Subscribe / Unsubscribe Enewsletters | Login | Register

Pencil Banner

A Blue Team's reference guide to dealing with Ransomware

Steve Ragan | March 22, 2016
Ransomware is a known threat IT/InfoSec, but sometimes it's good to be reminded of the defenses that can be marshaled against it

"I didn't make mention of it at all in the article, but some firewalls have the ability to block connections to known botnet servers," Tharp explained,

"If that's not available, you can use DNS sinkholing to block connections to known bad domains. SANS released a tool to that end for Windows Server DNS and documentation for it here. This isn't enough on its own but answering this issue needs a multi-layered approach."

He offered another tip for organizations that manage their shares with File Server Resource Manager. Those that do can set file screens.

"You might want to add a screen like *decrypt*, one for *.locky, and look at the common names given for the decryption help instructions (e.g., help_your_files.txt for CryptoWall). FSRM can take action if a screened file is attempted to be written, which includes firing arbitrary commands. You could kill your LanManServer service, for example," Tharp said.

It's possible that after seeing Tharp's list, some administrators will consider the information old news - and if so - they're not wrong.

But consider this, if these protections are dated - why is Ransomware still so effective? The gut reaction is to blame the user, and that's not wrong either. However, sometimes the user is always going to be a problem - the trick is to expect an end user will eventually make a mistake and look for ways to limit exposure regardless of what they're doing.

Tharp says he was taken to task by fellow administrators because some of the things he suggested were outdated, particularly the blacklist-based Software Restriction Policy.

"In my defense, that was one point out of seven, but people have really pushed me to point out that a whitelist-based solution is better than a blacklist-based one. I don't disagree at all, but if you're an MSP with 150 clients that's a lot of R&D time to be billed," he said.

"If you're managing one infrastructure you should certainly spend the time to work on an application whitelist. AppLocker is available in Enterprise versions of Windows and has some huge timesaving features, like the ability to allow certain signed publishers across the board. If you don't have AppLocker, working with Software Restriction Policies on a whitelist basis will also do what you need but with a bit more work."

The point is that while some of these methods might seem old, they're still needed. They're the basics that most organizations are missing.

Rather than using a layered approach, organizations rely on a mix of endpoint signature-based protections and awareness training. Teaching users is good, but it isn't a foolproof method of defense.

"My last thought is that if the end-user is put in a position where they're my last line of defense to not open that attachment, to not click that ad, then I have failed them. Not to say that training is useless; we conduct security awareness training and are rolling out phishing testing, but the responsibility ultimately falls on my team to prevent them from ever being put in that position in the first place," Tharp said.


Previous Page  1  2  3  Next Page 

Sign up for CIO Asia eNewsletters.