Five common ways businesses are targeted by ransomware attack
Information security should be made part of the values and culture of any organization. Many organizations forget about safety, only to be jolted into action once an incident has occurred. That should not be the case. Employees must be persuaded to become good stewards of information security through behavior change. Organizations that are adept at getting everybody on board are more successful at keeping attackers at bay.
Some common ways businesses are targeted by ransomware attack:
1) Email Attachments
Email is still the largest attack surface in organizations. Every organization is reliant on email for communication. There should be a concerted effort to address email attacks holistically and boost email security. Many attacks start with a simple email attachment that will execute malicious code and spread a ransomware payload across the entire organization within minutes. Most of the time, the attachment can be a JavaScript file or a ZIP file. These files are popular email attachments and make it easy for attackers to introduce malicious code and execute an organization’s attack. One effective way of preventing email-based ransomware attacks is by assessing all inbound emails and identifying the most common attachments. For most organizations, the most common attachments are Word docs and Excel files. If that is the case, all other attachments should be blocked and dealt with on a need-to-need basis. Take note that exceptions can be made to ensure that non-typical file types can be handled differently when the need arises.
2) External Facing Assets
You have two types of external-facing assets – intended and unintended assets. There are specific assets such as remote desktop protocol (RDP) or server message block protocol (SMB) that are particularly vulnerable to attacks. Both intended and unintended assets are targeted for the attack through existing vulnerabilities and brute force attacks. The involuntary assets present the most significant problems to security teams since they are not supposed to be exposed. Businesses must fully understand their external-facing infrastructure and have in place measures that will help identify infrastructure changes or suspicious activity. The ideal scenario is to use a third party to verify all the external-facing assets of the organization. Solutions developed to help in-house teams determine all assets that appear in the public IP address. This information should be collected and reviewed regularly to keep track of any changes. Institute measures to ensure that user accounts that attempt numerous logins are locked out. The most critical charges to protect are service accounts that typically have more privileges than end-user accounts. Server accounts also carry back-end configurations that help auto-reset login attempts or disable lockout policies that may disrupt business operations.
3) Process Injection
Process injection will entail arbitrary code execution. Malicious actors use process injection to introduce arbitrary code into normal running processes. For example, TrickBot uses legitimate svchost.exe to inject and run arbitrary code to finally take control of a business environment. Process injection relies on stealth to mask attacks and make them difficult to detect. Such is the use of stealth that you may not see malicious processes when looking at the currently running processes on a host. The execution of arbitrary code is entirely dependent on the user context their processes are running. A legitimate executable running through a signed-in user is different from an executable running from a system administrator account. The solution is to disengage as many administrative rights from end-users. Reducing administrator access brings down the success rate of arbitrary code execution. When an endpoint becomes compromised or suspects suspicious activity, work to identify any legitimate executables that may perform abnormal actions. Using the svchost.exe example, check if the process establishes a connection to a remote IP address without a command-line argument.
4) Inventory Asset Management
A big challenge for incident responders is that they have to fully understand how incidents affect core business operations. That’s in addition to having the required technical skills and keeping abreast of the latest tactics being used by malicious actors. Small businesses have to grapple with small IT security teams or none at all, whereas the large corporations have to deal with numerous assets and more infrastructure. During incident response, having visibility into more infrastructure will provide a more significant opportunity to detect abnormalities. Attackers have gained the upper hand where an asset is not correctly monitored by security teams. Repeated damage has occurred when numerous environments recover from ransomware attacks only to get compromised a second time since preventive policies were not applied for all endpoints. In some instances, security teams were unaware that the endpoints existed, and malicious actors compromised them. Asset inventory management calls for organizations to be relentless in understanding their environments and all assets. Security teams can use inventory management software or built-in tools such as PowerShell to regularly collect information and ascertain every purchase status. Inventory management is a never-ending process characterized by continual learning and tracking of changes.
5) User/Human Error
Human error is the weak point for organizations even when they have the best security team assembled and the best security tools in place. Many attacks start with an employee opening an email attachment and allowing actors to gain access. Even the most diligent employees still fall for phishing attacks. Beware of devices that are unaccounted for but are used to connect to your organization’s network. These devices and apps increase the surface of attack exploited by malicious actors. The security team must keep track of all external-facing assets and put in place policies that govern the use of personal devices in the organization’s network. Human error can be minimized through policies and procedures, software, and security awareness training. Organizations that view end users as part of their security assets will fare better in the fight against malicious actors.
The solutions? Prevention, training, and the right working habits.
By Alessandro Vicati