The news is filled with stories about horrible attacks against corporate and government networks. It’s almost enough to make administrators for small and mid-sized networks give up.
But it’s important to note not all of these attacks are the same. There’s a vast difference, for example, between the incredibly sophisticated long-term attacks against high-profile companies and government agencies, and the mere smash-and-grab attacks.
In June 2015, we learned attackers had carried out the massive theft of highly sensitive data from the Office of Personnel Management (OPM), essentially the human resources department for the US federal government.
The attack has been blamed on the Chinese government. And while there were almost certainly things that could have been done to detect the attack earlier, it probably couldn’t have been prevented. The attackers were well-resourced, patient, and had an exceptionally valuable target.
On the other hand, in March 2018, the city of Atlanta suffered a more typical sort of attack: ransomware. Ransomware attacks have also crippled hospitals in several countries and companies around the world.
Not all hacks are the same
The difference between the OPM attack and these ransomware attacks is like the difference between a sophisticated bank heist and a thug smashing the window of a jewelry store to grab whatever they can.
To stop a sophisticated heist, banks deploy complex alarm systems and 24×7 monitoring. They use vaults with timed locks that can’t be opened after-hours.
To stop a smash-and-grab thief, the solutions are simpler: things like shatterproof glass, cameras, and alarms.
In both cases, the companies think about the likely attack scenarios and the motivations of the attackers, then defend against them appropriately. We need to do the same when defending networks against attackers.
If you have something of great value to defend, you should probably deploy a vast, sophisticated, and expensive security infrastructure.
If you’re worried more about ransomware smash-and-grab attacks, the defenses are simpler.
Protecting clients against ransomware smash-and-grabs
The first thing to do is to determine the likely attack vectors. In the case of ransomware, the malware will probably come in through either an email attachment or some sort of web download.
You can cover the email vector fairly easily using a cloud-based or on-premises email scanning tool. I generally recommend the cloud-based tools because they’re very easy to deploy and reasonably inexpensive. If you’re using a cloud-based email system such as Microsoft Office 365, there may already be some attachment scanning enabled. Or you may be able to enable it for a modest additional monthly cost.
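To make the attachment-scanning step concrete, here is an added example (not code from this post or from any product it mentions) of the kind of triage a mail gateway applies to each attachment: blocked executable extensions, macro-enabled Office files, a document extension hiding in front of the real one, and a file whose leading bytes don’t match its name. The sample message and the extension lists are constructed for the demo and are not a complete policy.

```python
"""Attachment triage of the kind a mail-scanning gateway performs.

Added illustration; not code from the post or from any product named in it.
The sample message and the extension lists are constructed for the demo.
"""
import email
from email import policy
from email.message import EmailMessage

# Assumed demo lists, not a complete policy: file types that commonly carry
# executable content in mail-borne ransomware, and macro-enabled Office formats.
BLOCKED_EXTENSIONS = {".exe", ".scr", ".js", ".jse", ".vbs", ".hta", ".bat",
                      ".cmd", ".ps1", ".lnk", ".iso"}
MACRO_EXTENSIONS = {".docm", ".xlsm", ".pptm"}
DOCUMENT_EXTENSIONS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt"}
# Leading bytes a file with this extension should start with.
MAGIC = {".pdf": b"%PDF", ".docx": b"PK", ".docm": b"PK", ".xlsx": b"PK", ".xlsm": b"PK"}


def triage_attachment(filename, payload):
    """Return a list of findings for one attachment; an empty list means no concern."""
    findings = []
    name = (filename or "").lower()
    parts = name.split(".")
    ext = "." + parts[-1] if len(parts) > 1 else ""
    if ext in BLOCKED_EXTENSIONS:
        findings.append(f"blocked extension {ext}")
    if ext in MACRO_EXTENSIONS:
        findings.append(f"macro-enabled document {ext}")
    # "invoice.pdf.exe": a document extension placed in front of the real one
    if len(parts) > 2 and "." + parts[-2] in DOCUMENT_EXTENSIONS:
        findings.append(f"double extension .{parts[-2]}{ext}")
    # A Windows executable (PE header "MZ") under a harmless-looking name
    if payload[:2] == b"MZ" and ext not in BLOCKED_EXTENSIONS:
        findings.append("PE executable header under non-executable name")
    expected = MAGIC.get(ext)
    if expected and not payload.startswith(expected):
        findings.append(f"content does not match {ext} signature")
    return findings


def scan_message(raw_bytes):
    """Parse a raw RFC 5322 message and triage every attachment. Returns {filename: findings}."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    report = {}
    for part in msg.iter_attachments():
        payload = part.get_payload(decode=True) or b""
        report[part.get_filename()] = triage_attachment(part.get_filename(), payload)
    return report


def verdict(report):
    """Quarantine the whole message if any attachment raised a finding."""
    return "quarantine" if any(report.values()) else "deliver"


def build_sample_message():
    """Constructed test message with one clean and three suspicious attachments."""
    msg = EmailMessage()
    msg["From"] = "accounts@example.test"
    msg["To"] = "user@example.test"
    msg["Subject"] = "Invoice attached"
    msg.set_content("Please find the documents attached.")
    samples = [
        ("report.pdf", b"%PDF-1.4\n% constructed sample, not a real document\n"),
        ("invoice.pdf.exe", b"MZ\x90\x00\x03\x00 constructed PE-like header"),
        ("statement.pdf", b"MZ\x90\x00\x03\x00 constructed PE-like header"),
        ("quarterly.docm", b"PK\x03\x04 constructed zip-like header"),
    ]
    for name, data in samples:
        msg.add_attachment(data, maintype="application", subtype="octet-stream", filename=name)
    return msg.as_bytes()


if __name__ == "__main__":
    result = scan_message(build_sample_message())
    for name, findings in result.items():
        print(f"{name}: {findings or 'clean'}")
    print("verdict:", verdict(result))
```

The point of the magic-byte check is that a filename is attacker-controlled while the first bytes of the content are not; a commercial scanner does the same thing with a much longer signature table and then adds sandboxing on top.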
Covering the web download vector is much harder because the content of most web sessions is encrypted using SSL/TLS. Just having a good scanning tool inline with your internet circuit isn’t actually sufficient unless it’s also decrypting your content. But, once again, there are some good cloud-based web proxies that can help with this problem.
Then, if you can force all your web-browsing traffic through a cloud-based proxy, you can put a rule on your firewall that blocks all web traffic that isn’t directed through the cloud proxy service provider. This helps prevent malware from calling back home for instructions or to download additional code.
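What that firewall rule looks like in practice, as an added example (not from this post or any proxy vendor): an egress policy that allows web ports only towards the proxy provider’s address ranges, the equivalent iptables rules rendered as strings, and a check over firewall log lines that picks out the connections the rule would drop, which is where a callback or download attempt from an infected workstation shows up. The proxy ranges are TEST-NET placeholders, the internal range is assumed, and the log lines are constructed in a generic key=value format.

```python
"""Egress policy that only lets web traffic reach the cloud proxy, plus a check of
firewall log lines for connections that tried to go around it.

Added illustration, not code from the post. The proxy ranges below are
TEST-NET placeholders; substitute the egress ranges your proxy provider publishes.
"""
import ipaddress
import re

PROXY_RANGES = [ipaddress.ip_network("203.0.113.0/24"),   # placeholder, constructed
                ipaddress.ip_network("198.51.100.0/24")]  # placeholder, constructed
INTERNAL = ipaddress.ip_network("10.0.0.0/8")             # assumed internal address space
WEB_PORTS = {80, 443}


def egress_decision(dst_ip, dst_port):
    """Decide what the perimeter firewall should do with an outbound TCP flow."""
    dst = ipaddress.ip_address(dst_ip)
    if dst in INTERNAL:
        return "allow"            # intranet traffic never goes to the proxy
    if dst_port in WEB_PORTS:
        if any(dst in net for net in PROXY_RANGES):
            return "allow"        # web traffic on its way to the proxy
        return "drop"             # direct web access: a bypass or a callback attempt
    return "allow"                # non-web ports are outside the scope of this rule set


def render_iptables_rules():
    """Emit the equivalent iptables FORWARD-chain rules as strings (not applied here)."""
    rules = [f"iptables -A FORWARD -p tcp -d {INTERNAL} -j ACCEPT"]
    for net in PROXY_RANGES:
        rules.append(f"iptables -A FORWARD -p tcp -d {net} -m multiport --dports 80,443 -j ACCEPT")
    # Log before dropping so bypass attempts show up in the firewall log
    rules.append("iptables -A FORWARD -p tcp -m multiport --dports 80,443 -j LOG --log-prefix 'proxy-bypass '")
    rules.append("iptables -A FORWARD -p tcp -m multiport --dports 80,443 -j DROP")
    return rules


LOG_RE = re.compile(r"src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)")


def audit_firewall_log(lines):
    """Return (src, dst, dport) for every logged flow the policy says should be dropped.

    Each hit is a workstation reaching a web server directly instead of via the
    proxy, which is what the post's call-home and download case looks like in the log.
    """
    bypasses = []
    for line in lines:
        m = LOG_RE.search(line)
        if not m:
            continue
        src, dst, dport = m["src"], m["dst"], int(m["dport"])
        if egress_decision(dst, dport) == "drop":
            bypasses.append((src, dst, dport))
    return bypasses


# Constructed sample log lines in a generic key=value format (not a real vendor format).
SAMPLE_LOG = [
    "2018-03-22T10:15:01 src=10.1.2.3 dst=203.0.113.10 dport=443 proto=tcp",   # via proxy
    "2018-03-22T10:15:04 src=10.1.2.3 dst=10.1.0.5 dport=443 proto=tcp",       # internal server
    "2018-03-22T10:15:09 src=10.1.2.7 dst=192.0.2.44 dport=443 proto=tcp",     # direct web: bypass
    "2018-03-22T10:15:12 src=10.1.2.7 dst=192.0.2.44 dport=80 proto=tcp",      # direct web: bypass
    "2018-03-22T10:15:20 src=10.1.2.9 dst=198.51.100.8 dport=80 proto=tcp",    # via proxy
]

if __name__ == "__main__":
    print("\n".join(render_iptables_rules()))
    for hit in audit_firewall_log(SAMPLE_LOG):
        print("bypass attempt:", hit)
```

The rule set only covers ports 80 and 443, as the post describes; DNS and other outbound ports deserve their own rules, and the proxy provider’s address ranges change over time, so the allow list needs to be refreshed from the provider’s published list rather than typed in once.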
That covers the entry points.
The next thing you need to do is to try to detect the malware as soon as it hits a user’s workstation. For this you need some sort of endpoint protection software that uses a combination of anti-virus signatures and behavioural heuristics to detect when software starts doing something that looks hostile.
Remember that we’re trying to prevent smash-and-grab type attacks, not sophisticated government spies. Most of the malware in circulation uses pretty basic tricks that can be spotted quickly with the right tools.
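One of the “pretty basic tricks” an endpoint tool can spot is the file-system pattern ransomware leaves: a single process changing the extension of many files across many folders within a few seconds. The following is an added example of such a behavioural heuristic (not code from the post or from any endpoint product); the thresholds, the process names and the event stream are constructed for the demo.

```python
"""Behavioural heuristic of the kind endpoint-protection tools use: one process
renaming many files to a new extension across many folders in a few seconds.

Added illustration, not code from the post or from any endpoint product; the
thresholds and the event stream are constructed for the demo.
"""
from collections import defaultdict, deque
import os

WINDOW_SECONDS = 10.0      # assumed tuning: how far back we look
RENAME_THRESHOLD = 25      # assumed tuning: extension-changing renames in the window
DIRECTORY_THRESHOLD = 3    # assumed tuning: distinct folders touched in the window


def _ext(path):
    return os.path.splitext(path)[1].lower()


def detect_mass_rename(events):
    """events: iterable of (timestamp, process, old_path, new_path).

    Returns one alert per offending process as (process, timestamp, renames_in_window).
    """
    history = defaultdict(deque)   # process -> deque of (ts, directory)
    alerts, alerted = [], set()
    for ts, proc, old_path, new_path in events:
        if _ext(old_path) == _ext(new_path):
            continue               # ordinary save or rename, extension unchanged
        window = history[proc]
        window.append((ts, os.path.dirname(new_path)))
        while window and ts - window[0][0] > WINDOW_SECONDS:
            window.popleft()       # forget events older than the window
        dirs = {d for _, d in window}
        if (len(window) >= RENAME_THRESHOLD and len(dirs) >= DIRECTORY_THRESHOLD
                and proc not in alerted):
            alerts.append((proc, ts, len(window)))
            alerted.add(proc)      # one alert per process; a real tool would also suspend it
    return alerts


def sample_events():
    """Constructed stream: a word processor renaming a couple of temp files, then a
    constructed process 'unknown_proc' rewriting 40 documents in four seconds."""
    events = [
        (1.0, "winword.exe", "/home/u/docs0/~tmp1.tmp", "/home/u/docs0/letter.docx"),
        (2.5, "winword.exe", "/home/u/docs0/~tmp2.tmp", "/home/u/docs0/memo.docx"),
    ]
    for i in range(40):
        folder = f"/home/u/docs{i % 5}"
        events.append((100.0 + i * 0.1, "unknown_proc",
                       f"{folder}/file{i}.docx", f"{folder}/file{i}.docx.locked"))
    return events


if __name__ == "__main__":
    for proc, ts, n in detect_mass_rename(sample_events()):
        print(f"alert: {proc} changed the extension of {n} files within {WINDOW_SECONDS:.0f}s (t={ts:.1f})")
```

The word processor’s two temp-file renames change extensions too, which is why the heuristic needs both a count and a spread-across-folders condition before it fires; tuning those two numbers against normal activity on your own fleet is most of the work in deploying a rule like this.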
And finally, because you can’t cover everything, you need to be able to recover quickly from the damage these attacks can cause. That means backups.
There are many ways to do backups. Again, some are cloud-based. The critical thing with backups is that some ransomware variants have started looking for backup software and trying to destroy the backups at the same time as they destroy your live systems. So it’s worthwhile having a talk with the provider of your backup software to make sure your backups can’t be destroyed from an infected workstation.
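The property to ask your backup vendor about is easier to reason about with a model in front of you. Here is an added example (not code from the post or from any backup product) of a versioned, append-only repository: every upload adds a version and nothing is overwritten, deletion needs a separate operator role, and even that role is refused inside the retention window. Days are plain integers and the role names are assumed; the timeline is constructed to show a clean backup on day 0 and an infected workstation on day 10.

```python
"""A backup repository that an infected workstation cannot empty: every upload is a
new version, nothing is overwritten, and deletion needs a separate role and is
refused inside the retention window.

Added illustration of the design the post asks you to confirm with your vendor;
not code from the post or from any backup product. Days are plain integers and
the roles are assumed names.
"""
from collections import defaultdict


class AppendOnlyBackupStore:
    def __init__(self, retention_days=14):
        self.retention_days = retention_days
        self._versions = defaultdict(list)    # path -> [(day, data), ...] oldest first

    def put(self, role, path, data, day):
        """Any role that can back up may add a version; none can replace an old one."""
        if role not in ("workstation-agent", "backup-operator"):
            raise PermissionError(f"{role} may not write")
        self._versions[path].append((day, data))
        return len(self._versions[path])

    def delete_version(self, role, path, index, day):
        """Only the operator role can delete, and only versions older than retention."""
        if role != "backup-operator":
            raise PermissionError(f"{role} may not delete")
        version_day, _ = self._versions[path][index]
        if day - version_day < self.retention_days:
            raise PermissionError("version is inside the retention window")
        del self._versions[path][index]

    def version_count(self, path):
        return len(self._versions[path])

    def restore_as_of(self, path, day):
        """Return the newest version taken on or before `day` (point-in-time restore)."""
        candidates = [data for d, data in self._versions[path] if d <= day]
        if not candidates:
            raise KeyError(f"no version of {path} on or before day {day}")
        return candidates[-1]


def run_scenario():
    """Constructed timeline: clean backup on day 0, infection on day 10."""
    store = AppendOnlyBackupStore(retention_days=14)
    clean = b"quarterly figures (constructed sample)"
    store.put("workstation-agent", "finance/q1.xlsx", clean, day=0)

    # Day 10: the workstation is infected. The agent uploads the now encrypted
    # file (constructed bytes), and something on the box tries, with the agent's
    # credential, to delete the clean version.
    encrypted = b"\x8f\x1a\x07 constructed ciphertext"
    store.put("workstation-agent", "finance/q1.xlsx", encrypted, day=10)
    try:
        store.delete_version("workstation-agent", "finance/q1.xlsx", 0, day=10)
        delete_refused = False
    except PermissionError:
        delete_refused = True

    # Even the operator role cannot purge it yet: day 10 is inside the 14-day window.
    try:
        store.delete_version("backup-operator", "finance/q1.xlsx", 0, day=10)
        operator_refused = False
    except PermissionError:
        operator_refused = True

    return {
        "versions": store.version_count("finance/q1.xlsx"),
        "delete_refused": delete_refused,
        "operator_refused": operator_refused,
        "restored": store.restore_as_of("finance/q1.xlsx", day=9),
        "latest": store.restore_as_of("finance/q1.xlsx", day=10),
    }


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(f"{key}: {value!r}")
```

The two things worth checking with a real product map directly onto this model: the credential that lives on the workstation must not be able to delete or overwrite earlier versions, and the retention window must be enforced by the repository rather than by the agent, otherwise the question the post raises is answered by whatever software happens to be running on the infected machine.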
None of the solutions I’ve described need to be prohibitively expensive, and there are multiple vendors in each of these spaces.
Remember that everybody faces exactly the same set of challenges, which means you don’t need to invent anything here. The tools exist and many of them are available as cloud-based subscription services.