In this paper, I will outline best practices for preventing and mitigating ransomware attacks as detailed in the #StopRansomware Guide published by the Multi-State Information Sharing & Analysis Center. In this guide, measures for preventing and mitigating ransomware attacks are grouped according to six initial attack vectors employed by cyber-criminals to worm their way into your network. The first of these attack vectors that the guide addresses is Internet-facing vulnerabilities and misconfigurations. Most organizations should be used to addressing vulnerability and configuration management by now. What is changing is the degree to which organizations need to rigorously discover and address vulnerabilities and misconfigurations in a timely manner. For this attack vector, the guide recommends:
- Conducting regular vulnerability scanning to identify vulnerabilities on your networks. This is especially true of external, Internet-facing networks (in fact, we recommend employing continuous vulnerability scanning for these). We also strongly recommend that internal and wireless networks should also receive vulnerability scanning. In addition, we recommend penetration testing of your networks to help identify cascading failures and other subtle security flaws that simple vulnerability testing cannot identify.
- Ensuring that all entities on your networks (operating systems, software/firmware applications and hardware devices) are regularly patched and updated to the latest versions. They also recommend prioritizing patching of internet-facing servers that operate software for processing internet data. Organizations should especially employ CISA’s Known Exploitable Vulnerabilities Catalogue available at their website to ensure they are addressing the most serious vulnerabilities. In addition, the guide recommends that organizations that have trouble keeping up with this process should consider migrating systems to reputable “managed” cloud providers to reduce, not eliminate, system maintenance roles for identity and email systems.
- Ensuring that all devices (on-premises, cloud services, mobile and personal) are properly configured and that security features are enabled. They recommend reducing or eliminating manual deployments and codifying cloud resource configuration through IaC. IaC templates should receive security testing prior to deployment. They further recommend that checking configuration drift routinely to identify resources that were changed or introduced outside of template deployment.
- Limiting the use of RDP and other remote desktop services, and if they must be used, applying best practices security measures to help ensure they are not misused. They also recommend regularly updating VPNs, network infrastructure devices, and devices being used to remote in to work environments with the latest software patches and security configurations. MFA should be used for VPN and all remote access.
- Disabling SMB protocols 1 and 2 and upgrading to version 3 after mitigating existing dependencies (on the part of existing systems or applications) that may break when disabled.
The second initial attack vector listed in the #StopRansomware Guide is compromised credentials. To prevent and mitigate successful attacks from this vector, the guide recommends:
- Implementing phishing-resistant MFA for all services, particularly for email, VPNs, and accounts that access critical systems. They further recommend employing password-less MFA that replaces passwords with two or more verification factors such as fingerprints or facial recognition.
- Considering subscribing to credential monitoring services that monitor the dark web for compromised credentials.
- Implementing identity and access management (IAM) systems.
- Implementing zero trust access control measures.
- Changing all default admin user names and passwords.
- Not using root access accounts for day-to-day operations, and rather creating users, groups and roles to carry out tasks.
- Ensuring that passwords of at least 15 characters are used. We further recommend using passphrases that are longer and harder to break, but that are easier to remember.
- Enforcing account lockout policies, and monitoring login attempts for brute force password cracking and password spraying.
- Storing passwords in a secured database and using strong hashing algorithms.
- Implementing local administrator password solution (LAPS) wherever possible.
- Protecting against local security authority subsystem service (LSASS) duping by implementing ASR for LSASS and credential guard for Windows 10 and Server 2016.
- Educating all employees on proper password security in your annual security training.
- Using Windows PowerShell Remoting, Remote Credential Guard, or RDP with restricted Admin Mode as feasible when establishing a remote connection to avoid direct exposure of credentials.
- Ensuring that administrators use separate access accounts for administrative duties and simple network access.
The third initial attack vector listed in the guide is phishing. As all of us know by this point, phishing attacks are one of the most common and successful attack methods employed by cyber-criminals. To prevent and mitigate ransomware attacks using this vector, they recommend:
- Including guidance on how to identify and report suspicious activity or incidents in regular user security awareness training.
- Implementing flagging external emails in email clients.
- Implementing filters at the email gateway to filter out emails with known malicious indicators.
- Enabling common attachment filters to restrict file types that commonly contain malware and should not be sent by email.
- Implementing domain-based message authentication, reporting and conformance (DMARC) policy and verification.
- Ensuring macro scripts are disabled for Microsoft Office files transmitted via email.
- Disabling Windows script host (WHS).
These are only the first three of the six initial attack vectors included in the guide. In my next paper I will outline the last three vector which include precursor malware infections, advanced forms of social engineering, and one of the most fearsome attack vectors currently plaguing us all: third parties and managed service providers.