Ransomware Awareness Month: Same as it ever was.

Frank Clark
Jul 19, 2023


“You’ve got to learn WHY things work on a starship.”
- James Kirk, Star Trek: The Wrath of Khan

With a nod to David Byrne, we dive headlong into Ransomware Awareness Month noting that, as the song goes, it’s “Same as it ever was”⁴. While the technology behind ransomware attacks expands to new operating systems & processor architectures, and victims pile up scrambling for bitcoin or decryption help, one thing remains that I believe we are overlooking.

In order for ransomware to work, you have to be compromised first.

In a rush to save the day, many people ask ‘how do we stop ransomware’ and overlook the fact that before ransomware can do its dance on your data, you must be compromised. Defensively, they are putting the cart before the horse. Even the most advanced ransomware needs an entry point. The usual suspects, such as an unpatched vulnerability, a user clicking on something they should not, or a skipped upgrade, open the door to the wonderful world of disaster recovery. With that in mind, let’s take a step back and consider a proactive instead of a reactive approach to ransomware.

We need to step up our defense game and stop paying lip service to concepts like backups, defense in depth, least access and RBAC ( Role Based Access Control ). Instead of frog-marching employees back to the office, we should harden the methods they use to work remotely, side by side with good old fashioned end user training to prevent the initial incursion. We can no longer wait weeks to apply patches or allow software to go without updates, because in the current world there are bad guys out there trying their best to break anything and everything they can get their hands on, regardless of whether it is an old forgotten flavor of Linux or an open source solution that your IT department hates but your accounting department loves. Let’s break it down:

BACKUPS

As a person who started out swapping DLT tapes every night for a large corporation, I know the importance of backups as well as how unimportant they are until you need them. With the advent of ransomware they are more valuable than ever when it comes to data restoration. Specific flavors of ransomware will attempt to attack, encrypt or destroy your backups if they can get the required access to them. Because of this, it is important to create offline backups along with using WORM ( write once read many ) backups of vital data for the day when trouble comes knocking. Using a WORM system prevents the malware from altering, encrypting or deleting backups. Some companies like to store their backups off site, but that comes with the hazards of transportation loss, theft, and the time to retrieve them when needed. As with all things defensive, take your time and plan according to your needs & resources before taking action.

DEFENSE IN DEPTH

We no longer have the luxury of one-size-protects-all packages that shield us from the bad guys. We need to examine every stage of internet access, from where the fiber meets the firewall to where the user clicks on their free vacation package email. Every point in your network can hide a vulnerability waiting to be exploited, and only by covering all the bases can you have a fair shot at eight hours of sleep at night. There are no unimportant people and not a single unimportant aspect of your network that you can afford not to protect. Do your due diligence.

LEAST ACCESS AND RBAC

As any good parent knows, sometimes you have to say no. This applies monumentally to your security posture. Restricting access to sections of your network, as well as data permissions ( read, write, destroy ), can make the difference when it comes to compromise. Segmenting your network so that employees can reach only what they need to do their jobs ( accounting, development, security, guest access ), along with granular access to read or modify files, can stop ransomware in its tracks. Likewise, assigning access based on roles can limit who can tinker with the aspects of your network that would allow an APT or other method to stage a repeat performance of an incursion.

REMOTE EMPLOYEES

No one wants to sit in their car, on a subway, or on a bus 2–3 hours a day to get to the office, where there is limited coffee, a dress code that disallows bunny slippers, and where you have to pay $25 for anything passable to eat at lunch². The combination of remote work and BYOD has opened up whole new worlds of compromise that ransomware can easily take advantage of. Despite the accusations of draconian control and the costs of company owned assets, the advantages of company control, VPN purity¹ and the ability to drop the guillotine on a device at a moment’s notice far outweigh any user complaint. In our current world there is no place for personal email, games, casual surfing or non business related apps on a device that touches the company network³. Adblockers are a must-have, not a ‘would be nice’.

CONCLUSION

So for this Ransomware Awareness Month, through the sales pitches, fear mongering, vaporware and dog & pony shows, please keep in mind that a gram of prevention prevents the need for a kilogram of cure.

Don’t focus so much on ransomware that you forget what makes ransomware possible. Plan for before, during and after a ransomware attack. Never give up, never surrender⁵.

Frank Clark is a security engineer at Hunter Strategy, who firmly believes that the Talking Heads film Stop Making Sense is the same as the Godfrey Reggio film Koyaanisqatsi, only with a happy ending. He will be taking time off in August for hacker Summer Camp and learning to ride a sandworm, Fremen style.

[1] : Ensuring that only business related traffic travels through the company VPN, and not personal use data. While there are configuration options to ensure this does not happen, they are rarely configured correctly and can open extra avenues of vulnerability.

[2] : Unless you are in NYC, where you can get a dirty water dog with red onion sauce and a drink on most any street corner for less than your double double half decaf triple corn syrup pump soy whip-a-chino.

[3] : I know I will catch a lot of flak for this, but I can honestly say that if you care about your business or are an aware end user you can understand why this is a must, and save your farming adventures for your own devices. No matter how you slice it, when the company stock tanks or goes out of business because of a ransomware attack, no one is going to care if digital crops were harvested on time.

[4] : https://www.youtube.com/watch?v=5IsSpAOD6K8

[5] : https://www.youtube.com/watch?v=9fdcIwHKd_s
