Last week, we discussed the best practices around securing VPNs and the roles that unsecured VPNs can play in a ransomware attack. This week, we’ll cover the network, and the critical role network defense plays in defending against ransomware attacks.


Network defense is another of the critical cyber defense points because the primary objective of a ransomware attack is to infiltrate your network to access the critical systems that need to be attacked to ensure ransom payment. Advanced ransomware attacks regularly bypass endpoint defenses, making network defense essential to detect an attack and minimize dwell time.


Network defense starts with firewalls. Firewalls act as the first line of defense against unauthorized access attempts and malicious activities from external sources. Firewalls analyze network packets and filter traffic based on various criteria such as IP addresses, port numbers, protocols, and application-specific rules. By implementing access control policies, firewalls can permit or deny traffic based on these rules, effectively controlling what can enter or leave a network. Most firewalls include intrusion-prevention capabilities. An IPS monitors network traffic for potential security breaches and malicious activities. It can detect and block suspicious traffic patterns or known attack signatures, providing additional protection against cyber threats. But configuring firewalls can be complex, even for moderate-sized networks. Misconfigurations are common and can inadvertently create security holes or block legitimate traffic, affecting network performance and usability.


In this blog, our best practices are going to focus on defenses beyond firewalls; here are six critical network defense strategies we suggest:


  1. Gain Network Visibility: Organizations must have comprehensive visibility into their network infrastructure, including endpoints, servers, cloud platforms and applications, and other devices, including IoT. This visibility allows IT teams to understand where risks and vulnerabilities are hidden across the network, from unprotected and rogue devices to firewall rules that are outdated or improperly defined.


  1. Utilize AI-based Threat Detection: Network threat detection starts with an AI-based understanding of normal network behavior. The voluminous nature of network traffic makes human or rule-based approaches (firewalls) quickly overwhelmed with data or filled with false positives. AI (primarily unsupervised machine learning) will define “network normal” and identify deviations indicating ransomware attacks. Early detection enables organizations to respond quickly, preventing the encryption or loss of critical data.


  1. Rapidly Respond: When a ransomware attack is detected, teams must quickly identify the source, the affected systems, and the extent of the compromise. With ransomware start-to-finish attack time averaging seven days, rapid remediation by the IT team can isolate infected systems and defeat a ransomware attack. Defensive systems must offer the context of what part of the network is under attack and what systems/devices are involved. Advanced network detection and response can even connect IP addresses, devices, and users to rapidly identify all aspects of the threat, making containment much easier.


  1. Continuously Monitor and Improve: Network security is an ongoing process, and it’s essential to constantly monitor, analyze, and refine your network risks and threats, as well as your defensive strategies. Regularly inventory your network devices searching out new, unprotected and rogue devices, and review your network security control effectiveness, remediation procedures, and playbooks to adapt to evolving threats and incorporate lessons learned from previous incidents.


  1. Deploy Cloud-Based Network Threat Detection: Most small and medium organizations have passed on deploying AI-based Network Detection and Response (NDR) because of their high operating costs, but a new generation of cloud-native tools that cover both network (NDR) and Cloud (CDR) are available. They remove expensive hardware, are much easier to manage, and lower the total cost of ownership by over 60%. These new solutions offer small and medium businesses enterprise-class, AI-based network defense at a fraction of the costs.


  1. Layer Your Defenses: Network defense is critical because when ransomware bypasses your endpoint defense, your network defense is all you have left. Do not rely on endpoint defense alone, as it has repeatedly proven to be a losing strategy. Firewalls, IDS, and NDR all work together to add a layer of defense beyond your endpoints and minimize dwell time.


Your network is your “source of truth” to what is happening inside your organization regarding risk and threats. A network-centric approach to ransomware defense is the most critical piece of the ransomware defense puzzle when you are attacked. It is the one place a ransomware attack cannot hide and where your defenses will always be effective.


Next week we will continue our blog series focusing on multi-factor authentication and its role in ransomware defense. Don’t miss it.


To learn more, reach out to CyGlass:


Bill Munroe

VP of Marketing, CyGlass