Technical Tip: Best Practices against Ransomware

david_pereira · ‎08-20-2024

Description

This article describes some useful tips to avoid the devastating effects of a ransomware attack.

Scope

FortiClient, FortiEDR, FortiGate.

Solution

To avoid the devastating effects of a ransomware attack, it is recommended to follow these recommendations (as part of a larger defense in-depth strategy):

Make sure real-time scan is enabled and configured to scan files both on read and write.
Make sure the endpoints are configured to download antivirus signatures each hour (to receive the latest antivirus updates without delay).
Make sure a cloud-based scan is enabled (so the endpoints can check the reputation of potentially dangerous files).
Make sure sandbox scan is enabled (so the endpoints can analyze potentially dangerous files).
Make sure anti-ransomware is enabled.
Run a full scheduled scan each week (to detect any malicious files that may have passed inadvertently during the previous days).
Make sure the endpoints have the most recent FortiClient version (to benefit from the latest protection enhancements).
Install the latest security updates each month (so malware cannot exploit vulnerabilities already patched).
Backup the user data each day (so in case a ransomware attack is successful the damage is limited).
Do not give admin permissions to the users (so malware cannot escalate privileges easily).
Rebuild any machine that has experienced a ransomware attack (to make sure it is completely clean; before rebuilding ask for permission from the compliance and forensic specialists).

Useful Resources.

Prevention:
How to Prevent Ransomware
10 Steps for Protecting Yourself From Ransomware
How to Prevent Evolving Ransomware Attacks

Amid a Ransomware Attack:
Ransomware Response Checklist: A Guide for CISOs
Six Steps To Stopping Ransomware Damage

Below are some recommendations to avoid ransomware attacks:

Pishing:
Google has tracked quite a spike in phishing sites. 350% increase from January to March of 2020 year.
Solution: Protecting Email - FortiMail.

How FortiMail Prevents Ransomware & Phishing:
Virus Outbreak Protection.
Sandbox Analysis.
Content Disarm & Reconstruct.
Select Protect.
Impersonation Analysis.
Preventing Access to Malicious URLs.
FortiGate Web Filtering - Policy Controls.
Block access based on specific words or patterns.
Enable SafeSearch.
FortiGuard Web Filtering: Sorts billions of pages into a wide range of categories that are possible to apply policy to in the FortiGate.
FortiMail Click Protect: Additional security through FortiMail that provides real-time URL analysis to ensure attackers have not weaponized a site after scanning.
Preventing Execution.
FortiGuard Adv. Malware Service: Blocks known and unknown threats coming from multiple attack vectors and leverages. FortiSandbox Cloud for dynamic analysis of unknowns.
FortiClient EMS and endpoint control.
FortiMail – Content Disarm & Reconstruction: Files are deconstructed and analyzed, removing elements that do not match firewall policies.
FortiEDR - Detection & Response: Machine learning anti-malware and behavior-based detection technology. Automates response and remediation with customizable playbooks.
FortiSandbox Cloud – Unknown Threats.
Deep File Analysis.
Built to identify zero-day and previously unknown malware through a combination of technologies.
Intelligence sourced from FortiGuard labs research.
Distributes the latest threat intelligence across the platform, updating 'Known' malware lists.
Preventing Malicious Access and Lateral Movement.

Secure Access – Wired and Wireless Protection: Extends security from the FortiGate NGFW to FortiSwitch and FortiAP so any data traveling via wired or wireless receives the same inspection as if it were being inspected by the NGFW.
FortiClient EMS and endpoint control.
FortiGate Intent-Based Segmentation: NGFWs inside the perimeter ensure threats cannot spread and expand across the network.

Any additional requirement should be forwarded to the Partner or Fortinet Professional Services.

Note that the Fortinet´s TAC Support works on a break and fix mode. No configuration analysis is supported by TAC.

Some recommendations for the FortiGate:

Segmentation: segregate intellectual property and personal data to keep that information secure in the case of a successful attack.
It will ensure malware and compromised systems will be contained in a specific section of the network.
IPS: If having any internal server that allows access from the public, it is possible to enable the IPS features to all related policies.
It is also possible to apply IPS in policies between the internal segment and the server segment. Monitor or block signatures with medium to high severity.
It can be necessary to fine-tune it if a false positive occurs.
Intrusion prevention
Administration Guide | FortiGate / FortiOS 6.4.0 | Fortinet Documentation Library.
Application Control: Block high-risk categories such as P2P and Proxy. Apply it to the policy that allows users access to the internet.
Application control
Administration Guide | FortiGate / FortiOS 6.4.0 | Fortinet Documentation Library.
Web Filter: At FortiGuard category-based filter, block Security Risk and Unrated categories. Apply it to the policy that allows users access to the internet.
Web filtering
Administration Guide | FortiGate / FortiOS 6.4.0 | Fortinet Documentation Library.
Antivirus: FortiGuard Antivirus protects against the latest viruses, spyware, and other content-level threats.

AntiVirus
Administration Guide | FortiGate / FortiOS 6.4.0 | Fortinet Documentation Library.

Note that enabling too many UTM features will put pressure on the FortiGate. It can be necessary to monitor the CPU and memory usage over time and fine-tune it if needed.

Refer to the links below for more information on Fortinet approach regarding ransomware:

To protect the organization's network from ransomware or any other threats, it is not possible to depend on the features of the firewall only.

Here are some necessary guidance to do to protect people and the organization: