Network Defense: Why Visibility Is Key To Rooting Out Ransomware
By Wendy Moore
Most organizations work hard to invest in reducing operating costs and improving the overall efficiency of their networks. But often there are unforeseen risks and costs that are associated with the infrastructure of connecting servers and hosts internally and out to third parties and devices. Without “agnostic visibility” into all traffic and network activity, hackers will always engineer methods to enter your network.
A lack of network visibility can allow ransomware authors to effectively repurpose your network to monetize your data against you. What follows will expose your organization to a whole raft of unforeseen risks and costs, many of which will exceed the original ransom that was demanded.
Ransomware used to be more of a consumer or end-user problem. Now, criminal groups are infiltrating ransomware into your network, hosts, databases, file shares and system backups, exposing your organization to the risk of being turned into an extortion engine. It is difficult to accurately estimate the global impact of the enterprise ransomware epidemic, but one indication of just how serious the problem is came at the end of March 2016, when both the Department of Homeland Security’s US-CERT and Canada’s Cyber Incident Response Centre (CCIRC) issued a major warning to organizations on the dangers of ransomware.
The warning listed some of the most important potential repercussions for businesses:
By either encrypting data and/or preventing access to a host, system, server or application, your adversary will seek an extortion payment in exchange for a promise to return your data to normal use. From a network perspective, there’s more at play here than whether or not to pay.
In short, organizations should consider the following:
You Can’t Defend Your Network Against What You Can’t See
Ransomware can infiltrate your network through any nook or cranny that is either unmonitored or appears normal to the naked eye. To remedy what amounts to a ‘ransomware cataract’ within your network, you need a clear line of sight into network traffic, ports and protocols across both the physical and the virtual segments of your network. When this is combined with the power of extensive detection techniques such as advanced threat scanning, custom sandbox analysis and correlated threat insight, you will have the network equivalent of laser eye surgery: unrestricted visibility into attempts to hijack your network along with the systems, applications, data and intellectual property therein.
The value of gaining that visibility is extensive for a number of reasons:
– It allows you to detect attempts to use trusted third party credentials or devices as a ransomware ‘island hop’ into your network. Is that actually your supplier trying to authenticate an application at 3am?
– It helps you identify unmanaged systems, applications or devices associated with indicators of ransomware infiltration. Is the TOR application on an employee host linked to an IP address that is known for command and control/advanced malware?
– It aids you in correlating all aspects of an attempt to seed ransomware into your network across the entire attack lifecycle. Have the IoCs (indicators of compromise) you found coming in by web or email appeared anywhere else in the network? What other protocols and segments of your network are affected by this attack?
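The three questions above translate directly into detection logic once network, authentication and mail/web telemetry are normalised into one place. The following is an added example written for this page, not code from the article or its author: it runs over a handful of constructed log records (the account names, hosts, addresses and business-hours window are assumptions) and flags off-hours third-party authentication, internal hosts talking to a known command-and-control address, and indicators seen by more than one sensor.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample events (not real logs): one normalised record each from
# an authentication, netflow, email or web sensor.
EVENTS = [
    {"src": "auth", "ts": "2016-03-30T03:07:00", "user": "svc_supplierX", "host": "app01"},
    {"src": "auth", "ts": "2016-03-30T10:15:00", "user": "svc_supplierX", "host": "app01"},
    {"src": "auth", "ts": "2016-03-30T03:12:00", "user": "jsmith", "host": "app01"},
    {"src": "netflow", "ts": "2016-03-30T03:09:00", "host": "wks-17", "dst": "198.51.100.23", "dport": 9001},
    {"src": "netflow", "ts": "2016-03-30T03:10:00", "host": "wks-17", "dst": "192.0.2.10", "dport": 443},
    {"src": "email", "ts": "2016-03-30T02:58:00", "host": "wks-17", "ioc": "198.51.100.23"},
    {"src": "web", "ts": "2016-03-30T03:20:00", "host": "fs02", "ioc": "198.51.100.23"},
]

# Assumed reference data: third-party service accounts, a known C2 address
# (documentation range) and the hours during which suppliers normally work.
THIRD_PARTY_ACCOUNTS = {"svc_supplierX"}
KNOWN_C2 = {"198.51.100.23"}
BUSINESS_HOURS = range(7, 20)  # 07:00-19:59 local time


def offhours_third_party_auth(events):
    """Third-party credentials authenticating outside business hours."""
    hits = []
    for e in events:
        if e["src"] == "auth" and e["user"] in THIRD_PARTY_ACCOUNTS:
            if datetime.fromisoformat(e["ts"]).hour not in BUSINESS_HOURS:
                hits.append((e["ts"], e["user"], e["host"]))
    return hits


def known_c2_contacts(events):
    """Internal hosts whose flows reach a known command-and-control address."""
    return sorted({(e["host"], e["dst"], e["dport"])
                   for e in events if e["src"] == "netflow" and e["dst"] in KNOWN_C2})


def correlate_iocs(events):
    """Map each indicator to every (sensor, host) pair that reported it, keeping
    only indicators seen by more than one sensor or host."""
    seen = defaultdict(set)
    for e in events:
        # Netflow destinations are treated as candidate indicators too, so an
        # address first seen in email can be matched against network traffic.
        ioc = e.get("ioc") or (e.get("dst") if e["src"] == "netflow" else None)
        if ioc:
            seen[ioc].add((e["src"], e["host"]))
    return {ioc: sorted(pairs) for ioc, pairs in seen.items() if len(pairs) > 1}
```

In practice the reference sets would come from the identity provider and threat-intelligence feeds, and the events from a SIEM or network sensor rather than an in-memory list.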
In short, protecting your organization is all about taking proactive steps to limit the impact and reduce the risk of a repeat ransomware attack. This means taking a defense-in-depth approach: a layered security architecture with agnostic visibility into all network activity at its core. Combined with email, web, endpoint and server protection, it will help you fully minimize the risks and costs associated with the modern ransomware epidemic.