Ransomware defense

Cybersecurity is a continually relevant topic for Cisco customers and other stakeholders. Ransomware is quickly becoming one of the hottest topics in the technology space as these malware families target high-leverage companies and organizations. We at Cisco are often contacted for guidance and recommendations on how organizations can prepare for, detect and prevent ransomware attacks. Some of Cisco’s vendors have also been affected by ransomware and have looked to Cisco for our expectations and expertise. As the leading technology security company, Cisco brings credibility to share with our guidance on proactive measures and reactive considerations. However, ransomware prevention and remediation are complex topics, and there is no “one-size-fits-all” approach.

In this document, we outline a collection of risk mitigation strategies. While none of these methods are new, when combined, these defensive techniques provide resilience against initial access and the ability to contain the threat if an adversary does gain an initial foothold.

Patching

Ransomware is avoidable for most organizations. As the security community has emphasized for many years, effective patch management is a vital security control that organizations must implement within their environments. We have seen many attacks succeed simply because an organization failed to patch its environment. Reliable exploits for zero-day vulnerabilities are extremely expensive for attackers, while public exploits for already-patched vulnerabilities are far cheaper. Attackers typically will not use a zero-day vulnerability if they can find a cheaper means to achieve their mission objective. In most cases, if a system within an organization’s environment is compromised through a zero-day vulnerability, that is a good indicator that you are doing everything else effectively, because it means the attacker likely could not find a cheaper avenue through your defenses. That is when the other strategies below come into play.

Least functionality

Only implement system functionality that is required for systems to perform their intended role or function. For example, Microsoft recommends disabling SMBv1 if it is not required. Likewise, limiting access to systems and services is another vital security control. Even where SMBv1 is still in use on a system, it is rarely necessary to expose it to hostile network environments such as the internet. Leveraging host-based firewalls, like the one built into the Windows operating system, even on internal network segments, is another way to control access to these services.

Least privilege

Limit the use of administrative tools like WMI and PsExec to only those systems from which system administrators perform system management functions. Monitoring for the use of these tools across an organization's network, while not necessarily a preventative security control, can be used to quickly identify compromised systems and enable organizations to initiate appropriate incident response processes.

Follow the Microsoft guidelines for configuring secure administrative hosts for critical system management.

If there are multiple Active Directory domain controllers in your organization, consider deploying read-only domain controllers (RODCs) as recommended by Microsoft.

System and network monitoring

Computer worms typically propagate very quickly, making them extremely noisy in most environments. In most cases, a worm initiates a scanning function to identify new hosts to propagate to. Monitoring the environment for service sweeps, or for attempts by a single system to connect to many systems on a network within a brief period, can identify compromised systems early, so that the issue can be addressed before it causes a larger organizational impact.
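The two detections described in the least privilege and monitoring sections above, as an added example that is not part of the original document: it runs over constructed flow records (timestamp, source, destination, destination port), flags remote-administration protocol use from any host other than an assumed secure administrative host, and flags a source that reaches many distinct hosts within a short window. The log format, the administrative host address and the thresholds are all assumptions for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Assumptions (not from the original document): the flow-log format below and the
# address of the secure administrative host are constructed for this example.
ADMIN_HOSTS = {"10.0.9.10"}  # the only host expected to use WMI/WinRM remotely
ADMIN_PORTS = {135: "WMI/DCOM", 5985: "WinRM", 5986: "WinRM-HTTPS"}

def build_sample_log():
    """Constructed flow records: 'timestamp src dst dport', one per line."""
    lines = [
        "2024-05-01T10:00:01Z 10.0.9.10 10.0.5.21 135",   # admin host, WMI: expected
        "2024-05-01T10:00:02Z 10.0.9.10 10.0.5.22 5985",  # admin host, WinRM: expected
        "2024-05-01T10:00:05Z 10.0.5.23 10.0.5.40 135",   # workstation, WMI: suspicious
    ]
    # Worm-like: one workstation reaches 30 distinct hosts on 445 within 30 seconds.
    lines += [f"2024-05-01T10:01:{i:02d}Z 10.0.5.23 10.0.5.{100 + i} 445" for i in range(30)]
    # Benign: a workstation talking repeatedly to one file server is not a sweep.
    lines += [f"2024-05-01T10:02:{i:02d}Z 10.0.5.50 10.0.5.200 445" for i in range(30)]
    return "\n".join(lines)

def parse_log(text):
    records = []
    for line in text.splitlines():
        ts, src, dst, port = line.split()
        records.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), src, dst, int(port)))
    return records

def admin_tool_misuse(records, admin_hosts=ADMIN_HOSTS, admin_ports=ADMIN_PORTS):
    """Remote-administration protocol use from a host not designated for administration."""
    return [(ts, src, dst, admin_ports[port]) for ts, src, dst, port in records
            if port in admin_ports and src not in admin_hosts]

def detect_sweeps(records, window=timedelta(seconds=60), threshold=20):
    """Sources that contact at least `threshold` distinct hosts inside any `window`."""
    by_src = defaultdict(list)
    for ts, src, dst, _ in records:
        by_src[src].append((ts, dst))
    flagged = {}
    for src, events in by_src.items():
        events.sort()
        for i, (start, _) in enumerate(events):  # slide the window over each start time
            distinct = {dst for ts, dst in events[i:] if ts - start <= window}
            if len(distinct) >= threshold:
                flagged[src] = len(distinct)
                break
    return flagged

if __name__ == "__main__":
    recs = parse_log(build_sample_log())
    for hit in admin_tool_misuse(recs):
        print("admin protocol from non-admin host:", hit)
    for src, n in detect_sweeps(recs).items():
        print(f"possible service sweep: {src} reached {n} hosts within 60s")
```

In a real deployment the records would come from NetFlow, firewall or host-firewall logs, and the thresholds tuned to the segment's normal fan-out.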

Network segmentation

Even in environments where it is simply not possible to install security updates for host and application vulnerabilities, network segmentation is an effective way to either prevent a successful attack or limit its impact on the rest of the organization's environment. Creating "chokepoints" in communication pathways not only limits the effects of a successful compromise, but also provides an ideal location to deploy network-based security controls that can prevent a successful attack from occurring in the first place. As described above, the principle of least functionality dictates that access controls be deployed at each of these chokepoints to limit communications to only what systems require to serve their role within the business. Flat networks, while easy to manage and maintain, do little to mitigate the impact of ransomware.

Processes and policies

It is essential that organizations have established policies and processes in place to ensure that they are prepared to respond appropriately and effectively when the unexpected happens. Incident response, disaster recovery and business continuity plans enable organizations to recover from unplanned system outages or disasters. For these processes to remain effective, organizations must not only have the plans in place but also test and validate them over time to ensure that they continue to meet the needs of the organization. Can your organization recover from a system outage quickly enough to meet its business needs? Is your backup strategy working? Can you recover using your backups alone? These needs change over time, and testing these processes ensures they remain effective before an outage or disaster occurs. Incident response is another example of a process that should be in place and tested periodically with hunting exercises, tabletop exercises and walkthroughs. This is the only way to truly ensure that the incident response team has the knowledge and tools necessary to respond effectively when security events occur within an environment.

If your organization does not have a dedicated incident response team, consider an incident response retainer to proactively strengthen your security posture and provide investigation and communication support during the event of a data breach or ransomware incident.

The National Institute of Standards and Technology (NIST) has released Special Publication 800-53, "Security and Privacy Controls for Federal Information Systems and Organizations," which provides comprehensive guidance on recommended best practices and the selection of security controls that can be implemented to establish a sound defensive architecture within networked environments. This guidance is available in the references section below.

References

Microsoft: Implementing secure administrative hosts

Microsoft: Install a read-only domain controller

Cisco: SAS incident response

NIST: Security and privacy controls for information systems and organizations