Trustwave: How To Prepare for Ransomware in the Wake of JBS, Colonial Pipeline Attacks

Trustwave, a top global cybersecurity company focused on managed detection and response, has published a high-level framework to help organizations prepare for the current wave of ransomware attacks. As a philosophy, Trustwave holds that a lack of proactive security makes an organization more susceptible to ransomware.


"Organizations must ensure they have a proactive approach to threat protection, detection and response, and the right people, processes and capabilities in place to strengthen resilience to these types of attacks," said Kory Daniels, Global Director, Threat Detection and Response Consulting, Trustwave.


"The continuation of these attacks is yet another wake-up call for organizations to take a hard look at their defenses."

The recent attacks that crippled operations for Colonial Pipeline and now JBS, the world's largest meat packer, have demonstrated the dire need for ransomware preparedness and assessment.


Read the ransomware preparedness guide Trustwave outlines:


First Off


Ransomware requires a robust layered security approach. The concept behind a layered security strategy is “Defense in Depth”, which aims to have fallback protections if a particular control fails. Defenses must address People, Process and Technology in order to be effective. Below is a quick high-level overview to help you prepare for this new surge of ransomware attacks.


People


Ransomware often requires human action to be successful, which makes people the critical part of a ransomware attack. It has been found that many ransomware attacks use phishing techniques combined with exploit kits. As a significant number of attacks use this method, it is critical for organizations of all sizes to educate their employees on cybersecurity hygiene, particularly how to recognize and avoid suspicious links and attachments. Doing so has been shown to help reduce the number of successful attacks.


1. Security Awareness Training


Targeted security awareness training is something that all employees can benefit from. It is the best way to build cybersecurity awareness in the organization and help employees understand the threats faced and the security policies of the organization and why they exist. The training should be carried out on an ongoing basis, informing employees on the latest security trends and how to respond in the case of ransomware attacks. Highlighting the following two key messages will help protect them and the organization against ransomware:

  • Don’t click on attachments or links in emails that appear suspicious or that you weren’t expecting, and don’t reply to them.

  • Report potential phishing attacks to the Information Security team for support.

Process


Technology alone cannot form a security defense strategy. Supporting processes are the key to optimizing the benefits of the technologies in place.


1. Security Policies


How employees practice security will directly impact the effectiveness of security controls in the organization. Security policies and standards provide a roadmap and a guideline to employees describing how to interact in day-to-day business operations securely. The policies will include a detailed guide on the use of various types of email, web, collaboration technologies, social media, and other tools that have been deployed, including guidance on the use of personal devices.


Policies can be useful in defining and limiting the tools that are used to access sensitive data. These limitations can be helpful in reducing the number of ingress points for ransomware, other forms of malware, phishing attempts, and other content that could pose a security risk to the organization.


2. Logging and Monitoring


Ransomware may hide in networks undiscovered for days, months, and years. It may even contaminate backup data, tempting organizations to pay the ransom to retrieve the data. A logging and monitoring process in place that analyses the logs regularly and uses well-defined methodologies to uncover anomalies can help identify any unusual activities in the network and detect potential attacks as early as possible.

  • Logs that are collected in logging servers and related software must be continuously analyzed and reviewed for anomalous or suspicious activities

  • A definition of the events to be logged must be prepared and then communicated.

  • Logs must be securely retained in a centralized location.
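The "well-defined methodology to uncover anomalies" above is easiest to understand with a concrete rule. The following is an added example, not Trustwave's tooling: it parses constructed endpoint file-activity log lines (the line format, host and process names are assumptions made for the example) and flags any process that performs an unusually high number of file writes or renames within a short window, which is the kind of burst a mass-encryption run produces. Tune `window_seconds` and `threshold` to your own baseline before relying on it.

```python
"""Detect ransomware-like bursts of file writes/renames in endpoint logs.

Added example with a constructed log format (an assumption, not a real
product's format):
    <ISO timestamp> host=<name> pid=<n> proc=<name> op=<write|rename> path=<file>
"""
import os
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) pid=(?P<pid>\d+) proc=(?P<proc>\S+) "
    r"op=(?P<op>\w+) path=(?P<path>.+)$"
)


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.fromisoformat(ev["ts"])
    return ev


def detect_bursts(lines, window_seconds=60, threshold=20):
    """Return one alert per (host, pid, proc) that performed at least `threshold`
    write/rename operations inside any sliding window of `window_seconds`."""
    by_proc = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev and ev["op"] in ("write", "rename"):
            by_proc[(ev["host"], ev["pid"], ev["proc"])].append(ev)

    window = timedelta(seconds=window_seconds)
    alerts = []
    for (host, pid, proc), events in by_proc.items():
        events.sort(key=lambda e: e["ts"])
        recent = deque()
        for ev in events:
            recent.append(ev)
            # Drop events that fell out of the sliding window.
            while ev["ts"] - recent[0]["ts"] > window:
                recent.popleft()
            if len(recent) >= threshold:
                # Extensions touched in the window help an analyst spot a
                # new, uniform extension being stamped onto many files.
                exts = sorted({os.path.splitext(e["path"])[1].lower() for e in recent})
                alerts.append({
                    "host": host, "pid": pid, "proc": proc,
                    "count": len(recent),
                    "start": recent[0]["ts"], "end": ev["ts"],
                    "extensions": exts,
                })
                break  # one alert per process is enough
    return alerts


def build_sample_logs():
    """Constructed sample: a benign editor saving a few files over minutes, and
    an unknown process renaming 25 files to a new extension in 25 seconds."""
    base = datetime(2021, 6, 7, 9, 0, 0)
    lines = []
    for i in range(3):
        ts = base + timedelta(minutes=3 * i)
        lines.append(f"{ts.isoformat()} host=ws12 pid=4312 proc=winword.exe "
                     f"op=write path=C:\\Users\\a\\doc{i}.docx")
    for i in range(25):
        ts = base + timedelta(seconds=i)
        lines.append(f"{ts.isoformat()} host=ws12 pid=7788 proc=svc_upd.exe "
                     f"op=rename path=C:\\Users\\a\\file{i}.xlsx.locked")
    return lines


if __name__ == "__main__":
    for alert in detect_bursts(build_sample_logs()):
        print(f"{alert['host']} pid={alert['pid']} {alert['proc']}: "
              f"{alert['count']} ops in window, extensions={alert['extensions']}")
```

The rule deliberately keys on behaviour (rate of file modification per process) rather than on a known malware name, so it still fires for a family the signature feed has not seen; the cost is that legitimate bulk operations (a backup agent, a compiler) need an allow-list once you know your environment.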

3. Patching and Vulnerability Management


Cybercriminals look for any known weakness in systems or software and exploit it as a starting point to deliver malicious code. For example, the WannaCry ransomware targeted unpatched PCs by exploiting the “EternalBlue” vulnerability one month after it was leaked. Patching systems, applications and devices promptly is an essential part of an effective approach to cybersecurity. It ensures that known problems and vulnerabilities that could be exploited by attackers, and which may impact the availability, integrity, and confidentiality of the organization's information assets, are remediated promptly.


4. Data Backup Process


A useful method for recovering from a ransomware attack, as well as from other types of malware infections, is to restore from a known, good backup taken as close as possible to the point before the infection occurred. Using a recent backup, an endpoint can be reimaged and its data restored to a known, good state with as little data loss as possible. While this strategy will likely result in some level of data loss because there will normally be a gap between the most recent backup and the time of reimaging, recent backups will minimize data loss if no other remedy can be found.
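Two details in the paragraph above decide whether a restore actually works: the backup must predate the infection, and it must be "known good", which in practice means its integrity is verified against a record kept separately from the backup store (the Logging and Monitoring section notes that ransomware may contaminate backups). The following added example, not Trustwave's code, models a set of constructed snapshots with a manifest hash each and picks the newest intact snapshot taken before the estimated infection time, reporting the data-loss gap. Snapshot contents, timestamps and the infection time are all constructed assumptions.

```python
"""Select a restore point: newest intact backup taken before infection.

Added example. Snapshots are constructed in-memory objects; in a real
deployment the content would be read from offline/immutable media and the
expected hashes from a manifest stored apart from the backup target.
"""
import hashlib
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class Snapshot:
    taken_at: datetime
    content: bytes           # stand-in for the backup image
    expected_sha256: str     # recorded in a separately stored manifest


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def is_intact(snap: Snapshot) -> bool:
    """A snapshot is trusted only if its bytes still match the manifest hash."""
    return sha256_hex(snap.content) == snap.expected_sha256


def select_restore_point(snapshots, infection_time):
    """Return (snapshot, gap) for the newest snapshot that predates the
    infection and passes the integrity check, or (None, None) if none does.
    `gap` is the data-loss window between that snapshot and the infection."""
    candidates = [s for s in snapshots
                  if s.taken_at < infection_time and is_intact(s)]
    if not candidates:
        return None, None
    best = max(candidates, key=lambda s: s.taken_at)
    return best, infection_time - best.taken_at


def gap_hours(snapshots, infection_time):
    """Convenience wrapper returning the data-loss gap in hours (or None)."""
    _, gap = select_restore_point(snapshots, infection_time)
    return None if gap is None else gap.total_seconds() / 3600


def build_sample_snapshots():
    """Constructed sample: nightly snapshots where the third one was altered
    after the manifest was written (a contaminated backup) and the fourth was
    taken after the infection began."""
    base = datetime(2021, 6, 7, 0, 0)
    v1, v2, v3 = b"customer-db v1", b"customer-db v2", b"customer-db v3"
    return [
        Snapshot(base, v1, sha256_hex(v1)),
        Snapshot(base + timedelta(days=1), v2, sha256_hex(v2)),
        # Bytes no longer match the manifest: must not be used for recovery.
        Snapshot(base + timedelta(days=2), v3 + b"<altered>", sha256_hex(v3)),
        # Intact, but taken after infection; may already hold encrypted data.
        Snapshot(base + timedelta(days=3), v2, sha256_hex(v2)),
    ]


# Constructed estimate of when the intrusion began (from incident timeline).
INFECTION_TIME = datetime(2021, 6, 9, 12, 0)


if __name__ == "__main__":
    snap, gap = select_restore_point(build_sample_snapshots(), INFECTION_TIME)
    if snap is None:
        print("no trustworthy restore point available")
    else:
        print(f"restore from {snap.taken_at.isoformat()}, data-loss gap {gap}")
```

Note that the newest snapshot before the infection is rejected because its hash no longer matches, so the selected restore point is a day older and the gap grows accordingly; that is the trade-off the paragraph describes, made visible.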


5. Incident Response Process


Having an incident response process in place can provide the organization with a clear and guided process to be followed when a cyber-attack occurs. In the case of a ransomware attack, isolating the infected device should be the first step to contain the damage. Backup is the “go-to” solution to remediate and recover. If possible, ransom should never be paid because you would not get your full set of data back in most cases.


Technology


Ransomware often infects computers via malicious emails and pop-up windows that encourage the users to click or download “authentic” applications. Specifically, targeting the following technologies in the organization will assist in protecting against ransomware:


1. Email Security


As the primary delivery vector, email security should be the first and foremost consideration in protecting the organization from ransomware. Email security solutions such as Trustwave MailMarshal provide a layered approach to email security against phishing, ransomware, and other email-based threats. These technologies often perform deep analysis of inbound email traffic in real time to detect and block malicious content, while scrutinizing outbound email traffic to safeguard sensitive data and information. In addition, establishing the following principles within the organization will help:

  • Limit the use of company emails or email addresses for personal purposes.

  • Be cautious of email asking you to open files, click links, or otherwise release information.

  • Do not use company email for any business activities unrelated to the job role.

  • Regularly change email passwords.

2. Endpoint Security and Testing


Proactive security testing on endpoints can help the organization understand where risks and vulnerabilities reside, enabling it to better prevent, detect and respond to security incidents and continuously improve overall security posture. Even though phishing is the major attack vector in ransomware, a comprehensive testing program can address attacks from multiple sources. Testing can confirm the following capabilities exist at the endpoint:

  • Ability to detect and prevent malware, encryptors, and the execution of malicious code, documents, and files.

  • Ability to filter content, preventing users from going to known malicious websites or plugging uncontrolled devices (such as USB drives) into the endpoints.

  • Ability to prevent the exploitation of known and unknown vulnerabilities in applications and operating systems on the endpoints.

Forensic-state analysis can help the organization determine the current standing of its endpoints. This approach can help identify ongoing and past intrusions and enable the organization to respond effectively to future incidents.


3. Network Security


Ransomware attacks usually involve three steps:

  1. Infection

  2. Data encryption

  3. Establishment of Command-and-Control (C&C) communication.

Establishing C&C communication is a critical step for cybercriminals to either transmit the stolen/encrypted data or prepare for later attacks within the victim’s network. An Intrusion Detection/Prevention System (IDPS), backed by integrated threat intelligence, can identify anomalies in network flows, alert security personnel, and block the ransomware attack.
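One network-flow anomaly an IDPS or a SIEM rule can look for is beaconing: an internal host contacting the same external endpoint at a near-constant interval, which is how many C&C implants check in. The following added example (not Trustwave's or any IDPS vendor's code) runs a simple periodicity check over constructed flow records; the record format, internal 10.0.0.0/8 addresses and the 203.0.113.0/24 documentation range are assumptions for the example.

```python
"""Flag periodic (beacon-like) connections in flow logs.

Added example with a constructed record format (an assumption):
    ts=<ISO timestamp> src=<ip> dst=<ip> dport=<port> bytes=<n>
A (src, dst, dport) tuple is reported when it has at least `min_connections`
and the inter-connection gaps are nearly constant (low coefficient of
variation). Real traffic from a browser has very irregular gaps.
"""
import re
import statistics
from collections import defaultdict
from datetime import datetime, timedelta

FLOW_RE = re.compile(
    r"^ts=(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+) bytes=(?P<bytes>\d+)$"
)


def parse_flow(line):
    m = FLOW_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.fromisoformat(rec["ts"])
    return rec


def find_beacons(lines, min_connections=8, max_cv=0.1):
    """Return a list of beacon candidates with their estimated period."""
    flows = defaultdict(list)
    for line in lines:
        rec = parse_flow(line)
        if rec:
            flows[(rec["src"], rec["dst"], rec["dport"])].append(rec["ts"])

    beacons = []
    for (src, dst, dport), stamps in flows.items():
        if len(stamps) < min_connections:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        mean_gap = statistics.mean(gaps)
        if mean_gap <= 0:
            continue
        # Coefficient of variation: stdev relative to the mean gap.
        cv = statistics.pstdev(gaps) / mean_gap
        if cv <= max_cv:
            beacons.append({
                "src": src, "dst": dst, "dport": int(dport),
                "connections": len(stamps),
                "period_s": round(mean_gap), "cv": round(cv, 3),
            })
    return beacons


def build_sample_flows():
    """Constructed sample: one host checking in every ~300 s with small jitter,
    and the same host browsing a web server at irregular intervals."""
    base = datetime(2021, 6, 7, 10, 0, 0)
    lines = []
    jitter = [0, 2, -1, 1, 0, -2, 1, 0, 2, -1]
    for i, j in enumerate(jitter):
        ts = base + timedelta(seconds=300 * i + j)
        lines.append(f"ts={ts.isoformat()} src=10.20.3.44 dst=203.0.113.17 dport=443 bytes=612")
    for offset in [0, 5, 47, 120, 121, 400, 900, 905, 1500]:
        ts = base + timedelta(seconds=offset)
        lines.append(f"ts={ts.isoformat()} src=10.20.3.44 dst=203.0.113.80 dport=443 bytes=18344")
    return lines


if __name__ == "__main__":
    for b in find_beacons(build_sample_flows()):
        print(f"{b['src']} -> {b['dst']}:{b['dport']} every ~{b['period_s']}s "
              f"({b['connections']} connections, cv={b['cv']})")
```

Because the check is statistical, it is a lead for an analyst rather than a verdict: software update agents and monitoring probes also beacon, so the destinations it surfaces should be compared against threat intelligence and an allow-list of known services before any blocking action.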


Another aspect of network security is appropriate network segmentation. Ransomware aims to spread and to infect as many machines as possible. Network segmentation can greatly limit the spread and contain the damage if a ransomware attack does happen.

