What We Do
How we do it
Resources
SECURITY ADVISORIES
May 11, 2022
CVE-2022-26923 - Active Directory Domain Services Elevation of Privilege Vulnerability
THE THREAT Microsoft has disclosed a new vulnerability impacting Active Directory Certificate Services (ADCS) tracked as CVE-2022-26923 (Active Directory Domain Services Elevation of Privilege Vulnerability). If exploited successfully, an authenticated attacker can escalate privileges in environments where ADCS is running on the domain. eSentire is aware of technical details and tooling [2] for…
Read More
View all Advisories →
Company
ABOUT ESENTIRE
About Us
eSentire is The Authority in Managed Detection and Response Services, protecting the critical data and applications of 1200+ organizations in 75+ countries from known and unknown cyber threats. Founded in 2001, the company’s mission is to hunt, investigate and stop cyber threats before they become business disrupting events.
Read about how we got here
Leadership Work at eSentire
LATEST PRESS RELEASE
May 17, 2022
Cybersecurity Leader eSentire Continues Its Commitment to Rigorous Security Standards Earning PCI DSS Certification
Waterloo, ON, May 17, 2022 — eSentire, the Authority in Managed Detection and Response (MDR), maintains one of the most secure and robust IT environments of any MDR provider in the industry. To that end, eSentire today announced that it has received the Payment Card Industry Data Security Standard (PCI DSS) certification, considered one of the most stringent and comprehensive payment card…
Read More
Partners
PARTNER PROGRAM
e3 Ecosystem
We provide sophisticated cybersecurity solutions for Managed Security Service Providers (MSSPs), Managed Service Providers (MSPs), and Value-Added Resellers (VARs). Find out why you should partner with eSentire, the Authority in Managed Detection and Response, today.
Learn more
ECOSYSTEM PARTNER RESOURCES
Apply to become an e3 ecosystem partner with eSentire, the Authority in Managed Detection and Response.
Login to the Partner Portal for resources and content for current partners.
Search
Resources
Blog — Mar 01, 2018

How can you fight ransomware? Solutions to 11 common ransomware failure points

Speak With A Security Expert Now

Ransomware is an increasingly appealing cyberattack method. Compared to traditional methods, ransomware typically involves fewer steps and a more direct route to payment (which is the goal in this case). And nowadays, with publicly available toolkits, it's easier than ever for cybercriminals to develop effective ransomware. This leads to a continual evolution of ransomware variants, which is what helps them evade the security defenses working to detect them.

Somewhere along the path of attack, ransomware breaks into a network at the point where defenses are down (or weak). This is referred to as a failure point. As we know, successful ransomware and malware-based attacks are crafted to allow them to evade traditional defense checkpoints. Below we list common failure points and their solutions to help you prepare for future ransomware attacks.

Common failure points and their solutions

FAILURE POINT SOLUTION

The firm’s upstream email simple mail transfer protocol (SMTP) provider did not scan attachments for malicious content.

#4

The firm’s next generation firewall did not identify the attachment as malicious (or questionable) content.

#1, #4

The firm’s local email system (e.g. Microsoft Exchange) did not scan attachments for malicious content.

#4

The end user was not sufficiently trained to identify a phishing email (with malicious content).

#5

The user’s workstation (or mobile device) did not flag the malicious content (through anti-virus or other endpoint protection methodology).

#1

If the delivery vector was a macro hidden within an Office document (the most common delivery method), macros were enables within Office (or the user was enticed to enable them manually).

#4, #5

The user’s workstation did not have restrictions places on the execution of downloaded content.

#3

The firm’s next-generation firewall and/or Intrusion Prevention system did not recognize and/or block the command-and-control traffic (including key generation) of the malicious code (particularly important if the remote IP addresses were previously known to be bad).

#1, #4

The firm did not detect (through filesystem analysis) that a specific user was modifying a large number of files rapidly.

