By Zamani Ngidi
Ransomware attackers often operate with the discipline and approach of a legitimate traditional business, except with criminal intent.
Fortunately, there are strategies companies can take to reduce the risk of falling victim to a ransomware attack.
It is critical for organisations to approach cyber risk exposure through the lens of risk mitigation, taking the necessary precautions to prevent and/or minimise the risk if an event takes place.
An organisation’s ability to secure cyber insurance is very much tied to its ability to mitigate cyber security risks such as a ransomware attack. This is achieved by having the correct controls in place. Most of South Africa’s local cyber insurers are either global players or have reinsurance provided by a global reinsurer, which means that South African companies need to align their IT controls and practices to global standards if they wish to transfer the risk off their balance sheet.
Consider these ten technologies and processes to help prevent and detect a ransomware attack.
Each of these steps aligns closely with how attackers set up and carry out their criminal activity. While some are costly, proactively implementing these steps now can mitigate the costs of business interruption, reputational damage, incident response and/or a ransomware payment.
1. Phishing awareness training: to educate employees and end-users on how to spot phishing emails and know the red flags to drive down clicks on the malicious emails many ransomware attackers use to gain a foothold in a network.
2. Disabling accessibility of remote desktop directly from the internet: to prevent ransomware attackers from brute-forcing Internet-facing RDP services to gain entry into a network.
3. Properly configured URL filtering and e-mail attachment sandboxing: to prevent malware contained in ransomware emails from executing or going unnoticed.
4. An advanced Endpoint Detection and Response (“EDR”) solution: to detect and potentially quarantine ransomware and other advanced malware, and also to facilitate enterprise forensics in the event of an attack.
5. An advanced malware detection tool that inspects network traffic: to identify ransomware and other malicious packets or network traffic flowing over the wire.
6. 16+ character service account and domain admin passwords: to prevent ransomware and other hackers from cracking weak admin usernames and passwords. Optimally, these strong passwords should be rotated regularly using a Privileged Access Management (PAM) tool. Ransomware attackers use cracked credentials to move laterally and deploy their ransomware.
7. Lateral movement detection tools: after gaining a foothold, ransomware actors typically move laterally using compromised IT credentials. Detecting that anomalous lateral movement normally enables the attack to be shut down before ransomware is deployed.
8. A properly configured Security Information and Event Management (“SIEM”) platform that aggregates event, security, firewall and other logs: trying to respond to and recover from a ransomware attack without a SIEM is very difficult, as visibility through local, non-centralised logs is often poor.
9. A continuous security monitoring function: this provides continuous monitoring and threat hunting using collected logs and alerts.
10. Locking down software deployment and remote access tools: to a small set of privileged accounts with multi-factor authentication where possible. Once they have secured elevated privileges, ransomware attackers typically commandeer SCCM/PDQ/PsExec accounts to push the ransomware executable across the network.
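Steps 7, 8 and 10 above describe what a SIEM-backed lateral movement detection looks for: one set of credentials authenticating to many machines in a short window, followed by a remote-execution tool such as PsExec installing its service on the targets. The script below is an added illustration written for this article, not code from the author or from any vendor product. The log records it processes are constructed sample data in a made-up `key=value` format (real SIEMs normalise Windows event 4624 logons and event 7045 service installs into their own schemas); the thresholds (five hosts in ten minutes) and the `PSEXESVC` service name are assumptions chosen for the example.

```python
"""Toy lateral-movement detector over constructed, SIEM-style log records."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample data (not from any real environment). Each line imitates a
# normalised record a SIEM might hold: Windows event 4624 is a successful logon
# (LogonType 3 = network logon); event 7045 is a new service being installed,
# which is the trace a PsExec-style remote execution leaves on the target host.
SAMPLE_LOG = """\
2024-03-01T08:00:05 EventID=4624 LogonType=2 Account=alice Host=WS01 Source=10.0.1.20
2024-03-01T08:01:10 EventID=4624 LogonType=3 Account=alice Host=FS01 Source=10.0.1.20
2024-03-01T02:03:04 EventID=4624 LogonType=3 Account=svc_backup Host=WS02 Source=10.0.1.50
2024-03-01T02:03:09 EventID=4624 LogonType=3 Account=svc_backup Host=WS03 Source=10.0.1.50
2024-03-01T02:03:15 EventID=4624 LogonType=3 Account=svc_backup Host=WS04 Source=10.0.1.50
2024-03-01T02:03:21 EventID=4624 LogonType=3 Account=svc_backup Host=WS05 Source=10.0.1.50
2024-03-01T02:03:27 EventID=4624 LogonType=3 Account=svc_backup Host=WS06 Source=10.0.1.50
2024-03-01T02:04:00 EventID=7045 Account=svc_backup Host=WS06 Service=PSEXESVC
2024-03-01T09:15:00 EventID=7045 Account=SYSTEM Host=WS01 Service=WindowsUpdateAgent
"""

# Service names associated with remote-execution tooling (assumption for the example).
REMOTE_EXEC_SERVICES = ("PSEXESVC",)


def parse_line(line):
    """Turn one 'timestamp key=value ...' record into a dict with a datetime."""
    ts, *fields = line.split()
    record = {"ts": datetime.fromisoformat(ts)}
    for field in fields:
        key, _, value = field.partition("=")
        record[key] = value
    return record


def parse_log(text):
    """Parse every non-empty line of the constructed log."""
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def detect_fan_out(records, window=timedelta(minutes=10), min_hosts=5):
    """Flag accounts with network logons to >= min_hosts distinct hosts inside `window`.

    Returns {account: sorted list of hosts} for the largest qualifying window seen.
    """
    by_account = defaultdict(list)
    for r in records:
        if r.get("EventID") == "4624" and r.get("LogonType") == "3":
            by_account[r["Account"]].append((r["ts"], r["Host"]))
    alerts = {}
    for account, logons in by_account.items():
        logons.sort()
        start = 0
        for end in range(len(logons)):
            # Slide the window start forward until it fits within `window`.
            while logons[end][0] - logons[start][0] > window:
                start += 1
            hosts = {host for _, host in logons[start:end + 1]}
            if len(hosts) >= min_hosts and len(hosts) > len(alerts.get(account, ())):
                alerts[account] = sorted(hosts)
    return alerts


def detect_remote_exec_services(records, suspicious=REMOTE_EXEC_SERVICES):
    """Return (host, account, service) for 7045 installs of remote-execution services."""
    return [
        (r["Host"], r["Account"], r["Service"])
        for r in records
        if r.get("EventID") == "7045" and r.get("Service", "").upper() in suspicious
    ]


def triage(text):
    """Correlate both detections: fan-out plus a remote-exec service install is 'high'."""
    records = parse_log(text)
    fan_out = detect_fan_out(records)
    installs = detect_remote_exec_services(records)
    accounts_with_installs = {account for _, account, _ in installs}
    findings = []
    for account, hosts in fan_out.items():
        severity = "high" if account in accounts_with_installs else "medium"
        findings.append({"account": account, "hosts": hosts, "severity": severity})
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(f"[{finding['severity']}] {finding['account']} -> {', '.join(finding['hosts'])}")
```

In a production SIEM the same logic would be a scheduled correlation rule rather than a script, and the host threshold should be tuned per account type: a backup or scanning service account legitimately touches many hosts, so a baseline of its normal fan-out (or an allow-list of its expected targets) keeps the rule from paging on routine activity while still catching a credential that suddenly reaches workstations it has never authenticated to.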
Zamani Ngidi, Cyber Solutions Client Manager at Aon South Africa.
*The views expressed here are not necessarily those of IOL or of title sites.