Summer is barely over, but given the myriad of highly publicized ransomware attacks that have taken place this year alone, it’s probably pretty likely business leaders everywhere are desperately trying to ensure that no ransomware attackers can get into their systems. And while it’s great that more organizations are starting to take cybersecurity more seriously, if you are placing all your emphasis on defending against outside threats you’re ignoring the very important question: what happens if attackers do make it inside? Then what? You may think that if hackers make it into your system it’s already too late, but that is far from the truth. Between gaining access and executing the ransomware, there is a middle phase to the attack in which attackers move around networks, gain access to administrative credentials, and locate the data they are going to encrypt and/or steal. Attackers can spend months moving throughout a network before actually launching the attack. Defending the middle is therefore essential to protect against suffering a ransomware attack.
In fact, according to a recent report by Coveware, it may be a lot more important to focus on defending the middle than just trying to keep the bad guys out. After analyzing data from multiple ransomware attacks, Coveware discovered that while attackers use a variety of means to gain access to a victim’s system, what the hackers do once they are inside is always the same. “As our data shows, 100% of the cases where we were able to collect triage observations found privilege escalation and lateral movement tactics employed.” And the tactics used in the middle phases are actually pretty limited. Once inside, if only one of the attacker’s tactics fails, it becomes a lot more difficult to pull off the attack. According to Coveware, “inhibiting a threat actor from escalating privilege or moving laterally is equally if not more important than preventing initial [entry].”
Because the tactics used to move around a victim’s network are pretty limited, that also means just a few protective measures could be the thing that stops the hackers from launching their ransomware. Here are 3 things businesses can do right now to defend the middle:
Multi-Factor Authentication For Domain Controller
A system’s domain controller is the part of your network that allows or denies access requests to your network. It’s essentially the seat of your access controls. That means if hackers gain access to your domain controller they can give themselves access to pretty much anything they want. To prevent this, it’s essential to set up multi-factor authentication for your domain controller. What’s more, it’s vital to use a mobile authentication code-based MFA rather than on hard MFA tokens. According to Coveware, “100% of ransomware attack victims LACK true multi-factor authentication for the domain administrator accounts.” So setting up MFA for your domain controller could be the thing that saves you from a ransomware attack.
Disable the Command Line
The command line is a back-end tool that allows IT administrators to build scripts that run automatically and perform complex tasks on a system’s network. It’s also an essential part of how ransomware attackers make changes to your system and move around your network. Coveware found that ransomware hackers rely heavily on the use of command lines to automate various parts of the ransomware attack. Disabling command line and scripting capabilities means hackers can’t rely on automatic processes to carry out their attack, making their efforts that much more time-consuming and costly.
Network Segmentation
Imagine taking everything you have and putting it in a single locked room. If someone breaks in, everything you have is now gone. That’s exactly like what having an unsegmented network is like. In order to make things harder for the bad guys and keep your data as safe as possible, it’s essential to separate different parts of your network from each other. That way, even if an attacker gains access to one part of your network, they aren’t able to get anywhere else.
In the past few years, new approaches to cybersecurity such as defense-in-depth and cyber resilience are becoming increasingly popular among cyber experts. In essence, both of these approaches argue that just protecting your systems from the outside is not enough. It’s vital to not just hope no one breaches your defenses, but that you have protections and plans in place for when someone does make it inside. Defending the middle is one strategy for taking on a defense-in-depth approach to cybersecurity, and it could be the thing that stands between you and a full-blown ransomware attack.