Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Application Security

12/18/2019
02:00 PM
Shawn Taylor
Shawn Taylor
Commentary
Connect Directly
Twitter
LinkedIn
RSS
E-Mail vvv
50%
50%

5 Security Resolutions to Prevent a Ransomware Attack in 2020

Proactively consider tools to detect anomalous behavior, automatically remediate, and segment threats from moving across the network.

Over the past two years, ransomware attacks have increased in frequency and severity. In 2019 alone, the attacks have crippled manufacturing businesses, brought hospitals to a halt, and even put lives at risk.

It's no wonder that many organizations are putting ransomware prevention and response planning at the top of their priorities list for 2020. And those that aren't probably should consider what more they can do to better prepare their organizations against these types of attacks.

The time to put measures in place is not after an attack has already taken place. I've worked with many organizations scrambling in the aftermath of a breach, but this can be avoided if you proactively consider tools to detect anomalous behavior, automatically remediate, and segment threats from moving across the network to limit an attack's reach.

Here are five things organizations should consider as part of their security resolutions in 2020:

1. Basic Cybersecurity Hygiene: Improving basic cybersecurity hygiene is the No. 1 defense against any type of attack, including ransomware. This is the cybersecurity version of many people's New Year's resolution to "get healthy." Cybersecurity hygiene can mean a lot of different things, but a good place for companies to start is by making sure they have strong vulnerability management practices in place and that their devices have the latest security patches. They can also make sure they are taking basic security precautions that are often also important for regulatory compliance, like running up-to-date antivirus software or restricting access to systems that can't be made compliant. Ultimately, however, for most organizations, starting with CIS Control 1, Inventory and Control of Hardware Assets, will establish a good foundation upon which to build.

2. Penetration Testing: Companies that already have much of the basic hygiene in place can take the additional step of engaging pen testers to further ensure that anything Internet-facing in their organization is protected. By finding what means or mechanisms attackers could hack or brute-force an attack to gain access to applications or internal systems by bypassing other protections such as firewalls, security leaders can fix those areas before bad actors find them. 

3. Board Discussions: Cybersecurity is increasingly becoming a board of directors-level issue. That's because an attack can have a significant impact on a company's revenue, brand, reputation, and ongoing operations. However, it's worth having a specific board-level conversation about ransomware to ensure they understand the specific risks it could pose to the business, and that there is budget made available to prevent or limit the damage of an attack. That discussion will prove critical if the company wants to implement added protections, such as improved cyber hygiene, or put in place automated reactive technologies to limit the spread of an attack. If the CIO or CISO is not already regularly having these conversations about cybersecurity or ransomware in particular, that's definitely a good place to start for 2020.

4. Tailored Training: There is one vulnerability that has proven effective again and again as an entry point for attack: people. You can buy all the latest and greatest cybersecurity technology, but if you aren't training your employees in basic cybersecurity or how to respond during an attack, then you're leaving yourself vulnerable. Training to prevent ransomware starts by teaching employees to recognize phishing attacks and what to do if they suspect one. This is important because — even though many users have gotten better — phishing remains one of the most effective ways for an attacker to breach an organization. Teaching users to validate URLs or avoid clicking on links or attachments altogether can go a long way toward protecting against all types of attacks. This is a good practice to start or revisit in 2020.

In addition to preventing an attack, security leaders can also think about adding specific training for ransomware response. It's pretty easy for an employee to know when they've been hit with ransomware — their work screen may go away and they may get a pop-up directing you to a URL to pay the ransomware (likely in bitcoin). Training employees in what steps they can take in response or giving them an emergency point of contact on the security team can make them feel more in control in the panic of an attack.  

5. Limit the Scope of an Attack: Ransomware resolutions should include not only preventing an attack but also taking steps to minimize the damage of a successful one. That starts with having tools in place, such as SIEM systems that can identify the behavior patterns and heuristics of an attack and begin to automatically isolate and remediate those systems when indicators are flagged. It also means embracing tools such as network segmentation that can prevent the lateral movement of an attack across the network.

Related Content:

Check out The Edge, Dark Reading's new section for features, threat data, and in-depth perspectives. Today's top story: "How to Manage API Security."

Spanning a 20-year career as an accomplished and well-respected Systems Engineer, Shawn Taylor's strong mix of technical acumen, architectural expertise, and passion for operational efficiencies has established him as a trusted adviser to ForeScout's customers since joining ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
seven_stones
50%
50%
seven_stones,
User Rank: Apprentice
1/12/2020 | 2:43:11 PM
VM / detection
Would prefer to see something like "mature vulnerability management processes" instead of penetration testing, especially as local controls on Windows devices, believe it or not, even though vendors would have the world believe otherwise, be very effective indeed. 

