Firewall best practices to block ransomware

Ransomware continues to plague organizations, with over a third of companies surveyed across 30 countries revealing that they were hit by ransomware in the last year. 

Such attacks are ever-increasing in complexity and adversaries are getting more efficient at exploiting network and system vulnerabilities, leaving organizations with a significant clean-up bill: a global average of an eye-watering US$1.85M – more than double the cost reported last year.

Modern firewalls are highly effective at defending against these types of attacks, but they need to be given the chance to do their job. 

Let’s discuss how these attacks work, how they can be stopped, and best practices for configuring your firewall and network to give you the best protection possible.

Who are hackers targeting?

The short answer: everyone. 

In a recent survey of 5,400 mid-sized organizations across 30 countries, 37% of respondents said they had been hit by ransomware in the last year. No country, sector or vertical segment is safe.

[Chart: “In the last year, has your organization been hit by ransomware?” Share of respondents answering “Yes”, split by sector; some answer options omitted.]

If you search the news for “ransomware attack” you will find several new successful attacks occurring every week. The effects are devastating: huge ransomware demands, significant downtime and business disruption, reputation damage, loss of data, and in an increasing number of cases, sensitive company data are being auctioned off by attackers.

How do ransomware attacks get on the network?

Ransomware actors use a wide range of Tactics, Techniques and Procedures (TTPs) to penetrate their victims’ networks. Our experts have seen an increase in attacks where adversaries try multiple approaches until they find the chink in the organization’s defences.

[Chart: “How did the ransomware attack get into your organization?” Question asked to respondents whose organization had been hit by ransomware in the last year. Base: 2,538 respondents.]

The top entry point for ransomware is through files downloaded or sent to users in spam or phishing attacks. 

Don’t leave security in the hands of your users. For these types of attacks, it’s best to safeguard your organization with strong firewall protection.

How do ransomware attacks work?

  1. Gain entry: Spam or phishing email with a malicious attachment, or a web download or document containing exploits. Remote file-sharing/management features such as RDP.
  2. Escalate privileges until they are an administrator: Attackers exploit system vulnerabilities to gain privilege levels that let them bypass security software. They may restart and run the compromised host in Safe Mode to do this.
  3. Attempt to disable/bypass security software using highly tailored files: Failing this, they will attempt to breach the security management console and disable the security system.
  4. Deploy payload: Using an automated exploit or manual network reconnaissance, attackers will first look for backups stored on the local network and delete them, making recovery much more difficult and increasing the chances of the victim paying the ransom. They then often exfiltrate sensitive company data for sale on the dark web.
  5. Spread ransomware: Hackers will then encrypt the organization’s data and files, utilizing network and host vulnerabilities or basic file-sharing protocols to compromise other systems on the network and spread file-encrypting ransomware.
  6. Leave a ransom note demanding payment for files to be decrypted.
  7. Wait for the victim to contact them via email or a dark web website.

Remote Desktop Protocol or Ransomware Deployment Protocol?

Remote Desktop Protocol (RDP) and other desktop sharing tools like Virtual Network Computing (VNC) are innocuous and highly useful features of most operating systems that allow staff to access and manage systems remotely. 

Unfortunately, without the proper safeguards in place, they also provide convenient inroads for attackers and are commonly exploited by targeted ransomware. 

Not properly securing RDP and other similar remote management protocols behind a Virtual Private Network (VPN) or at least restricting which IP addresses can connect via remote tools can leave you wide open to attackers. 

Attackers often use brute-force hacking tools which try hundreds of thousands of username and password combinations until they get the right one.

How to stay protected from ransomware

To properly protect your organization from ransomware, there are three major initiatives you should undertake.

Upgrade your IT security: Your firewall and endpoint security can protect against attacks getting onto the network in the first place, and if an attack should somehow penetrate your network, they can prevent it from spreading and infecting other systems. But not all firewalls and endpoint security solutions can do this effectively, so make sure you have an IT security system that does.

Ensure you have:

  • Affordable sandboxing to analyze file behaviour as it’s run before it gets on your network.
  • The latest machine learning technology to identify new zero-day variants in any files coming through the firewall.
  • Firewall IPS with live signature updating to block network exploits.
  • Free and easy remote access VPN to enable management of your network remotely without compromising on security.
  • Endpoint protection with anti-ransomware capabilities.

Lock down remote access and management: When it comes to networks, every opening to the outside world is a potential vulnerability waiting to be exploited by a ransomware attack. Locking down your organization’s Remote Desktop Protocol access, open ports, and other management protocols is one of the most effective steps you can take to secure against targeted ransomware attacks. 

There are numerous ways you can do this. One popular method is to require all users to be on a VPN before they can access resources such as RDP and restrict VPN access to known IP addresses. Also, properly secure and harden your servers, use complex passwords that are changed frequently, and leverage multi-factor authentication.
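As an added illustration (not part of the original article and not any vendor's tooling), the following Python sketch audits a firewall rule export for the exposure described above: RDP or VNC allowed from outside the VPN. The rule format, field names, zone names and the 256-address threshold are assumptions made for this example; the rule set is constructed sample data.

```python
import ipaddress

# Remote-management services the article singles out, by default TCP port.
REMOTE_MGMT_PORTS = {3389: "RDP", 5900: "VNC"}

# Constructed rule set in a generic, vendor-neutral shape (hypothetical field names).
SAMPLE_RULES = [
    {"name": "web-in", "src_zone": "WAN", "src": "0.0.0.0/0", "ports": "443", "action": "allow"},
    {"name": "rdp-any", "src_zone": "WAN", "src": "0.0.0.0/0", "ports": "3389", "action": "allow"},
    {"name": "mgmt-range", "src_zone": "WAN", "src": "203.0.113.0/24", "ports": "5000-6000", "action": "allow"},
    {"name": "rdp-vpn", "src_zone": "VPN", "src": "10.8.0.0/24", "ports": "3389", "action": "allow"},
    {"name": "rdp-drop", "src_zone": "WAN", "src": "0.0.0.0/0", "ports": "3389", "action": "drop"},
]

def parse_ports(spec):
    """Turn '443', '3389,5900' or '5000-6000' into a list of (low, high) ranges."""
    ranges = []
    for part in spec.split(","):
        low, _, high = part.strip().partition("-")
        ranges.append((int(low), int(high or low)))
    return ranges

def audit_rule(rule, max_hosts=256):
    """Return findings for one rule; an empty list means no remote-management exposure."""
    if rule["action"] != "allow" or rule["src_zone"] == "VPN":
        return []
    exposed = [svc for port, svc in REMOTE_MGMT_PORTS.items()
               if any(lo <= port <= hi for lo, hi in parse_ports(rule["ports"]))]
    if not exposed:
        return []
    src = ipaddress.ip_network(rule["src"], strict=False)
    if src.num_addresses > max_hosts:  # assumed cut-off for "known IP addresses"
        severity = "HIGH: open to unrestricted sources"
    else:
        severity = "MEDIUM: restricted by IP but not behind VPN"
    return [f"{rule['name']}: {svc} reachable from {rule['src_zone']} {src} ({severity})"
            for svc in exposed]

def audit(rules):
    """Collect findings across the whole rule set, in rule order."""
    return [finding for rule in rules for finding in audit_rule(rule)]

if __name__ == "__main__":
    for line in audit(SAMPLE_RULES):
        print(line)
```

Note that the wide port range in `mgmt-range` is flagged even though the rule never names VNC explicitly; range rules are a common way for remote-management ports to end up exposed unnoticed.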

Segment your network: Unfortunately, many organizations operate with a flat network topology: all of their endpoints connect into a common switch fabric. This topology compromises protection by enabling easy lateral movement or propagation of attacks within the local network since the firewall has no visibility or control over the traffic flowing through the switch.

A best practice is to segment the LAN into smaller subnets using zones or VLANs and then connect these through the firewall to enable the application of anti-malware and IPS protection between segments. This can effectively identify and block threats attempting to move laterally on the network.

Whether you use zones or VLANs depends on your network segmentation strategy and scope, but both offer similar security capabilities by providing the option to apply suitable security and control over traffic movement between segments. 

Zones are ideal for smaller segmentation strategies or networks with unmanaged switches. VLANs are the preferred method for segmenting internal networks in most cases and offer the ultimate flexibility and scalability. 

However, they require the use (and configuration) of managed Layer 3 switches.

While it’s a best practice to segment your network, there’s no “best” way to segment a network. You can segment your network by user type (internal, contractors, guests), by department (sales, marketing, engineering), by service, device, or role type (VoIP, Wi-Fi, IoT, computers, servers) or any combination that makes sense for your network architecture. 

But generally, you’ll want to segment less trusted and more vulnerable parts of your network from the rest. You’ll also want to segment large networks into smaller segments, all to reduce the risk of threat penetration and propagation.
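To make the effect of segmentation concrete, here is an added Python example (not from the original article) that compares a flat network with a VLAN plan by listing, for a compromised host, the peers it can reach through the switch alone, where the firewall sees nothing. It assumes that traffic between segments is routed through the firewall as recommended above; the host inventory, subnets and segment names are constructed.

```python
import ipaddress

# Constructed inventory: (hostname, IP address).
HOSTS = [
    ("pc-sales-1", "10.0.10.11"), ("pc-sales-2", "10.0.10.12"),
    ("pc-eng-1", "10.0.20.11"),
    ("file-srv", "10.0.30.5"), ("backup-srv", "10.0.30.6"),
    ("voip-1", "10.0.40.21"), ("cam-1", "10.0.50.31"), ("guest-1", "10.0.60.41"),
]

# Two candidate designs (hypothetical): one flat LAN versus per-role VLAN subnets.
FLAT_PLAN = {"lan": "10.0.0.0/16"}
VLAN_PLAN = {
    "sales": "10.0.10.0/24", "engineering": "10.0.20.0/24", "servers": "10.0.30.0/24",
    "voip": "10.0.40.0/24", "iot": "10.0.50.0/24", "guests": "10.0.60.0/24",
}

def segment_of(ip, plan):
    """Name of the most specific segment containing ip, or None if unassigned."""
    addr = ipaddress.ip_address(ip)
    hits = []
    for name, cidr in plan.items():
        net = ipaddress.ip_network(cidr)
        if addr in net:
            hits.append((net.prefixlen, name))
    return max(hits)[1] if hits else None

def uninspected_peers(compromised, hosts, plan):
    """Hosts in the same segment as `compromised`: reachable without crossing the firewall."""
    ips = dict(hosts)
    home = segment_of(ips[compromised], plan)
    if home is None:
        return []
    return sorted(name for name, ip in hosts
                  if name != compromised and segment_of(ip, plan) == home)

def worst_case(hosts, plan):
    """(host, peer_count) for the host whose compromise exposes the most peers."""
    counts = {name: len(uninspected_peers(name, hosts, plan)) for name, _ in hosts}
    worst = max(sorted(counts), key=counts.get)
    return worst, counts[worst]

if __name__ == "__main__":
    for label, plan in (("flat", FLAT_PLAN), ("vlan", VLAN_PLAN)):
        print(label, "pc-sales-1 ->", uninspected_peers("pc-sales-1", HOSTS, plan))
        print(label, "worst case:", worst_case(HOSTS, plan))
```

In the VLAN plan the file server and the backup server still share a segment, so the report also shows where a further split would pay off.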
