Adaptive Segmentationmicro-segmentation December 20, 2021

3 Steps to Stop Ransomware From Spreading

Nathanael Iversen, Chief Evangelist

In a previous post, we explored the concept of visibility and how it can help you spot potential paths for ransomware and other malware to spread. Next, we outlined how to visualize, quantify and mitigate risk from vulnerabilities.

With those elements in place, you're now well-positioned to stop ransomware in its tracks, using both proactive and reactive measures.

Here's how.

Best practices for protecting against ransomware

Ransomware wreaks havoc on companies large and small in every major industry. But it has an achilles heel. It typically moves in a very predictable pattern.

First, malware gains entry into an organization's IT environment through a vulnerable pathway. Then, if left unchecked, it spreads, often over weeks or months, spiderwebbing across networks, devices and servers. Finally, somebody flips the switch to activate it once it's in place, and the ransomware appears to pop up out of nowhere.

This process can happen because it's relatively easy to move across most environments laterally because firewalls typically sit on top of data centers and not close to systems they protect.

Stopping the spread of ransomware, malware and other cyberattacks involves a three-step process.

1. Close down risky ports and vectors that ransomware can use to gain that initial entry into your systems.

2. Put up barriers to prevent malware from moving laterally through your environment if it does get in.

3. Improve your post-intrusion response by setting up secondary policies to activate for incident response.

Eliminate unnecessary connections

It all starts with isolating critical assets by eliminating unnecessary communication.

Consider video conferencing, for example. There's usually no good reason for a conference host's laptop to talk directly to another device logged into the conference over RDP or SMB ports. So, administrators can feel free to close those ports on both devices with no impact on anything else in the environment. As another example, in most cases, you can shut down the older and highly vulnerable FTP and Telnet protocols within your environment.

Allowing only necessary communication and eliminating unnecessary paths between devices and networks lets you tighten workflows and machines down to contain ransomware.

You can do it by blocking all communications across individual ports, as in the examples above, for a single application, within a geographical location, or across an entire network.

For best results, you should implement such controls both proactively and reactively.

Closing inbound and outbound ports

Acting proactively means closing any unused ports in your data center or other areas before an attack occurs — just like locking the front door when you go to bed at night.

Acting reactively means responding to incidents with policies in place that you can activate when you know or even suspect the presence of malware anywhere in your environment.

Start by putting protective rings around your highest-value applications or assets. That way, if malware does breach a device or network in your environment, it will stay tightly confined within a small area, leaving the rest untouched.

As we explored in our previous post, some ports present more risk than others and should get the highest priority for closure. These include highly connected ports that perhaps only a handful of servers use to communicate with other systems in a data center.

In most cases, non-management servers should never use vulnerable ports such as RDP and SMB ports that enable peer-to-peer communication. The good news is that such ports make up most of the attack vectors for malware. In other words, if you restrict such entryways as RDP, SMB, and Win RM, you can eliminate most of the malware that pops up in the news.

Also, consider well-known ports used by databases and core services. That list includes applications and services commonly bundled into Linux distributions. Many of these are very old at their core and have vulnerabilities built up over many years.

Fortunately, simple, risk-based controls and policies working on the inbound side of any machine in a data center can help you get a handle on these well-known vulnerabilities to stop malware.

As for outbound ports, most of the servers in the data center have no business talking to the internet or perhaps only in specific, clearly defined ways.

By tightening communication to prevent unauthorized data from leaving the organization, you can stop ransomware's command and control function from phoning home to trigger deadly encryption bombs.

Of course, you can do the same with cloud systems and overly-broad user access permissions. Just limit the outbound traffic, controlling when and how applications, devices, and users communicate with the wider internet. In this way, you can quickly implement ransomware containment strategies.

It's all about isolating infected assets and protecting the rest of your environment. And good visibility of your environment can take you even further by revealing patterns over time.

Use visibility for ransomware protection

In our previous post, we show how Illumio takes in connection data and flow information from routers, switches and other on-premises infrastructure along with clouds and end-user systems.

Illumio uses that information to create application dependency maps for IT professionals and API interfaces for security automation.

This information lets administrators make high-quality, low-regret decisions about what assets should talk to what other assets. They can then develop proactive policies – essentially creating barriers and containing critical assets and systems – that work across machines, cloud-native firewalls, network switches and more to protect against threats.

Bottom line, a breach between two users shouldn't affect other users or assets in the cloud or the data center, and good visibility can highlight such a potential vulnerability before an attack.

Improve post-intrusion response

Illumio also helps with post-intrusion response.

For example, suppose you spot suspicious activity moving through your environment. In that case, you might want to put in barriers to protect your core databases, PCI payment systems, medical records, trading information and other sensitive assets.

What's needed in this case is a containment capability that might be more restrictive than you want to run in day-to-day operations. Its purpose is to stop malware spread at the source.

Before any attack, IT administrators might want to create secondary policies to activate as part of their incident response runbook. The idea is to isolate and protect systems by eliminating connectivity that could result in compromise. Instead, the containment policy freezes further malware propagation, for example, by restricting non-essential RDP communications.

Illumio supports this by allowing administrators to spot traffic flowing in unexpected ways and rapidly implement policies cutting off undesirable connections.

Moving beyond firewalls

With Illumio, you can see workloads running in your environment, whether they're in a data center, in the cloud, or between these environments — for example, between web and databases workloads.

Using this visual map, you can quickly close the door to unsafe traffic. Using RDP as an example of a common way for ransomware to move across workloads, you can create a rule that will block just that traffic. You can also define barriers based on metadata, such as labels for different types of workloads and physical locations.

You can think of these barriers as a kind of reverse firewall. That's because, in firewalls, you typically create rules defining wanted traffic, with everything else disallowed by default. Illumio lets you reverse that workflow to define the denied traffic first. Then you make exceptions to enable communications for individual cases.

And it's all automated, allowing you to create emergency policies that you can launch at a moments' notice to protect your environment from any attack with just a few clicks.

In short, Illumio provides the visibility you need to spot vulnerable workloads and machines, shut down unneeded ports in advance of an attack, and isolate malware infections before they can spread. This one-two punch of proactive and reactive controls helps you to quickly stop attacks from becoming cyber disasters.

Learn more about how Illumio stops ransomware from spreading:

Adaptive Segmentationmicro-segmentation
Share this post: