Mohammad Jamal Tabbara, Solutions Architect Manager at Infoblox, explains that DNS security remains the first line of defense, since ransomware and most other malware use DNS at one or more stages of the cyber kill chain.
Ransomware attacks have escalated and have become one of the most damaging threats today. They are increasingly carried out by nation-states and organized crime, and they cost millions of dollars in reputational damage, recovery expense, extorted ransom payments, lost revenue, unusable critical infrastructure, and more. New models such as Ransomware-as-a-Service are taking cybercriminals' attacking capacity to the next level.
Given the rising tide of ransomware attacks, and the growing investment by threat actors in ransomware-as-a-service platforms, organizations are increasingly concerned with protecting their IT assets by adopting and implementing cybersecurity management best practices at an organizational scale. Infoblox, drawing on its experience helping companies protect their core IT services and orchestrate their cybersecurity posture, recommends:
- Back up data, system images, and configurations; test the backups regularly; and keep them offline. Backups must not be reachable from the business network, because many ransomware variants search for accessible backups and encrypt or delete them. Current offline backups are critical: if the data on the network is encrypted by ransomware, they are the only way the systems can be restored.
- Update and patch systems promptly: keep operating systems, applications, and firmware current in a timely manner.
- Orchestration is key. Use a centralized patch management system, and let a risk-based assessment strategy drive your patch management program.
- Leverage DNS as a first line of defense: DNS security must be a core part of any organization's ransomware defense. Ransomware and most other malware use DNS at one or more stages of the cyber kill chain. In a targeted attack, DNS may be used during the reconnaissance phase. It is used in the delivery phase, as potential victims unknowingly make DNS queries for the hosts involved in the attack, and in the email delivery process when the ransomware propagates via spam campaigns. The exploitation phase may involve DNS queries as the victim's system is compromised and infected. DNS is also used routinely when an infected system checks in with its command and control (C&C) infrastructure. Applying threat intelligence and analytics to your internal DNS traffic can detect and block this activity early, before the ransomware spreads or downloads its encryption payload.
- Network segmentation: ransomware attacks have recently shifted from stealing data to disrupting operations. It is critically important that corporate business functions and manufacturing/production operations are separated, that internet access to operational networks is carefully filtered and limited, and that links between these networks are identified, with workarounds or manual controls in place so that ICS networks can be isolated and keep operating if the corporate network is compromised. Test contingency plans such as manual controls regularly, so that safety-critical functions can be maintained during a cyber incident.
- Test your organization's incident response plan: nothing exposes the gaps in a plan like testing it. Work through some core questions and use the answers to build the plan: can you sustain business operations without access to certain systems? For how long? Would you shut down manufacturing operations if business systems such as billing were offline?
- Check your security team's work: use a third-party penetration tester to test the security of your systems and your ability to defend against a sophisticated attack. Many ransomware criminals are aggressive and sophisticated, and they will find the equivalent of unlocked doors.
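The DNS recommendation above says that threat intelligence and analytics applied to internal DNS logs can catch the delivery and C&C stages early. The following script, added here as an illustration and not code from Infoblox or from the article, shows what that looks like in practice against a handful of constructed query-log lines. The log format (timestamp, client IP, queried name, record type), the blocklist entries (hypothetical names under the reserved `.test` TLD) and the heuristic thresholds are all assumptions for the example. It flags three things: queries for a blocklisted domain or any of its subdomains (threat intelligence), long high-entropy hostnames of the kind domain-generation algorithms produce (analytics), and a client querying one name at near-constant intervals, the check-in pattern of C&C beaconing.

```python
"""Added example: threat intelligence plus simple analytics over internal DNS
query logs. Log format, blocklist and thresholds are constructed for the demo."""
import math
from collections import Counter, defaultdict
from datetime import datetime

# Constructed threat-intelligence blocklist (hypothetical names, not real IOCs).
THREAT_INTEL = {"dropper-cdn.test", "c2-beacon.test"}

# Constructed DNS query log lines: "<ISO timestamp> <client IP> <qname> <qtype>"
SAMPLE_LOG = """\
2024-03-01T10:00:00 10.0.0.5 www.intranet.test A
2024-03-01T10:00:05 10.0.0.5 dropper-cdn.test A
2024-03-01T10:00:06 10.0.0.5 files.dropper-cdn.test A
2024-03-01T10:01:00 10.0.0.7 c2-beacon.test A
2024-03-01T10:02:00 10.0.0.7 c2-beacon.test A
2024-03-01T10:03:00 10.0.0.7 c2-beacon.test A
2024-03-01T10:04:00 10.0.0.7 c2-beacon.test A
2024-03-01T10:05:12 10.0.0.9 xk3jq9v2mzp8w1ytr4lb.test A
2024-03-01T10:06:00 10.0.0.9 mail.intranet.test MX
"""


def parse_log(text):
    """Parse the constructed log format into (timestamp, client, qname, qtype)."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, qname, qtype = line.split()
        records.append((datetime.fromisoformat(ts), client,
                        qname.lower().rstrip("."), qtype))
    return records


def matches_blocklist(qname, blocklist=THREAT_INTEL):
    """True if qname itself or any parent domain is on the blocklist."""
    labels = qname.split(".")
    return any(".".join(labels[i:]) in blocklist for i in range(len(labels)))


def shannon_entropy(s):
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def looks_generated(qname, min_len=16, min_entropy=3.5):
    """Crude DGA heuristic: leftmost label is long and has high entropy."""
    label = qname.split(".")[0]
    return len(label) >= min_len and shannon_entropy(label) >= min_entropy


def find_beacons(records, min_queries=4, max_jitter_s=5):
    """Clients querying one name at near-constant intervals (C&C check-in)."""
    by_pair = defaultdict(list)
    for ts, client, qname, _ in records:
        by_pair[(client, qname)].append(ts)
    beacons = []
    for (client, qname), times in by_pair.items():
        if len(times) < min_queries:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        if max(gaps) - min(gaps) <= max_jitter_s:
            beacons.append((client, qname, round(sum(gaps) / len(gaps))))
    return beacons


def analyse(text, blocklist=THREAT_INTEL):
    """Return (kind, client, detail) alerts for the log text."""
    records = parse_log(text)
    alerts = []
    for _, client, qname, _ in records:
        if matches_blocklist(qname, blocklist):
            alerts.append(("threat-intel", client, qname))
        elif looks_generated(qname):
            alerts.append(("dga-like", client, qname))
    for client, qname, period in find_beacons(records):
        alerts.append(("beacon", client, f"{qname} every ~{period}s"))
    return alerts


if __name__ == "__main__":
    for kind, client, detail in analyse(SAMPLE_LOG):
        print(f"{kind:12} {client:10} {detail}")
```

In production the blocklist would come from a threat-intelligence feed and the matching would run on the resolver itself (as a response policy zone or equivalent) so the query is blocked rather than merely logged; the entropy and beaconing heuristics are deliberately simple and will need tuning against real traffic, where CDN and telemetry hostnames produce false positives for both.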
In conclusion, organizations have a responsibility to protect themselves and to keep their resources, employees and partners safe. It is up to us to build a strong security posture, through orchestration and the use of security intelligence, but also by adopting a set of best practices that involve the whole organization. On the path to achieving that, do not overlook the critical role that secure management of DNS plays in the process.