In Search of the Silver Bullet: Agentless Ransomware Kill Switch
We worked with a large financial institution that was the victim of a ransomware attack. An employee received an email containing a malicious attachment and proceeded to download and open it. Chaos ensued. In the next several hours I saw IT managers, SOC analysts, and Network Administrators frantically scramble to coordinate a response, halt the propagation throughout the network, assess the damage, and put critical business components back online.
By the end, we watched IT staff call individual workers and instruct them to crawl under their desks and unplug their computers. Nervous tones turned to outright yelling as Network Admins and IT Managers argued over authority, incident mitigation, damage containment, and recovery.
The organization had a response plan in place. However, it failed to adequately account for the volatility and unpredictability of a time-sensitive information security incident. NIST SP 800–62 Computer Security Incident Handling Guide, suggests that “…it is infeasible to develop step-by-step instructions for handling every incident. Organizations should be generally prepared to handle any incident but should focus on being prepared to handle incidents that use common attack vectors.” The most thoroughly prepared incident response plan can fail when faced with a security breach due to simply having the wrong focus. Organizations should be focused on mitigating attack types, not specific attacks.
This experience, while hectic and stressful, highlighted some large gaps that we feel are common in incident response plans, even those which purport to follow best practices.
Simplicity — Far and away the most common issue we see in incident response plans is an abundance of complexity. Organizations tend to have excessively detailed playbooks with step-by-step instructions. According to NIST, this should be discarded in favor of an attack vector-based approach.
With this concept in mind, we often see organizations struggle to avoid excessive complexity while preparing to respond to the variety of risks introduced by their unique threat landscape.
For example, any mature information security program will have ensured an appropriately segmented network based on function, risk tier, etc. While this is a sound approach to network security, it is inadequate when faced with the rapid network propagation of modern ransomware algorithms. Incident response teams need a way to dynamically modify network access and security policy across the network in a simple way. Simplicity breeds adaptability and broad applicability in the face of a volatile and unpredictable threat environment.
Centralized Response — A critical component of incident response is centralization. As the second's tick by in the event of a ransomware attack, a security practitioner can practically feel a business lose money and suffer perhaps irreparable reputational damage. With such a time constraint in place, a scattered, disparate response plan is wildly inadequate. Such an approach will lead to slow, error-prone responses, thereby costing organizations time and money.
Consider, for example, a decentralized response attempting to mitigate the damage as a vicious strain of malware chews through their environment. Their network may have been appropriately segmented, however losing an entire VLAN would still be catastrophic to the business. So what then do they do? Do they proceed to ask Network Admins to begin manually closing switch ports and removing individual endpoints? Even with the most efficient and experienced team, responses will be slow and mistakes will be made. Or worse still, do they ask individual employees to physically unplug their machines? Organizations need a better approach.
Authority — No incident response plan worth its salt exists without an attempt to delineate authority in the event of a security breach. However, in our experience, the established authority hierarchy remains largely fragile and inefficient. Even if response plans are read and understood (a big if in a busy technology environment), these hierarchies often fail. Critical members are often unavailable on short notice, and redundant authority is rarely established and understood. Incident response plans can be difficult to find and may suffer from poor version control. This can lead to confusion in trying to establish an approved path forward while precious seconds tick by.
An Innovative Approach
Airgap solutions streamline the incident process. With the patented Ransomware Kill Switch™, Airgap offers organizations a single command console that enables IT administrators to immediately halt malware propagation enterprise-wide.
With respect to simplicity, the Ransomware Kill Switch™ offered by Airgap offers a single-click response with can offer complete containment of malware and breaks the cyber kill chain among inter and/or intra-VLAN lateral communications. It doesn’t get any simpler than that. IT or OT personnel don’t need to be concerned with performing several large, complicated, disparate steps to mitigate the damage of malicious software. No manual removal of endpoint or closing of switch ports. This solution enables admins to make enterprise-wide modifications to security policy, up to and including complete network lockdown with one click, with per-device granularity. Fast, simple, and error-free.
In addition to one-click simplicity, the Airgap admin console is the pinnacle of centralization. It offers a one-stop location for enterprise-wide visibility and policy modification. From this console, admins can dynamically and holistically modify security policy on their network based on perceived risk at a given moment. Organizations need not be concerned with a scattered, scrambled response. One stop. That’s it.
Lastly, the establishment of authority in the event of a security incident remains a fundamental, proactive step organizations should take. The establishment of not just what calls to make, but who should be making those calls can be performed well in advance of an actual incident. This step is critical for lowering response time and reducing the risk of mistakes. The clear delineation of this authority can be established easily within the Airgap admin console. Admins with the authority to modify risk levels can receive permission to do so at their discretion.
Unique in the industry, Airgap offers an innovative approach to network security that has the potential to revolutionize the modern approach to incident response. For more information or schedule a demo, please visit https://airgap.io/.