Four steps for preventing the next ransomware attack
FYI, this story is more than a year old
As we approach the end of 2017, it’s clear that enterprise ransomware continues to be a huge issue for businesses all over the globe. Once ransomware enters your network undetected, your data is immediately encrypted and inaccessible or your systems are locked down.
In some cases, ransomware goes after the back-ups and if they are connected to the network, the data may be completely unrecoverable. Here are some tips on how to better prevent ransomware damages:
Apply behavioural-based detection
It’s crucial for organisations to shift to proactive cybersecurity techniques focusing on identifying malicious behaviour, relating to ransomware even when no signatures or known exploits are present.
Instead of being reactive and shoring up defences when you detect an Indicator of Compromise (IoC), or a “known bad,” organisations should track Indicators of Attack (IoAs) that identify adversary behaviour, related to ransomware, such as code execution or lateral movement.
This enables organisations to prevent, detect, and respond to both known and unknown attacks. An IoA can prevent multiple variants and versions of ransomware families, including new ones not detectable by known signatures or features.
Augment analytics with artificial intelligence/machine learning
AI/Machine learning (ML) is critical in helping to detect ransomware that might otherwise be missed. To be truly effective, ML must have enough relevant data so results can be meaningful and adjust to ensure the balance of true vs. false positives.
A signature-less ML combines behavioural analytics with ML and is able to learn what files are malicious without having to be fed new datasets every day. This approach is far superior in helping detect the malware and ransomware of today, much of which is unknown variants and ultimately leads to better classification of what is malicious or not, helping your organisation’s IT team in the long run.
Bolster your defence with proactive hunting
Rather than waiting for ransomware to appear and take hold in your organisation, it is better to spot the problem at inception and close it down immediately. This is what proactive threat hunting looks like, and leveraging threat hunting teams can help defenders shift the advantage back to themselves.
Threat hunters look for evidence of potential malicious behaviour that might exist in a broad pool of behavioral data, but may be too subtle to warrant a response.
From there, threat hunters can follow even the faintest suggestion of possible threat activity to put together a picture of whether an attack is in progress, or if the behaviour is irregular but does not represent malicious activity in your IT environment.
Threat hunters make it possible to find damaging attacks before they are able to be detected using automated security tools. This is a key fundamental for true visibility into your network.
It’s time to solve the patch problem
Vulnerability scans are no longer adequate in defending the network in real-time against modern-day threats. Many legacy approaches only report patch information collected from checking the registry for listing of installed patches. As a result, failures in the installation process such as delayed reboots may cause the scan to report incorrect patch status.
This leaves organisations with major blind spots that can turn into massive vulnerabilities in the event of attacks like WannaCry. Vulnerability management needs to work in real-time and have full visibility into the environment to create a capability of proper prioritisation and patching.
Article by CrowdStrike.