Ransomware Resilience: Detect and Respond

When ransomware tore through organizations last year, questions were raised about how organizations could react to such attacks and be able to better prevent, detect and respond in the future. Mimecast talked to Infosecurity about how businesses should be defending against ransomware, and whether, in the wake of the headlines, they are now better prepared

Ransomware is a great example of why companies need a resilient security program, says Mimecast’s senior product marketing manager Matthew Gardiner.

Speaking to Infosecurity, Gardiner said that when you have a resilient security program, you are in the right place to prevent things like ransomware from happening as it tests your disaster recovery plan and backup strategy and doing so puts "you in the right place to prevent things like ransomware for happening, continue operating your business when it does happen, and get back to a good state quickly and easily."

Detection or Blocking?
So are we at a stage where we can detect ransomware, or should we still be looking to block it? Gardiner claimed that ransomware is particularly easy to detect, especially with the concept of using an analytic as a sandbox. If something starts to encrypt local files, you can determine that it is bad, but detecting is only easy if you are looking with the right technology, he added.

“The problem is if you are not using sophisticated technology,” he said. "It is hard to detect with anti-virus or a signature-based security system as the ransomware files themselves can be easily changed from moment to moment to evade them.

“However, the behavioral monitoring that comes with a sandbox is pretty good at detecting, so the question is: are you able as an organization to sufficiently behaviorally monitor your inbound files? If you can, you’re going to be pretty safe, but once it gets in and into your network (if the EternalBlue vulnerability is present for example) it can hop to other machines unless you have sophisticated endpoint controls. These do exist and won’t let unknown software execute unless it is on a whitelist or has been sufficiently analyzed, but you have to have that software on all endpoint machines that you are worried about.”

Gardiner said that detecting can therefore be done, but it is about doing it at all entry points efficiently.

Cloud-Based Security
This is one of the reasons why cloud-based security services are successful, he claimed; as well as cost and efficiency, the need to build resilience is outsourced and the IT security manager can become more of a portfolio manager of security controls.

He explained that while the top 1% of organizations can build their own security teams and SOCs, the rest of the world will need to depend heavily on service providers to do as much as possible.

So is outsourcing a way for businesses to mitigate the threat of ransomware? Gardiner said that it is a way of mitigating the threat and not the only reason to outsource, but while upper management will understand the attack vector, one way to deal with ransomware is via a multi-layered defense that includes technologies, user education and businesses processes.

“Your enterprise security program needs to have layers, just like anything else. Network and endpoint controls can increasingly be done by the cloud,” he said.

“That is not the end of the story as you want to have business continuity and disaster recovery and you need to have systems that are backing up and recovering automatically, but you also want a process for doing it and deciding what systems are covered.”

What Have we Learned 12 Months On?
Last year, with WannaCry in May and NotPetya in June, we saw two cases of ransomware dominating news headlines around the world and shaking up security operations centers, as well as making a lot more businesses aware of the cyber-threat.

So 12 months on, what have we learned as an industry about responding to such a major infection and recovery, and are we in a better place to deal with this? Gardiner believed that we are not really in a better position, as it comes down to businesses not doing resilience properly.

He also felt that “it is almost certain we are going to have another thing like that because there is going to be some vulnerability discovered or something stolen from the NSA that falls into the wrong hands and attackers will take advantage of it.” 

Gardiner said that it is not about a lack of understanding, it is down to execution and what to do first; how do you afford it, how do you keep it persistent and how do you navigate your program towards resilience?

“The shift to the cloud is the big change and that is why AWS and Azure are growing so fast – it will not solve all problems – but it will free up resources to focus on the trickier problems”, he concluded.

What’s Hot on Infosecurity Magazine?