With any ransomware attack or security event, there’s going to be a before, a during, and an after. To understand how to protect your organization at each phase is to understand how an attack unfolds.
In this article I’ll start with the before of an attack and discuss what you should do and have in place to ensure you’re closing the gaps that create vulnerabilities and in-roads for attackers.
What Happens Leading Up to an Attack?
Typically, before an attack happens or a breach occurs, a few things will transpire:
- Attackers will perform reconnaissance on their target. They will learn if you have cybersecurity insurance, where from, and how much it’s for. They’ll assess your critical operations and supply chain to determine where an attack can do the worst damage.
- Attackers launch a campaign. This usually happens via email, tricking you into installing a small piece of software that will “phone home” and serve as a door into the target environment.
- Attackers then “dwell” in the environment. Once in, they slowly gather intelligence about your environment; this is referred to as “dwelling.” They scan and map the target network and propagate to local and cloud systems, mapped and unmapped alike. While dwelling, the attacker creates additional backdoors on multiple systems for future access, to be exploited by that attacker in a secondary attack or sold to another attacker. They may linger undetected and wait for the worst possible time (for you) to deploy their ransomware payload.
That period of time leading up to the attacker breaking in with credentials is when minutes count the most. What can you do to respond quickly and prevent a successful attack?
5 Ways to Close Security Gaps Before an Attack
These 5 things are critical to helping you proactively bolster your defenses and quickly respond to an attack:
1. Perform good data hygiene on systems. (Patch management is key.)
Unsupported operating systems and unpatched software open the door for malware infections and other attacker exploits. Once threat actors gain access to the environment, they methodically look for key systems and sensitive data to exploit.
That’s why it’s beneficial to have a well-defined patch management program that promotes the implementation of patches and updates soon after they’re released with the target of three to seven days for critical patches and updates and no more than 30 days for others. In many instances, by the time a vendor releases a patch, cybercriminals are already aware of the vulnerability and have developed or are well down the path to developing a tool to exploit it. For example, WannaCry ransomware was widespread because the targeted organizations failed to update systems using older operating systems even though a patch had been released and was available to them for some time.¹
System misconfigurations can also lead to breaches. Open ports and improperly configured firewalls or routers can give hackers access to your network or provide information about the network that can lead to access.
Tip: Try a gamified approach to patch management programs. This can illustrate how each business unit is performing relative to one another—no team wants to be the slowest! This can motivate and incentivize teams to improve.
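The patch-window targets above (three to seven days for critical, 30 days for everything else) only help if you measure against them. The following is an added example, not Pure Storage code, of a small checker that reports which hosts are past their SLA and produces the per-team scoreboard the tip describes; the inventory, host names, team mapping and patch labels are constructed for the example, and the seven-day upper bound is assumed as the hard critical deadline.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional, Tuple

# SLA targets from the article: critical within three to seven days, others within 30.
# The upper bound of the critical range is used as the hard deadline (an assumption here).
SLA_DAYS = {"critical": 7, "other": 30}


@dataclass
class PatchRecord:
    host: str
    patch_id: str              # placeholder label, not a real advisory number
    severity: str              # "critical" or "other"
    released: date             # vendor release date
    installed: Optional[date]  # None = still missing on this host


def sla_deadline(rec: PatchRecord) -> date:
    return rec.released + timedelta(days=SLA_DAYS[rec.severity])


def days_overdue(rec: PatchRecord, as_of: date) -> int:
    """Days past the SLA deadline; 0 if installed in time or not yet due.
    A missing patch is measured against as_of, so its debt grows every day."""
    done = rec.installed if rec.installed is not None else as_of
    return max(0, (done - sla_deadline(rec)).days)


def overdue_patches(records: List[PatchRecord], as_of: date) -> List[Tuple[str, str, int]]:
    """(host, patch_id, days_overdue) for every record outside its SLA."""
    out = []
    for r in records:
        late = days_overdue(r, as_of)
        if late > 0:
            out.append((r.host, r.patch_id, late))
    return out


def compliance_by_team(records: List[PatchRecord], team_of_host: Dict[str, str],
                       as_of: date) -> Dict[str, float]:
    """Share of due patches applied within SLA, per team (the scoreboard from the tip).
    Patches that are neither installed nor yet due are left out of the score."""
    counted: Dict[str, int] = {}
    in_sla: Dict[str, int] = {}
    for r in records:
        team = team_of_host[r.host]
        due = r.installed is not None or as_of > sla_deadline(r)
        if not due:
            continue
        counted[team] = counted.get(team, 0) + 1
        if days_overdue(r, as_of) == 0:
            in_sla[team] = in_sla.get(team, 0) + 1
    return {t: in_sla.get(t, 0) / n for t, n in counted.items()}


# Constructed inventory for the example; hosts, teams and dates are made up.
AS_OF = date(2024, 3, 1)
TEAM_OF_HOST = {"web-01": "web", "web-02": "web", "db-01": "db", "db-02": "db", "db-03": "db"}
RECORDS = [
    PatchRecord("web-01", "PATCH-A", "critical", date(2024, 2, 1), date(2024, 2, 5)),
    PatchRecord("web-02", "PATCH-A", "critical", date(2024, 2, 1), None),
    PatchRecord("web-01", "PATCH-C", "critical", date(2024, 2, 27), None),   # not yet due
    PatchRecord("db-01", "PATCH-B", "other", date(2024, 1, 20), date(2024, 2, 15)),
    PatchRecord("db-02", "PATCH-B", "other", date(2024, 1, 20), date(2024, 2, 10)),
    PatchRecord("db-03", "PATCH-B", "other", date(2024, 1, 20), date(2024, 2, 25)),
]

if __name__ == "__main__":
    for host, pid, late in overdue_patches(RECORDS, AS_OF):
        print(f"{host} {pid} is {late} day(s) past SLA")
    for team, score in compliance_by_team(RECORDS, TEAM_OF_HOST, AS_OF).items():
        print(f"team {team}: {score:.0%} of due patches applied within SLA")
```

Feeding this from a real inventory (vulnerability scanner export, endpoint management API) is the only integration work; the scoring rule stays the same. Counting a missing patch against today's date rather than ignoring it is deliberate, so an unpatched host keeps getting worse on the board instead of disappearing from it.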
2. Implement multi-factor authentication and admin credential vaulting for all systems.
Poor password management practices and improperly secured endpoint devices can create vulnerabilities. Passwords and credentials with privileged access are especially valuable to an attacker. Vaulting credentials, and admin credentials in particular, provides extra safeguards for the credentials of shared resources on your network, offering a repository in which passwords are automatically refreshed after each login.
If an employee uses the same password for multiple personal and company accounts, and one of the accounts is compromised, attackers can gain access to the other accounts using the compromised credentials. Multifactor authentication adds extra steps and security, requiring a personal device or biometrics to prove identity.
3. Provide consistent logging across the entire environment
Security and access logs are absolutely critical to helping you identify the source of an attack—or ”patient zero.” The sooner you can do that, the sooner you can apply the necessary patches and restore a clean backup. After an attack, these logs also allow you to provide required proof of compliance to regulatory agencies, in which you can describe what happened and demonstrate that your organization was, in fact, taking the necessary precautions.
It’s not just enough to maintain security logs. These need to be protected from hackers, too, who will target these logs for deletion or alteration in order to cover their tracks. You can learn more about why and how to protect security logs in this article.
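One concrete way to make deletion or alteration of logs detectable is to chain the entries with a keyed hash as they are written and verify the chain on a collector that holds the key. The following is an added example, not code from the article or from Pure Storage: each record carries an HMAC-SHA256 over its own content and the previous record's tag, so editing, reordering or removing any entry invalidates everything after it, and recording the final tag off-host also exposes truncation of the tail. The key, log entries and host names are constructed for the example.

```python
import hashlib
import hmac
import json
from typing import List, Optional, Tuple

GENESIS = b"\x00" * 32  # tag that "precedes" the first entry


def _canonical(entry: dict) -> bytes:
    # Stable encoding so the same entry always hashes the same way.
    return json.dumps(entry, sort_keys=True, separators=(",", ":")).encode()


def seal_entries(key: bytes, entries: List[dict]) -> List[dict]:
    """Chain each entry to its predecessor: tag_i = HMAC(key, tag_{i-1} || entry_i).
    Changing, reordering or removing any entry breaks every tag after it."""
    sealed, prev = [], GENESIS
    for seq, entry in enumerate(entries):
        tag = hmac.new(key, prev + _canonical(entry), hashlib.sha256).hexdigest()
        sealed.append({"seq": seq, "entry": dict(entry), "tag": tag})
        prev = bytes.fromhex(tag)
    return sealed


def verify_chain(key: bytes, sealed: List[dict],
                 anchor: Optional[str] = None) -> Tuple[bool, Optional[int]]:
    """Return (ok, first_bad_seq). `anchor` is the last tag as recorded off-host;
    supplying it also catches entries deleted from the end of the log."""
    prev = GENESIS
    for expected, rec in enumerate(sealed):
        if rec.get("seq") != expected:
            return False, expected          # gap or reorder
        tag = hmac.new(key, prev + _canonical(rec["entry"]), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(tag, rec["tag"]):
            return False, expected          # entry or tag modified
        prev = bytes.fromhex(rec["tag"])
    if anchor is not None and not hmac.compare_digest(prev.hex(), anchor):
        return False, len(sealed)           # entries missing from the tail
    return True, None


# Constructed key and log lines for the example. The real key belongs on the
# collector, not on the host producing the logs: whoever holds it can re-seal.
KEY = b"example-collector-key-not-for-production"
LOG = [
    {"ts": "2024-03-01T02:10:30", "event": "logon", "user": "dave", "src": "203.0.113.7"},
    {"ts": "2024-03-01T02:12:02", "event": "new_local_admin", "user": "dave", "target": "svc_backup"},
    {"ts": "2024-03-01T02:15:45", "event": "logon", "user": "svc_backup", "src": "10.0.0.40"},
]

if __name__ == "__main__":
    sealed = seal_entries(KEY, LOG)
    print("intact:", verify_chain(KEY, sealed, anchor=sealed[-1]["tag"]))   # (True, None)
    tampered = seal_entries(KEY, LOG)
    del tampered[1]                       # someone removes the privilege change
    print("entry removed:", verify_chain(KEY, tampered))                   # (False, 1)
```

The chain tells you *that* and *where* the log was altered, not *what* was there, so it complements rather than replaces shipping a copy to a separate, write-once store. Note the asymmetry the comment points out: an HMAC chain is only as trustworthy as the key's separation from the host, which is why the verifying key should live with the collector.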
4. Implement a fast analytics platform to help identify signs of threat actors in the environment. “Threat hunters” can actively look for and clean indicators of compromise.
Remember the period of time I mentioned earlier before an attacker breaks in? Speedy, real-time analytics can help spot suspicious behavior, anomalies, and more during that period. This will alert you to the possibility of an attack—a slow analytics platform won’t surface unusual activity in time. Fast analytics platforms will spot it before it’s too late, allowing threat hunters to quickly identify threats and eradicate them before your data is widely compromised.
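"Suspicious behavior" during the dwell period is concrete: a burst of failed logins from one source that ends in a success, or an account logging in from somewhere it never has before. As an added illustration (not code from the article or from Pure Storage), here are both detections run over a constructed authentication log. The line format, the baseline of known (user, source) pairs and the addresses are all invented for the example; the point is that these rules are cheap enough to run as the events arrive rather than in a nightly batch.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Set, Tuple

# Constructed line format for this example:
#   "<iso-timestamp> auth <OK|FAIL> user=<name> src=<ip>"
LINE_RE = re.compile(r"^(?P<ts>\S+) auth (?P<result>OK|FAIL) user=(?P<user>\S+) src=(?P<src>\S+)$")


def parse_events(lines: List[str]) -> List[dict]:
    """Parse matching lines into dicts ordered by time; other lines are skipped."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            events.append({"ts": datetime.fromisoformat(m["ts"]), "result": m["result"],
                           "user": m["user"], "src": m["src"]})
    return sorted(events, key=lambda e: e["ts"])


def failures_then_success(events: List[dict], threshold: int = 5,
                          window: timedelta = timedelta(minutes=5)) -> List[Tuple[str, str, str, int]]:
    """Alert when one source accumulates >= threshold failures inside `window` and then
    logs in successfully: a brute force or password spray that worked."""
    alerts: List[Tuple[str, str, str, int]] = []
    recent: Dict[str, List[datetime]] = defaultdict(list)
    for e in events:
        fails = recent[e["src"]]
        fails[:] = [t for t in fails if e["ts"] - t <= window]  # forget stale failures
        if e["result"] == "FAIL":
            fails.append(e["ts"])
        elif len(fails) >= threshold:
            alerts.append((e["src"], e["user"], e["ts"].isoformat(), len(fails)))
            fails.clear()
    return alerts


def logins_from_new_sources(events: List[dict],
                            baseline: Set[Tuple[str, str]]) -> List[Tuple[str, str, str]]:
    """Successful logins from a (user, source) pair never seen in the baseline period."""
    return [(e["user"], e["src"], e["ts"].isoformat())
            for e in events if e["result"] == "OK" and (e["user"], e["src"]) not in baseline]


def analyze(lines: List[str], baseline: Set[Tuple[str, str]], threshold: int = 5) -> dict:
    events = parse_events(lines)
    return {"brute_force": failures_then_success(events, threshold),
            "new_source": logins_from_new_sources(events, baseline)}


# Constructed sample: a spray from a documentation-range address succeeds on the fifth
# account, followed by ordinary logins from known internal sources. One unrelated line
# is included to show that non-matching input is ignored rather than crashing the parser.
SAMPLE_LINES = [
    "2024-03-01T02:09:00 kernel: unrelated message",
    "2024-03-01T02:10:00 auth FAIL user=alice src=203.0.113.7",
    "2024-03-01T02:10:05 auth FAIL user=alice src=203.0.113.7",
    "2024-03-01T02:10:11 auth FAIL user=bob src=203.0.113.7",
    "2024-03-01T02:10:16 auth FAIL user=carol src=203.0.113.7",
    "2024-03-01T02:10:22 auth FAIL user=dave src=203.0.113.7",
    "2024-03-01T02:10:30 auth OK user=dave src=203.0.113.7",
    "2024-03-01T09:00:00 auth OK user=alice src=10.0.0.12",
    "2024-03-01T09:05:00 auth FAIL user=bob src=10.0.0.15",
    "2024-03-01T09:05:20 auth OK user=bob src=10.0.0.15",
]
# Baseline of (user, source) pairs seen during a quiet period; also constructed.
BASELINE = {("alice", "10.0.0.12"), ("bob", "10.0.0.15")}

if __name__ == "__main__":
    for name, hits in analyze(SAMPLE_LINES, BASELINE).items():
        for hit in hits:
            print(f"[{name}] {hit}")
```

Both rules fire on the same 02:10 login, which is the kind of corroboration a threat hunter wants before pulling a host: one weak signal is noise, two independent ones on the same event are worth minutes of attention right then. The failure window is kept per source rather than per user so a spray across many accounts is caught as readily as a brute force against one.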
Tip: Your architecture should be built with resiliency and durability in mind. For instance, implementing SafeMode™ snapshots from Pure Storage® can protect critical backup data from deletion.
5. Regularly run security awareness training and tabletops with a focus on ransomware
Employees can be the weakest link in a company, especially where cyber threats are concerned. Employees frequently fall victim to email phishing scams, one of the most common ransomware attack vectors. Phishing emails trick users into downloading malware attachments or clicking on links that lead to compromised content with hidden malicious code. Inadequate password security policies can result in identity theft or unauthorized access to high-level information.
Remote devices on the company’s network, using out-of-date software or operating systems can also open the door to cyberattacks. Without clear internet and email policies, employees won’t know how to access, use, and share sensitive data securely, or what information should and shouldn’t be shared via email. Data access policies ensure that each employee only has access to the systems and data they need to perform their job.
Tip: Implement end-user awareness training and measure its efficacy. This will help you identify any weak points where you need to follow up. At the board and senior level, tabletop exercises should be performed at least annually to ensure everyone knows the game plan in the event of an attack.
Other Vulnerabilities to Note
The shift toward remote work and bring your own device (BYOD) policies has increased attacks on mobile endpoint devices. Unsecured remote desktop protocol (RDP), as well as virtual desktop endpoints and network misconfigurations, create vulnerabilities that can lead to ransomware attacks. Improperly secured endpoint devices can be susceptible to Wi-Fi hacking and man-in-the-middle attacks, leading to exposure of the company’s network and sensitive data.
RDP is the second most commonly exploited ransomware attack vector and is often used by attackers to gain unnoticed access to company networks. Security for RDP connections can be explicitly set, but in many cases, connections are protected by weak passwords and use a well-known default standard port, which is also poorly secured. RDP credentials can also be bought on the dark web, and once credentials are obtained, hackers can bypass endpoint security to gain access to a company’s systems.
Safeguard Your Data with Pure Storage®
Although it’s not possible to guard against every known security threat, knowing the common vulnerabilities that cause ransomware attacks can help you create the right plan to minimize your risks before an attack occurs.
Pure can help at the “before” stage by
- Providing access to a large pool of analytics data and the fastest analytics processing to identify threats
- Protecting against internal administrative mistakes
For more information and guidance to take the next steps, check out these two helpful resources:
- The Hacker’s Guide to Ransomware Mitigation and Recovery, written by me and Hector Monsegur, a former black hat and member of the LulzSec and Anonymous hacking collectives
- 10 Questions to Ask Your CISO
Stay tuned for parts 2 and 3 where I’ll go into the threats and safeguards for during and after an attack.