Threat Level: green Handler on Duty: Johannes Ullrich

SANS ISC: Ransomware Defenses SANS ISC InfoSec Forums

Participate: Learn more about our honeypot network
https://isc.sans.edu/honeypot.html

Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!
Ransomware Defenses

Ransomware attacks continue to be in the headlines everywhere, and are also an almost weekly reoccurring subject in the SANS Newsbites. As useful as many of the reports are that security firms and researchers publish on the subject, they often focus heavily on one particular incident or type of ransomware, and the associated "indicators of compromise" (IOCs). We already covered before how IOCs can turn into IOOI's (Indicators of Outdated Intelligence), and how to try to elevate the defense work from detecting IOCs to detecting TTPs (Tactics Techniques and Procedures).

While IOCs change quickly and often, a good TTP detection will still trigger on attack variants that look different. But it's still "detection", and therefore reactive and after the fact. Detection is best used to catch instances where the prevention failed, and should not be misused as a stand-in or replacement for preventive measures that we know we should have, but never got around to implement, enable or configure properly.

For Ransomware Prevention, most advice starts with "Have backups" and "Test your incident response". Both are true and valid. But the CISA.gov Ransomware Guide published last September has a decent list of additional advice that is worth reading.

From what became known of recent successful attacks, it looks like lack of 2-factor authentication (2FA) is still the most prevalent root cause. If you still have any remote access or remote desktop connections that rely on userid/password only, switch them to 2FA now!  And if you still have any webmail or the like without 2FA, make the change there as well.

For most avenues of infection, the attackers first have to establish a foothold on the compromised system, and find a mechanism to maintain remote access or command&control to the affected machine. These two phases (MITRE ATT&CK calls them "Execution" and "Persistence") provide additional chances to intercept or at least detect an ongoing compromise. Not so if that initial compromise occurs through exposed remote desktop - in that case, the bad guys basically score a home run, obtain interactive remote access from the get-go, and can get busy right away.  

As for webmail, your users WILL get successfully phished eventually, if not today then tomorrow. Absence of 2FA allows the attacker to impersonate your phished user, both towards your other employees, but also towards all your customers, clients and business partners. To those recipients, the email will look like it came from a known and trusted source, which increases the damage potential. Don't be the company that emails ransomware to others - activate 2FA for all your email users!

If you are in an industry that is considered to be part of "critical infrastructure" and are based in the US, you can apply to receive vulnerability scanning and security assessment support from CISA, *for free*. Check out https://www.cisa.gov/cyber-hygiene-services .

Further resources from SANS include a recent webcast, and a compilation of anti-ransomware resources. There is also an upcoming SANS Training, currently in Beta Test, titled "FOR528: Ransomware for Incident Responders", see https://www.sans.org/blog/for528-ransomware-for-incident-responders/ for more information.

 

Daniel

381 Posts
ISC Handler
May 17th 2021
Good idea - 2FA is a key deterrent. I also recommend either "air gapped" backups or backups with WORM features like AWS S3. You can turn on versioning and WORM and your backups will not be overwritten unless your AWS account is compromised. Ransomware can poison your online backups.
Anonymous

Sign Up for Free or Log In to start participating in the conversation!