With many employees now working from home, organisations are exposed to a vastly increased attack surface and must re-assess their endpoint security strategies to ensure they are equipped for this new environment. Tamer Odeh, Regional Director at SentinelOne in the Middle East, tells us how enterprises can best improve their endpoint security and why prevention is crucial for defending against sophisticated attacks.
Tell us about ransomware – how much of a threat is it to modern organisations?
Ransomware attacks continue to pose a threat to modern organisations, especially during the COVID-19 pandemic. In fact, the increasing diversity and total volume enabled by RaaS and affiliate schemes, along with the low risk and lucrative returns, only serves to suggest that ransomware will continue to evolve and increase in sophistication for the foreseeable future.
There are different types of ransomware. Examples like DoppelPaymer ransomware employ lightning-fast payloads to perform over 2000 malicious operations on the host in less than seven seconds. This means that legacy detection and response methods are failing to prevent infections, and defenders’ response to ransomware often starts after the ransomware has achieved its objectives.
Moreover, in the case of Maze ransomware, it has plenty of time to encrypt tens of thousands of files. Unfortunately, if a business relies on the cloud for virus signatures or reputation lookups, time plays a huge role in the process.
Huge damages can occur in one minute. In one test, SentinelOne’s Labs recorded 23,969 events triggered by Maze within the span of a mere 60 seconds. Each one of those events is a file being encrypted in preparation for hackers heavily threatening a company’s head and demanding a ransom to unlock its data.
All this damage underscores why local protection models – as in, those that are located on endpoints and don’t need to pause to fetch marching orders from the cloud – are superior to products that suffer from cloud lag and the dwell time it grants attackers.
Can you give us a summary of the methods of infection?
There are various methods of infection based on various situations. Some ransomware criminals take advantage of the challenges and vulnerabilities created by BYOD, IoT and Digital Transformation initiatives using technologies like social, mobile, cloud and software-defined networks. Remote workforces demanding the ability to work from anywhere at any time while accessing company data and using cloud applications also create challenges and increase the attack surface.
However, the methods of infection usually include the following:
- Breaches through phishing and social engineering
- Infection via compromised websites
- Malvertising and breaching the browser
- Exploit kits that deliver custom malware
- Infected files and application downloads
- Messaging applications as infection vectors
- Brute force through RDP
Other ransomware criminals recruit employees inside the firm as a means of breaching security controls, which is a technique one would normally associate with nation-state actors engaged in espionage.
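The last item in the list above, brute force through RDP, is one of the infection vectors that leaves a clear trail in Windows Security logs. The following is an added example, not code from the interview or from SentinelOne: it flags source addresses that rack up many failed remote-interactive logons (Event ID 4625, LogonType 10) inside a short window, lists the usernames tried (many distinct names from one address points to password spraying), and marks the case where a burst of failures is followed by a successful logon (Event ID 4624) from the same address. The log lines and their simplified "timestamp | event id | fields" layout are constructed for the demonstration; a real deployment would read these fields from the event log export or SIEM.

```python
"""Flag RDP password-guessing from Windows Security log lines.

Added example: the log lines and their layout are constructed for this
demonstration and are not taken from any real system.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample: two source addresses, one of them guessing RDP
# credentials and finally succeeding as "backup".
SAMPLE_LOG = """\
2020-05-04T09:00:01 | 4625 | LogonType=10 TargetUserName=admin IpAddress=203.0.113.7
2020-05-04T09:00:04 | 4625 | LogonType=10 TargetUserName=administrator IpAddress=203.0.113.7
2020-05-04T09:00:06 | 4625 | LogonType=3 TargetUserName=svc_backup IpAddress=198.51.100.20
2020-05-04T09:00:09 | 4625 | LogonType=10 TargetUserName=admin IpAddress=203.0.113.7
2020-05-04T09:00:15 | 4625 | LogonType=10 TargetUserName=jsmith IpAddress=198.51.100.20
2020-05-04T09:00:21 | 4625 | LogonType=10 TargetUserName=root IpAddress=203.0.113.7
2020-05-04T09:00:33 | 4625 | LogonType=10 TargetUserName=admin IpAddress=203.0.113.7
2020-05-04T09:00:40 | 4624 | LogonType=10 TargetUserName=jsmith IpAddress=198.51.100.20
2020-05-04T09:00:52 | 4625 | LogonType=10 TargetUserName=backup IpAddress=203.0.113.7
2020-05-04T09:01:10 | 4624 | LogonType=10 TargetUserName=backup IpAddress=203.0.113.7
2020-05-04T09:09:00 | 4625 | LogonType=10 TargetUserName=jsmith IpAddress=198.51.100.20
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) \| (?P<eid>\d+) \| (?P<fields>.*)$")
KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_line(line):
    """Parse one constructed log line; return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.fromisoformat(m["ts"]),
        "eid": int(m["eid"]),
        "fields": dict(KV_RE.findall(m["fields"])),
    }


def detect_rdp_bruteforce(log_text, threshold=5, window_seconds=60):
    """Return {ip: alert} for addresses with >= threshold failed RDP logons
    (4625, LogonType 10) inside any window of window_seconds.

    Each alert records the peak failure count, the usernames attempted and
    whether a successful RDP logon (4624) from that address followed the burst.
    """
    recent = defaultdict(deque)   # ip -> timestamps of failures still in the window
    users = defaultdict(set)      # ip -> usernames attempted
    alerts = {}
    for line in log_text.splitlines():
        ev = parse_line(line)
        # Only remote-interactive (RDP) logons are of interest here.
        if ev is None or ev["fields"].get("LogonType") != "10":
            continue
        ip = ev["fields"].get("IpAddress", "-")
        if ev["eid"] == 4625:
            q = recent[ip]
            q.append(ev["ts"])
            users[ip].add(ev["fields"].get("TargetUserName", "?"))
            # Slide the window: drop failures older than window_seconds.
            while (ev["ts"] - q[0]).total_seconds() > window_seconds:
                q.popleft()
            if len(q) >= threshold:
                alert = alerts.setdefault(
                    ip, {"failures": 0, "usernames": [], "success_after_burst": False}
                )
                alert["failures"] = max(alert["failures"], len(q))
                alert["usernames"] = sorted(users[ip])
                alert["last_failure"] = ev["ts"].isoformat()
        elif ev["eid"] == 4624 and ip in alerts:
            # A success from an address already flagged is the strongest signal.
            alerts[ip]["success_after_burst"] = True
            alerts[ip]["success_user"] = ev["fields"].get("TargetUserName")
    return alerts


if __name__ == "__main__":
    for ip, alert in detect_rdp_bruteforce(SAMPLE_LOG).items():
        print(ip, alert)
```

Running the block on the constructed sample flags only 203.0.113.7: six failures in 51 seconds across four usernames, followed by a successful logon as "backup". The second address never reaches the threshold, and its LogonType 3 failure is ignored because it is not an RDP session. The threshold and window are parameters because the right values depend on the environment; tuning them against a baseline of normal failed logons is what keeps the rule from paging on typos.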
Are remote workers more vulnerable to ransomware attacks?
Yes, they definitely are – with millions of people working from home, there is an enormous attack surface ripe for the taking by malicious actors. It is no trivial task to provide the same levels of security for all these employees, operating outside the (relatively) safe perimeter of their offices and local intranet.
Furthermore, with time and numerous IT ‘temptations’ (like letting your kids use your work laptop for browsing) employees’ awareness levels can be eroded, leading to an increase in their vulnerability to cybercrime.
What other key threats are remote workforces facing?
An increased number of staff working remotely presents an opportunity for Business Email Compromise (BEC) fraud, as the whole scam relies on communications that are never confirmed in person.
Phishing campaigns are also a threat for all employees whether they are based in-house or remote, but for workers who are unused to working ‘home alone’ and are now dealing with an increase in email and other text-based communications, it can be easier for them to lose perspective on what is genuine and what is a scam.
In particular, with a rise in malspam playing on fears of Coronavirus from the ‘usual suspects’ like Emotet and TrickBot, remote workers need to be extra-vigilant.
How should organisations plan for a ransomware [or other] cyber incident?
Organisations must rely on a modern, well-maintained, properly tuned and trusted security solution. Prevention is key with these attacks. Even if the encryption/data-loss can be mitigated through decryptors, backups or rollbacks, victims still face the problem of their data being posted publicly. We encourage security teams to analyse and understand the threats and to take swift and appropriate action to prevent incidents occurring in the first place.
Below are suggestions for the type of training:
- Train staff to habitually inspect links before clicking by hovering over them with the pointer to see the actual URL destination
- Train staff to deny requests to enable macros when opening email attachments. Ideally, use an advanced EPP/EDR security solution that can enforce a policy to prevent macro execution or block malicious content if it is executed by the user. CDR (Content Disarm and Reconstruction) software can also help protect against exploits and weaponised content in emails and other external sources.
- It is obviously best to prevent the ransomware attack from occurring, as recovery is difficult
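The first training point above, inspecting where a link actually leads rather than where its text says it leads, is a check that can also be automated at the mail gateway or in a triage script. The following is an added example and is not code from the interview or from SentinelOne: it parses the anchors in an HTML email body with the standard library and reports links whose visible text names a different domain than the href, links that embed credentials-style `user@host` trickery in the URL, links to bare IP addresses or non-HTTPS destinations, and hostnames that merely contain a trusted domain as a prefix. The email body and the domain names in it are constructed for the demonstration, and the `registrable_domain` helper is a deliberate simplification (last two labels) where production code would consult the Public Suffix List.

```python
"""Inspect links in an HTML email the way a trained user would by hovering.

Added example: the message body, domains and the trusted-domain list are
constructed for this demonstration.
"""
import ipaddress
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed phishing-style message: one lookalike host, one raw IP over
# plain HTTP, one genuine link, and one "trusted@evil" userinfo trick.
SAMPLE_EMAIL = """\
<html><body>
<p>Your account has been limited. Please sign in to restore access:</p>
<p><a href="https://bank.example.login-verify.test/signin">https://www.bank.example/signin</a></p>
<p>Or <a href="http://198.51.100.23/update">Update your account</a> now.</p>
<p>Questions? Visit the <a href="https://www.bank.example/help">Help Centre</a>
or <a href="https://bank.example@evil.test/">bank.example</a>.</p>
</body></html>
"""

# Visible text that looks like a URL or bare hostname.
URL_LIKE = re.compile(r"^(?:https?://)?(?:[\w-]+\.)+[a-z]{2,}(?:[/?#].*)?$", re.I)


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host):
    """Simplified: last two DNS labels. Real code should use the Public Suffix List."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def is_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def inspect_link(href, text, trusted_domains=()):
    """Return the list of reasons a single link deserves suspicion (empty if none)."""
    reasons = []
    u = urlparse(href)
    host = u.hostname or ""
    if u.scheme != "https":
        reasons.append("non-https")
    if "@" in u.netloc:          # https://trusted.example@attacker.test/
        reasons.append("userinfo-in-url")
    if is_ip(host):
        reasons.append("raw-ip-host")
    if URL_LIKE.match(text):
        # The text claims a destination; compare it with where the href really goes.
        text_host = urlparse(text if "://" in text else "http://" + text).hostname or ""
        if registrable_domain(text_host) != registrable_domain(host):
            reasons.append("text-href-mismatch")
    for trusted in trusted_domains:
        if trusted.lower() in host.lower() and registrable_domain(host) != registrable_domain(trusted):
            reasons.append("lookalike-of-trusted")
            break
    return reasons


def inspect_links(html, trusted_domains=()):
    """Parse an HTML body and return findings for every suspicious link."""
    collector = _LinkCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.links:
        reasons = inspect_link(href, text, trusted_domains)
        if reasons:
            findings.append({"href": href, "text": text, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in inspect_links(SAMPLE_EMAIL, trusted_domains=("bank.example",)):
        print(f["href"], "<-", repr(f["text"]), f["reasons"])
```

On the constructed message three of the four links are reported and the genuine Help Centre link passes. The mismatch check only fires when the visible text itself looks like a URL, which is exactly the case a hovering user is trained to catch; generic link text such as "Update your account" is instead caught by the destination checks.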
What advice would you offer organisations for navigating the prepare, protect, respond and recover stages of an incident?
To address the security challenges, we believe preparation and protection should:
- Support all your existing OSs, including cloud and VDI; attackers are always looking for your weakest link
- Include several types of technologies that can detect in parallel to achieve separate security layers
- Not rely on a person to run it effectively, including threat prevention
- Integrate with other security solutions on your network – able to benefit from and provide security data
- Allow visibility of all your assets: a single view of a device is always weaker than a historical view across your network
Unfortunately, there is little one can do to recover files once the system is infected with a ransomware attack, but here are a few tips that can help prevent it from spreading and help you avoid becoming the victim of a repeat attack.
Steps that can be taken when a ransomware attack happens:
1. Alert law officials – They probably won’t be able to help, but as with any ransom activity, they should be informed
2. Isolate the infected machine – It’s important that the system is taken offline, as the attackers essentially own the machine now and can use it to gain access to other systems on the network.
3. Don’t pay the ransom – As with any form of ransom, one is not guaranteed to get data back and paying could encourage attackers to keep up their lucrative game. In addition, if one pays and actually gets keys once, one may be the target of a repeat (and potentially more costly) ransom attack in the future.
4. Remediate – Run endpoint security software to discover and remove the ransomware software. If it cannot detect the threat, wipe your machine.
5. Restore – Restore your files with the most recent back-up.
How can organisations best improve their endpoint security?
It’s best if organisations use endpoint security software that protects them against unknown forms of ransomware. One way to do that is through EPP that uses Predictive Execution Inspection Engines that go beyond file-based analysis – even mathematic algorithmic analysis – and observe the actual execution of every system process or thread in real time. By understanding the execution behaviours of all applications, programs and processes in real time, EPP should provide ultimate defence against any type of attack.