Best Practices for CISOs to Defend Against Ransomware
There has been an incessant rise of ransomware attacks in recent years. Ransomware trends gained greater precedence with the advent of the coronavirus pandemic, as organizations scrambled to effect remote workforces, leaving significant gaps in their IT systems. A Sophos study earlier revealed that in India 82% of organizations surveyed admitted to being hit by ransomware, reiterating the heightened need for increased network security to help block the attack.
Sunil Sharma, MD – Sales, Sophos India & SAARC, shares the best practices for firewall and network configuration to defend against ransomware.
1.Ensure the best protection: As a part of this, an organisation’s security solutions must include a modern high-performance, next-gen firewall with IPS, TLS Inspection, zero-day sandboxing, and machine learning ransomware protection.
2. Lockdown RDP and other services using firewall: A good practice to prevent attackers from entering a network is to ensure remote access to servers and systems is only possible via VPN and ideally using multi-factor authentication or a whitelist of sanctioned IP addresses.
3. Reduce the surface area of attacks: Thorough and periodic reviews of all port-forwarding rules help to eliminate any non-essential open ports. Each of these open ports represents a potential opening in networks. Where possible, VPN should be used to access resources on the internal network from outside rather than port-forwarding. It is also advisable to secure any open ports by applying suitable IPS protection to the rules governing that traffic.
4. Enable TLS Inspections: TSL inspection, with support for the latest TLS 1.3 standards on web traffic, ensures threats are not entering a network through encrypted traffic flows.
5. Minimize the risk of lateral movement within the network: A good way to do this, is to segment LANS into smaller, isolated zones or VLANs that are secured and connected by the firewall. When doing so, be sure to apply the recommended IPS policies to rules governing the traffic traversing these LAN segments to prevent exploits, worms, and bots from spreading between LAN segments.
6. Automatically isolate infected systems: When a ransomware or other attack strikes, it’s important that IT security solutions are able to quickly identify compromised systems and automatically isolate them until they can be cleaned up, to prevent spread to other systems on the network.
7. Use strong passwords: Last, but not least, strong passwords are critical. Attackers today deploy brute-force hacking tools to enter systems, and hence passwords must be strong enough to withstand their impact. Sophos also recommend setting multi-factor authentication for VPN access, email, and other accounts that contain sensitive information.
According to Sharma, based on research from Sophos’ 2021 Threat Report, attackers are going to continue developing and using ransomware against organizations. Ransomware attacks launched throughout 2020 magnified the suffering of an already wary population, targeting mostly health and education sectors.
Ransomware operators pioneered new ways to evade endpoint security products, spread rapidly, and even
came up with a solution to the problem (from their perspective) of targeted individuals or companies having
good backups, securely stored where the ransomware couldn’t harm them, the report said highlighting the gap between ransomware operators at different ends of the skills and resource spectrum will increase.
Sophos analysts also discovered that some ransomware code appeared to have been shared across families, and some of the ransomware groups appeared to work in collaboration more than in competition with one another.
At the high end, the big-game hunting ransomware families will continue to refine and change their tactics, techniques and procedures (TTPs) to become more evasive and nation-state-like in sophistication, targeting larger organizations with multimillion-dollar ransom demands, he said.
At the other end of the spectrum, he said, Sophos anticipates an increase in the number of entry level, apprentice-type attackers looking for menu-driven, ransomware-for-rent, such as Dharma, that allows them to target high volumes of smaller prey.