Onions have Layers, Ogres have Layers: Anti-Ransomware Strategy


Are you ready for a ransomware attack?

Globally, so far in 2024, there have been over 2,000 known ransomware attacks. About half of these attacks were on US-based entities. And the majority of these US-based ransomware attacks were directed toward healthcare and SLED (State, Local, and Education) organizations. Journals and analysis reports estimate that ransomware groups have collected about $460 million in payments during the first half of this year. I pray that that number does not come close to the more than $1 billion paid out in 2023.

If those stats are depressing you (as they do me), stick with me…

The Global Ransomware Threat: A Daunting Reality

I feel like Gerard Butler in the movie 300 up against a Persian army that seems to have more soldiers than stars in the sky. I believe it feels like that because that is, unfortunately, our reality, at least in the digital realm. With more than 245 known cyber threat actor groups globally, our ability to defend against cyber threats can feel daunting.

Ransomware actors wake up every day to disrupt the world and seem to be motivated by two primary drivers: money and power, more specifically global political power. The money motivation is evident from the recorded ransomware payouts. The desire for power shows in the heavy focus on healthcare and SLED targets: attacks that disrupt citizens’ lives and sow chaos and doubt about the ability of government and the military to protect us.

With the number of threat actors focused on stealing as much money as possible and grabbing as much power as possible, how can we defend against these ransomware attacks? Sadly, just like there is no miracle drug that cures all ailments, there is no silver bullet in cyber security.

First and foremost, you need a community… you need your people. This is an area I will not be covering here, but know that you are not alone. There are groups and professionals that are fighting this cyber warfare with you and me. I will cover this topic in more detail in a future article.

My focus here will be on strategy. Just like the ogre in Shrek, cyber security is made up of layers (aka Defense-in-Depth, Deep Defense, or Elastic Defense). There is also a necessary component that isn’t always considered, because I don’t believe most people are aware it exists: a dedicated anti-ransomware platform. And I’m not talking about a backup recovery solution here.

CORE + LAYERS

0. Anti-Ransomware Platform (Core Layer)

  • Prevention Engines: Multiple advanced prevention engines that are trained on millions of ransomware TTPs (Tactics, Techniques, and Procedures) and behavior indicators.
  • Key Interception & Automated Recovery: Interception of encryption keys and recovery of affected endpoints at the system level.
  • Data Exfiltration Prevention (DXP): Prevent data from being stolen by disrupting the thieves’ actions in transit, mitigating any intended double and triple extortion attempts.

1. Perimeter Defense (Network Layer)

  • Firewalls: Deploy next-generation firewalls (NGFWs) that include intrusion prevention systems (IPS) and deep packet inspection to filter malicious traffic.
  • Network Segmentation: Segment critical assets and systems from less secure networks to limit the lateral movement of attackers within the network.
  • VPNs and Secure Remote Access: Require multi-factor authentication (MFA) on VPN and every other remote-access path so that stolen credentials alone are not enough to get in, and keep the VPN gateway itself patched, since exposed remote-access appliances are a common initial-access point for ransomware operators.
  • DNS Filtering: Implement DNS filtering to block access to known malicious domains or command-and-control servers used by ransomware operators.

2. Endpoint Security (Device Layer)

  • Endpoint Detection and Response (EDR): Use EDR solutions to detect and respond to suspicious activity on endpoints in real time.
  • Antivirus/Antimalware: Install regularly updated antivirus software to prevent known malware and ransomware variants.
  • Application Whitelisting: Restrict systems to run only pre-approved and trusted applications to prevent ransomware from executing.
  • Patch Management: Regularly patch operating systems, software, and firmware to fix vulnerabilities that ransomware can exploit.

3. User and Access Control (Human Layer)

  • Least Privilege: Limit user permissions to only what is necessary for their role. Implement role-based access control (RBAC) to minimize access to sensitive systems.
  • Multi-Factor Authentication (MFA): Enforce MFA for all user accounts, especially for privileged accounts, to reduce the risk of credential theft.
  • User Awareness Training: Conduct regular security awareness training to educate users about phishing attacks, suspicious emails, and other social engineering techniques used to deploy ransomware.

4. Data Protection and Backup (Data Layer)

  • Regular Backups: Implement regular, automated backups of critical data, and keep at least one copy offline, immutable, or otherwise isolated so that ransomware cannot encrypt or delete it. Use separate credentials for the backup system; an attacker holding domain admin should not also be able to purge your backups.
  • Backup Testing: Regularly test backup recovery processes to ensure that data can be restored quickly in the event of a ransomware attack.
  • Data Encryption: Encrypt sensitive data both at rest and in transit. This protects against theft of storage media and interception on the network; it does not stop an attacker operating under a compromised user account, who reads data exactly as that user would, so pair it with the access controls above.
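
What the Backup Testing bullet looks like when it is actually scripted, as an added example that is not code from the original article or from any backup product: take a backup of a directory into a tar archive, record a SHA-256 manifest of every file, restore into a scratch directory, and verify each file against the manifest. The manifest is assumed to be stored with the offline copy rather than beside the archive, so an attacker who encrypts or silently alters the online backup cannot also fix up the manifest. The directory contents and the two failure scenarios are constructed for the demo.

```python
"""Restore test for a backup set, verified against a separately stored manifest.

Added example; not code from the original article. Assumes the manifest is kept
apart from the archive (with the offline copy) so tampering with the archive
alone cannot go unnoticed.
"""
import hashlib
import os
import tarfile
import tempfile


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def make_backup(src_dir, archive_path):
    """Archive src_dir into archive_path; return {relative path: sha256}."""
    manifest = {}
    with tarfile.open(archive_path, "w:gz") as tar:
        for root, _, files in os.walk(src_dir):
            for name in sorted(files):
                full = os.path.join(root, name)
                rel = os.path.relpath(full, src_dir)
                tar.add(full, arcname=rel)
                manifest[rel] = sha256_file(full)
    return manifest


def restore_test(archive_path, manifest):
    """Extract the archive into a scratch directory and verify every file in
    the manifest. Returns (ok, problems)."""
    problems = []
    with tempfile.TemporaryDirectory() as scratch:
        try:
            with tarfile.open(archive_path, "r:gz") as tar:
                try:
                    # The 'data' filter (Python 3.12+, backported to some older
                    # releases) refuses members that would escape the target dir.
                    tar.extractall(scratch, filter="data")
                except TypeError:
                    tar.extractall(scratch)
        except (tarfile.TarError, OSError) as exc:
            return False, [f"archive unreadable: {exc}"]
        for rel, digest in manifest.items():
            restored = os.path.join(scratch, rel)
            if not os.path.isfile(restored):
                problems.append(f"missing: {rel}")
            elif sha256_file(restored) != digest:
                problems.append(f"hash mismatch: {rel}")
    return not problems, problems


def demo():
    """Constructed scenario: a clean backup passes; a backup re-taken after a
    file was encrypted fails the manifest check; an archive that ransomware
    overwrote on the online copy fails to open at all."""
    root = tempfile.mkdtemp(prefix="restore_test_")
    src = os.path.join(root, "data")
    os.makedirs(os.path.join(src, "finance"))
    for rel, content in {"finance/q1.csv": b"acct,amt\n1,100\n",
                         "notes.txt": b"board notes\n"}.items():
        with open(os.path.join(src, rel), "wb") as f:
            f.write(content)
    archive = os.path.join(root, "backup.tar.gz")
    manifest = make_backup(src, archive)
    clean = restore_test(archive, manifest)

    with open(os.path.join(src, "notes.txt"), "wb") as f:
        f.write(b"\x00encrypted\x00")          # source file encrypted before the next run
    make_backup(src, archive)                 # new archive, but the old manifest is kept
    tampered = restore_test(archive, manifest)

    with open(archive, "wb") as f:
        f.write(os.urandom(2048))             # the archive itself was encrypted
    unreadable = restore_test(archive, manifest)
    return clean, tampered, unreadable


if __name__ == "__main__":
    for label, result in zip(("clean", "tampered", "unreadable"), demo()):
        print(label, result)
```

The second scenario is the one most teams never test for: the backup job keeps succeeding, but what it is backing up is already ciphertext. Only a manifest captured before the incident, kept out of the attacker’s reach, tells you which restore point is still good.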

5. Monitoring and Detection (Monitoring Layer)

  • Security Information and Event Management (SIEM): Use a SIEM solution to monitor and correlate logs from various sources (e.g., firewalls, IDS/IPS, endpoint systems) for early detection of ransomware activity.
  • Anomaly Detection: Implement behavioral analytics to detect abnormal behavior, such as large-scale file encryption or unusual network traffic patterns indicative of ransomware attacks.
  • Incident Response Plan: Develop and test an incident response plan specifically for ransomware attacks, ensuring rapid containment and recovery.
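
The Anomaly Detection bullet in concrete form, as an added example that is not code from the original article or from any product it mentions: a small behavioural detector run over endpoint file-event log lines. The log format, host names, process names, and thresholds are invented for the demo (Sysmon, EDR, or auditd records differ), but the signal is the same one a SIEM rule would key on: a single process renaming or overwriting many files across many directories within a short window, changing their extensions as it goes. A backup agent that legitimately writes many files is included to show why the rule looks at extension churn and directory breadth rather than raw write counts.

```python
"""Behavioural ransomware detection over endpoint file-event logs.

Added example; not code from the original article. The log line format and
thresholds are assumptions for the demo.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) pid=(?P<pid>\d+) proc=(?P<proc>\S+) "
    r"op=(?P<op>\w+) path=(?P<path>.+?)(?: -> (?P<dst>.+))?$"
)

# Thresholds are assumptions for the demo; baseline them on your own fleet.
WINDOW = timedelta(seconds=60)   # sliding window per process
MIN_EVENTS = 20                  # file modifications inside the window
MIN_DIRS = 3                     # distinct directories touched
MIN_EXT_CHANGE = 0.8             # share of renames that change the extension


def parse(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.fromisoformat(ev["ts"].replace("Z", "+00:00"))
    return ev


def ext(path):
    name = path.replace("\\", "/").rsplit("/", 1)[-1]
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def parent(path):
    return path.replace("\\", "/").rsplit("/", 1)[0]


def detect(lines):
    """Return one alert per (host, pid, proc) whose file activity in any single
    window looks like bulk encryption."""
    events = defaultdict(list)
    for line in lines:
        ev = parse(line)
        if ev and ev["op"] in ("WRITE", "RENAME", "DELETE"):
            events[(ev["host"], ev["pid"], ev["proc"])].append(ev)

    alerts = []
    for (host, pid, proc), evs in events.items():
        evs.sort(key=lambda e: e["ts"])
        start = 0
        for end in range(len(evs)):
            while evs[end]["ts"] - evs[start]["ts"] > WINDOW:
                start += 1
            window = evs[start:end + 1]
            if len(window) < MIN_EVENTS:
                continue
            dirs = {parent(e["path"]) for e in window}
            renames = [e for e in window if e["op"] == "RENAME" and e["dst"]]
            changed = [e for e in renames if ext(e["dst"]) != ext(e["path"])]
            ratio = len(changed) / len(renames) if renames else 0.0
            if len(dirs) >= MIN_DIRS and ratio >= MIN_EXT_CHANGE:
                alerts.append({
                    "host": host, "pid": int(pid), "proc": proc,
                    "events": len(window), "dirs": len(dirs),
                    "new_ext": sorted({ext(e["dst"]) for e in changed}),
                })
                break  # one alert per process is enough
    return alerts


def sample_log():
    """Constructed sample telemetry (not real data): an encryptor renaming
    documents across four folders, and a backup agent that writes many files
    but only into one folder and without renaming anything."""
    t0 = datetime(2024, 6, 1, 10, 0, 0)
    folders = ["C:\\Users\\alice\\Documents", "C:\\Users\\alice\\Desktop",
               "\\\\fs01\\finance\\2024", "\\\\fs01\\hr\\reviews"]
    lines = []
    for i in range(24):
        src = f"{folders[i % 4]}\\report{i}.docx"
        lines.append(f"{(t0 + timedelta(seconds=i)).isoformat()}Z host=ws01 "
                     f"pid=4412 proc=updater.exe op=RENAME path={src} -> {src}.locked")
    for i in range(40):
        lines.append(f"{(t0 + timedelta(seconds=i)).isoformat()}Z host=ws01 "
                     f"pid=900 proc=backupagent.exe op=WRITE "
                     f"path=D:\\backups\\set01\\chunk{i}.bin")
    return lines


if __name__ == "__main__":
    for a in detect(sample_log()):
        print(f"ALERT {a['host']} pid={a['pid']} {a['proc']}: {a['events']} events "
              f"in {a['dirs']} dirs, new extension(s) {a['new_ext']}")
```

Tune the thresholds against a quiet baseline before trusting the rule, and expect to whitelist a handful of processes (backup agents, archivers, document converters) by path and signer rather than by name, since an attacker can call their encryptor anything.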

6. Email Security (Phishing Defense)

  • Email Filtering: Implement email security solutions that filter out phishing emails and malware-laden attachments, a common vector for ransomware.
  • Attachment Sandboxing: Use email gateways with attachment sandboxing to analyze and quarantine suspicious files before they reach the end-user.
  • Link Scanning: Ensure that links in emails are scanned for malicious URLs and rewritten so they are re-checked at click time, or detonated in a security sandbox, before the user reaches the destination.

7. Cloud Security (Cloud Layer)

  • Cloud Access Security Brokers (CASBs): Use CASBs to ensure visibility and control over cloud applications and enforce data loss prevention (DLP) policies to prevent the spread of ransomware via cloud storage.
  • Zero Trust Architecture: Implement zero trust principles in cloud environments, where every access request is thoroughly verified, reducing the chance of a ransomware attack escalating.
  • Security Posture Management (CSPM, SSPM, DSPM, CNAPP, etc.): Use posture-management tooling for misconfiguration and vulnerability findings, threat detection, and incident response across cloud assets.

8. Vulnerability Management (Test & Assess Layer)

  • Regular Vulnerability Scanning: Perform regular vulnerability assessments and penetration testing to identify and remediate weak points in your network and systems before attackers can exploit them.
  • Patch Critical Vulnerabilities: Focus on promptly patching critical vulnerabilities in systems, especially in public-facing applications and services that could be targeted by ransomware.
  • Proactive Threat Exposure Management: Map the security landscape to identify overlapping controls, highlight critical gaps, and prescribe clear next steps for the security operations team.

9. Deception, Insurance, and Compliance (Deception and Risk Layer)

  • Honeypots and Decoys: Deploy honeypots and decoy systems to mislead attackers, giving your security team early warning of potential ransomware activity.
  • Cyber Insurance: Consider cyber insurance policies that cover ransomware attacks, but ensure your security posture aligns with the requirements of insurers.
  • Legal and Regulatory Compliance: Ensure compliance with industry regulations (e.g., GDPR, HIPAA) that mandate security controls and incident reporting for data breaches or ransomware incidents.
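
The Honeypots and Decoys bullet applied at the file level, as an added example that is not code from the original article or from any deception product: canary documents that no legitimate user or process should touch are seeded into shared folders and fingerprinted; a periodic check then reports any canary that was modified, renamed, or deleted, plus any ransom-note-looking file that appeared beside it. The decoy names, folder layout, and the simulated encryptor are all constructed for the demo.

```python
"""Canary (decoy) files as an early-warning tripwire for ransomware.

Added example; not code from the original article. Decoy names, note
patterns and the simulated attack are assumptions for the demo.
"""
import hashlib
import os
import re
import tempfile

# Decoy names are assumptions: pick names that sort early (encryptors walk
# directories in order) and look worth stealing.
CANARY_NAMES = ["!passwords.xlsx", "00_payroll_2024.docx", "AAA_board_minutes.pdf"]
# Ransom notes are usually small text/HTML files with names like these.
NOTE_RE = re.compile(r"(readme|how.?to.?decrypt|restore|recover).*\.(txt|html|hta)$", re.I)


def fingerprint(path):
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()


def seed_canaries(dirs):
    """Create decoys in each directory; return a manifest {path: sha256}."""
    manifest = {}
    for d in dirs:
        os.makedirs(d, exist_ok=True)
        for name in CANARY_NAMES:
            p = os.path.join(d, name)
            with open(p, "wb") as f:
                f.write(os.urandom(4096))   # filler so the file has a realistic size
            manifest[p] = fingerprint(p)
    return manifest


def check_canaries(manifest):
    """Compare the current state against the manifest. Returns a dict with
    modified, missing and ransom-note findings (all empty when nothing tripped)."""
    findings = {"modified": [], "missing": [], "notes": []}
    watched_dirs = set()
    for p, digest in manifest.items():
        if not os.path.exists(p):
            findings["missing"].append(p)
        elif fingerprint(p) != digest:
            findings["modified"].append(p)
        watched_dirs.add(os.path.dirname(p))
    for d in sorted(watched_dirs):
        if not os.path.isdir(d):
            continue
        for name in os.listdir(d):
            if NOTE_RE.search(name):
                findings["notes"].append(os.path.join(d, name))
    return findings


def tripped(findings):
    return any(findings.values())


def demo():
    """Seed decoys in a temp tree, simulate an encryptor touching them, and
    return the findings (constructed scenario, not real telemetry)."""
    root = tempfile.mkdtemp(prefix="canary_")
    dirs = [os.path.join(root, "Finance"), os.path.join(root, "HR")]
    manifest = seed_canaries(dirs)
    assert not tripped(check_canaries(manifest))   # clean baseline

    # Simulated ransomware: overwrite one decoy in place, rename another to a
    # new extension, and drop a ransom note next to it.
    victim = os.path.join(dirs[0], CANARY_NAMES[0])
    with open(victim, "wb") as f:
        f.write(os.urandom(4096))
    renamed = os.path.join(dirs[1], CANARY_NAMES[1])
    os.rename(renamed, renamed + ".locked")
    with open(os.path.join(dirs[1], "README_HOW_TO_DECRYPT.txt"), "w") as f:
        f.write("your files are encrypted\n")
    return check_canaries(manifest)


if __name__ == "__main__":
    result = demo()
    print("TRIPPED" if tripped(result) else "clean", result)
```

In production the check runs from a scheduled job or, better, from file-system notifications (inotify, ETW) so the alert fires within seconds, and the decoys are excluded from backups, indexing, and DLP scans so that legitimate tooling does not trip them. The point of a decoy is that any touch at all is a signal, which makes this one of the few detections with a near-zero false-positive rate.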

SUMMARY OF BEST PRACTICES:

  • Dedicated Anti-Ransomware Platform: Incorporate a last-line-of-defense solution focused on ransomware and the TTPs and behaviors associated with ransomware attacks. And no. I am not talking about a backup recovery solution.
  • Layered Approach: Integrate multiple layers of defense, including perimeter, endpoint, and network security.
  • User Training: Make users the first line of defense by educating them on phishing and social engineering risks.
  • Backup Strategy: Regularly backup data and store it in a secure, offline location.
  • Incident Preparedness: Have a ransomware-specific incident response plan in place.

Breaches happen every day. The question you have to ask yourself is, will a breach be stopped, or will it escalate to your organization eventually being encrypted and ransomed? By using a defense-in-depth approach, your organization can reduce the likelihood of a successful ransomware attack, minimize its potential damage, and often stop it altogether.

How can we help?

The team at 3 Tree Tech works with some of the most elite cyber security professionals in the world and has an extreme passion for protecting US-based entities and the United States supply chain. Many of the services and assessments that 3 Tree Tech provides are at no cost to you and are focused on empowering leaders to simplify the complexity of the technology and security worlds.  

Eric Skeens of 3 Tree Tech

Eric Skeens is the co-founder of 3 Tree Tech in Portland. He is a platform-agnostic tech researcher who transitions siloed organizations into automated DevOps-centric businesses.

For Leaders, By Leaders (FLBL)

We are leaders that enjoy networking leaders with other leaders. Do you want to talk to one of our Insights authors or a speaker, or be plugged into one of the many communities that we are partnered with across the country? Time to call in the cavalry! We’re saddled up and ready to ride to your rescue.
