Ransomware response — Prevention? Detection? or both?

Sanjeev Singh
2 min read · Feb 13, 2021


(Image: a typical ransom note)

Ransomware is in the news a lot lately. As I had written earlier, it has changed the game by behaving like a traditional data breach and exfiltrating data before encrypting. If you are the unfortunate victim, you can no longer just restore from backup, since you now also have to care about potential public disclosure of the data.

Post-infection ransomware response is no longer simple. The stakes are loaded in favour of the attackers. But you are not helpless. The best actions against ransomware are the ones taken before the attack. Let's look at a few actions that we can take.

Prevention: Today, I want to highlight a nifty feature in Windows 10 and Windows Server 2019 called ‘Controlled Folder Access’. It’s part of the Windows Defender Exploit Guard, offered free with Windows. It’s quite easy to set up and manage. You can enable controlled folder access by using any of these methods:

  • Windows Security app
  • Microsoft Intune
  • Mobile Device Management (MDM)
  • Microsoft Endpoint Configuration Manager
  • Group Policy
  • PowerShell

Controlled folder access works by only allowing apps to access protected folders if the app is included on a list of trusted software, a.k.a. a whitelist (or, going by the latest trend, an allow list). If an app isn’t on the list, controlled folder access blocks it from making changes to files inside protected folders. Apps are added to the trusted list based on their prevalence and reputation: apps that are highly prevalent throughout your organization, and that have never displayed any malicious behavior, are deemed trustworthy and added to the list automatically. Wow! Just wow.

Protect important folders from ransomware from encrypting your files with controlled folder access — Windows security | Microsoft Docs

Is this 100%? No. Can it be bypassed? Possibly. Does it reduce attack surface? Absolutely. And you cannot complain about the price.
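The PowerShell route from the list above, written out as an added example (this is my illustration, not code from the post or from Microsoft). It uses the Defender cmdlets `Set-MpPreference`, `Add-MpPreference` and `Get-MpPreference`; the folder and application paths are placeholders, and the event IDs 1123 (blocked) and 1124 (audited) are the ones Defender writes to its Operational log for controlled folder access. The point of starting in audit mode is to find the legitimate apps that would be blocked before you turn enforcement on.

```powershell
# Added example: rolling out Controlled Folder Access with the Defender cmdlets.
# Paths below are placeholders; run from an elevated PowerShell session on
# Windows 10 / Windows Server 2019.

# 1. Start in audit mode: nothing is blocked yet, but every access that WOULD
#    have been blocked is logged (event ID 1124), so legitimate apps surface
#    before enforcement breaks them.
Set-MpPreference -EnableControlledFolderAccess AuditMode

# 2. Protect folders beyond the defaults (Documents, Pictures, etc. are covered
#    already). Placeholder paths.
Add-MpPreference -ControlledFolderAccessProtectedFolders 'D:\Finance', 'D:\Shares\Contracts'

# 3. Review what audit mode saw. 1123 = blocked, 1124 = audited.
$log = 'Microsoft-Windows-Windows Defender/Operational'
Get-WinEvent -FilterHashtable @{ LogName = $log; Id = 1123, 1124 } -ErrorAction SilentlyContinue |
    ForEach-Object {
        [pscustomobject]@{
            Time    = $_.TimeCreated
            Mode    = if ($_.Id -eq 1123) { 'Blocked' } else { 'Audited' }
            Message = $_.Message
        }
    } | Format-Table -Wrap

# 4. Allow the business apps that showed up in the audit log (placeholder path).
Add-MpPreference -ControlledFolderAccessAllowedApplications 'C:\Program Files\LineOfBusiness\app.exe'

# 5. Switch to enforcement once the allow list has settled down.
Set-MpPreference -EnableControlledFolderAccess Enabled

# 6. Confirm the resulting state.
Get-MpPreference | Select-Object EnableControlledFolderAccess,
    ControlledFolderAccessProtectedFolders,
    ControlledFolderAccessAllowedApplications
```

Keep collecting the 1123 events after enforcement: a sudden burst of blocks from one process on user data folders is itself a detection signal, not just a support ticket.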

Detection & Response: The fact that modern ransomware stays in the victim’s environment for weeks to months means that it behaves in a more traditional manner. The attackers have to achieve persistence, move laterally, establish command and control, exfiltrate large volumes of data, etc., and that gives us more time to detect and respond. Are our SOCs capable of detecting modern data breaches? Do you detect a) rule based? b) behavior based? c) anomaly based? or d) all three? Do you threat hunt regularly? How good is the threat intelligence?

An unbiased answer to these questions, and appropriate responses to them, will definitely help, at least in making it more expensive for the attacker to target your organisation. At the same time, it provides additional avenues to prevent, detect and respond much faster.
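To make the rule-based versus behavior-based distinction concrete, here is an added example of my own (not from the post) for the final encryption stage: instead of matching a known hash or ransom-note name (a rule), it looks for the behavior, one process renaming many files to a new extension within a short window. The input is a constructed set of file-event records with hypothetical field names; in practice they would come from file-server object-access auditing or an EDR feed, and the threshold and window are tuning knobs you would set from your own baseline.

```powershell
# Added example: behavior-based detection of bulk extension changes.
# Constructed sample events (hypothetical schema): Time, User, Process, Op, Path, NewPath.
$sampleEvents = @(
    [pscustomobject]@{ Time='2021-02-13T10:00:01'; User='alice'; Process='winword.exe'; Op='Write';  Path='\\fs1\finance\q1.docx';    NewPath=$null }
    [pscustomobject]@{ Time='2021-02-13T10:00:05'; User='alice'; Process='winword.exe'; Op='Rename'; Path='\\fs1\finance\q1.docx';    NewPath='\\fs1\finance\q1.bak' }
    [pscustomobject]@{ Time='2021-02-13T10:12:00'; User='bob';   Process='unknown.exe'; Op='Rename'; Path='\\fs1\finance\a.xlsx';     NewPath='\\fs1\finance\a.xlsx.locked' }
    [pscustomobject]@{ Time='2021-02-13T10:12:02'; User='bob';   Process='unknown.exe'; Op='Rename'; Path='\\fs1\finance\b.xlsx';     NewPath='\\fs1\finance\b.xlsx.locked' }
    [pscustomobject]@{ Time='2021-02-13T10:12:03'; User='bob';   Process='unknown.exe'; Op='Rename'; Path='\\fs1\finance\c.docx';     NewPath='\\fs1\finance\c.docx.locked' }
    [pscustomobject]@{ Time='2021-02-13T10:12:05'; User='bob';   Process='unknown.exe'; Op='Rename'; Path='\\fs1\finance\d.pdf';      NewPath='\\fs1\finance\d.pdf.locked' }
    [pscustomobject]@{ Time='2021-02-13T10:12:07'; User='bob';   Process='unknown.exe'; Op='Rename'; Path='\\fs1\finance\e.pptx';     NewPath='\\fs1\finance\e.pptx.locked' }
    [pscustomobject]@{ Time='2021-02-13T10:12:09'; User='bob';   Process='unknown.exe'; Op='Rename'; Path='\\fs1\finance\f.docx';     NewPath='\\fs1\finance\f.docx.locked' }
    [pscustomobject]@{ Time='2021-02-13T10:12:10'; User='bob';   Process='unknown.exe'; Op='Write';  Path='\\fs1\finance\README.txt'; NewPath=$null }
)

function Find-BulkRename {
    param(
        [Parameter(Mandatory)] [object[]] $Events,
        [int] $Threshold     = 5,   # extension-changing renames per process before alerting
        [int] $WindowSeconds = 60   # sliding window length
    )
    $alerts = @()

    # Only renames where the extension actually changes; sorted by time.
    $renames = $Events |
        Where-Object { $_.Op -eq 'Rename' -and $_.NewPath } |
        Where-Object { [IO.Path]::GetExtension($_.Path) -ne [IO.Path]::GetExtension($_.NewPath) } |
        Sort-Object { [datetime]$_.Time }

    foreach ($group in ($renames | Group-Object Process)) {
        $items = @($group.Group)
        $best  = $null
        $start = 0
        # Two-pointer sliding window over this process's renames.
        for ($end = 0; $end -lt $items.Count; $end++) {
            while (([datetime]$items[$end].Time - [datetime]$items[$start].Time).TotalSeconds -gt $WindowSeconds) {
                $start++
            }
            $inWindow = $end - $start + 1
            if ($inWindow -ge $Threshold -and ($null -eq $best -or $inWindow -gt $best.Count)) {
                $best = [pscustomobject]@{
                    Process       = $group.Name
                    User          = $items[$end].User
                    Count         = $inWindow
                    WindowStart   = $items[$start].Time
                    WindowEnd     = $items[$end].Time
                    NewExtensions = ($items[$start..$end] |
                        ForEach-Object { [IO.Path]::GetExtension($_.NewPath) } |
                        Sort-Object -Unique) -join ','
                }
            }
        }
        if ($best) { $alerts += $best }
    }
    return $alerts
}

# With the constructed data, winword.exe (one rename) stays quiet and
# unknown.exe (six renames to .locked in nine seconds) produces one alert.
Find-BulkRename -Events $sampleEvents | Format-Table -AutoSize
```

The same sliding-window idea, applied to other event streams, is how the earlier stages in the paragraph above become detectable: many failed logons from one host for lateral movement, or an unusual outbound byte count from one workstation for exfiltration. Each is a behavior, not an indicator, so it keeps working when the attacker changes tooling.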

Providing the right timely advice and continuously working towards improving detection and response capabilities is what we do for our clients and we love it.

Written by Sanjeev Singh

An avid learner and passionate cyber defender