Back to the Basics on Threat Vectors and Ransomware

Christine Barry

When you’re thinking about cybersecurity and protecting your company from ransomware and other threats, you can’t think in terms of a specific method of attack. What we know and continue to learn about cyberattacks is that they evolve quickly. Ransomware threat actors have had decades to improve their skills and build their criminal platforms and infrastructures. Many businesses and other organizations are still trying to catch up.

While we cannot anticipate every possible attack scenario, we can operate on a handful of assumptions that we’ve observed throughout the world over the past several years:

  1. An attack on your company is likely to start with an email attack that may already be underway. Email is still considered “the number one threat vector” because it works so well. Phishing attacks are most common, and malicious links and attachments are possibilities. These attacks generally have two purposes:
    1. Steal authorized user credentials to be used for login attempts
    1. Infect the network directly with malware downloaded to an endpoint that is attached to the network
  2. Your online forms, e-commerce sites, and other Web applications are being scanned by bots right now. Threat actors look for vulnerabilities, open ports, and other opportunities to gain administrator access to your application. They may attempt to log in with credentials stolen through a successful phishing attack, or with credentials purchased through a data dump. The application threat vector includes these attacks as well as attacks on APIs and mobile applications.
  3. Bots are attempting to penetrate your network, and they never stop hunting for a poorly secured door. The network threat vector is constantly changing, scaling up and down as companies add smart devices to their networks or move their domains and resources to the public cloud. A secure network strategy will consider every edge of the network, including resources like the smart thermostat, the self-serve kiosk, and users who now work from home. Even if the threat actor enters your network through an email or Web application attack, your network security is still in play:
    1. Segmenting your network will stop threat actors from moving laterally through the network and gaining access to your entire set of data and user accounts. Network segmentation works like a water-tight door on a ship; it contains the threat to a smaller space and minimizes the damage of the breach.
    1. Intrusion detection and prevention systems, data leak prevention, and other real-time security features can detect pre-configured patterns, anomalies to learned patterns, and other activities that indicate an active threat. Administrative alerts and reporting will enable IT teams to act as soon as possible.
  4. There are attacks that are sitting out there in the wild, waiting for your users to step into sight. These reside in the Web threat vector and include the following:
    1. Drive-by downloads and social media attacks, in which malware downloads automatically in the background when a vulnerable user system visits a compromised website or social media platform. Victim devices normally have outdated browsers or some other unpatched vulnerability.
    1. Infected ads can attack a device used to visit a legitimate site. In this scenario, a third-party ad company has accepted an infected ad and placed it on a legitimate website that sells advertising. The ad company may be a trusted partner to the website, but it made a mistake in accepting the malicious ad.
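Two of the points above (bots trying stolen credentials against your applications, and intrusion detection that matches pre-configured patterns or flags anomalies against a learned baseline) can be made concrete with a small detector run over authentication log lines. The following is an added example, not code from the original post or from any Barracuda product; the log format, the thresholds, the "quiet period" counts used as a baseline, and all IP addresses and usernames are constructed for illustration.

```python
"""Flag two patterns in constructed auth log lines:
  1. a pre-configured rule: one source failing logins for many distinct
     usernames in a short window (the shape of credential stuffing);
  2. an anomaly: a source whose request count is far above a baseline
     learned from a quiet period.
Log format, thresholds and sample data are assumptions made for this example."""
from __future__ import annotations

import re
import statistics
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample lines: "<epoch> <source_ip> <username> <ok|fail>"
SAMPLE_LOG = """\
1700000000 203.0.113.10 alice ok
1700000001 203.0.113.10 bob fail
1700000002 203.0.113.10 carol fail
1700000003 203.0.113.10 dave fail
1700000004 203.0.113.10 erin fail
1700000005 203.0.113.10 frank fail
1700000006 203.0.113.10 grace fail
1700000010 198.51.100.7 alice fail
1700000011 198.51.100.7 alice fail
1700000012 198.51.100.7 alice ok
1700000020 192.0.2.44 bob ok
"""

# Constructed per-source request counts observed during a quiet period;
# they stand in for the "learned pattern" an IDS builds over time.
QUIET_PERIOD_COUNTS = [2, 3, 2, 4, 3, 2]

LINE_RE = re.compile(r"^(\d+) (\S+) (\S+) (ok|fail)$")


@dataclass(frozen=True)
class Event:
    ts: int
    src: str
    user: str
    ok: bool


def parse_log(text: str) -> list[Event]:
    """Parse lines in the assumed format; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, src, user, result = m.groups()
        events.append(Event(int(ts), src, user, result == "ok"))
    return events


def credential_stuffing_sources(events: list[Event], min_users: int = 5,
                                window: int = 60) -> dict[str, list[str]]:
    """Pre-configured pattern: a source with failed logins for at least
    `min_users` distinct usernames inside any `window`-second span.
    Returns {source: sorted usernames seen in the widest such span}."""
    failures: dict[str, list[Event]] = defaultdict(list)
    for e in events:
        if not e.ok:
            failures[e.src].append(e)
    flagged = {}
    for src, evs in failures.items():
        evs.sort(key=lambda e: e.ts)
        best: set[str] = set()
        start = 0
        for end in range(len(evs)):          # sliding window over failures
            while evs[end].ts - evs[start].ts > window:
                start += 1
            users = {e.user for e in evs[start:end + 1]}
            if len(users) > len(best):
                best = users
        if len(best) >= min_users:
            flagged[src] = sorted(best)
    return flagged


def learn_baseline(counts: list[int], sigmas: float = 3.0) -> float:
    """Learned pattern: mean plus `sigmas` standard deviations of the
    per-source request counts seen during a quiet period."""
    return statistics.mean(counts) + sigmas * statistics.stdev(counts)


def rate_anomalies(events: list[Event], threshold: float) -> dict[str, int]:
    """Anomaly to the learned pattern: sources whose request count exceeds it."""
    counts: dict[str, int] = defaultdict(int)
    for e in events:
        counts[e.src] += 1
    return {src: n for src, n in counts.items() if n > threshold}


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("credential stuffing:", credential_stuffing_sources(evs))
    threshold = learn_baseline(QUIET_PERIOD_COUNTS)
    print("rate anomalies:", rate_anomalies(evs, threshold))
```

Note the difference between the two sources that fail: 198.51.100.7 fails twice on one account and then succeeds, which looks like a user mistyping a password and is not flagged by either check, while 203.0.113.10 cycles through many accounts and is flagged by both. Alerting on the rule and the anomaly separately, as the post suggests, gives administrators two independent signals to act on.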

Planning Based on Threat Vectors

It’s simply not possible to anticipate every type of attack, so security plans must be based on threat vectors. In the context we’ve discussed here, it would look like this:

  1. Protect your entire email deployment. Whether it’s in the cloud or on premises, it’s still vulnerable to phishing attacks and malicious attachments and URLs. Your defense here must be able to identify likely phishing attempts, stop advanced threats and other malicious attachments, and allow administrators to respond quickly to threats that get past defenses. Users should receive ongoing training so that security remains top of mind.
  2. Applications are subject to so many automated attacks that robust automated protection is required. This includes protection from attacks like DDoS, brute force, credential stuffing, the OWASP Top 10 vulnerability classes, zero-day attacks, and many more. Advanced bot protection will also protect the site from spambots and scraping. Your company can’t set up separate defenses for each of these attacks. A powerful and properly configured web application firewall will protect your applications from all these bots and attacks.
  3. A firewall is a common technology, and almost every workstation or networking device that connects to the Internet provides some firewall protection. It’s good to have these firewalls, but if you lack a network-wide firewall solution, you should consider yourself as having no firewall at all. The network firewall that you need will defend against advanced threats, bots, intrusion, DDoS attacks, malware, and more. Features like network segmentation, application control, and secure remote access must also be considered, and your firewall should be able to defend on-premises, multi-cloud, and hybrid deployments.
  4. Web security and filtering solutions defend users against web-borne threats like drive-by downloads and infected ads. This solution should not only defend against the latest threats, but also include features like social-network regulation, remote filtering, and visibility into SSL-encrypted traffic.

Since this post is based on threat vectors, we haven’t discussed the importance of a good backup. It should go without saying that you have a data backup in place that considers the location and value of your data, as well as how much data you are willing to recreate if you must perform a data restoration. (Think of this in terms of minutes, hours, days.) Unfortunately, we cannot “go without saying” because backups are often configured once and then never reconsidered or tested, even though data may move to new locations or simply decline in value while more critical data goes unprotected. It’s best to think of backups as data protection and a critical piece of your cybersecurity and business continuity.
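The two backup points made above, deciding how much data you are willing to recreate (a recovery point objective per dataset, in minutes, hours or days) and re-checking backups that were configured once and never tested, can be turned into a routine review. The following is an added example, not code from the original post or from any Barracuda product; the dataset names, objectives and timestamps are constructed, and the rule that a restore test older than 90 days counts as stale is an assumption.

```python
"""Review a constructed backup inventory against two rules:
  - the last successful backup must be no older than the dataset's RPO
    (how much data the owner is willing to recreate);
  - a restore must have been tested, and tested recently enough.
Names, RPOs, timestamps and the 90-day test age are assumptions."""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class Dataset:
    name: str
    rpo: timedelta                    # acceptable data loss window
    last_success: datetime | None     # last completed backup, None if never
    last_restore_test: datetime | None  # last verified restore, None if never


# Constructed "now" and inventory for the example.
NOW = datetime(2024, 1, 15, 12, 0, tzinfo=timezone.utc)
INVENTORY = [
    Dataset("crm-db", timedelta(minutes=15),
            NOW - timedelta(minutes=5), NOW - timedelta(days=10)),
    Dataset("file-share", timedelta(hours=24),
            NOW - timedelta(days=3), NOW - timedelta(days=200)),
    Dataset("new-erp", timedelta(hours=1), None, None),
    Dataset("old-wiki", timedelta(days=7),
            NOW - timedelta(days=1), NOW - timedelta(days=30)),
]


def review_backups(datasets: list[Dataset], now: datetime,
                   max_test_age: timedelta = timedelta(days=90)) -> dict[str, list[str]]:
    """Return {dataset name: [finding codes]} for datasets that need attention."""
    findings: dict[str, list[str]] = {}
    for d in datasets:
        issues = []
        if d.last_success is None:
            issues.append("no_successful_backup")
        elif now - d.last_success > d.rpo:
            issues.append("backup_exceeds_rpo")
        if d.last_restore_test is None:
            issues.append("restore_never_tested")
        elif now - d.last_restore_test > max_test_age:
            issues.append("restore_test_stale")
        if issues:
            findings[d.name] = issues
    return findings


def worst_data_loss(datasets: list[Dataset], now: datetime) -> dict[str, timedelta]:
    """How much data would be lost per dataset if it had to be restored now."""
    return {d.name: (now - d.last_success if d.last_success else timedelta.max)
            for d in datasets}


if __name__ == "__main__":
    for name, issues in review_backups(INVENTORY, NOW).items():
        print(f"{name}: {', '.join(issues)}")
    for name, loss in worst_data_loss(INVENTORY, NOW).items():
        print(f"{name}: would lose {loss} of data if restored now")
```

Running the review on a schedule, rather than once at setup, is what catches the situation the post describes: a dataset whose backups quietly fell behind its objective, or one that was added to the environment but never put under protection at all.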

Barracuda offers solutions to protect these threat vectors and your data from advanced threats like ransomware. Barracuda’s simple Ransomware 1-2-3 strategy lays out a complete defense against ransomware, and Barracuda Advanced Threat Protection provides the updates needed to make sure those solutions can defend against the latest ransomware variants. Contact Connection today to learn more.

Christine Barry is Senior Chief Blogger and Social Media Manager at Barracuda. Prior to joining Barracuda, Christine was a field engineer and project manager for K12 and SMB clients for over 15 years. She holds several technology and project management credentials, a Bachelor of Arts, and a Master of Business Administration. She is a graduate of the University of Michigan.