Protecting your brand in the digital age is fraught with challenges. Ransomware and other targeted attacks have been increasing in both frequency and complexity. Researchers discover new vulnerabilities daily while cybercriminals continuously exploit older, known vulnerabilities in new ways.
Addressing the polymorphic nature of these threats requires a coordinated approach. It requires a strategy aimed at prevention, detection and response. You must leverage skills and tools within your organization and pull resources from the widest degree of available security intelligence to act, at scale, in response to the severity of a given threat.
The U.S. Computer Emergency Readiness Team (US-CERT) estimated that on average, more than 4,000 ransomware attacks have occurred per day since Jan. 1, 2016. This represents a 300 percent increase over the previous year.
How Ransomware Attacks Work
The Locky variant of ransomware, for example, follows a pattern of operation similar to many other ransomware variants. Its chain of operation proceeds as follows:
- Delivery and distribution: Locky is spammed out as an innocuous-looking invoice requesting the recipient’s immediate attention.
- Payload detonation: Embedded in the email is a Windows executable file that, once opened, infects the machine and begins execution. Sometimes this happens immediately and sometimes it’s triggered by an end user or system operation, depending upon the variant.
- External command-and-control (C&C): Locky establishes connection with an external C&C server and receives the unique encryption key.
- Identification and encryption: Locky identifies and targets file stores and can spread laterally to networked and removable drives. Locky targets over 100 known file types.
- Demand and collect ransom: After encrypting these files, Locky takes over the victim’s wallpaper and provides details on how to decrypt the files. The instructions lead to a page requesting payment in bitcoin in exchange for a key.
Threat Response
Many users, feeling that they are without recourse, are compelled to pay the ransom. In other cases, victims may choose to forgo their locked files and write them off as corrupted or otherwise lost.
You should report and respond to malware as soon as it is discovered. Ransomware can spread laterally, lie dormant and persist in the environment even after the initial attack. Simply doing nothing or giving up is not an option. It is important to completely root out the breach and take the appropriate escalation and reporting steps. But protection and detection are still not enough — you must also have a well-formulated response.
With a security operations and response program in place, organizations are able to integrate the various sources of security intelligence and make pertinent decisions, understand the trade-offs and respond with precision. This enables the chief information security officer (CISO) to programmatically take the actionable data and form responses that are in line with industry best practices and the company’s stated policies. Armed with intelligence and analytics, the CISO can execute the most appropriate and effective response.
Protecting Your Brand With Security Intelligence
Effectively protecting and defending against ransomware requires an orchestrated effort. As with most complex problems, there are no simple guarantees. There are, however, a number of important measures and best practices that organizations can put in place to defend against ransomware. These include:
- Robust user training: Users need to be trained — and retrained. There are few shortcuts here. Users must understand their role in data loss prevention, how they can avoid phishing and ransomware attacks, and how to identify and prevent social engineering attempts.
- A disciplined backup and restore regime: It is important to back up files regularly. That means verifying the integrity of the backups and testing restoration procedures to ensure they are working. The best practice is to avoid connecting them permanently to the computers and networks they are backing up.
- Prevention and detection at the endpoints, perimeter and cloud: Locky exhibits malicious behavior that can be identified and blocked at the endpoint. Additionally, because Locky relies on an external C&C server to obtain the encryption key before it can encrypt files, the known malicious domains, ranges and suspect IPs can be identified and blocked on the network, effectively stopping the lock before the key exchange happens.
- Vulnerability management, including patching and fixing: It is critical to identify known application and software flaws within the environment. The best vulnerability management programs include network and application scanning to discover potential vulnerabilities. They also include the ability to prioritize risks and expedite remediation by fixing vulnerabilities, applying patches across all endpoints and further securing the environment against future compromise.
- Security intelligence and analytics: With an enterprise security information and event management (SIEM) platform, organizations are able to apply security intelligence across their enterprise. SIEM enables IT professionals to conduct context, behavior and time-based analytics to evaluate the widest range of data and focus their efforts on the threats and responses that matter most. Once identified, incidents can be forwarded, with the contextual data, to your incident response team for further analysis and remediation.
- An incident response platform: Predefined response plans, established run books and guided instant responses are critical to expediting the reduction and removal of threats. An incident response platform provides a single hub for organizing and orchestrating response activities. Action plans and an expert knowledge base can lead your team through the most effective response while allowing for customization to your standard operating procedures.
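The network-blocking and SIEM analytics points above can be shown concretely. The following is an added example written for this article, not code from the post or from any IBM product: it parses constructed endpoint and DNS log lines, applies a time-window behavioral rule (a burst of file renames to a suspicious extension on one host, the "identification and encryption" stage) and a context rule (a DNS lookup for a domain on a C&C blocklist, the "external command-and-control" stage), then correlates the two per host into a severity. The log format, the `.invalid` blocklist domains, the `.locked` extension and the threshold of 20 renames in 60 seconds are all assumptions chosen for the example; a real deployment would take the blocklist from a threat-intelligence feed and tune the threshold to its own baseline.

```python
"""Correlate per-host file-rename bursts with C&C lookups over constructed log lines."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed placeholder blocklist (reserved .invalid TLD); a real feed comes from threat intelligence.
CC_BLOCKLIST = {"cc-example-1.invalid", "cc-example-2.invalid"}
SUSPECT_EXT = ".locked"        # constructed extension for the example, not any real variant's
BURST_THRESHOLD = 20           # assumed: renames to SUSPECT_EXT on one host within WINDOW
WINDOW = timedelta(seconds=60)
TS_FMT = "%Y-%m-%dT%H:%M:%SZ"


def parse_line(line):
    """Parse a constructed '<iso-ts> key=value key=value ...' line into a dict."""
    ts, *fields = line.split()
    event = dict(f.split("=", 1) for f in fields)
    event["ts"] = datetime.strptime(ts, TS_FMT)
    return event


def detect_rename_bursts(events):
    """Time-based rule: map host -> timestamp at which its renames to SUSPECT_EXT
    first reached BURST_THRESHOLD inside a sliding WINDOW."""
    recent = defaultdict(deque)   # host -> timestamps of recent suspect renames
    hits = {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev.get("type") != "file_rename" or not ev.get("path", "").endswith(SUSPECT_EXT):
            continue
        q = recent[ev["host"]]
        q.append(ev["ts"])
        while q and ev["ts"] - q[0] > WINDOW:   # drop renames older than the window
            q.popleft()
        if len(q) >= BURST_THRESHOLD and ev["host"] not in hits:
            hits[ev["host"]] = ev["ts"]
    return hits


def detect_cc_lookups(events):
    """Context rule: hosts that resolved a domain on the C&C blocklist."""
    return {ev["host"] for ev in events
            if ev.get("type") == "dns_query" and ev.get("qname") in CC_BLOCKLIST}


def correlate(lines):
    """Combine both rules per host into an alert severity."""
    events = [parse_line(line) for line in lines]
    bursts = detect_rename_bursts(events)
    cc_hosts = detect_cc_lookups(events)
    alerts = {}
    for host in bursts.keys() | cc_hosts:
        if host in bursts and host in cc_hosts:
            alerts[host] = "critical"   # key exchange seen AND encryption behavior seen
        elif host in bursts:
            alerts[host] = "high"       # encryption-like behavior without a known C&C hit
        else:
            alerts[host] = "medium"     # C&C lookup only: block and investigate before the lock
    return alerts


def build_sample_log():
    """Constructed sample log: one infected host, one benign host, one host that only phoned home."""
    base = datetime(2016, 3, 1, 10, 0, 0)
    lines = [f"{base.strftime(TS_FMT)} host=WS-12 type=dns_query qname=cc-example-1.invalid"]
    for i in range(25):   # WS-12: 25 renames in 25 seconds after the C&C lookup
        t = base + timedelta(seconds=5 + i)
        lines.append(f"{t.strftime(TS_FMT)} host=WS-12 type=file_rename path=C:/Users/a/doc{i}.docx{SUSPECT_EXT}")
    for i in range(3):    # WS-07: three renames spread over minutes, below threshold
        t = base + timedelta(minutes=i)
        lines.append(f"{t.strftime(TS_FMT)} host=WS-07 type=file_rename path=C:/Users/b/report{i}.xlsx{SUSPECT_EXT}")
    t = base + timedelta(minutes=2)
    lines.append(f"{t.strftime(TS_FMT)} host=WS-03 type=dns_query qname=cc-example-2.invalid")
    return lines


if __name__ == "__main__":
    for host, severity in sorted(correlate(build_sample_log()).items()):
        print(f"{host}: {severity}")
```

The ordering of the two rules matters for response: a blocklist hit alone arrives before any file is touched, which is the point made above about stopping the lock before the key exchange, so even a "medium" alert should trigger network isolation of that host while the rename rule confirms or rules out encryption activity.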
Unlocking the Power of Your Defenses
You can combat ransomware. Protecting your environment requires a coordinated and organized effort. Armed with the right tools, processes and skills, you can protect and defend your brand – even in this era of escalating attacks.
Download the complete Ransomware Response Guide
Program Director for QRadar Cloud, SaaS and MSSP, IBM Security