Malware, ransomware, wipers, whatever you want to call them, they’re quite adept at spreading - whether across the web or laterally across your internal network.
From stopping the initial point of infection to narrowing its path of destruction, here are some tips from the US-CERT (United States Computer Emergency Readiness Team) to help organizations of all sizes stay safe:
Infection Prevention
Taking steps toward good security hygiene can help prevent initial malware infection.
Apply patches - Among others, the Petya/NotPetya malware leveraged a few Windows vulnerabilities to compromise systems that did not have a critical security patch from March 2017, MS17-010. Updating your systems as soon as you’re able to (especially with critical patches) can protect your operating systems from known vulnerabilities.
Set strong spam filters and scan emails - Phishing emails with malicious attachments are sent by threat actors to users with the intent to install malware on their computers. Set up filters to stop these emails from reaching users, and scan emails to filter executable files from reaching users, in addition to detecting threats.
Disable macro scripts - Some of those malicious attachments on phishing emails are Microsoft Office documents that contain macro scripts that download malware onto computers (known as macro malware). US-CERT recommends using Office Viewer software to open Microsoft Office files transmitted via email.
Reported in February by researchers, a new macro malware was observed checking for macOS or Windows on victims’ computers, then using embedded Python code to download a malicious payload targeting their specific operating system, according to BleepingComputer.
Develop and practice employee education - Train users on how to identify scams, malicious links, social engineering, etc. Run internal phishing simulation campaigns to identify risks and potentially vulnerable devices with free phishing tools.
Authenticate inbound email - US-CERT recommends using Sender Policy Framework (SPF), Domain Message Authentication Reporting and Conformance (DMARC) and DomainKeys Identified Mail (DKIM) to prevent email spoofing, which can deceive recipients into trusting fraudulent senders.
Stop or Slow Lateral Movement
After an attacker gains a foothold within your systems, they may use stolen credentials and lack of proper network security architecture to move laterally and your environment, seeking out sensitive data. Here’s how to make it more difficult for them to do so:
Use least privilege - Configure access controls, manage privileged user accounts and only give administrative access to those that absolutely need it to carry out job functions. In the Petya/NotPetya attack, the malware used a tool to collect cached credentials, then scanned networks to find vulnerable machines to infect. A single infected system on your network with administrative credentials could allow for attackers to move laterally and spread malware, as The Register noted.
Limit admin logins - Microsoft explains in more detail how frequently logging into accounts with local admin privileges and keeping active sessions open across multiple machines could allow for easier lateral movement.
Limiting admins to logging into admin accounts only when they need to perform administrative tasks can help reduce risk. Admins should log into standard user accounts, without privileges, as normal practice. Two-factor authentication also increases the difficulty for intruders to steal and reuse credentials to gain access to network devices, according to US-CERT.
Strong password policies - Use unique and strong passwords that are changed frequently, and never use hard-coded or default passwords. NIST’s latest Digital Identity Guidelines publication recommends a minimum of eight characters and a maximum of up to 64, and encourages the use of passphrases (longer sequence of words or text) for stronger security.
Use two-factor authentication (2FA) - Implement a secondary form of authentication to stop attackers from using stolen passwords to move around between systems and applications in your environment. Avoid SMS-based 2FA (as it can be bypassed in a number of ways), and opt for the more secure methods of Universal 2nd Factor (U2F) or push-based authentication.
Advanced solutions allow you to create controls that block access based on location, user or device on a per-application basis. That way, you can choose which user groups should have access to different applications and data, based on the level of sensitivity.
Proper network segmentation - To reduce the impact of and reach of a breach, minimize where you store critical information and restrict access to these systems. Define different network zones based on risk profiles and role-based controls, as SearchSecurity stated.