OFFICIAL PUBLICATION OF THE NEBRASKA BANKERS ASSOCIATION

Pub. 15 2020-2021 Issue 5

top-six-controls

Tech Talk: Top Six Control to Mitigate a Ransomware Attack

Combating a ransomware scenario can be intense and stressful, so most organizations agree that it is better to stop the attack from happening in the first place. Below you will find the top six controls that can be put in place to protect your organization’s network and data from a ransomware attack.

1. Backup, Backup, Backup

It’s important to note that backing up your network’s data will not prevent a ransomware attack in the future, but doing so will make the situation abundantly less stressful. It’s been said that there are two types of people in this world: 1) those who back up their data, and 2) those who wish they would have. It is a good rule of thumb to stick with the 3-2-1 rule. Have at least THREE (3) copies of data, store your backups on TWO (2) different types of media, and keep ONE (1) backup off-site; in other words, keep one copy of the data air-gapped. Creating an “air-gapped” backup would make it very difficult for an attacker to infect this copy of your data with ransomware.

2. Endpoint Protection with Scripting Control

When it comes to today’s current antivirus or endpoint protection solutions, there are two (2) types of solutions:

1. Traditional, signature-based antivirus/endpoint protection solutions that rely on a known signature to identify if a file is potentially malicious; or
2. Modern, behavior-based antivirus solutions that look at the code of a file to determine what actions the file will look to take when executed.

While there are pros and cons to each, modern behavior-based antivirus solutions will handle and identify unknown and unidentified threats, rather than relying on known-bad signatures to prevent potential cyber incidents.

It’s strongly recommended that you use a modern, behavior-based solution with second-generation detection capabilities, including scripting control. Keep in mind, some providers claim their product has scripting control consistently fail to detect Powershell scripts running on your network. Applications lacking scripting detection will not be helpful in the event an attacker uses the Powershell tool to create scripts that automate attacks. Your antivirus solution should be configured to the highest level of security, alerting and protection. These controls would be able to stop any scripts that would attempt to run without the user’s permission. Modern, behavior-based antivirus solutions should also alert the user if any red flags (malicious behavior) are detected on your devices.

3. Multi-Factor Authentication

Multi-Factor Authentication (MFA) is an authentication method in which a user is granted access to an application only after allowing two or more pieces of evidence to the authentication mechanism, such as an SMS code, soft token or hard token. When enabled on a system, MFA would prompt the user if a malicious adversary tried to log in to an account, since the attacker should not have access to your smartphone (SMS or soft token) or hard token (physical device).

Not only would implementing MFA help prevent a ransomware attack, but doing so would mitigate the risk to various other cyberattacks as well, such as credential stuffing, business email account takeover, and phishing attacks. However, just like with every other control, MFA has its drawbacks. You must train employees only to provide authentication factors when they know they are logging in themselves.

4. Security Awareness Training

Employees are your first line of defense and are known as the “human firewall.” It is important to educate workers of potentially malicious email attachments, links, website downloads, and other methods of spreading ransomware – including how to identify phishing emails and what to do if they receive or click on something in a phishing email. Phishing emails are still the #1 delivery vehicle for malware, and training your people to handle phishing emails properly may be one of the most important things you can do to mitigate your risk. It is a great idea to not only train and educate employees, but to test them, too.

5. Email Controls

Email sandboxing along with Sender Policy Framework (SPF), DomainKeys Identified Mail (DKIM), and Domain-based Message Authentication, Reporting and Conformance (DMARC) are impactful controls that can be put in place to protect your network against a ransomware attack.

Email sandboxing, which automatically tests links and attachments in an email in a secure environment before your users receive the email, adds a layer of security and lessens the chances of an employee clicking on a malicious link. The Advanced Persistent Threat subscription to Office 365, which implements the Safe Links and Safe Attachments sandbox controls, is an excellent example of how email sandboxing can protect your organization from email threats.

SPF, DKIM, and DMARC all help authenticate senders using an organization’s specific domain. SPF prevents hackers from sending emails on behalf of an organization’s domain. In addition to SPF, DKIM checks if an email was truly sent by the owner of that domain. DMARC uses both SPF and DKIM to determine the authenticity of the content of an email message. SPF, DKIM, and DMARC are typically free additions to your email system that can make a significant impact on the amount of junk or phishing email your organization receives.

6. Egress Firewall Whitelisting with Geolocation IP Blocking

Egress firewall whitelisting examines all outbound traffic from your network to the internet (at the firewall level) and only allows information to leave the network if your organization’s IT administrator’s requirements are met. Egress firewall whitelisting works best with geolocation IP blocking, which blocks activity to IP addresses associated with geographical locations in which your organization does not do business or wants to block intentionally (like certain foreign countries known for cybercrime). Blocking traffic to certain regions and countries while examining the traffic that leaves the network in the first place is an important control that would notify the organization if a ransomware scenario is unfolding.

For more information, contact Reece Simpson at 605-270-3916 or reece.simpson@sbscyber.com.

SBS delivers unique, turnkey cybersecurity solutions tailored to each client’s needs, including risk management, consulting, on-site and virtual auditing, network security and education. Learn more at www.sbscyber.com.