and-control (C2) server, at which point, it will be commanded to encrypt specific file types that may contain sensitive business data. Once this process is set in motion, all bets are off.

Arctic Wolf Networks has confirmed that it takes, on average, three seconds from the time ransomware executes to begin encrypting victims’ data. So, response time is critical when working to prevent a business-crippling attack.

Ransomware can spread to infect any drive that a compromised endpoint has access to.

The Steps to Detection

The first step to detecting ransomware is to aggregate log data from all your network devices, security solutions and SaaS applications for deep analysis.

Unfortunately, alert fatigue is a common problem, born of many false positives triggered by existing security tools. While malware with known signatures will be caught in perimeter defenses, new strains of malware or suspicious file traffic might trigger an alert. There may be billions of daily network events, and thousands of potentially harmful alerts. Businesses need a way to centrally manage all of these alerts and cross-correlate them to determine which to investigate.

The second step, for well-masked threats that bypass your initial defenses, is being able to spot suspicious C2 traffic.

Most forms of ransomware “call home” to a server before they begin encrypting files. Presuming you perform continuous threat monitoring (24/7/365) using machine learning-based threat hunting techniques employed by a human security analyst, suspicious C2 traffic isn’t difficult to detect.

Coordinating Effective IR

Threats that are snagged by the first lines of defense are easy enough to block. However, once an endpoint is infected, IR needs to be swift and precise.

An infected endpoint must be quarantined the moment C2 traffic is detected. Otherwise, the ransomware can move laterally to infect any accessible drives. Clearly then, responding to ransomware is a race against the clock. One lapse in vigilance can turn an ordinary day into a Kafkaesque scenario.
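
The two detection steps and the quarantine rule above, sketched as an added example (not Arctic Wolf's code): alerts from several log sources are grouped per host, a host with a C2 alert is marked for quarantine immediately, and any other host is escalated only when independent sources agree within a short window. The alert tuples, source names, alert kinds and the five-minute window are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample alerts, already normalized to
# (timestamp, log source, host, alert kind). All values are made up.
ALERTS = [
    ("2018-04-02T09:14:58", "email-gateway", "ws-041", "macro_attachment"),
    ("2018-04-02T09:15:01", "firewall",      "ws-041", "c2_beacon"),
    ("2018-04-02T09:15:03", "endpoint",      "ws-041", "mass_file_rename"),
    ("2018-04-02T09:20:00", "firewall",      "ws-007", "port_scan"),
    ("2018-04-02T11:02:10", "email-gateway", "ws-113", "macro_attachment"),
    ("2018-04-02T11:03:30", "endpoint",      "ws-113", "av_heuristic"),
    ("2018-04-02T08:00:00", "firewall",      "ws-020", "port_scan"),
    ("2018-04-02T15:00:00", "endpoint",      "ws-020", "av_heuristic"),
]

def triage(alerts, window=timedelta(minutes=5)):
    """Return {host: action}; action is quarantine, investigate or queue."""
    by_host = defaultdict(list)
    for ts, source, host, kind in alerts:
        by_host[host].append((datetime.fromisoformat(ts), source, kind))

    actions = {}
    for host, events in by_host.items():
        events.sort()
        # C2 traffic alone is enough to isolate the host: no waiting for
        # corroboration, because encryption may start within seconds.
        if any(kind == "c2_beacon" for _, _, kind in events):
            actions[host] = "quarantine"
            continue
        # Otherwise slide a window over the host's alerts and count how
        # many distinct sources fired inside it.
        best, start = 0, 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1
            sources = {src for _, src, _ in events[start:end + 1]}
            best = max(best, len(sources))
        # Agreement between independent sources cuts false positives;
        # a lone alert stays in the low-priority queue.
        actions[host] = "investigate" if best >= 2 else "queue"
    return actions

if __name__ == "__main__":
    for host, action in sorted(triage(ALERTS).items()):
        print(host, action)
```
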

Once the infected endpoint is quarantined and further forensics are conducted to ensure that the ransomware has been contained, damage control can begin. At this point, the compromised endpoint can be reimaged, and file backups can be restored.

Acquiring the Resources for Detection and Response

The NIST Cybersecurity Framework has five parts: Identify, Protect, Detect, Respond and Recover. Clearly, the “detect” and “respond” aspects are especially important in combating ransomware. However, they’re also the more challenging components of NIST’s framework, especially for small and medium-sized enterprises that may not have the resources or the expertise to perform continuous monitoring.

That said, SMEs have another option: Managed detection and response (MDR). This managed security model supplies SMEs with a team of dedicated security engineers that performs continuous threat monitoring and supplies IR services. There is no more effective way for SMEs to combat ransomware than with timely detection and decisive IR – MDR provides both and is available as a predictable monthly expense.