Ransomware Protection Part 1: Hardening Strategies to Secure Your Enterprise
Ransomware isn’t going anywhere any time soon. According to numbers from the FBI and Infoblox, the number of DNS domains associated with ransomware–in addition to the amount of money ransomware is raking in–are both skyrocketing.
The goal of this guide is to provide you with a variety of suggestions for hardening your enterprise network against ransomware attacks. Some of these may be easier said than done, but all of them will help defend your enterprise and your users against ransomware and other malware variants.
Quick Note: During the course of my research, I have been fortunate enough to find some great resources for defending against ransomware. Also, if you’ve already read my other post, some of the content featured here will more or less be considered review.
User Awareness on Phishing
Ransomware has traditionally been distributed via phishing emails with weaponized office documents attached. These office documents are often disguised as invoices, business documents, legal notifications, shipping notifications, and others. They’re purposefully designed to make the victim feel like the document contains important business from someone, regarding something of a critical nature.
There are several guides available online for spotting phishing e-mails. Check them out, along with doing some other research, and adapt their message to your user security training.
Keep in mind, though, that there is far more to user training than that. One thing these guides have in common is the expectation that your users are already technically savvy, familiar with the terminology, and will actually notice the slightest imperfection in a phishing message.
Users Are Humans, Not Robots
The fact of the matter is, your users are busy people with a million other things going on. Sometimes the extent of their knowledge about computer security is that it’s the job of some nebulous team–in a company they never see–that enforces (what they believe are) arbitrary rules, and gets in the way of them doing their job. Now, they have to do your job too?!
Before you bust out the torches and pitchforks, stop for a minute and put yourself in the user’s shoes. Try to spot the phishing email. Go ahead; I’ll wait.
Users and Phishing Problems
Even with the best training, phishing emails are extremely hard to detect. The vast majority of users will not be able to tell the difference between what is real and what is a phish. I got a 9 out of 10 on that phishing quiz, and I’d like to think I’m fairly good at what I do.
The point is, even people with years of security experience sometimes fail to spot one. How well do you expect your user base, who have tons of other things to get done in a given day, to fare? Do your best. Continue teaching your users the terminology and how to spot phishing attacks, but don't rely on one-time technical guides alone.
Limit Trust and Always Verify
Critical thinking is important to teach when it comes to phishing messages. Some of the articles I linked touch on this, but just barely.
Some things you should encourage your users to think about:
- Were you expecting an email from the organization?
- Do they normally send you an attached document when you receive invoices/shipping/tracking/whatever notifications?
- If so, is this the normal file type they attach? Are there misspellings, changes in the message formatting/appearance, etc.?
- Last, but certainly most important, teach your users to limit their trust, and always verify. Have your users contact the person or organization an e-mail claims to represent, ask if they actually sent them an e-mail. For example:
User: “Hey, Bob from ABC. Did you send me this email with “XXX” subject, and XYZ attachment?”
Bob: “No, I didn’t.”
User: “That’s weird, I have an e-mail that said it came from you guys today, and you’re saying you didn’t send it.”
Bob: “Okay, thanks.”
Hopefully, after this phone call, your user forwarded the message to your company’s spam alias (you do have an alias for users to forward spam/phishing emails to, so the security team can analyze them, don’t you?), or to the security staff to analyze the message, or at a minimum deleted it. If so, score one for your security training.
Stop Blaming the User
What do you do if user education fails and users still manage to get infected? First and foremost, what you should NOT DO is panic, get angry, and blame the users. Instead, practice public outreach with your customers/users, and encourage them to reach out to the helpdesk/IT/Security if they notice anything strange happening after they opened messages.
If user training can’t prevent the attack from happening, user training can at least teach your users to communicate with your IT staff if they suspect something is wrong. Even if it turns out to be a false alarm, I’d rather have users who see something strange and communicate it, rather than say: “Weird. Oh well. Guess it was just a glitch” and continue on like nothing ever happened.
6 Key Points (tl;dr)
Make training relevant
Make awareness training relevant to users’ lives. If you don’t, it becomes another checkbox that your users fill out once a year.
Don’t blame/insult users
Phishing is hard even for trained professionals to spot, let alone your users who have a million other things to do. If they get phished, don’t blame or insult them.
Don’t assume technical knowledge
Don’t assume that your users understand technical terminology, or will understand technical methods on how to spot phishing attacks.
Ensure easy reporting
Have an easy method for reporting phishing emails to your security/IT team, such as an email alias/group users can forward suspected phishing messages to.
Promote “trust, but verify”
Appeal to your user’s capability to use critical thinking and/or common sense: question everything, “trust but verify”, etc.
Build a positive community
Make your relationship with your user community positive, so that if they do get phished, or they do notice something strange, they’re more forthcoming about reporting it.
Better Email Security
As I mentioned above, phishing is by far the most common way that ransomware is being distributed in this day and age. Ransomware phishing attacks typically use an Office document with a malicious macro or script embedded in it, typically a .doc, .ppt, .xls, .docm, .pptm or .xlsm file. Note the difference between the two groups: in the newer OOXML formats only the macro-enabled extensions (.docm, .pptm, .xlsm) can carry macros, whereas the legacy binary formats (.doc, .ppt, .xls) can carry them without giving you any hint from the extension.
Office macros are essentially embedded VBA (Visual Basic for Applications) code that can automate tedious tasks and, according to a number of old IT/data entry stories, has automated people and entire divisions of a business out of a job. Office macro attacks aren’t new and have been around since the late 90’s: ever hear of the Melissa virus?
What can you do to help mitigate the risks?
Disable Office Macros
The first thing most security pros will tell you to do is disable Office macros entirely, without any notification.
By default, recent versions of Microsoft Office disable macros but show a notification bar (“Security Warning: Macros have been disabled.” with an “Enable Content” button). Ransomware phishing docs are built around that button: the document body says something like “This document is protected by X security feature. Click Enable Content to view”, or “This document may be incompatible with your version of Office. Click Enable Content if you are experiencing problems viewing it”, and so on.
Believe it or not, however, there are some business units or organizations that actually need office macros to do their job effectively. Maybe nuking macros for everyone and everything is… well, a bit ham-fisted for those who still need to utilize macros in their business.
- Disable Office macros for business units, or groups in your business, that do not need them. This requires you to figure out the workflows of the different business units in your organization: find out how they do automation and whether it’s feasible to disable macros for that group.
- Disable macros in macro-enabled files downloaded from the Internet. The latest version of Office (2016) now (finally!) lets administrators do this through policy; the block keys off the mark-of-the-web that browsers and mail clients stamp on downloaded files. If you’re an organization rolling out Office 2016, consider making use of this new feature.
- Disable Office macros unless they are digitally signed. Office can be configured to trust macros from a particular trusted location (for example a locked-down internal share), and/or your code-signing certificate can be used to sign the macros that are critical to business processes, workflows or tasks, so that only those run. Keep the trusted location write-protected and the list of trusted publishers short; otherwise you have just moved the problem.
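The three options above map onto two Office policy values. The following PowerShell script is an added example, not code from the original post; it writes the same registry values the Office 2016 ADMX templates set, so you can test a policy on one account before building the GPO. The mode names and the parameter layout are my own; the registry paths and value meanings are the documented Office 2016 (16.0) policy keys.

```powershell
# Added example, not from the original post: apply the macro policy described in
# the text to the current Windows account by writing the Office 2016 policy keys.
# For a fleet, deploy the same values with Group Policy and the Office ADMX templates.
#
# VBAWarnings meanings (the "Macro Settings" policy):
#   1 = Enable all macros
#   2 = Disable all macros with notification (Office default, shows "Enable Content")
#   3 = Disable all macros except digitally signed macros
#   4 = Disable all macros without notification
param(
    [ValidateSet('DisableAllNoNotify', 'SignedOnly')]
    [string]$Mode = 'DisableAllNoNotify',

    # Set to $false only for a business unit that must keep its own macros; even
    # then it should never run macros in files that arrived from the Internet.
    [bool]$BlockInternetMacros = $true
)

$apps = 'Word', 'Excel', 'PowerPoint'
$vbaWarnings = switch ($Mode) {
    'DisableAllNoNotify' { 4 }
    'SignedOnly'         { 3 }
}

foreach ($app in $apps) {
    $key = "HKCU:\Software\Policies\Microsoft\Office\16.0\$app\Security"
    New-Item -Path $key -Force | Out-Null

    # Because this lives under the Policies hive, the Trust Center shows the
    # setting greyed out and the user cannot re-enable macros themselves.
    Set-ItemProperty -Path $key -Name 'VBAWarnings' -Type DWord -Value $vbaWarnings

    # "Block macros from running in Office files from the Internet" (Office 2016+).
    # Applies to files carrying the mark-of-the-web (Zone.Identifier stream) set by
    # browsers and mail clients; files without the mark, e.g. from internal shares,
    # are governed by VBAWarnings alone.
    Set-ItemProperty -Path $key -Name 'blockcontentexecutionfrominternet' `
        -Type DWord -Value ([int]$BlockInternetMacros)
}

# Print the resulting values so they can be verified before going into a GPO.
foreach ($app in $apps) {
    Get-ItemProperty -Path "HKCU:\Software\Policies\Microsoft\Office\16.0\$app\Security" |
        Select-Object @{ n = 'App'; e = { $app } }, VBAWarnings, blockcontentexecutionfrominternet
}
```

Run it as `.\Set-MacroPolicy.ps1 -Mode SignedOnly` for a finance group that depends on signed macros, or with the defaults for everyone else; with `SignedOnly`, a signed macro that arrived by e-mail is still blocked by the Internet setting, which is the behaviour you want.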
Other Types of Phishing
What do you do about phishing attachments that aren’t office documents/macros?
Changing the file associations for script files is a cheap and effective way of preventing them from running when a user double-clicks them. Windows is super helpful here: when a file has an extension it knows how to execute, double-clicking hands it straight to the matching interpreter (Windows Script Host for .js, .vbs and .wsf; mshta.exe for .hta; cmd.exe for .bat and .cmd). No warnings, no problems!
File associations are what Windows uses to decide which program opens which file extension, and you can set them through Group Policy. For starters, take a closer look at the default associations for .bat, .cmd, .hta, .js, .jse, .msh, .msh1, .msh2, .mshxml, .msh1xml, .msh2xml, .ps1, .ps1xml, .ps2, .ps2xml, .psc1, .psc2, .reg, .vb, .vba, .vbe, .vbs, .ws, .wsc, .wsf, .wsh: these are all extensions associated with scripting on Windows (the .msh* and .ps2* entries date from pre-release PowerShell and are rarely registered today, and .ps1 already opens in Notepad by default, but it costs nothing to confirm). Change their association to something more innocuous, like notepad.exe. That way, if a user is phished, a Notepad window showing the script’s contents pops up instead of the script running. Be clear about what this does and doesn’t cover: it closes the double-click path, but anything that invokes wscript.exe, cscript.exe or cmd.exe directly (an Office macro, for instance) still runs the script.
While we’re talking about attachments and file formats, you may also want to block, at the mail gateway, any e-mail carrying one of the attachment types above, as well as other commonly abused file formats.
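To see which of those extensions still launch an interpreter on a given machine, the following audit script is an added example (not from the original post). It reads the per-machine associations from HKLM:\SOFTWARE\Classes, reports each extension, and with `-Remediate` repoints the ProgID’s “open” command at notepad.exe. The extension list is the one from the text; the `-Remediate` switch and the output format are my own. It assumes no per-user override exists under HKCU\Software\Classes and no GPO “Default Associations Configuration File” is in force, since either takes precedence over these keys, which is also why Group Policy is the right tool for a fleet.

```powershell
# Added example, not from the original post: audit the per-machine association of
# each scripting extension and optionally repoint it at Notepad. Run elevated.
# Assumption: no per-user (HKCU\Software\Classes) or GPO default-association
# override is present; those win over the HKLM keys changed here.
[CmdletBinding()]
param(
    [switch]$Remediate
)

$extensions = '.bat', '.cmd', '.hta', '.js', '.jse', '.msh', '.msh1', '.msh2', '.mshxml',
              '.msh1xml', '.msh2xml', '.ps1', '.ps1xml', '.ps2', '.ps2xml', '.psc1', '.psc2',
              '.reg', '.vb', '.vba', '.vbe', '.vbs', '.ws', '.wsc', '.wsf', '.wsh'

# Open the file in Notepad instead of handing it to an interpreter.
$safeCommand = '"%SystemRoot%\system32\notepad.exe" "%1"'

foreach ($ext in $extensions) {
    $extKey = "HKLM:\SOFTWARE\Classes\$ext"
    $progId = (Get-ItemProperty -Path $extKey -ErrorAction SilentlyContinue).'(default)'
    if (-not $progId) {
        # Nothing registered: a double-click prompts for an application, so there
        # is no interpreter to replace (typical for the old .msh*/.ps2* names).
        Write-Output ("{0,-10} not registered" -f $ext)
        continue
    }

    # The ProgID's "open" verb is what Explorer runs on double-click.
    $cmdKey  = "HKLM:\SOFTWARE\Classes\$progId\shell\open\command"
    $command = (Get-ItemProperty -Path $cmdKey -ErrorAction SilentlyContinue).'(default)'
    $runs    = [bool]$command -and ($command -notmatch 'notepad\.exe')

    $state = if ($runs) { 'EXECUTES' } else { 'safe' }
    Write-Output ("{0,-10} {1,-28} {2,-9} {3}" -f $ext, $progId, $state, $command)

    if ($Remediate -and $runs) {
        New-Item -Path $cmdKey -Force | Out-Null
        Set-ItemProperty -Path $cmdKey -Name '(default)' -Value $safeCommand
    }
}
```

On a stock Windows 10 box the audit shows .bat and .cmd executing through `"%1" %*`, .hta through mshta.exe, .js/.vbs/.wsf through WScript.exe, and .ps1 already safe. Re-run without `-Remediate` afterwards to confirm every remaining row reads “safe”, and remember that this changes only what a double-click does, not what wscript.exe does when something else calls it.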
Adopt an Enterprise File Sharing Platform
Normally, I’m not a fan of cloud file hosting or sharing services. However, you can’t deny their ubiquity and the fact that your user base more than likely uses them or tries to use them–with or without company approval.
Consider adopting an enterprise file sharing platform and using that as the official standard for exchanging files over the internet instead of e-mail.
Most cloud file sharing solutions let your users share links to files with third parties, and also let a third party upload files to your users through a link. Eliminating e-mail as a file storage and sharing channel doesn’t remove the risk of phishing altogether (attackers can still send e-mails with malicious links, including links to documents hosted on someone else’s sharing service), but it removes e-mail as the expected way to receive documents, so an unexpected attachment becomes an anomaly in itself and the gateway rules below can be made much stricter without breaking legitimate workflows.
The default file association for scripting files such as .js and .vbs hands them to Windows Script Host as soon as they are double-clicked.
10 Key Points (tl;dr)
Disable macros where possible
In order to figure this out, you may need to meet with different business units to determine if and/or how they are used. Typically, macros are used by data entry positions and/or accounting/finance business units to automate data input, calculations, etc.
Remove re-enabling option
If you choose to disable macros, don’t give your users the option of re-enabling them. Most weaponized documents play into this and try to coax the user into clicking the “Enable Content” button. Here is a guide on disabling macros in MS Office. If you want to make this mass-deployable (e.g. via Group Policy), you’ll need the right ADMX template for the version of MS Office in your enterprise.
Implement Group Policy feature
The newest version of Microsoft Office allows you to configure Office to never enable macros in documents downloaded from the Internet. If you are rolling out Office 2016, consider implementing this feature.
Consider digitally signed macros
If disabling macros is not an option, consider implementing digitally signed macros and configuring Office to not allow unsigned macros at all.
Change default file associations
Change the default file associations for Windows scripting file extensions to ensure that malicious files, that take advantage of windows default file associations, are not executed if a user downloads and clicks on them from a phishing attack. This article shows you how to do so through Group Policy. You’ll want to pay attention to the following file types at the very least: .bat, .cmd, .hta, .js, .jse, .msh, .msh1, .msh2, .mshxml, .msh1xml, .msh2xml, .ps1, .ps1xml, .ps2, .ps2xml, .psc1, .psc2, .reg, .vb, .vba, .vbe, .vbs, .ws, .wsc, .wsf, and .wsh
Block specific file types/attachments
Block e-mail messages with abused file formats attached to the message. Check out this list for suggestions on file types to block. Also consider blocking .zip, .rar and .7z files.
Implement an email quarantine
Implement email quarantine for legacy document file formats and/or macro-enabled documents, so that users have to confirm with IT that a quarantined message is legitimate before it can be released to them.
Utilize blacklisting solutions
Utilize mail blacklisting solutions (e.g. SenderBase, Spamhaus, etc.) to blacklist known spam/malicious relays.
Implement a Sender Policy Framework
Implement SPF, an email validation system designed to detect email spoofing, and consider blocking email from domains that do not publish SPF records. Two caveats before you go that far: SPF checks the envelope sender (MAIL FROM / Return-Path) against the domain’s published list of permitted senders, not the From: header the user actually sees, so pair it with DKIM and DMARC where you can; and many legitimate senders still have no SPF record at all, so start by rejecting hard failures (“-all”) and treat a missing record as a risk signal before you treat it as a block.
Configure external email messages with tags
If your mail server allows, configure email messages received from external systems to be marked with a tag in the subject line (e.g. “[External] Subject Line”) to make users aware that the message originated from a third party and to treat anything contained in or attached to that message with caution.
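The attachment blocking, quarantine and external-tagging points above can all be expressed as Exchange transport rules. The following is an added example, not from the original post: it is written for the Exchange Management Shell (on-premises Exchange 2013 or later); the rule names and the exact extension lists are my choices, and the `-Quarantine` action assumes an on-premises quarantine mailbox is configured (in Exchange Online, `-SetSCL 9` routes the message to the user’s quarantine instead).

```powershell
# Added example, not from the original post: Exchange transport rules for the
# gateway controls described above. Run in the Exchange Management Shell with an
# account that holds the Transport Rules role. Names and lists are assumptions.

# 1. Reject mail carrying script, shortcut or executable attachments by extension.
#    .zip is deliberately left out here and handled by the quarantine rule, so
#    legitimate archives are delayed rather than bounced; add it if you can afford to.
$blockedExtensions = 'bat', 'cmd', 'hta', 'js', 'jse', 'vb', 'vbe', 'vbs', 'ws', 'wsc',
                     'wsf', 'wsh', 'ps1', 'ps1xml', 'psc1', 'reg', 'scr', 'exe', 'com',
                     'pif', 'lnk', 'rar', '7z'

New-TransportRule -Name 'Block script and executable attachments' `
    -AttachmentExtensionMatchesWords $blockedExtensions `
    -RejectMessageReasonText 'Attachment type not permitted; please use the file sharing portal' `
    -RejectMessageEnhancedStatusCode '5.7.1'

# 2. Extension matching is defeated by renaming, so also reject anything whose
#    content Exchange identifies as executable regardless of its name.
New-TransportRule -Name 'Block executable content' `
    -AttachmentHasExecutableContent $true `
    -RejectMessageReasonText 'Executable content not permitted' `
    -RejectMessageEnhancedStatusCode '5.7.1'

# 3. Quarantine legacy binary and macro-enabled Office documents, plus archives,
#    so IT has to confirm the message is legitimate before releasing it.
New-TransportRule -Name 'Quarantine macro-capable documents and archives' `
    -AttachmentExtensionMatchesWords 'doc', 'dot', 'xls', 'xlt', 'ppt', 'pot',
                                     'docm', 'dotm', 'xlsm', 'xltm', 'pptm', 'potm', 'ppsm', 'zip' `
    -Quarantine $true

# 4. Tag the subject of anything that did not originate inside the organization.
New-TransportRule -Name 'Tag external mail' `
    -FromScope NotInOrganization `
    -PrependSubject '[External] '
```

Rules are evaluated in priority order, so list the reject rules before the quarantine rule; `Get-TransportRule | Format-Table Name, Priority, State` shows the order once they are in place. If a business unit genuinely exchanges macro-enabled workbooks with one partner, add an `-ExceptIfSenderDomainIs` exception to rule 3 for that partner rather than weakening the rule for everyone.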
Check out Part 2 of this network hardening guide, next!
About Hurricane Labs
Hurricane Labs is a dynamic Managed Services Provider that unlocks the potential of Splunk and security for diverse enterprises across the United States. With a dedicated, Splunk-focused team and an emphasis on humanity and collaboration, we provide the skills, resources, and results to help make our customers’ lives easier.
For more information, visit www.hurricanelabs.com and follow us on Twitter @hurricanelabs.