Deployment Strategies to Guard Data and Protect Against Ransomware and Cyber Threats
Many enterprise organizations have diligently built defenses against exfiltration-style cyber threats to prevent patient data from being stolen and sold on the black market. Perimeter defenses such as firewalls, data loss prevention and intrusion detection systems can protect against exfiltration, but they don't address the structural weakness that ransomware readily exploits: accounts that can write to far more shared data than they need.
Ransomware is a different kind of threat. It's not about exfiltration-linked extortion; instead, data is encrypted in place and the attackers threaten to throw away the key unless a ransom is paid quickly. Such attacks have recently held several major hospitals and other organizations hostage, tying up critical systems for days and threatening business-critical operations, including healthcare delivery and compliance. If the emergence of the ransomware 'service broker' Ran$umBin, which facilitates exchanges between hackers and victims, and powerful new ransomware variants like "Locky" are any indication, attacks will continue and their frequency may increase. Locky is an especially aggressive variant: it typically arrives as a macro inside an emailed Microsoft Word document, and once it runs it encrypts files not only on the local machine but on every network share the victim's account can write to.
In other kinds of cyber attack there are observable stages in the kill chain, such as reconnaissance and privilege escalation prior to exfiltration, that signal an attack early. Ransomware collapses that timeline: once it executes it immediately encrypts everything the compromised account can write to, reaching mapped network drives in seconds, and there are few indicators of infection before the payload runs. As a result, there's often little or no response time.
Unfortunately, some common and longstanding sysadmin habits have shaped the attack surface in the attacker's favor, increasing both the ease and the speed with which ransomware can spread. If newly affordable tools such as real-time machine learning and user behavior analytics are to be effective in detecting and thwarting attacks, some old habits need to change.
The New Need for a Least Privileged Access Model:
In any organization, access to file share resources is granted via security groups composed of like individuals. It makes sense that individuals performing similar functions are granted access to the same resources, and using groups makes it simpler to grant and remove access as users join, move through, and leave the organization. However, it is very common to find that access is actually being granted through groups that contain every individual in the organization (in Windows environments, well-known groups such as Everyone, Authenticated Users or Domain Users), a condition known as Open Access. Open Access is a direct contradiction of the concept of access control: the share is protected in name only.
A Least Privilege Access Model (LPAM) recognizes that not all users need access to any particular resource, nor the same level of access to it. In the case of ransomware and many other types of malware, the level of access and the number of resources a compromised user can reach correlate directly with how much damage the attack can do. If a user has access to file shares and other resources they don't really need, the malware is able to reach and encrypt resources it could not have touched under a least privilege access enforcement model. In this sense, LPAM isn't just about denying user access; it's about refusing the attacker an open pathway to valuable corporate resources.
Achieving LPAM in the file structure comes down to one pivotal capability: the ability to monitor file activity. Doing so not only enables an organization to detect that a ransomware attack is underway (a single account suddenly writing or renaming files at a rate no human produces), but also clarifies who does and does not need access to data, and the level of access they should have, based on how they have historically interacted with it.
Many users who hold Full Control never use it and really need only Read, and that one change alone could significantly limit the spread of ransomware. If a compromised user's account does not have rights that allow ransomware to modify files on a share, the user's own machine may be infected, but the shared data is not, and, more importantly, the infection does not spread through the share. This restricted access model gives internal defenses a much better opportunity to spot and isolate the point of infection.
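The three capabilities just described (finding Open Access, right-sizing rights from observed activity, and spotting a ransomware burst in file activity) can be sketched in a few dozen lines. The following is an added example written for this article, not code from STEALTHbits or any product; the share names, users, rights, thresholds and audit events are all constructed for the demonstration, and a real deployment would read ACLs and activity from the file servers' audit feed instead.

```python
"""Added example (not from the original article or any product): three checks
a file-share audit feed makes possible, run over constructed sample data.
Share names, user names, rights and thresholds are assumptions for the demo."""
from collections import defaultdict
from datetime import datetime, timedelta
from os.path import splitext

# Well-known Windows groups whose presence on an ACL means, in effect,
# that the whole organization has access ("Open Access").
OPEN_ACCESS_PRINCIPALS = {"Everyone", "Authenticated Users", "Domain Users"}

FIN = r"\\fs01\Finance"

# Constructed sample share ACLs: share -> [(principal, right), ...]
SAMPLE_ACLS = {
    FIN:              [("Domain Users", "FullControl"), ("Finance-Team", "Modify")],
    r"\\fs01\HR":     [("HR-Staff", "Modify"), ("HR-Managers", "FullControl")],
    r"\\fs01\Public": [("Everyone", "Read")],
}
# Constructed per-user rights on the Finance share, as currently granted
FINANCE_GRANTS = {"alice": "FullControl", "bob": "FullControl", "carol": "Modify"}


def _ev(ts, user, share, action, path, new_path=None):
    """One file-activity event, shaped like a file-audit record."""
    return {"ts": datetime.fromisoformat(ts), "user": user, "share": share,
            "action": action, "path": path, "new_path": new_path}


# Constructed sample events: alice only reads, carol occasionally edits,
# and bob's account renames six files to a ransom extension in 25 seconds.
SAMPLE_EVENTS = (
    [_ev(f"2016-03-0{d}T09:00:00", "alice", FIN, "read", f"q1\\report{d}.xlsx")
     for d in range(1, 6)]
    + [_ev("2016-03-02T14:10:00", "carol", FIN, "write", "budget.xlsx"),
       _ev("2016-03-04T16:30:00", "carol", FIN, "write", "budget.xlsx")]
    + [_ev(f"2016-03-07T11:00:{5 * i:02d}", "bob", FIN, "rename",
           f"q1\\file{i}.xlsx", f"q1\\file{i}.locky") for i in range(6)]
)


def find_open_access(acls):
    """Shares with an everyone-style group on the ACL, and the rights it holds."""
    return {share: [(p, r) for p, r in entries if p in OPEN_ACCESS_PRINCIPALS]
            for share, entries in acls.items()
            if any(p in OPEN_ACCESS_PRINCIPALS for p, _ in entries)}


def recommend_rights(events, granted, share):
    """Derive, from observed activity, the narrowest right each user needs on
    `share`; return {user: (granted, recommended)} where the grant is wider.
    Full Control is never recommended: routine work never needs it."""
    used = defaultdict(set)
    for ev in events:
        if ev["share"] == share:
            used[ev["user"]].add(ev["action"])
    changes = {}
    for user, right in granted.items():
        actions = used.get(user, set())
        if not actions:
            needed = "None"      # never touched the share: remove the grant
        elif actions <= {"read"}:
            needed = "Read"
        else:
            needed = "Modify"    # wrote, renamed or deleted something
        if needed != right:
            changes[user] = (right, needed)
    return changes


def detect_bursts(events, window=timedelta(seconds=60), threshold=5):
    """Alert when one account's writes/renames on one share reach `threshold`
    inside any `window`; also count renames that changed the extension, the
    signature of files being encrypted and relabelled by ransomware."""
    per_key = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["action"] in ("write", "rename"):
            per_key[(ev["user"], ev["share"])].append(ev)
    alerts = []
    for (user, share), evs in per_key.items():
        start = 0
        for end in range(len(evs)):
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1          # slide the window forward
            burst = evs[start:end + 1]
            if len(burst) >= threshold:
                ext_changes = sum(
                    1 for e in burst if e["action"] == "rename"
                    and splitext(e["path"])[1] != splitext(e["new_path"])[1])
                alerts.append({"user": user, "share": share, "events": len(burst),
                               "extension_changes": ext_changes,
                               "first": burst[0]["ts"], "last": burst[-1]["ts"]})
                break   # one alert per account/share is enough to isolate it
    return alerts


if __name__ == "__main__":
    print("Open Access:", find_open_access(SAMPLE_ACLS))
    print("Right-sizing:", recommend_rights(SAMPLE_EVENTS, FINANCE_GRANTS, FIN))
    for alert in detect_bursts(SAMPLE_EVENTS):
        print("ALERT:", alert)
```

Run as a script, it reports the Finance and Public shares as Open Access, recommends dropping alice to Read and bob to Modify (carol's Modify is justified by her writes), and raises one alert for bob's account the moment five renames land inside the 60-second window. The threshold and window are deliberately low for the demo; in production they would be tuned against the organization's own baseline, which is exactly what the user behavior analytics mentioned above does automatically.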
Many organizations use temporary elevated privileges for time-limited tasks. This preserves efficiency and minimizes disruption while keeping the attack surface as small as possible. Several sectors are adept at this and offer strong best practices. In the automotive industry, for example, high-level credentials are routinely issued with time limits to those designing new generations of products, then revoked, with the passwords scrambled, when the work is done.
LPAM is very helpful both in ransomware scenarios and in others, such as insider threats and data exfiltration attempts. It doesn't require new technology or a revolutionary approach; it's a set of best practices that are already relied upon in many sectors. It helps IT, security and compliance teams understand and identify the difference between normal and abnormal behavior, and lets them invoke and enforce policies fairly easily. Combined with User Behavior Analytics, it can be truly invaluable.
It also makes the security administrator's job easier in other ways. An IT or security staffer monitoring a SIEM is trying to review and derive insight from an often overwhelming volume of alerts, and to separate real threats from false positives in near real time. Even the simplest LPAM implementation helps reduce that noise: when fewer accounts can touch each resource, there are fewer legitimate access events to wade through, and any access from outside the expected group stands out.
Other steps, though obvious, are similarly important in reducing and controlling the attack surface your organization presents to would-be intruders. Key steps:
- Educating users so that click-bait doesn’t override security.
- Data strategies such as moving critical, 'always needed' data and applications to a more secure infrastructure, and of course keeping air-gapped (offline) copies of backups, so that ransomware running under a user's credentials cannot reach and encrypt them too.
- Penetration testing goes hand in hand with user training, especially in large organizations. There are many ways to show users how their individual actions increase institutional vulnerability, but none is more effective than a security assessment that uses click-bait (such as a LinkedIn request from a 'new intern') and simulated phishing, followed by a walkthrough of how those clicks would have shut down critical functions.
- Security basics remain critical: ensuring that antivirus signatures and operating systems are up to date, moving away from (or at least enforcing regular rotation of) static passwords, and ensuring that sysadmins use separate accounts and credentials for administrative work and for day-to-day email and browsing, so that a phished everyday account never carries admin rights.
- Blocking macro-enabled Word (and Excel and PowerPoint) documents at the email gateway. It's extremely rare that anyone legitimately needs to send an Office document containing a macro from outside the company. Filter on the content of the attachment (the presence of a VBA project) rather than on the .docm/.xlsm/.pptm extension alone, and treat legacy binary .doc/.xls/.ppt files with the same suspicion, since those can carry macros without any telltale extension.
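As an added example, not code from the original article, here is a content-based check of the kind a mail gateway could apply to inbound Office attachments. It inspects the attachment bytes rather than trusting the file name: OOXML packages (.docx and friends) are zip files, and a macro-bearing one contains a vbaProject.bin part and declares a macroEnabled content type in [Content_Types].xml; legacy binary Office files begin with the OLE2 compound-file signature and are flagged separately, because deciding their macro status needs an OLE parser. The sample documents are constructed in memory and the policy function is an assumption about how a gateway might act on the classification.

```python
"""Added example (not from the original article): classify an inbound Office
attachment by its content rather than its file name. The sample documents
below are constructed in memory; no real malware or real files are involved."""
import io
import zipfile

OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # legacy binary .doc/.xls/.ppt
MACRO_ENABLED_EXTS = {"docm", "dotm", "xlsm", "xltm", "pptm", "potm"}


def classify_attachment(data):
    """'macro'      : OOXML package carrying a VBA project
       'clean'      : OOXML package without one
       'legacy-ole' : binary Office container, may hold macros (needs an OLE parser)
       'other'      : anything else"""
    if data.startswith(OLE2_MAGIC):
        return "legacy-ole"
    if not data.startswith(b"PK"):
        return "other"
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as pkg:
            names = pkg.namelist()
            # Word/Excel/PowerPoint store VBA at word|xl|ppt/vbaProject.bin ...
            if any(n.lower().endswith("vbaproject.bin") for n in names):
                return "macro"
            # ... and declare it through a macroEnabled content type.
            if "[Content_Types].xml" in names:
                types_xml = pkg.read("[Content_Types].xml").decode("utf-8", "replace")
                if "macroEnabled" in types_xml:
                    return "macro"
            return "clean"
    except zipfile.BadZipFile:
        return "other"


def should_block(filename, data):
    """Assumed gateway policy for one attachment: returns (block?, reason)."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    kind = classify_attachment(data)
    if kind == "macro":
        return True, f"{filename}: VBA project inside the package (extension .{ext} is irrelevant)"
    if kind == "legacy-ole":
        return True, f"{filename}: legacy binary Office file, macro status undecidable here"
    if ext in MACRO_ENABLED_EXTS:
        return True, f"{filename}: macro-enabled extension blocked by policy"
    return False, f"{filename}: no macro indicators ({kind})"


def _ooxml(parts):
    """Build a minimal OOXML-style zip from {name: bytes} (constructed test data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as pkg:
        for name, payload in parts.items():
            pkg.writestr(name, payload)
    return buf.getvalue()


# Constructed samples
CLEAN_DOCX = _ooxml({
    "[Content_Types].xml": b'<Types><Override PartName="/word/document.xml" '
                           b'ContentType="application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"/></Types>',
    "word/document.xml": b"<w:document/>",
})
MACRO_DOCM = _ooxml({   # what a .docm looks like inside, whatever it is renamed to
    "[Content_Types].xml": b'<Types><Override PartName="/word/document.xml" '
                           b'ContentType="application/vnd.ms-word.document.macroEnabled.main+xml"/>'
                           b'<Override PartName="/word/vbaProject.bin" ContentType="application/vnd.ms-office.vbaProject"/></Types>',
    "word/document.xml": b"<w:document/>",
    "word/vbaProject.bin": b"placeholder VBA project stream (constructed)",
})
LEGACY_DOC = OLE2_MAGIC + b"\x00" * 64   # header only; enough to classify


if __name__ == "__main__":
    for name, blob in [("report.docx", CLEAN_DOCX), ("invoice.docx", MACRO_DOCM),
                       ("invoice.doc", LEGACY_DOC), ("notes.txt", b"plain text")]:
        print(should_block(name, blob))
```

The point of the two-part check is that a renamed file fools an extension filter but not a content one: `invoice.docx` above is blocked because the package still carries `word/vbaProject.bin`. For the legacy OLE case a production gateway would parse the compound file (for example with oletools' olevba) to confirm whether a VBA project is present, rather than blocking every old-format document outright.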
These steps all take some changes in habits, and some effort, but as one IT pro recently joked, it’s better to get smart than to get Locky.
About the Author
Adam Laub is the Senior Vice President of Product Marketing at STEALTHbits Technologies. He is responsible for setting product strategy, defining future roadmap, driving strategic sales engagements, supporting demand generation activities, enabling the sales organization and all aspects of product evangelism.