Ransomware: Mitigating The Threat

Ransomware: Mitigating The Threat

Jun 29 2017

I’ve been seeing a lot of posts that jump to conclusions that everyone would be safe from ransomware if they had patched all of their systems. Does this sound too good to be true? Yes. Does it sound realistic? No. There’s a lot more to it than that.

Firstly; not all organisations have the budget or resource to spend the entire day patching their systems, making sure their AV is up to date, checking their IDS, responding to every single incident, and remediating every single vulnerability as it is discovered. These things take time, money and resource, and must be addressed in such a way that the rest of the business can continue to function with minimal impact. It’s not a perfect choice for some, however the security function is a risk function and must be seen as an enabler which is dynamic enough to work flexibly with differing budget and resource constraints.

Firstly, there are no absolutes. Second, there is no one size fits all silver bullet solution to solve this problem of ransomware.

A risk is best mitigated when multiple controls are implemented which effect all different variables of the risk; such as the vulnerability, the threat, the severity of impact, and the frequency of a risk event.

Lets look at these risk variables in the context of the recent ransomware outbreaks.

  1. 1. The Vulnerability – The operating system. Obviously patching is the best mitigation. But lets face it; when was the last time you walked into an organisation and found every single system patched up to date? I don’t think this is possible. Especially with larger organisations. Furthermore, patching only addresses known bugs and not the unknown ones, so this approach, whilst effective, can be somewhat limited.
  2. 2. Impact / Severity – Loss of critical data, and business processes which rely on that data. Regular backups and well documented, and up to date business continuity processes which are properly understood and followed by staff are the best way to mitigate the impact.
  3. 3. The Frequency – How often outbreaks occur is commonly due to user awareness on how to identify the various forms of threats and respond in accordance with known processes. So a user armed with the knowledge on how to respond is a good way to mitigate the frequency, and this requires ongoing training programs in cyber security awareness.

 

But what I want to talk about in this article is The Threat.

If we can imagine the threat as some malicious party with some sort of malicious intent or other motivation which I described in Building Hacker Personas, then we are able to better understand the source of the threat. These threats, which are best dealt with in the physical world by law enforcement, can also be addressed in the virtual world by anyone armed with a little bit of technical knowledge. The further we can mitigate these threats and their source, the less expensive all other strategies become.

Mitigating The Threat

Almost all ransomware and malware can be tracked back to some source IP address or address range of C&C servers or email servers. And there are a bunch of open source IP lists which you can apply to your firewall to block them.

Personally, I use Emerging Threats IP lists which are refreshed and updated every day:

  1. 1. Known Compromised Hosts: This ruleset is compiled from a number of sources. It’s contents are hosts that are known to be compromised by bots, phishing sites, etc, or known to be spewing hostile traffic. These are not your everyday infected and sending a bit of spam hosts, these are significantly infected and hostile hosts. Sources include: Brute Force Blocker.
  2. 2. Firewall Block Rules: This dynamic IP list contains block rules from Spam nets identified by Spamhaus (www.spamhaus.org), Top Attackers listed by DShield (www.dshield.org), and also known ransomware C&C servers at Abuse.ch.

 

If you are using an IPtables based firewall, then there are scripts written in both bash, and perl here, which automatically refresh your firewall rules for the above block lists. Just set up a crontab to run the script overnight – something like this;

0 0 * * * /path-to-my-updatescript.sh > /dev/null 2>&1

How do I create a Dynamic Firewall Rule in pfSense?

Any decent firewall should have the ability to add a dynamic IP list, but here’s how its done in pfSense:

  1. 1. Navigate to the Firewall->Alias->URLs section as below:

2. Click Add to create an Alias. Give the alias a name, description (optional), and select the Type as URL Table (IPS). Paste in the URL of the IP blocklist mentioned above, and select the update interval as every 1 days in the pull down menu.

3. Now its as simple as creating firewall rules contained with this alias you have just created. I’ve created a rule on my WAN interface as per below to block the source. But I also have a rule setup internally to block outbound traffic destined for anything in those lists:

4. Finally, you can verify that the rules are in place by hovering over the rule in the console after saving. It should look like this:

Conclusion

There you have it. Dynamic firewall rules which update automatically on a daily basis to help mitigate the threat of ransomware and other malicious actors by blocking their source. For other solutions which help with the fight against ransomware, Core Sentinel can help. For over 15 years we have been successfully working to improve the security posture of various organisations. Call today for a free quote.

Hack-proof Your Systems.