#3, #6

Depending on how many files were affected by the infected endpoint, it is a possibility that the end user had more access than they necessarily needed to execute their job.

#3

During the restore process, some newer data/files might have been not backed up due to a gap in backup rigor.

#2

These failure points may seem very specific and hard to avoid – but don’t despair! We’ve provided solutions to help you overcome each of them.

1. Ensure all systems are up to date

This may sound obvious, but it’s extremely important and easy to overlook. “All systems” includes all workstations, servers (including internal and DMZ) and mobile devices. Always perform patches whenever and wherever possible. Use tools like anti-virus, anti-exploit (for ex, EMET), application whitelisting (for ex, AppLocker) and mobile device management software. And finally, restrict downloading of applications and payloads (for ex, Network Application Control).

2. Ensure backups of critical systems and data are successful and available

This solution is two-fold: test regularly for content accuracy and back up important data offline. Do these often. Attacks can (and often will) come when you least expect them, and the more recently you backed up data, the less likely you will have lost data.

3. Restrict access

You can avoid a lot of unnecessary anxiety by following this solution. Very few employees need access to everything. In fact, only select employees with specifically the “need to know” should be able to access highly-sensitive information, and only then, in accordance with the company policy and job function. Knowing this, it would be a good practice to enforce “least privilege” access throughout systems. It’s also important to segment networks. This includes restricting workstation-to-workstation access and utilizing a jump box for important and critical parts of your network. Finally, log and investigate any access attempts to shares that get denied, as this could very well be early signs of an infestation.

4. Reduce susceptibility footprint

Under this solution, there are four practices to consider. First, reduce inbound vectors (for ex, personal email) as these can make the network susceptible to different attack vectors. Second, disable macros within Microsoft Office if they’re not needed; and in a similar vein, use Microsoft Viewer when you don’t need to edit Office documents (especially if/when viewing suspect documents). Finally, investigate options to improve/harden upstream SMTP attachment scanning and quarantine, as this will help flag anything suspicious before it goes any further.

5. Training

Effective training is key. Encourage your employees to be skeptical when it comes to opening emails and clicking on files. One way to do this is through ongoing and interactive security awareness training, in addition to weekly reminders and postings about the importance of data security. Regular phishing tests can’t hurt either – they’re a great way to gauge the overall security awareness and vigilance of your employees, and the success of your training program.

6. Alerting

Although it’s the last solution on the list, alerting is as important as any other tactic you can use. One that is particularly important to implement is behaviour-based alerting when a certain threshold of files is modified. Also, be sure to have a comprehensive Continuous Monitoring/Embedded Incident Response methodology. Alerts must be investigated; it doesn’t help if the warnings fall on deaf ears.

Conclusion

While these solutions by no means guarantee you’ll never experience a ransomware attack, they’re a step in right direction. Applying these solutions to any failure points you’ve identified will reduce the chance of ransomware getting into your network and disrupting business, which is what we all want.

Between running a business and protecting that business, it’s a lot to keep track of. With Managed Detection and Response, our SOC can be a great resource to monitor operations when you can’t. We’ve got your back. Let us know what we can do to help.

View Most Recent Blogs
eSentire
eSentire

eSentire is the Authority in Managed Detection and Response, protecting the critical data and applications of 1200+ organizations in 75+ countries from known and unknown cyber threats. Founded in 2001, the company’s mission is to hunt, investigate and stop cyber threats before they become business disrupting events. Combining cutting-edge machine learning XDR technology, 24/7 Threat Hunting, and proven security operations leadership, eSentire mitigates business risk, and enables security at scale. The Team eSentire difference means enterprises are protected by the best in the business with a named Cyber Risk Advisor, 24/7 access to SOC Cyber Analysts & Elite Threat Hunters, and industry-leading threat intelligence research from eSentire’s Threat Response Unit (TRU). eSentire provides Managed Risk, Managed Detection and Response and Incident Response services. For more information, visit www.esentire.com and follow @eSentire.