There is no silver bullet, but there is a silver lining when it comes to ransomware attacks. Each time an attack occurs, really good, smart people (perhaps some of you) examine and deconstruct the way the criminals carried it out. The model that breaks an attack into its successive stages is called the kill chain. I'm going to walk through the ransomware kill chain so that you can see how attacks by these groups are performed, and where each stage can be detected or stopped.
The basic kill chain phases of a ransomware attack are: distribution, infection, staging, scanning, encryption, and the ransom demand (the criminals' big payday). Once the files are encrypted and a ransom is demanded, your options are limited, so the goal is to break the chain as early as possible.
The first phase of a ransomware attack is distribution, where the malicious code is delivered to your environment. Most often the attacker tries to get a user to click a link or open an attachment; the other common door is an unpatched or vulnerable service exposed to the internet. Some controls that are useful here (or even before this point) are:
- Email and web filtering
- Endpoint detection and patch management
- Security awareness training (don't click on that link!)
Any one of these controls will help, but no single ONE should be relied upon to be effective against every attack; they work in layers.
User training is one of the most important defenses you can employ. Making sure all users know how to identify suspicious links and attachments in their correspondence is the number one thing you can do to stop distribution before it starts. These trainings should be recurring, continually updated with the lures currently in circulation, and not underestimated.
The next stage after distribution is infection. At this stage new processes are launched, the malware is installed, and it begins its work. Some of these processes may look legitimate (a familiar name, a signed parent), but they run from odd locations in the file system, such as a user's temp or downloads folder, or are spawned by an application that has no business launching them, like a word processor starting a command shell. Some controls that can help here are:
- File and Process Monitoring
- Endpoint protection (EDR) and least privilege
If things get this far, the user on the infected endpoint will probably not notice much of what is going on.
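To make the process-monitoring point concrete, here is a small detector of the kind an EDR rule or a SIEM query would express, run over a handful of constructed process-creation events. This is an added example, not code from the original post; the event shape (parent image, child image, command line) mirrors what Sysmon Event ID 1 or an EDR feed provides, and the hosts, users, and file names in the sample data are hypothetical.

```python
"""Infection-stage detection: flag process launches that look wrong.

Three signals, each of which the text above describes in prose:
  1. an Office application spawning a shell or script host,
  2. an executable running from a user-writable or temp directory,
  3. an encoded PowerShell command line.
Sample events below are constructed for this example (hypothetical paths).
"""
from pathlib import PureWindowsPath

# Constructed sample events: (parent image, child image, command line)
SAMPLE_EVENTS = [
    (r"C:\Windows\explorer.exe",
     r"C:\Program Files\Microsoft Office\WINWORD.EXE", "WINWORD.EXE invoice.docx"),
    (r"C:\Program Files\Microsoft Office\WINWORD.EXE",
     r"C:\Windows\System32\cmd.exe", "cmd.exe /c powershell -enc SQBFAFgA"),
    (r"C:\Windows\System32\cmd.exe",
     r"C:\Users\alice\AppData\Local\Temp\update.exe", "update.exe"),
    (r"C:\Windows\explorer.exe",
     r"C:\Windows\System32\notepad.exe", "notepad.exe notes.txt"),
]

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
# Lower-cased path fragments; any executable living here deserves a second look.
SUSPICIOUS_DIRS = ("\\appdata\\local\\temp\\", "\\downloads\\",
                   "\\programdata\\", "\\users\\public\\")


def _image_name(path: str) -> str:
    """Bare file name of a Windows path, lower-cased (works on any host OS)."""
    return PureWindowsPath(path).name.lower()


def _in_suspicious_dir(path: str) -> bool:
    lowered = path.lower()
    return any(fragment in lowered for fragment in SUSPICIOUS_DIRS)


def score_event(parent: str, child: str, cmdline: str) -> list:
    """Return the list of reasons this launch is suspicious (empty = benign)."""
    reasons = []
    if _image_name(parent) in OFFICE_APPS and _image_name(child) in SHELLS:
        reasons.append("office app spawned a shell")
    if _in_suspicious_dir(child):
        reasons.append("executable runs from a user-writable/temp directory")
    lowered = cmdline.lower()
    if " -enc" in lowered or "-encodedcommand" in lowered:
        reasons.append("encoded PowerShell command line")
    return reasons


def find_suspicious(events) -> list:
    """Pair each flagged child image with its reasons; benign events are dropped."""
    hits = []
    for parent, child, cmdline in events:
        reasons = score_event(parent, child, cmdline)
        if reasons:
            hits.append((child, reasons))
    return hits


if __name__ == "__main__":
    for child, reasons in find_suspicious(SAMPLE_EVENTS):
        print(child, "->", "; ".join(reasons))
```

The value of this is in the parent-child relationship, not the file name: a process called `update.exe` is unremarkable until you notice it was started by `cmd.exe` from a temp folder, which is exactly the "looks legitimate but runs from a bizarre location" pattern.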
In the staging phase, the malicious code starts communicating with the outside world: it checks in with the attackers' command-and-control infrastructure and uploads your data so it can be held over you even if you restore from backup. That traffic usually goes to a newly registered domain or a bare IP address, which is itself a signal worth alerting on.
So the same controls as in the infection phase apply here, and least privilege is still the most effective one. If your users don't have admin rights on their machines, the malware can't do much of what it was written to do after the bad link is clicked: it can't install services or drivers, disable the endpoint agent, or dump credentials to spread to other machines. One caveat a practitioner should keep in mind: anything the user can write, malware running as that user can still encrypt, so least privilege limits the blast radius rather than eliminating it.
In the scanning phase, the malware looks for content to encrypt, both locally and across the network. On the network it looks for file shares and mapped drives, and for synced cloud storage such as Box.com, Dropbox, and object storage like S3 buckets. In other words: your backups, if they are reachable from the infected machine.
If you have a security team, this is when they will see the most network traffic, as the malware reaches out across the network to find shares and new targets to infect.
So, the controls that can detect and prevent threats at this stage are things like:
- Network, process, and file activity monitoring (again)
- Security analyst training
This is the first stage where a security team has a real opportunity to detect the infection and do something about it. It can take seconds if the malware doesn't find a large network, or hours if it finds a jackpot. A well-trained SecOps team can identify and isolate the infection here, if you have one.
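The network-monitoring signal for the scanning phase is a single workstation suddenly talking SMB to many hosts it has never talked to before. Below is an added example (not from the original post) that applies that rule to a few constructed flow records in a Zeek- or NetFlow-like shape (timestamp, source, destination, destination port); the addresses, the 60-second window, and the threshold of ten distinct hosts are assumptions to tune for your own environment.

```python
"""Scanning-stage detection: one source fanning out to many SMB hosts.

Input is a constructed text log of flow records. A workstation that opens
SMB (445/139) connections to `threshold` or more distinct hosts inside one
`window` is flagged; a workstation mapping its usual one or two file
servers is not. Hosts and addresses are hypothetical.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample flows: "<iso timestamp> <src> <dst> <dst port>"
SAMPLE_FLOWS = """\
2024-03-01T10:00:00 10.0.1.25 10.0.1.101 445
2024-03-01T10:00:01 10.0.1.25 10.0.1.102 445
2024-03-01T10:00:01 10.0.1.25 10.0.1.103 445
2024-03-01T10:00:02 10.0.1.25 10.0.1.104 445
2024-03-01T10:00:02 10.0.1.25 10.0.1.105 445
2024-03-01T10:00:03 10.0.1.25 10.0.1.106 445
2024-03-01T10:00:03 10.0.1.25 10.0.1.107 445
2024-03-01T10:00:04 10.0.1.25 10.0.1.108 445
2024-03-01T10:00:04 10.0.1.25 10.0.1.109 445
2024-03-01T10:00:05 10.0.1.25 10.0.1.110 445
2024-03-01T10:00:05 10.0.1.25 10.0.1.111 139
2024-03-01T10:00:06 10.0.1.25 10.0.1.112 445
2024-03-01T10:00:07 10.0.1.25 10.0.1.112 445
2024-03-01T10:00:00 10.0.1.40 203.0.113.10 443
2024-03-01T10:00:05 10.0.1.40 10.0.1.5 445
2024-03-01T10:02:00 10.0.1.40 10.0.1.6 445
"""


def parse_flows(text: str) -> list:
    """Parse the constructed log into (timestamp, src, dst, dport) tuples."""
    flows = []
    for line in text.strip().splitlines():
        ts, src, dst, dport = line.split()
        flows.append((datetime.fromisoformat(ts), src, dst, int(dport)))
    return flows


def detect_share_scanners(flows, window=timedelta(seconds=60), threshold=10,
                          smb_ports=(445, 139)) -> dict:
    """Map each scanning source to the largest distinct-host fan-out seen in any window."""
    by_src = defaultdict(list)
    for ts, src, dst, dport in flows:
        if dport in smb_ports:
            by_src[src].append((ts, dst))

    alerts = {}
    for src, events in by_src.items():
        events.sort()  # by timestamp, so every window starts at some event
        for i, (t0, _) in enumerate(events):
            distinct = {dst for ts, dst in events[i:] if ts - t0 <= window}
            if len(distinct) >= threshold:
                alerts[src] = max(alerts.get(src, 0), len(distinct))
    return alerts


if __name__ == "__main__":
    for src, fan_out in detect_share_scanners(parse_flows(SAMPLE_FLOWS)).items():
        print(f"{src} touched {fan_out} SMB hosts within 60s: possible share scan")
```

Two details matter in practice. Counting distinct destinations rather than connection attempts is what separates a scan from a user repeatedly opening the same share, and the same query run against SMB *failures* (hosts that refused or didn't exist) is often an even cleaner signal, since scanners probe addresses that legitimate clients never would.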
On to the encryption phase. If the malware finds things to encrypt, it starts encrypting files. At this point the same detection and monitoring controls are relevant, but now we actually have an incident. Incident response tooling like SOAR (Security Orchestration, Automation and Response) workflows is useful here.
Unfortunately, manual intervention will probably be too slow to be effective at this point: ransomware can encrypt a machine's files faster than an analyst can triage the alert. SOAR, automatically isolating the host the moment the detection fires, is probably the most effective tool for containing the infection. You're likely to see the effects of this phase across multiple systems, so your response could be much larger depending on what the malware found in the scanning phase. This is where any response planning or tabletop exercises you've done will start to pay off.
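Here is what "detect and respond automatically" looks like for the encryption phase, as an added example that is not part of the original post. It runs a file-activity rule over constructed write events: a burst of high-entropy writes from one process on one host is the fingerprint of bulk encryption, and the check works even when the ransomware encrypts in place without changing extensions. The alert then feeds a small ordered playbook of the kind a SOAR workflow would dispatch; the hosts, process names, share paths, and action names are all hypothetical, and the thresholds are assumptions to tune.

```python
"""Encryption-stage detection plus an automated containment playbook.

Each write event carries the bytes written. Plaintext documents have low
Shannon entropy (a few bits per byte); ciphertext is close to 8 bits per
byte. Twenty or more high-entropy writes from one (host, process) inside
sixty seconds raises an alert. All sample data is constructed.
"""
import math
from collections import Counter, defaultdict
from datetime import datetime, timedelta


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; 0.0 for empty input, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


# Constructed contents: a repetitive plaintext and a stand-in for ciphertext
# (every byte value equally often, which yields exactly 8.0 bits/byte).
PLAINTEXT = b"Quarterly sales report: region north, total 12,400 units. " * 8
CIPHERTEXT_LIKE = bytes(range(256)) * 4

# Constructed write events: (timestamp, host, process, path, bytes written)
SAMPLE_WRITES = [
    (datetime(2024, 3, 1, 10, 5, i), "WS-ALICE", "svchost32.exe",
     rf"\\fs01\finance\report{i}.xlsx", CIPHERTEXT_LIKE)
    for i in range(25)
] + [
    (datetime(2024, 3, 1, 10, 5, 3), "WS-BOB", "EXCEL.EXE",
     r"\\fs01\finance\budget.xlsx", PLAINTEXT),
    (datetime(2024, 3, 1, 10, 5, 9), "WS-ALICE", "WINWORD.EXE",
     r"C:\Users\alice\notes.docx", PLAINTEXT),
]


def detect_encryption_bursts(events, window=timedelta(seconds=60),
                             threshold=20, entropy_floor=7.0) -> list:
    """Return (host, process, count) for every actor writing ciphertext in bulk."""
    high_entropy_times = defaultdict(list)
    for ts, host, proc, _path, data in events:
        if shannon_entropy(data) >= entropy_floor:
            high_entropy_times[(host, proc)].append(ts)

    alerts = []
    for (host, proc), times in high_entropy_times.items():
        times.sort()
        for i, t0 in enumerate(times):
            count = sum(1 for t in times[i:] if t - t0 <= window)
            if count >= threshold:
                alerts.append((host, proc, count))
                break  # one alert per actor is enough to trigger containment
    return alerts


def build_playbook(alert) -> list:
    """Ordered containment steps for one alert. Action names are hypothetical;
    a real SOAR workflow maps them to EDR, NAC and file-server API calls."""
    host, proc, _count = alert
    return [
        ("isolate_host", host),                # cut it off the network first
        ("kill_process", f"{host}:{proc}"),    # stop the encryptor
        ("snapshot_host", host),               # preserve memory and disk for forensics
        ("revoke_share_access", host),         # no further writes to the file shares
    ]


if __name__ == "__main__":
    for alert in detect_encryption_bursts(SAMPLE_WRITES):
        print("ALERT", alert)
        for action in build_playbook(alert):
            print("  ->", *action)
```

Note the order in the playbook: isolation comes before anything else because every second the host stays on the network is another batch of files on the share. Snapshotting before cleanup is what keeps the forensics phase possible later.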
Finally, at this point your infected machines are telling you to pay up: something like "the contents of this machine are encrypted, send us <enter cryptocurrency here> to get your files back." Controls at this stage are all incident response related:
- Secure backups that the malware could not reach or alter during the scanning phase
- Forensics and investigation, so you know how they got in and what was taken
If YOUR company hasn't already established a policy on negotiating with digital criminals, you should discuss whether or not you're going to pay up. You have to consider the value of the data that was encrypted. Is it catastrophic if it becomes unavailable? Would public release of the data damage your business? Can you actually restore from backup, and how long will that take?
These discussions SHOULD NOT be happening for the first time during an active attack. Your C-suite should game this out a few times in advance and be aligned on the answer in the event it happens to you.