Mitigating a Ransomware Attack – Can Security Awareness Training Assist?
As the frequency and cost of ransomware attacks continue to rise, solutions for ransomware mitigation and prevention must be at the top of every IT leader and department’s list of priorities. Where most see crisis, cybercriminals see opportunity. In this article, learn how security leaders can meet the challenges of mitigating ransomware threats and phishing attacks. Is security awareness training the answer?
Traditional ransomware tricks users into running it and then it replicates itself on various endpoints across the network. It then encrypts those systems and demands a ransom — usually some type of cryptocurrency — in exchange for a decryption key to rescue data and files. Since the start of the pandemic, there has been a global surge in ransomware attacks. 40% of organisations in the UK, US, Canada, and Germany have suffered from a ransomware attack in the last year, according to an Osterman Research Survey Report.
The chaos and disruption caused by the pandemic have created the perfect environment for these types of attacks to flourish, and Covid-19 themed phishing lures have proved a very successful way to deliver malicious links. Many organisations fail to take ransomware seriously, and it’s only when they are on the receiving end of a crippling attack that they invest the proper time and resources into improving cyber security defences. However, at this stage, it’s often too late as the damage is already done.
Security awareness training for users that educates them about the types of phishing email they may encounter which can lead to a ransomware attack greatly reduces such risks. “Minimising human error is perhaps the most effective form of ransomware prevention”, says Andrew Brown, CTO of specialist cyber security company, Elasticito. Brown also stresses the importance of security awareness training in mitigating ransomware threats during times of crisis.
While ransomware attacks are continuously evolving, the root causes of how they enter your network have not changed much. To be able to mitigate or defend against a threat you first need to understand it. As mentioned in previous blog articles on this site (here and here), there are four common infection vectors:
- Remote Desktop Protocol (RDP – 3389)
- Email Phishing Campaigns:
- Links
- Attachments
- Software Vulnerabilities
- Leaked Credentials
While it might sound counter intuitive, the place to start with security awareness training is actually with your cyber and IT team to ensure that they know and understand the following:
- The four common infection vectors;
- How to mitigate against the common infection vectors while still enabling the business;
- Formulating a response plan and training first responders;
- Assisting with customising end user security awareness training that corresponds to the controls in place;
Let’s quickly run through each of the four common infection vectors as an example and demonstrate how this these could be effectively mitigated and also the requisite security awareness training included.
Remote Desktop Protocol (RDP – 3389)
The most common example of this is a new instance that has been spun up in the cloud and IT want to manage it from their Windows Desktop.
This one is easy, and the training should be:
- Just don’t do it – as in no RDP Port 3389 because it attracts attention. Try using this URL and check the results (you’ll need to create and account and login first to use this);
- Make use of an alternative solution provide by IT;
- Always ensure that 2FA authentication is used from the get-go even before the service is made public.
Email Phishing Campaigns
Human error is often a significant contributor to successful ransomware attacks. Ransomware is most often spread through phishing emails that trick users into taking an action that enables the ransomware to launch. Security awareness training can help employees to recognize the signs of a phishing attack and know what to do when they encounter potentially dangerous email and websites.
It is possible to trick anyone into clicking on any link or to open any attachment no matter how much training they’ve been given. Curiosity and fear are the two motivating factors here. Therefore, education and training should be on the dangers and what the organisation has put in place to assist the end user.
Making use of a protective DNS service will mitigate against the threat posed by clicking on links found in emails. Here’s some more information on this subject from the NCSC and BankInfoSecurity.
With regards to files, applications and webpages, opening them inside a micro virtual machine guarantees that even if a file contains malware including any type of ransomware, it’s trapped and cannot escape outside of the micro virtual machine, and endpoints and user data stay protected.
The above solutions ensure that end users have a simple set of rules to follow which apply to all incidents and leaves no room for human error.
Software Vulnerabilities
Chinese hackers have taken advantage of four Microsoft Exchange Server vulnerabilities to steal emails from at least 30,000 organizations across the United States, KrebsOnSecurity reported via CRN. Need I say more as to why patching is important? This needs to be made blatantly clear to IT Teams.
While patching systems is most certainly a challenge if IT can be made aware of why it is so important then various plans can be put in place to enable emergency patching of a subset of assets.
Leaked Credentials
These are used by threat actors to access login pages, e.g. G-Mail, O365, Outlook Web Access and VPNs. Once the threat actors has logged in as a normal user of the organisation, security controls like a secure email gateway are bypassed as very few organisations make use of internal content filtering rules. In this case recipients of a malicious email believe that it has originated from a colleague.
Mitigation of this risk can be performed by ensuring that the organisation has a continually updated digital footprint which details all login pages and by implementing at a minimum 2FA authentication.
Security awareness training needs to explain that unusual or suspicious emails even from colleagues should be treated as such and why controls such as 2FA have been implemented and why they are important. Other factors could be explaining why a different password should be used for every login page so that if one is compromised, not everything is compromised along with only using a business email address for business purposes and not personal usage.
Conclusion
Your weakest link is basically always going to be people, especially if they are a little disoriented from stressful situations, such as the pandemic. Hackers exploit the chaos, stress and grief that pandemics and other global emergencies cause, preying on users’ heightened vulnerability.
As the above examples have demonstrated phishing test campaigns can be limited to a simple set of rules and therefore won’t run the risk of alienating your end users of which there have been some nefarious examples of this past year – think of this GoDaddy incident or the West Midlands Trains debacle.
Brown believes “it’s a very fine line that security teams must walk”. While organisations need to prepare employees for emerging pandemic-related threats, in his opinion, they should avoid creating unnecessary, additional stress at a time when employees are already anxious and distracted, as in the GoDaddy and West Midlands Trains debacles above. “Never chastise employees who fall for simulated phishing attacks”, Brown advises. Instead, he recommended reiterating that such phishing attacks exist, explaining what they look like and advising employees what process and procedures are in place to support them and if in doubt don’t touch and ask for help.
At Elasticito, we believe security awareness training is most effective when tailored to your environment, rather than taking a “one size fits all approach”. Ransomware prevention does not necessarily require sophisticated tools that can identify potentially dangerous email and prevent users from inadvertently starting an attack by clicking a suspicious link or opening a dangerous attachment. That’s the reason Brown believes that cyber awareness training specific to your environment is of vital importance in bringing everyone together to mitigate ransomware attacks.
Contact the team at Elasticito, obligation-free, to discuss ransomware mitigation and security awareness training solutions.