You mentioned SIEM in your last point, which is fair enough. I'd probably emphasise detection a lot more, mostly because prevention is far from guaranteed to help. At least the organisation can get a heads up of environmental skullduggery before the payload is active. Unlikely, yes, but good to do anyway for so many reasons. 
seven_stones
50%
50%
seven_stones,
User Rank: Apprentice
1/12/2020 | 2:36:16 PM
Re: Deploy key technologies to close critical vectors
Those aspects you mention are critical for mail servers, for security yes, and the organisation will have trouble sending mail to some domains if these aren't in place - there's even a chance they could end up on a spam black list. Awkward. But for preventing malware malicious email, not so useful. Low level phishers can get blocked but its pitifully easy to subvert, and moreover lots of Phishing comes from compromised accounts.
duetqqip
50%
50%
duetqqip,
User Rank: Apprentice
12/21/2019 | 12:40:24 PM
Re: Deploy key technologies to close critical vectors
nice
smtaylor12
50%
50%
smtaylor12,
User Rank: Author
12/19/2019 | 8:00:46 AM
Re: Deploy key technologies to close critical vectors
First of all, thanks for your comment.

The list wasn't meant to be all-inclusive, I've received other good suggestions via Twitter and LinkedIn. Email protections certainly are definitely a good strategy. I think the bottom line is that there is not one singular tactic, tool or solution to completely protect from ransomware. Education, good endpoint protection/patching strategies, complete visibility of what's on the network (to include the risks of those devices), but that visibility should also be from the outside in, ensuring all protections are made on externally facing devices, systems and applications. While I would agree email is a primary target, some of the highest profile breaches/ransomware attacks weren't initiated by email at all.
sethblank
50%
50%
sethblank,
User Rank: Author
12/18/2019 | 7:05:06 PM
Deploy key technologies to close critical vectors
Thanks for the article, Shawn.

There's one crucial item missing from your list. 90+% of cyberattacks, including ransomware, begin from email. And there are well known technologies, such as SPF, DKIM, and especially DMARC, that prevent these abuses before they ever get in front of a user.

These solutions don't cover every scenario, but they cover the majority of the sources of the threats. We've seen in the real world that when an organization has DMARC in place, attackers simply move on to abuse other organizations instead of moving to more difficult vectors.

If you want to stop ransomware, deploy these open standards and you've reduced your threat surface by more than half. Then apply the rest of your recommendations to continue closing the gap.
Mobile Banking Malware Up 50% in First Half of 2019
Kelly Sheridan, Staff Editor, Dark Reading,  1/17/2020
Exploits Released for As-Yet Unpatched Critical Citrix Flaw
Jai Vijayan, Contributing Writer,  1/13/2020
Microsoft to Officially End Support for Windows 7, Server 2008
Kelly Sheridan, Staff Editor, Dark Reading,  1/13/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
The Year in Security: 2019
This Tech Digest provides a wrap up and overview of the year's top cybersecurity news stories. It was a year of new twists on old threats, with fears of another WannaCry-type worm and of a possible botnet army of Wi-Fi routers. But 2019 also underscored the risk of firmware and trusted security tools harboring dangerous holes that cybercriminals and nation-state hackers could readily abuse. Read more.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-7227
PUBLISHED: 2020-01-18
Westermo MRD-315 1.7.3 and 1.7.4 devices have an information disclosure vulnerability that allows an authenticated remote attacker to retrieve the source code of different functions of the web application via requests that lack certain mandatory parameters. This affects ifaces-diag.asp, system.asp, ...
CVE-2019-15625
PUBLISHED: 2020-01-18
A memory usage vulnerability exists in Trend Micro Password Manager 3.8 that could allow an attacker with access and permissions to the victim's memory processes to extract sensitive information.
CVE-2019-19696
PUBLISHED: 2020-01-18
A RootCA vulnerability found in Trend Micro Password Manager for Windows and macOS exists where the localhost.key of RootCA.crt might be improperly accessed by an unauthorized party and could be used to create malicious self-signed SSL certificates, allowing an attacker to misdirect a user to phishi...
CVE-2019-19697
PUBLISHED: 2020-01-18
An arbitrary code execution vulnerability exists in the Trend Micro Security 2019 (v15) consumer family of products which could allow an attacker to gain elevated privileges and tamper with protected services by disabling or otherwise preventing them to start. An attacker must already have administr...
CVE-2019-20357
PUBLISHED: 2020-01-18
A Persistent Arbitrary Code Execution vulnerability exists in the Trend Micro Security 2020 (v160 and 2019 (v15) consumer familiy of products which could potentially allow an attacker the ability to create a malicious program to escalate privileges and attain persistence on a vulnerable system.