The most effective strategy for stopping ransomware attacks relies on preventing them from ever entering your organization. The number of applications and services businesses require to operate continues to increase. The result is a larger attack surface, spanning the network, SaaS-based applications and endpoints, that existing protective measures cover ineffectively. As threat actors become more skilled, new attacks are deployed faster than vulnerabilities can be remediated or patches implemented. Consequently, organizations need to start thinking holistically about their security platform.
Legacy cybersecurity approaches have primarily focused on detection and remediation, but this is no longer effective. To prevent a ransomware attack, a shift in practice from detection to prevention is essential. Stop attacks before they can infect organizations and cause harm. Organizations must have the appropriate security architecture in place to enable this shift, which has three key elements:
1. Reduce the attack surface
2. Prevent known threats
3. Identify and prevent unknown threats
In order to reduce the attack surface, you must gain full visibility into traffic on your network, across applications, threats and user behavior. It is likely that if you don’t know what is happening on your network, an attacker does and will use that as a way to get in. Classifying activity allows you to make the right decisions about what should be allowed, and it highlights unknown events that require further investigation. With this visibility, you can take actions, such as blocking unknown traffic, identifying advanced attacks, or simply enabling only the applications that have a valid business purpose.
Once the traffic has been classified, application- and user-based policies need to be enforced. There is a practically unlimited number of permutations for these policies, which limit access to certain applications for certain groups of users and for certain portions of the network. With high visibility and the right policies, a large majority of the methods attackers use to deliver malware onto your network can be cut off.
To further reduce the attack surface, you need to block all dangerous and potentially dangerous file types. Although not all file types are malicious, those that have a higher probability of being malicious should be blocked. After dangerous file types have been blocked, policies aligned to your risk tolerance need to be implemented. Users should be prevented from connecting non-compliant endpoints to critical network resources.
After you have reduced your attack surface, the next step is to prevent known threats. To do this, you need to stop known exploits, malware, and command-and-control traffic from entering your network. Once those have been stopped, the cost of executing an attack rises, which in turn reduces its likelihood by forcing attackers to create new malware variants and launch new exploits against lesser-known vulnerabilities.
You also need to prevent users from inadvertently downloading a malicious payload or having their credentials stolen by preventing access to known malicious and phishing URLs. Blocking these threats removes them from the equation entirely. Once these known threats have been blocked, you need to scan for known malware on your SaaS-based applications, as they are increasingly leveraged to deliver threats. Any identified malware and exploits from the scan should be blocked. The same should be done for known malware and exploits on the endpoint.
Once the known threats have been blocked, it is imperative to identify and block any unknown threats, as attackers continue to deploy new zero-day exploits and develop new ransomware variants. The first step is to detect and analyze unknown threats in files and URLs. As new files are submitted, it is essential to detonate and analyze them, looking for malicious behavior in content that has never been seen before. Additionally, you need to automatically push the resulting protections down to the different parts of the security infrastructure as fast as possible in order to prevent threats from succeeding. This should include context to understand the attacker, malware, campaign, and indicators of compromise associated with the attack. Once unknown threats or trends of suspicious behavior have been identified and blocked, block unknown malware and exploits on the endpoint to ensure that all access points are secure.
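The three elements above, applied to a single inbound file, as an added illustration that is not part of the original article and not any vendor's product code. It assumes a hypothetical `inspect_file` decision function, a constructed list of high-risk file signatures, and constructed blocklists; file type is judged by content rather than by the declared file name, since the name is under the sender's control.

```python
import hashlib
from dataclasses import dataclass

# Element 1: content signatures for file types the policy treats as high-risk (constructed list).
BLOCKED_MAGIC = {
    b"MZ": "Windows executable (PE/EXE/DLL/SCR)",
    b"\x7fELF": "ELF executable",
    b"\xd0\xcf\x11\xe0": "legacy OLE Office document (macro-capable)",
}
# Element 2: known verdicts by SHA-256, fed from threat intel or sandbox results (start empty).
KNOWN_BAD_SHA256 = set()
KNOWN_GOOD_SHA256 = set()


@dataclass
class Verdict:
    action: str  # "block", "allow" or "analyze"
    stage: str   # which of the three elements made the decision
    reason: str


def sniff_type(data: bytes):
    """Return the high-risk type label matching the file's leading bytes, or None."""
    for magic, label in BLOCKED_MAGIC.items():
        if data.startswith(magic):
            return label
    return None


def inspect_file(data: bytes, declared_name: str) -> Verdict:
    # Reduce the attack surface: refuse dangerous types regardless of the declared name.
    label = sniff_type(data)
    if label:
        return Verdict("block", "reduce-attack-surface", f"{label} content in '{declared_name}'")
    # Prevent known threats: hash lookup against previously seen verdicts.
    digest = hashlib.sha256(data).hexdigest()
    if digest in KNOWN_BAD_SHA256:
        return Verdict("block", "prevent-known", f"sha256 {digest[:12]} is on the blocklist")
    if digest in KNOWN_GOOD_SHA256:
        return Verdict("allow", "prevent-known", f"sha256 {digest[:12]} previously verified")
    # Prevent unknown threats: never-seen content is held for detonation instead of passed through.
    return Verdict("analyze", "prevent-unknown", f"sha256 {digest[:12]} has not been seen before")


def record_sandbox_verdict(data: bytes, malicious: bool) -> str:
    """Turn the unknown into known: push the analysis result into the protections."""
    digest = hashlib.sha256(data).hexdigest()
    (KNOWN_BAD_SHA256 if malicious else KNOWN_GOOD_SHA256).add(digest)
    return digest
```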
The ultimate goal of this process is to turn the unknown into known and improve the security posture with new protections at a faster pace than attackers can develop their malware and exploits – across the entire attack lifecycle.