One of the most potentially destructive IT security threats faced by Australian businesses is ransomware. Cyber criminals infiltrate IT infrastructures, encrypt valuable data stores, and then demand payment before they will provide the decryption keys.
The number and sophistication of ransomware attacks are increasing, and more organisations are focusing attention on the best methods to prevent them from succeeding. The situation is particularly challenging because some cybercriminals use more advanced attack techniques to evade or disable security software tools and deploy ransomware on precise targets.
Such attacks also go beyond indiscriminately encrypting any data they come across. Instead, cyber criminals target data that is critical to a particular business. These attacks require criminals to conduct lateral movement activities such as stealing credentials, discovering network assets, probing for open ports, querying Active Directory for critical objects, and escalating access privileges.
Endpoint detection
Conventional IT security tools, such as endpoint detection and response (EDR) systems and endpoint protection platforms (EPP), are essential components in the ongoing fight against ransomware.
Advanced EDR solutions examine process flows and chains to see if something looks unusual, and these types of observations can also be helpful after an attack. As security teams investigate an incident, EDR can provide insights into process flows it mapped during the event. EPP also provides capabilities such as automated patch management, maintaining devices remotely, and protecting endpoints from attacks.
However, one must understand that such tools do not stop all types of attacks. They do not detect all ransomware attack and propagation methods, especially lateral movement. To successfully defend against newer and more sophisticated ransomware attacks, organisations must have a layered approach that supplements EDR, EPP, and other legacy tools with additional capabilities.
Such a strategy needs to cover critical areas, including:
An organisation can create an environment where every endpoint becomes a decoy designed to disrupt an attacker’s ability to break out and further infiltrate the wider network. It can achieve this without requiring agents on the endpoint or causing disruption to the endpoints or network operations.
Following this approach, an organisation's IT security team receives alerts for any lateral movement activities while at the same time misdirecting the attack into the decoy environment. Then, the environment can collect forensic evidence that will speed up adversary intelligence development and attack analysis.
The organisation can even configure the decoy environment to feed the ransomware unlimited data to stall the attack, preventing it from moving on to other production targets.
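As an added illustration of the two deception mechanisms described above (alerting on any touch of planted decoy assets, and serving a never-ending data stream to stall encryption), here is a small Python example. It is not Attivo's code; the decoy account and host names, and the pipe-delimited event format, are constructed for the example.

```python
"""Deception-based lateral-movement alerting over constructed auth events.
Added illustration, not vendor code. Decoy names and log format are hypothetical."""
from dataclasses import dataclass
from typing import Iterator, List, Optional, Tuple

# Hypothetical decoy inventory: planted credentials and one decoy file server.
# No legitimate workflow uses these, so any hit is a high-fidelity signal.
DECOY_ACCOUNTS = {"svc_backup_old", "adm-finance"}
DECOY_HOSTS = {"FS-ARCHIVE01"}


@dataclass(frozen=True)
class Event:
    src_host: str
    account: str
    dst_host: str
    action: str  # e.g. "logon" or "share_access"


def parse_event(line: str) -> Event:
    """Parse the constructed format: src_host|account|dst_host|action."""
    src, account, dst, action = line.strip().split("|")
    return Event(src, account, dst, action)


def classify(ev: Event) -> Optional[str]:
    """Return an alert reason if the event touches a decoy asset, else None."""
    if ev.account in DECOY_ACCOUNTS:
        return "decoy credential used"
    if ev.dst_host in DECOY_HOSTS:
        return "decoy host contacted"
    return None


def alerts_for(lines: List[str]) -> List[Tuple[str, str]]:
    """Map raw event lines to (source host, reason) alerts; quiet on normal traffic."""
    out = []
    for line in lines:
        ev = parse_event(line)
        reason = classify(ev)
        if reason:
            out.append((ev.src_host, reason))
    return out


def decoy_stream(chunk: bytes = b"\0" * 4096) -> Iterator[bytes]:
    """Endless data a decoy share can feed to ransomware so it never finishes."""
    while True:
        yield chunk


def bytes_served(n_chunks: int) -> int:
    """Pull n chunks from the stream to show it never runs dry."""
    stream = decoy_stream()
    return sum(len(next(stream)) for _ in range(n_chunks))


# Constructed sample: one normal access, then lateral movement from WS-042.
SAMPLE = [
    "WS-017|alice|FS-PROD01|share_access",
    "WS-042|svc_backup_old|FS-PROD01|logon",
    "WS-042|bob|FS-ARCHIVE01|share_access",
]
```

Running `alerts_for(SAMPLE)` yields two alerts, both attributing the activity to WS-042, which is the pivot host an investigator would isolate first.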
An ongoing threat
Clearly, ransomware will pose an increasing and long-term threat for Australian organisations of all sizes, meaning that both senior management and IT security teams must understand the importance of implementing multiple layers of protection.
Unfortunately, there is no single means of defending against all ransomware attacks. However, an approach that combines traditional tools with newer solutions featuring deception-based detection within the network can bolster cyber defences.
Taking these steps will give an organisation the best possible chance of detecting ransomware attacks before they cause disruption and damage. Diverting cyber criminals towards decoy resources and away from critical files and applications is the best road to take.
Jim Cook is the ANZ regional director at Attivo Networks.