by Cindy Murphy, President of Tetra Defense
Threat actors are opportunistic. They often follow a short playbook of exploits that could potentially apply to multiple industries. Government IT systems, however, prove to be especially critical if faced with a cyberattack. There comes the added responsibility of maintaining infrastructure, even if that infrastructure is compromised. As threat actors continue to seek money or disruption through their attacks, and leverage whatever data they can hold hostage, ransomware stills serves to be their best vehicle for that.
A recent analysis revealed that in 2020 alone, ransomware as an industry reached the multi-billion dollar mark. Other milestones for ransomware operators include Ransomware as a Service to expand their reach, shaming websites to name and dump data of victim organizations, and an average ransom demand of $170,000 — nearly double last year. While the nature of this crime (and its criminals) has evolved, their methods are consistent. Threat actors still exploit the lowest-hanging fruit first, usually through three very predictable avenues. When considering government IT systems, here’s how to block these three avenues from ransomware:
#1: Securing Remote Access
The most high-traffic avenue for threat actors is accessed via unpatched, external-facing systems. Threat actors constantly scan the internet looking to exploit vulnerabilities in these systems since they are often highly trusted within (and have wide-ranging access to) a network. To combat the ongoing, malicious scanning of vulnerabilities on this avenue, we recommend patching external-facing systems as a top priority. Here’s how to keep an eye on them, and keep them protected:
- Identify external-facing systems by looking up IP addresses for your organization.
- Block public access to the services Remote Desktop Protocol (RDP), Secure Shell (SSH), and File Transfer Protocol (FTP).
- Ensure external-facing systems such as firewalls, VPN gateways, and email gateways are patched.
- Perform vulnerability scans against external-facing systems.
- Implement Multi-Factor Authentication (MFA) across accounts with remote access.
#2: Securing Email
Many ransomware incidents can begin with just one email to a single user — making it another popular avenue for threat actors. While education and awareness training are important, a safer bet is to keep bad emails from reaching inboxes to begin with. An email security gateway acts as a protective barrier between emails from the outside internet and individual inboxes within a network. To protect against the threats that are directly sent to users, we recommend the following priorities:
- Ensure email is filtered using scanning technology that can open attachments and links to find advanced threats.
- Quarantine or block documents that are password protected as threat actors often use these to bypass scanning.
- Ensure that these attachment types according to Microsoft are blocked by an email gateway, at a minimum.
#3 Keeping Backups Secure
The third most popular avenue towards extortion is targeting, encrypting, or completely deleting backups. This goes beyond primary or live data — threat actors spend the extra time it takes to search a network to find all backups and encrypt them as well. Corrupting backups through encryption or deletion gives threat actors significantly more leverage when demanding a ransomware payment. If a victim organization can’t retrieve data from their backups, they may consider paying for the data that the threat actor encrypted.
Follow the 3-2-1 backup strategy:
- 3 – Keep 3 copies of any important file: 1 primary backup of the live data used daily, and 2 backups of it.
- 2 – Keep the files on 2 different media types to protect against different types of hazards.
These copies are meant to be on-site, or at least easily accessible, to restore quickly from most incidents. This helps recover quickly from server failure, accidental deletion, etc.
- 1 – Store 1 copy offsite (e.g., off of the home or business network).
This recommendation started in case of physical disasters like fires or floods within the four walls of an organization. In the case of remote working, this strategy is more effective when backups can be stored “off” of the organization’s network. Physical space is less of an issue in 2021 since employees can work within one network no matter where they may be physically located. The same applies here — without proper protections, this copy can appear to be on the same network and can be just as easily reached by a threat actor.
Ransomware is unfortunately on track to continue its growth and evolution. Luckily, the industry that fights it every day will do the same. Knowing how threat actors behave now is a promising glimpse into what threats (and protections) lie ahead. When considering government IT systems, and the ever-changing nature of threats, our last recommendation is implementing an Endpoint Detection and Response (EDR) tool. EDR tools go beyond traditional antivirus — they analyze the behavior of systems to find threat actors from the not-so-obvious avenues to come.
About the Author
Cindy Murphy is the President of Tetra Defense, an incident response and digital forensics firm based in Madison, Wisconsin.. She worked in law enforcement for 31 years, starting her career in the US Army in 1985 and joining the Madison Police Department in 1991. She began investigating computer-related crimes in 1998 before being promoted to detective in 2000. Since then, Cindy has become one of the most highly respected experts in the digital forensics field. She has been teaching digital forensics since 2002 and helped develop a digital forensics certification curriculum for Madison Area Technical College and co-authored the SANS FOR585 Advanced Smartphone Forensics course.