In Times of Ransom(every)ware, Unified Security is Essential

Following a series of headline-grabbing ransomware attacks that disrupted critical services in the US, FBI Director Christopher Wray likened the threat posed by ransomware to the September 11 terrorist attacks of 2001. According to Wray, recent attacks against one of the largest oil pipeline operators in the United States and a major meat processing operation may be just a harbinger of what is to come.

“There are a lot of parallels, there’s a lot of importance, and a lot of focus by us on disruption and prevention,” Mr. Wray said in an interview with the Wall Street Journal. “There’s a shared responsibility, not just across government agencies but across the private sector and even the average American.”

While ransomware is not new, Director Wray’s comments drive home an important reality; we are all fair game in the eyes of cyber criminals. Attacks against the Colonial Pipeline and JBS crippled operations for both businesses, causing a ripple effect of escalating oil and beef costs, which were felt by nearly every American to some degree, but this is just the start. The FBI is actively tracking around 100 different types of ransomware seen in the wild, with new threats emerging every day. Cyber criminals are keenly aware of the power ransomware places at their fingertips as it allows them to exploit the value of data and systems that would be difficult to monetize otherwise. And, with crypto currency prices at all-time highs, the cost of recovery can be daunting.

Wray’s point about shared responsibility should serve as a wake-up call for smaller businesses who may not see themselves as worthy targets. With that in mind, here are ten ways WatchGuard helps midsize businesses defend against ransomware with layered protection:

1. Block Phishing Attempts Automatically with DNS Filtering. Phishing via email is the most common method for starting a ransomware attack. Blocking malicious emails with spamBlocker on the Firebox and antispam on the endpoint can keep your user’s mailbox free of compromise. Miss an email, and a user clicks a link they shouldn’t? DNSWatch makes it possible to kill command and control channels and block connections to the bad guys. Need to protect users remotely? DNSWatchGO delivers the same protection on a per-user basis, without requiring a VPN.
2. Enforce Strong User Identities with MFA. AuthPoint provides effective multi-factor authentication for your workforce, protecting business assets, accounts, and data against credential theft, fraud and phishing attacks. What’s more the AuthPoint mobile app makes each login attempt visible and its unique Mobile DNA ensures only the original device can perform authentication against sophisticated threats that clone mobile devices.
3. Easily Close Security Gaps with Patch Management. According to Ponemon Institute, 57% of victims of cyber attacks said that applying a patch would have prevented them from being attacked and 34% said that they even knew about the vulnerability before the attack. WatchGuard’s user-friendly Patch Management solution for managing vulnerabilities in operating systems and third-party applications on Windows workstations and servers can help reduce the attack surface against ransomware attacks.
4. Prevent Unknown Application Execution. Our exclusive Zero-Trust Application Service enables continuous endpoint monitoring, detection, and classification of all activity to reveal and block anomalous behaviors of users, machines and processes. Endpoint Protection Detection and Response automatically mitigates the attack, by blocking any unknown application execution until it is validated as trustable by our machine-learning system and/or cybersecurity team.
5. Eliminate Initial Malware Payloads at the Firewall. Firewalls like the WatchGuard Firebox are in good position to block first-stage malware files, like droppers, which often are followed by more malicious assets. The Firebox offers three levels of malware protection: Gateway AV (signatures and heuristics), IntelligentAV (signature-less AI-powered prevention), and APT Blocker (advanced Cloud sandbox).
6. Monitor Active Attacks with Real-Time Endpoint Visibility. By nature, ransomware infects endpoint devices. Having visibility into the event activity on these devices makes it possible to detect and remediate the threats before the damage is done. Endpoint Protection Detection and Response provides clear and timely visibility into malicious activity throughout an organization. This visibility allows security teams to quickly assess the scope of an attack and take appropriate responses.
7. Correlate Telemetry Across the Stack for Greater Context. Cyber criminals are ninjas at sneaking by traditional security systems. They use stealthy, targeted attacks to soften their footsteps and hide in the shadows, making attacks easy to miss. Part of the WatchGuard Firebox, our ThreatSync solution uses a light-weight host sensor, and the power of the Cloud to automatically correlate telemetry data from multiple points in your security stack to rapidly spotlight and kill threats that would have otherwise gone undetected.
8. Halt Unauthorized File Encryption. Host Ransomware Prevention leverages a behavioral analytics engine and a decoy directory honeypot to monitor a wide array of characteristics determining if a given action is associated with a ransomware attack or not. If it’s determined that the threat is malicious, HRP can automatically prevent a ransomware attack before file encryption on the endpoint takes place.
9. Restore Endpoints with Ease. During execution, malware often creates, modifies, or deletes system file and registry settings and changes configuration settings. These changes, or remnants that are left behind, can cause system malfunction instability or even an open door to new attacks. Endpoint Protection Detection and Response, in those residual cases in which malware is allowed to run, restores endpoints to their pre-malware trusted state.
10. Minimize Time to Detection. WatchGuard’s threat hunting and investigation service helps detect emergent hacking and living-off-the-land techniques. Using our security experts, we analyze suspicious cases to find new and unique evasion techniques (known as TTPs) in the event stream. From there, we create rules representing new IoAs that can be delivered to your endpoints to rapidly protect them against new attacks.

In this period of ransom(every)ware, organizations need to realize that threats come in numerous forms and use advanced techniques, even against smaller businesses. Therefore, having a unified security platform that can empower your team to act before any potential vulnerability is exploited and accelerate response in event of a breach, can go a long way in preventing attacks that paralyze business activity.