In my last installment, I outlined guidance for the first three ransomware initial attack vectors detailed in the MS-ISAC #StopRansomware guide. In this paper I will outline the last three initial attack vectors found in the guide. The fourth vector the guide deals with is Precursor Malware Infections.
Researchers have found that ransomware infections are usually preceded by malicious code that performs reconnaissance and lays the groundwork for the full ransomware attack to come. In some cases, ransomware deployment is the last step in a network compromise, dropped to obscure earlier post-compromise activity such as business email compromise. These malicious code packages have been dubbed ‘precursor malware.’ For example, malware such as Qakbot, Bumblebee and Emotet has been employed as a precursor to ransomware attacks. Identifying and remediating such precursor malware can alert you to the possibility of an imminent ransomware attack, and gives you a window in which to prevent the full ransomware attack from actually happening. For this attack vector, the guide recommends:
- Ensuring that antivirus and anti-malware software and signatures are automatically updated. In fact, the authoring organizations go one step further and recommend using a centrally managed antivirus solution.
- Using application allowlisting and/or endpoint detection and response (EDR) solutions on all assets to ensure that only authorized software is executable, and all unauthorized software is blocked. Application allowlisting is a default-deny approach: rather than trying to block known-bad software, it permits only software that has been explicitly approved (typically identified by publisher signature, path or file hash) and blocks everything else. EDR tools continuously record endpoint activity (process execution, file and registry changes, network connections) on laptops, servers, mobile devices and other endpoints that connect to your network, and let you detect and respond to threats on them. The guide recommends EDR for cloud-based resources as well.
- Implementing an intrusion detection system (IDS). An IDS can detect command-and-control (C2) traffic and other potentially malicious network activity that occurs before ransomware is deployed.
- Monitoring indicators of activity and blocking malware file creation with the Windows Sysmon utility. Sysmon (version 14.0 and later) has a FileBlockExecutable option that can be used to block the creation of malicious executables, DLL files, and system files that match specific hash values; each blocked write is also logged, which gives you an early indicator that precursor malware is active.
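As an added example (it is not from the guide or from this article), the following PowerShell script writes a minimal Sysmon configuration that uses FileBlockExecutable to stop executables from being written to disk, then installs Sysmon with it and lists any blocks that have already occurred. It goes slightly beyond the hash-only case above: the second rule blocks any executable written by Word or Excel, regardless of hash, because those applications have no legitimate reason to drop PE files. The SHA-256 value is the hash of an empty file and is only a placeholder for a hash from your own threat intelligence; the file name sysmon-block.xml, the rule names and the assumption that sysmon64.exe sits in the current directory are also mine.

```powershell
# Added example: block creation of executables with Sysmon's FileBlockExecutable
# event filter (Sysmon 14.0+, schema version 4.82). Assumes sysmon64.exe has
# been downloaded from Sysinternals into the current directory.

$ConfigPath = Join-Path $PWD 'sysmon-block.xml'

# Single-quoted here-string: PowerShell expands nothing inside it.
# The Hashes field in Sysmon events is written as "SHA256=<uppercase hex>",
# so HashAlgorithms must include sha256 for the 'contains' match to work.
# The hash below is the SHA-256 of an empty file: a PLACEHOLDER ONLY.
$SysmonConfig = @'
<Sysmon schemaversion="4.82">
  <HashAlgorithms>sha256</HashAlgorithms>
  <EventFiltering>
    <RuleGroup name="BlockKnownBadExecutables" groupRelation="or">
      <!-- Event ID 27: the file write is blocked and logged when a rule matches -->
      <FileBlockExecutable onmatch="include">
        <!-- Known-bad hash from threat intelligence (placeholder value) -->
        <Hashes name="KnownBadHash" condition="contains">SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855</Hashes>
        <!-- Office applications never need to drop executables: block regardless of hash -->
        <Image name="OfficeDropsExecutable" condition="end with">\WINWORD.EXE</Image>
        <Image name="OfficeDropsExecutable" condition="end with">\EXCEL.EXE</Image>
      </FileBlockExecutable>
    </RuleGroup>
  </EventFiltering>
</Sysmon>
'@

Set-Content -Path $ConfigPath -Value $SysmonConfig -Encoding UTF8

function Install-SysmonBlockConfig {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [switch] $Update   # -c updates the running configuration; -i installs the driver
    )
    if (-not (Test-Path $Path)) { throw "Sysmon config not found: $Path" }
    if ($Update) {
        & .\sysmon64.exe -c $Path
    } else {
        & .\sysmon64.exe -accepteula -i $Path
    }
}

# First deployment; re-run with -Update after editing the XML.
Install-SysmonBlockConfig -Path $ConfigPath

# Verification: every blocked write is recorded as Event ID 27, including the
# writing process (Image), the blocked path (TargetFilename) and its hashes.
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 27 } `
    -MaxEvents 10 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Message
```

Hash rules only catch samples you already know about, and a recompiled payload defeats them, which is why the rule keyed on the writing process is the more durable of the two. Forward the Event ID 27 records to your SIEM: a block fired by a Word document on a user's workstation is exactly the precursor-malware signal this section is about.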
The fifth initial attack vector listed in the #StopRansomware Guide is advanced forms of social engineering. Advanced social engineering attacks include tactics such as search engine optimization (SEO) poisoning, imposter websites (drive-by downloads) and malvertising (malicious advertising). All of these techniques are used to harvest credentials or other information from users, or to give attackers an avenue for delivering malware onto the network. To help counter this threat vector, the guide recommends:
- Ensuring that you have a good cybersecurity awareness training program that teaches your employees how to recognize and report advanced social engineering attempts against your network.
- Employing a protective DNS service. A protective DNS service is any security service that analyzes DNS queries to identify and mitigate threats, typically by refusing to resolve (or sinkholing) domains known to host malware, phishing pages or command-and-control infrastructure.
- Implementing sandboxed browsers to help thwart malware that can be introduced through web browsing. A sandboxed browser runs in an isolated container or virtual machine, so malicious code encountered while browsing cannot reach the host operating system or the rest of the network.
The sixth initial attack vector listed in the #StopRansomware guide is one that has been on everyone’s mind since the MOVEit attacks started: third parties and managed service providers. In the modern business world, organizations employ ever-increasing numbers of third-party software packages and managed service providers to perform all kinds of tasks for them. To be effective, these services need access to internal network information and devices, and they become, in effect, part of your internal network. This increases the attack surface available to ransomware attackers immensely. To help thwart these kinds of attacks, the guide recommends:
- Examining the risk management and cyber hygiene practices employed by managed service providers (MSPs) to ensure they are in line with best practices and your organization’s security requirements. The guide also recommends that you formalize security requirements in contract language with these providers.
- Ensuring the use of least privilege and separation of duties when setting up access for third parties. They should be given access only to the devices and servers that their role or responsibilities require.
- Creating service control policies (SCPs) for cloud-based resources to prevent users or roles, organization wide, from being able to access specific services or take specific actions within services, such as deleting logs or changing configurations outside of their role. In AWS Organizations, for example, an SCP sets the maximum permissions for every account in an organizational unit (OU): an action the SCP denies is unavailable even to an account’s administrators, which is what stops a compromised third-party account from covering its tracks.
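As an added example (not from the guide or this article), here is an SCP that denies the log-tampering actions described above, together with a PowerShell wrapper that creates it through the AWS CLI and attaches it to an organizational unit. The policy name DenyLogTampering, the file name, the break-glass role name OrgSecurityAdmin and the OU ID ou-abcd-12345678 are all my placeholders; the script assumes the AWS CLI is installed and configured with credentials for the organization’s management account, which is the only account that can manage SCPs.

```powershell
# Added example: an AWS Organizations SCP that stops everyone in an OU, including
# account administrators, from deleting or disabling audit logging.
# Placeholders: the OU ID and the OrgSecurityAdmin break-glass role name.

$PolicyPath = Join-Path $PWD 'deny-log-tampering.json'
$TargetOuId = 'ou-abcd-12345678'   # PLACEHOLDER: the OU that holds third-party-managed accounts

# Single-quoted here-string so PowerShell leaves the JSON untouched.
# The Condition exempts one designated break-glass role; every other principal in
# the OU, whatever its IAM permissions say, is denied these actions.
$Scp = @'
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyAuditLogTampering",
      "Effect": "Deny",
      "Action": [
        "cloudtrail:DeleteTrail",
        "cloudtrail:StopLogging",
        "cloudtrail:UpdateTrail",
        "cloudtrail:PutEventSelectors",
        "logs:DeleteLogGroup",
        "logs:DeleteLogStream",
        "config:DeleteConfigurationRecorder",
        "config:StopConfigurationRecorder",
        "guardduty:DeleteDetector"
      ],
      "Resource": "*",
      "Condition": {
        "ArnNotLike": {
          "aws:PrincipalArn": "arn:aws:iam::*:role/OrgSecurityAdmin"
        }
      }
    }
  ]
}
'@
Set-Content -Path $PolicyPath -Value $Scp -Encoding UTF8

function New-DenyLogTamperingScp {
    param(
        [Parameter(Mandatory)] [string] $ContentPath,
        [Parameter(Mandatory)] [string] $OuId
    )
    # create-policy returns the new policy as JSON; its Id is needed for attach-policy.
    # Out-String joins the CLI's output lines so ConvertFrom-Json sees one document.
    $result = aws organizations create-policy `
        --name 'DenyLogTampering' `
        --description 'Deny deletion or disabling of audit logging across the OU' `
        --type SERVICE_CONTROL_POLICY `
        --content "file://$ContentPath" `
        --output json | Out-String | ConvertFrom-Json
    $policyId = $result.Policy.PolicySummary.Id

    # The policy has no effect until it is attached to a root, OU or account.
    aws organizations attach-policy --policy-id $policyId --target-id $OuId
    return $policyId
}

New-DenyLogTamperingScp -ContentPath $PolicyPath -OuId $TargetOuId
```

Two caveats a practitioner should keep in mind: an SCP never grants permissions, it only caps what IAM policies in the member accounts can allow, so the third parties’ own roles still need least-privilege policies of their own; and SCPs do not apply to the management account, so nothing sensitive should run there. SCPs must also be enabled for the organization (aws organizations enable-policy-type) before the first one can be attached.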
The recommendations in the #StopRansomware guide represent the best advice available to date for preventing and mitigating ransomware attacks against your organization, and implementing them will also help you remain competitive in today’s markets.