Prevent Ransomware Attacks with Access Controls and Good PAM Practices
October 23rd, 2019 by admin
Modern businesses are all struggling with the growing threat of ransomware attacks. We deal with them all the time here at ICX, often spotting them and stopping them before our clients even become aware they are happening. The consensus on the best way to prepare for the eventuality of a ransomware hit seems to be having regular, up-to-date, secure onsite and cloud backups. These should be able to bring a business operation back and online quickly and with minimal disruption, thus reducing the cost of downtime and avoiding large payouts that would motivate criminals to continue pursuing these nefarious pursuits.
However, the cost of a compromise can be substantial, and the process of reinstating operations is always time- consuming. Both the time needed to recover and the price tag of a successful attack seem to be increasing over time, as recent research has discovered. In Q4 2018 it took organizations an average of 6.2 days to get back up and running, as compared to 7.3 days in Q1 2019. This downtime costs businesses thousands, but in certain cases, the cost of the downtime can itself exceed the cost of the ransom, making it more cost-effective for organizations to pay criminals to have their data back.
If paying the ransom is not an option, and malware removal isn’t possible, how can you effectively recover from a ransomware attack hitting your business? The only real answer is to prevent the attack altogether by having the right security measures in place. This may sound impossible, but by taking certain steps, organizations can dramatically strengthen their security posture, thus reducing the probability of falling victim to a ransomware attack.
Step 1. Know Your Enemy
Ransomware is nothing but a package of malware attacks that aim to get around internet security suites, most commonly deployed with a phishing or spear-phishing campaign aimed at tricking users into clicking on a malicious link or downloading a compromised attachment. Often, these emails are designed to look like they are coming from someone in the high ranks of an organization, which increases the likelihood that an employee will open the message and execute whichever action it prescribes. WATCH OUT FOR THIS! Read our recent article on a very sneaky phishing attack we helped stop for a client.
Once the malware has infected an end user’s machine, the software starts looking for privileged credentials. These credentials give criminals access to the most sensitive areas of the network, allowing them to obtain valuable data and, ultimately, critical control over the entire IT infrastructure, and with it, they gain the ability to lock files and halt business processes. At this point, cybercriminals need to wait for organizations to pay the ransom, conscious that every second of downtime translates in revenue loss.
Step 2. Protect Your Business with PAM (Privileged Access Management)
Although the destructive nature of ransomware attacks has been widely documented, it is important to remember that this malicious software is only capable of compromising the portion of the network and data that they can gain access to. For example, if privileged credentials are protected and inaccessible from an end-users’ machine, a ransomware infection will remain limited to that single machine, unable to spread to the critical processes that cause operational collapse if halted through good network monitoring and management. (FYI- this is what we do!) By implementing solid privileged access management (PAM) procedures, organizations can protect their crown jewels from ever being compromised, even in the eventuality of an intruder gaining access to the network.
Step 3. Learn the Key Concepts of PAM
The key components of a successful PAM strategy are:
Leverage a password vault. Password vaults generate privileged access credentials that are valid for a single session. This means that there are no sensitive credentials sitting around for an intruder to find, but that each access is performed with a password that becomes obsolete as soon as the session is terminated.
Monitor and record privileged sessions. Whenever a user accesses a privileged area of the network, the session should be monitored and recorded. This allows security teams to be alerted if suspicious behavior is detected, and the monitoring tool can remotely end the session if the risk is deemed over a certain threshold.
Use behavioral biometrics. Through machine learning, behavioral biometrics tools can collect behavioral markers of each privileged user, including keyboard strokes and mouse movements. These markers are then computed into a continuously updated behavioral profile, which serves as the blueprint of what normal activity should look like. In this way, suspicious activity can be spotted immediately, and actions can be taken to terminate the session.
Follow the principle of least privilege. Users should be given access to the smallest portion of the network they need to do their job and not more. This includes restricting which users can download and run which software and applications on their systems.
By understanding how ransomware works and by implementing the appropriate PAM procedures – including password vaults, behavioral biometrics, privileged session management and least privilege – organizations can all contribute to making these business-crippling attacks obsolete.
Curious if your network is ransomware attack ready? Get a custom evaluation today and learn how ICX can protect your businesses’ data and bottom line.
Posted in: Security