Endpoint Protection

Introduction

This is the fifteenth in my Security Series of Connect articles.  For more information on how to keep your enterprise environment secure using often-overlooked capabilities of Symantec Endpoint Protection (and the OS upon which it functions), see Mick's Greatest Hits: Index of Helpful Connect Security Articles. This article was last updated in November 2017.

This article shares some tips and actions that can be taken to make your organization (both environment and employees) better capable of dealing with your next inevitable encounter with ransomware.

Inevitable?

Yes.  Computer Ransomware has been around since 1989's AIDS Trojan.  For many years this family of threats was rare.  In the past couple years, though, malware which locks or encrypts computers and demands payment has become an epidemic.  The threat actors behind the many variants have a strong financial motive to continue creating new samples and attacking as many victims (both at random and targetted) as possible.  My crystal ball says Ransomware is not going away any time soon. 

So, ensure your defenses are up!  The more measures you take now, the better prepared you will be.  Each of the recommendations below will reduce the risk of a successful Ransomware infection. 

(Of course, nothing can completely eliminate the risk... see SEP Times in the City: A Helpful Symantec Endpoint Protection Analogy for a mildly amusing illustration.)

What Your Infrastructure Can Do

1. Don’t give every end user administrator user rights.  The principle of "Least-Privilege" has been recommended forever- it's time to put it into practice. 
   
   Implementing Least-Privilege Administrative Models
   https://technet.microsoft.com/en-us/windows-server-docs/identity/ad-ds/plan/security-best-practices/implementing-least-privilege-administrative-models   

2. Carefully control write-access permissions to remote files.  Use Access Control Lists to specify what actions your users can perform against files. If the only permission a user account has is Read Only, it's not possible for ransomware running as that user to corrupt anything.
   
   Best practices for basic NTFS permissions on a share
   https://social.technet.microsoft.com/Forums/office/en-US/c6242159-d15d-417e-91f8-eb19c0da3a35/best-practices-for-basic-ntfs-permissions-on-a-share?forum=winserverfiles

3. Use FSRM to block ransomware's changes to your file servers.  Most file servers are sabotaged when an infected laptop or workstation on the network has a remote drive mapped.  FSRM will not save that desktop, but it will prevent the shared reource on the file server from being corrupted and raise an alarm.
   
   Protect your File Server against Ransomware by using FSRM and Powershell
   https://gallery.technet.microsoft.com/scriptcenter/Protect-your-File-Server-f3722fce?tduid=(20a69f8ccbbd96b722925b5ddec0d859)(256380)(2459594)(TnL5HPStwNw-Zy7_Vi7bCaEBMnCq.fWQsg
   
   (Please note: the script above is not from Symantec nor is it supported by Symantec.  I am just giving it and its author some well-deserved due credit.  I hear it's been a huge help to some companies.)

4. Back your data up!  If it is destroyed by ransomware- or a tornado, fire, whatever- you can restore it and carry on.

5. Keep those backups where they cannot be hit!  An air gap between the data and the backup copy means that no ransomware, worm, hacker or other hazard can get to it.  Another approach is to burn your backups to DVD or other storage medium that is then write-protected.

6. Mail Security!  Take it Seriously.  Don't just purchase a product, leave everything at its defaults, and assume you'll be safe.  Configure it to use Rapid Release definitions, strengthen its policies, implement Disarm, and block the attachments which are always malware.  This is incredibly effective when done right.

   Support Perspective: W97M.Downloader Battle Plan
   https://www-secure.symantec.com/connect/articles/support-perspective-w97mdownloader-battle-plan

7. Patch against Drive-By Downloads.  Surfing with old browsers and old Flash plugins?  Here's a cute cartoon for you.
   
   
   

8. Use all SEP components.  IPS and SONAR have saved a lot of bacon.  Give them a shot at saving yours.
   
   Ransomware protection and removal with Symantec Endpoint Protection
   http://www.symantec.com/docs/HOWTO124710
    

9. Use SEP's optional Application and Device Control (ADC) policies.  These can make it more difficult for Ransomware to run.
   
   Strengthening anti-virus security to prevent Ransom-ware derivative (Trojan.Cryptolocker family, etc.) infections
    

10. Configure the environment not to run unsigned Macros.  If you MUST allow Macros, only allow signed ones.
    
    Plan security settings for VBA macros for Office 2013
    https://technet.microsoft.com/en-us/library/ee857085.aspx

11. Lock down RDP.  If your server's username and password are compromised or can be brute forced, an attacker can Remote Desktop in and perform any action they wish.  That includes disabling security features and then downloading ransomware. It happens.
    
    Securing Domain Controllers Against Attack
    https://technet.microsoft.com/en-us/windows-server-docs/identity/ad-ds/plan/security-best-practices/securing-domain-controllers-against-attack  

12. Avoid Mapping Network Drives. Some ransomware can even sabotage unmapped shares.  So, hide your network shares!

13. Use the latest SEP. SEP 12.1 is still supported, but SEP 14 includes new, additional technologies which can block malware.  The more roadblocks and lines of defense in front of the ransomware files, the better!

Most Powerful of All: What Your People Can Do
 

1. Read Your Logs.  The SEPM provides excellent intelligence on what is happening in your environment.  For example, it can provide a report on “system infected” IPS events.  Don’t just ignore them!  Especially if IPS is fighting off a cryptolocker, isolate that computer and submit to Security Response the malware which is causing the malicious traffic. 

2. Test Your Disaster Recovery. When was the last time you checked how swifly you could restore from a backup and get people working with that known-good data?  It's a slight inconvenience to run "fire drills" but they are always worthwhile before a real emergency strikes.

3. Test Your Users.  Do they know how to react to suspicious incoming emails?  Find out!  &: )

4. Educate Your Users!  Saving the most powerful point for last....

• Never enable Macros to view any incoming mail attachment!  Don't click Enable to allow the "hidden contents" to display, don't enter in a password to see the document's hidden message, don't be fooled by any enticing message.

• Have Windows configured to “show known file types." Instruct end users not to open anything with more than one extension.

• Save mail attachments to a folder from which .exes are not permitted to run (ADC policy can create one) and open them there if they appear genuine.

   

Conclusion

Many thanks for reading!  I hope this article helps. 

If not, these will:

Special Report: Ransomware and Businesses 2016
https://www.symantec.com/connect/blogs/report-organizations-must-respond-increasing-threat-ransomware

Businesses most at risk from new breed of ransomware
https://www.symantec.com/connect/blogs/businesses-most-risk-new-breed-ransomware
 

Please leave comments and feedback below.