[SANS ISC] Ransomware Defenses, (Mon, May 17th)

Ransomware attacks continue to be in the headlines everywhere, and are also an almost weekly reoccurring subject in the SANS Newsbites. As useful as many of the reports are that security firms and researchers publish on the subject, they often focus heavily on one particular incident or type of ransomware, and the associated “indicators of compromise” (IOCs). We already covered before how IOCs can turn into IOOI’s (Indicators of Outdated Intelligence), and how to try to elevate the defense work from detecting IOCs to detecting TTPs (Tactics Techniques and Procedures).

While IOCs change quickly and often, a good TTP detection will still trigger on attack variants that look different. But it’s still “detection”, and therefore reactive and after the fact. Detection is best used to catch instances where the prevention failed, and should not be misused as a stand-in or replacement for preventive measures that we know we should have, but never got around to implement, enable or configure properly.
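To make the IOC-versus-TTP point concrete, here is an added example (not code from the diary) that runs a hash-based IOC match and two behaviour-based rules, one for the Execution phase and one for Persistence, over a handful of constructed process-creation events; the hashes and command lines are made up for the demonstration.

```python
# Constructed process-creation events; hashes are placeholders, not real IoCs.
EVENTS = [
    {"parent": "winword.exe", "image": "powershell.exe",
     "cmdline": "powershell -enc <BASE64_PLACEHOLDER>", "sha256": "hash-0001"},
    {"parent": "winword.exe", "image": "powershell.exe",
     "cmdline": "powershell -w hidden -e <BASE64_PLACEHOLDER>", "sha256": "hash-0002"},
    {"parent": "explorer.exe", "image": "powershell.exe",
     "cmdline": "powershell Get-Process", "sha256": "hash-0003"},
    {"parent": "cmd.exe", "image": "schtasks.exe",
     "cmdline": "schtasks /create /tn Updater /tr C:\\Users\\Public\\x.exe /sc minute",
     "sha256": "hash-0004"},
]

# Yesterday's indicator feed (constructed): it only knows the first variant.
KNOWN_BAD_HASHES = {"hash-0001"}

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
ENCODED_FLAGS = {"-e", "-enc", "-encodedcommand"}


def ioc_hits(events):
    """IOC-style detection: exact match on a known-bad file hash."""
    return [i for i, e in enumerate(events) if e["sha256"] in KNOWN_BAD_HASHES]


def ttp_hits(events):
    """TTP-style detection keyed on behaviour rather than on a specific sample.
    Returns (event index, rule name) pairs."""
    hits = []
    for i, e in enumerate(events):
        tokens = e["cmdline"].lower().split()
        # Execution: an Office application spawning PowerShell with an encoded command.
        if (e["parent"].lower() in OFFICE_APPS
                and e["image"].lower() == "powershell.exe"
                and ENCODED_FLAGS & set(tokens)):
            hits.append((i, "execution: office -> encoded powershell"))
        # Persistence: a scheduled task whose action lives in a user-writable directory.
        if (e["image"].lower() == "schtasks.exe" and "/create" in tokens
                and "\\users\\public\\" in e["cmdline"].lower()):
            hits.append((i, "persistence: scheduled task in user-writable path"))
    return hits
```

The hash rule fires once and is blind to the second, slightly altered variant; the behaviour rules catch both variants plus the persistence attempt, while leaving the benign interactive PowerShell session alone.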

For Ransomware Prevention, most advice starts with “Have backups” and “Test your incident response”. Both are true and valid. But the CISA.gov Ransomware Guide published last September has a decent list of additional advice that is worth reading.

From what became known of recent successful attacks, it looks like lack of 2-factor authentication (2FA) is still the most prevalent root cause. If you still have any remote access or remote desktop connections that rely on userid/password only, switch them to 2FA now! And if you still have any webmail or the like without 2FA, make the change there as well.

For most avenues of infection, the attackers first have to establish a foothold on the compromised system, and find a mechanism to maintain remote access or command & control to the affected machine. These two phases (MITRE ATT&CK calls them “Execution” and “Persistence”) provide additional chances to intercept or at least detect an ongoing compromise. Not so if that initial compromise occurs through exposed remote desktop: in that case, the bad guys basically score a home run, obtain interactive remote access from the get-go, and can get busy right away.

As for webmail, your users WILL get successfully phished eventually, if not today then tomorrow. Absence of 2FA allows the attacker to impersonate your phished user, both towards your other employees, but also towards all your customers, clients and business partners. To those recipients, the email will look like it came from a known and trusted source, which increases the damage potential. Don’t be the company that emails ransomware to others – activate 2FA for all your email users!

If you are in an industry that is considered to be part of “critical infrastructure” and are based in the US, you can apply to receive vulnerability scanning and security assessment support from CISA, *for free*. Check out https://www.cisa.gov/cyber-hygiene-services.

Further resources from SANS include a recent webcast, and a compilation of anti-ransomware resources. There is also an upcoming SANS Training, currently in Beta Test, titled “FOR528: Ransomware for Incident Responders”, see https://www.sans.org/blog/for528-ransomware-for-incident-responders/ for more information.


(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
