Network Defense: Why Visibility Is Key To Rooting Out Ransomware
By Wendy Moore

Most organizations invest heavily in reducing operating costs and improving the overall efficiency of their networks. But the infrastructure that connects servers and hosts internally, and out to third parties and devices, carries risks and costs that are easy to overlook. Without “agnostic visibility” (visibility into all traffic and network activity that does not depend on any one vendor, device or protocol), attackers will keep finding unmonitored paths into your network.

A lack of network visibility lets ransomware operators effectively repurpose your network to monetize your data against you. That exposes your organization to a whole raft of unforeseen risks and costs, many of which will exceed the original ransom demanded.

Ransomware used to be largely a consumer or end-user problem. Now criminal groups are planting it across your network, hosts, databases, file shares and system backups, exposing your organization to the risk of being turned into an extortion engine. It is difficult to estimate accurately the global impact of the enterprise ransomware epidemic, but one indication of how serious the problem has become came at the end of March 2016, when the Department of Homeland Security’s US-CERT and Canada’s Cyber Incident Response Centre (CCIRC) issued a joint alert warning organizations about the dangers of ransomware.

The alert listed some of the most important potential repercussions for businesses:

– Temporary or permanent loss of sensitive or proprietary information and intellectual property
– Disruption to regular operations
– Financial losses incurred to restore systems and files
– Potential harm to an organization’s reputation

By encrypting data and/or preventing access to a host, system, server or application, your adversary seeks an extortion payment in exchange for a promise to return your data to normal use. From a network perspective, there is more at play here than whether or not to pay.

In short, organizations should consider the following:

1) The initial ransom demand might be just the tip of the iceberg. Your strategy, including the decision to pay or not to pay, should rest on a clear line of sight into the extent of the problem within your network. Without it, you may be playing into later stages of the attack without realizing it.
2) Knowing the source, means and method of the infiltration is key to ensuring you are not being set up for further stages of the attack. It is also fundamental to closing the gaps that allowed the ransomware into your network in the first place.
3) Establish visibility into all malicious network activity so you can scope the problem and work out the level of current and future risk. You should be able to identify not only the point of entry but also attempts to move laterally within your network, which hosts have been affected and, ultimately, the attackers’ overall game plan.
4) Rapidly identify indicators of compromise (IoCs) and distribute them to your other network controls, both to contain the current outbreak and to block subsequent attempts.
5) Use these insights to continuously improve both your human and your device security posture. Were unsecured devices the cause? Which employees were affected? Were trusted third-party credentials used?

You Can’t Defend Your Network Against What You Can’t See

Ransomware can infiltrate your network through any nook or cranny that is either unmonitored or looks normal to the naked eye. To remedy what amounts to a ‘ransomware cataract’ within your network, you need a clear line of sight into network traffic, ports and protocols across both the physical and the virtual segments of your network. Combined with detection techniques such as advanced threat scanning, custom sandbox analysis and correlated threat intelligence, this gives you the network equivalent of laser eye surgery: unrestricted visibility into attempts to hijack your network and the systems, applications, data and intellectual property on it.

The value of gaining that visibility is extensive for a number of reasons:

– It allows you to detect attempts to use trusted third-party credentials or devices as a ransomware ‘island hop’ into your network. Is that really your supplier authenticating to an application at 3am?

– It helps you identify unmanaged systems, applications or devices associated with indicators of ransomware infiltration. Is the Tor client on an employee host connecting to an IP address known for command-and-control or advanced malware?

– It aids you in correlating every aspect of an attempt to seed ransomware into your network across the entire attack lifecycle. Have the IoCs (indicators of compromise) you found arriving by web or email appeared anywhere else in the network? What other protocols and segments of your network are affected by this attack?
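As an added example (not part of the original article, and not Trend Micro code), the short Python script below runs the three checks just listed, and the IoC distribution step from point 4 above, over a handful of constructed log records: successful third-party logins outside business hours, flows from any network segment whose destination matches an IoC list (for instance, C2 addresses pulled from a sandboxed email attachment), and a correlation step that reports which hosts, segments and ports/protocols those same IoCs touched. Every user name, host name, IP address (RFC 5737 documentation ranges), domain and timestamp is made up for illustration.

```python
"""
Added example: correlate constructed auth and flow records against a small
IoC list, the way the visibility checks above describe. All data is fictional.
"""
from collections import defaultdict
from datetime import datetime

# Constructed IoCs, e.g. C2 addresses extracted from a sandboxed email attachment.
IOC_IPS = {"203.0.113.45", "198.51.100.7"}      # RFC 5737 TEST-NET addresses, fictional
IOC_DOMAINS = {"update-check.example"}          # fictional domain

# Constructed authentication events: who logged in, from where, and when.
AUTH_EVENTS = [
    {"ts": "2016-04-02T03:12:44", "user": "svc_supplier", "src_ip": "192.0.2.10",
     "third_party": True,  "result": "success"},
    {"ts": "2016-04-02T09:05:01", "user": "jsmith",       "src_ip": "10.0.5.23",
     "third_party": False, "result": "success"},
    {"ts": "2016-04-02T23:40:12", "user": "svc_supplier", "src_ip": "192.0.2.10",
     "third_party": True,  "result": "success"},
    {"ts": "2016-04-02T14:00:00", "user": "svc_supplier", "src_ip": "192.0.2.10",
     "third_party": True,  "result": "success"},
]

# Constructed flow/proxy records from two network segments.
FLOWS = [
    {"ts": "2016-04-02T03:15:02", "host": "wks-0412", "segment": "users",
     "dst": "203.0.113.45", "port": 9001, "proto": "tcp", "app": "tor"},
    {"ts": "2016-04-02T03:16:30", "host": "wks-0412", "segment": "users",
     "dst": "update-check.example", "port": 443, "proto": "tcp", "app": "https"},
    {"ts": "2016-04-02T03:20:11", "host": "fs-01", "segment": "servers",
     "dst": "198.51.100.7", "port": 445, "proto": "tcp", "app": "smb"},
    {"ts": "2016-04-02T10:02:00", "host": "wks-0099", "segment": "users",
     "dst": "192.0.2.200", "port": 443, "proto": "tcp", "app": "https"},
]


def off_hours_third_party_auth(events, start_hour=22, end_hour=6):
    """Return successful third-party logins outside business hours.
    Hours in [end_hour, start_hour) are business hours; anything else is off-hours."""
    flagged = []
    for ev in events:
        if not ev["third_party"] or ev["result"] != "success":
            continue
        hour = datetime.fromisoformat(ev["ts"]).hour
        if hour >= start_hour or hour < end_hour:
            flagged.append(ev)
    return flagged


def match_flows_to_iocs(flows, ioc_ips, ioc_domains):
    """Return flows whose destination matches a known IoC (IP address or domain)."""
    return [f for f in flows if f["dst"] in ioc_ips or f["dst"] in ioc_domains]


def correlate(auth_events, flows, ioc_ips, ioc_domains):
    """Scope the incident: which hosts, segments and ports/protocols touched an IoC,
    which of those hosts were running Tor, and which third-party logins were off-hours."""
    hits = match_flows_to_iocs(flows, ioc_ips, ioc_domains)
    by_segment = defaultdict(set)
    protocols = set()
    for f in hits:
        by_segment[f["segment"]].add(f["host"])
        protocols.add((f["proto"], f["port"]))
    return {
        "hosts": sorted({f["host"] for f in hits}),
        "segments": {seg: sorted(h) for seg, h in sorted(by_segment.items())},
        "protocols": sorted(protocols),
        "tor_hosts": sorted({f["host"] for f in hits if f["app"] == "tor"}),
        "off_hours_third_party": [(e["user"], e["ts"])
                                  for e in off_hours_third_party_auth(auth_events)],
    }


if __name__ == "__main__":
    report = correlate(AUTH_EVENTS, FLOWS, IOC_IPS, IOC_DOMAINS)
    for key, value in report.items():
        print(f"{key}: {value}")
```

On this data the report shows the IoCs reaching both the user and the server segments, over ports 443, 445 and 9001, with the Tor-using workstation and two off-hours supplier logins in the same window; in practice the IoC set would be fed from your sandbox or threat-intelligence source and the matched destinations pushed to the other controls as blocklist entries.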

In short, protecting your organization means taking proactive steps to limit the impact of ransomware and reduce the risk of a repeat attack. That calls for a defense-in-depth approach: a layered security architecture with agnostic visibility into all network activity at its core. Combined with email, web, endpoint and server protection, it will help you minimize the risks and costs of the modern ransomware epidemic.

Wendy Moore is Director of Product Marketing at Trend Micro.