In our last blog, we looked at the ransomware threat cycle and why defense in depth is the best approach to counteracting ransomware. Understanding what those defense layers look like is important. The following are our top tips.
Tip 1: Make regular backups
Keeping regular backups is the only way to ensure your files can be recovered without having to negotiate with the cybercriminals. At the very least, your most important files should always be backed up, and this needs to be done regularly. Also make sure you understand what restoring files from the backup actually involves.
Keeping your backups separate from your regular network is also crucial, so that they are effectively 'offline' and will not be affected if the network is compromised. Often this is done using a dedicated cloud service.
Tip 2: Prevent malware from being delivered to devices
With a combination of blocking known threats and identifying unusual behavior, you can prevent a significant amount of malware from being delivered to devices. For example, websites that are known to be malicious should be blocked, and signatures should be used to block known malicious code.
By baselining 'normal' behavior you can also flag unexpected activity while actively inspecting the content. This also allows you to filter inbound content down to only the file types you would expect to receive. Complementary security techniques should also be deployed, such as anti-phishing solutions that stop ransomware from being introduced through your network traffic. Monitoring your DNS traffic for phishing domains is one way of doing this.
Tip 3: Monitor network file shares
When ransomware is deployed in a network it aims to encrypt files, and this produces tell-tale activity. The ransomware will search for files on network shares, fetch them for encryption, and upload the encrypted copies. It will also delete the original files. If you can detect this read, write, delete pattern, you can intercept the ransomware attack.
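As an added illustration (not code from the original post or from CyGlass), the following script applies that read-then-write-new-file-then-delete-original pattern to a constructed set of file-share audit events and alerts on a client host that completes several such cycles within a short window. The event format, host names and paths are assumptions made for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed file-share audit events (not real logs): timestamp host op path
SAMPLE_EVENTS = [
    "2024-05-01T02:14:01 ws-17 READ   /finance/q1.xlsx",
    "2024-05-01T02:14:02 ws-17 WRITE  /finance/q1.xlsx.locked",
    "2024-05-01T02:14:02 ws-17 DELETE /finance/q1.xlsx",
    "2024-05-01T02:14:03 ws-17 READ   /finance/q2.xlsx",
    "2024-05-01T02:14:04 ws-17 WRITE  /finance/q2.xlsx.locked",
    "2024-05-01T02:14:04 ws-17 DELETE /finance/q2.xlsx",
    "2024-05-01T02:14:05 ws-17 READ   /finance/budget.docx",
    "2024-05-01T02:14:06 ws-17 WRITE  /finance/budget.docx.locked",
    "2024-05-01T02:14:06 ws-17 DELETE /finance/budget.docx",
    "2024-05-01T09:30:00 ws-03 READ   /hr/policy.docx",       # normal edit
    "2024-05-01T09:31:00 ws-03 WRITE  /hr/policy.docx",
    "2024-05-01T10:00:00 ws-09 READ   /hr/old.txt",           # normal rename
    "2024-05-01T10:00:01 ws-09 WRITE  /hr/old-renamed.txt",
    "2024-05-01T10:00:01 ws-09 DELETE /hr/old.txt",
]

def parse_event(line):
    ts, host, op, path = line.split(maxsplit=3)
    return datetime.fromisoformat(ts), host, op, path

def detect_encrypt_cycles(lines, threshold=3, window=timedelta(minutes=5)):
    """Map host -> max number of read -> write-new-file -> delete-original
    cycles completed inside `window`, for hosts reaching `threshold`.
    Events are assumed to arrive in timestamp order."""
    read_at = {}                # (host, path) -> time the original was read
    new_write = {}              # host -> time of latest WRITE to an unread path
    cycles = defaultdict(list)  # host -> completion times of cycles
    for line in lines:
        ts, host, op, path = parse_event(line)
        if op == "READ":
            read_at[(host, path)] = ts
        elif op == "WRITE" and (host, path) not in read_at:
            new_write[host] = ts  # a fresh file, e.g. the encrypted copy
        elif op == "DELETE":
            r, w = read_at.pop((host, path), None), new_write.get(host)
            if r is not None and w is not None and r <= w <= ts:
                cycles[host].append(ts)
    alerts = {}
    for host, times in cycles.items():
        start = 0
        for end, t in enumerate(times):  # sliding window over cycle times
            while t - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                alerts[host] = max(alerts.get(host, 0), end - start + 1)
    return alerts
```

A single rename (ws-09) or an in-place edit (ws-03) stays below the threshold, while the burst from ws-17 is reported; in practice the threshold and window would be tuned to the share's normal activity.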
How can CyGlass help?
CyGlass can detect unusual behavior on the network. It can detect the ransomware pattern and alert a company to allow them to intercept an attack.
It can also give visibility into a number of other aspects that help build a deep defense against ransomware. For example, it can tell you when your Endpoint Detection and Response (EDR) solution has not received an update or has been turned off. It provides notifications when abnormal Remote Desktop Protocol (RDP) and Domain Name System (DNS) tunnels appear. CyGlass would also issue an alert when abnormal lateral movement occurs or after-hours VPN access takes place. All of these could indicate that something malicious is happening on your network.
It is also important that you monitor your network health after a ransomware event to ensure that the implications of malware or ransomware on the network are eliminated. CyGlass can help here too.
To learn more about how CyGlass can help build your defense in depth and mitigate the risk of ransomware taking hold, schedule a demo with us!