Best Practices to Combat Ransomware
Take a layered approach to security
A firewall and Antivirus combination are not enough to secure an environment against ransomware. Layers of protection are an important and in-depth part of your defense.
Manage network traffic
Proper management of network traffic leads to better control of what traffic is on the network. It is important that networks are properly zoned and that users and devices can only see and interact with their appropriate network areas.
Always make use of application layer firewalls. All services whenever possible should be published through reverse proxies so as to avoid subject-to-object direct access. This not only limits the damage but also prevents direct access to files and environments in the event of an attack. Firewalls should also be utilized on the endpoint to ensure that traffic outbound from hosts and from non-corporate software is blocked.
Use IPS and HIPS
The use of IPS/IDS on the network is highly recommended. This will assist in prevention, as traffic flowing between applications and interfaces that produce anomaly-based traffic can be effectively detected in this way. HIPS on hosts should also detect and prevent any unusual traffic.
Use restricted interfaces
Remote access applications that are locked down by strong policy help to mitigate this type of threat, as ransomware must be executed to infect the networked machines. If browsing is blocked through the restricted interface, application users tend to browse on their own machines and not through the corporate connection.
Patch your environment
Patching your applications and your environment is absolutely crucial to protection. Some cryptoware exploits unpatched systems and through these vectors the infection can be exceedingly worse.
Proxy your traffic
Good proxies are able to block traffic that originates from applications that are not on the allowed or trusted list. Even internal traffic can be proxies at an application layer and inspected.
Use application whitelisting
It is highly recommended to create a whitelist of the corporate applications allowed to run on the machines and on the network. This is a strong strategy that is very difficult to bypass. Certain whitelisting technologies hashes the allowed applications and only the list of allowed hashed applications will run on the machine.
Make sure your permissions are appropriately set and that authentication is required for access, especially to critical systems. The use of two-factor authentication to gain access to systems that are sensitive is always recommended and cryptoware cannot easily bypass these controls.
Follow the rule of least privilege
Always implement and keep reviewing the rule of least privilege. It is important that all files are carefully grouped and that the correct level of access is constantly applied. Users should always only have the least amount of privilege required to do their work.
Promote security awareness
One of the most important aspects of security, especially when dealing with encrypting software, is to inform your users on a regular basis to not click on any strange looking software or to visit any potentially harmful websites.
Have a restorable backup
The only sure protection is a cloud-based and internal backup strategy coupled with virtualization. Even if ransomware makes it past all your defenses, point in time backups will save your critical data and your business.
In this day and age, the best protection is a layered approach and adopting security in-depth. We can no longer rely on legacy mitigation strategies of a bygone age. Our security team have witnessed many customers that have only the basics installed and unfortunately become infected. This results in a challenging battle to keep ransomware at bay.