A strong fort has no weak spots. Does the same go for your defense against ransomware? In this blog we will take a look at what the OSI model tells us about that.
Naarden-Vesting stands out in the landscape like a jewel. You can recognize it on Google Maps long before zooming in on the canals, walls and bastions. The shape of the fortress is based on hard mathematics. Nothing was left to chance: blind spots were out of the question, and so were weak spots. From every position the attacker had to be within range of fire and able to be stopped. And if he did break through somewhere despite that, he would immediately face the next line of defense.
But even the strongest fortress is worthless without vigilant defenders. All gates were continuously guarded by archery forces of the town watch. At night, too, they stood guard on the streets, walls and bastions. For every threat, the rest of the civic guard was alerted.
Is your defense against ransomware organized just as systematically? Do you employ multiple lines of defense? From how far away can you see attackers coming? And how do you respond once you do? To answer these questions, you first need a model that gives you an overview of how your cybersecurity is structured.
The Cybersecurity Framework developed by the American standards institute NIST is one such model. It describes what you can do to defend your organization against cybercrime, grouped into five functions: identify, protect, detect, respond and recover.
The Cyber Kill Chain by the American defense contractor Lockheed Martin looks at it from the opposite perspective: it describes the actions of the attacker in seven steps, from reconnaissance up to the final actions on the objective, such as stealing or damaging data.
In this blog, we turn the analysis around once more: we take the position of neither the archers of the civic guard nor the enemy troops, but of the city that needs protecting. To this end we follow the well-known OSI model, to see where in the data stream the vulnerabilities with regard to ransomware lie, and which layers can be protected by which means of defense.
Layers 1-2: bits and frames
We start at the bottom. At first sight, the technology here seems too generic to reveal threats. Yet a lot can be seen at the second layer, between two switches: ARP spoofing, MAC flooding, a rogue DHCP server or an unknown device suddenly appearing on a port. These are signs that an attacker is already on the local network and is looking for a way to spread, and eventually to plant ransomware. Switch security features (port security, DHCP snooping, dynamic ARP inspection) and a firewall in transparent bridge mode can detect and block such events.
Even if you lack such detection and a ransomware attack does occur, the second layer is where you contain it. This is the layer at which you quarantine infected network segments or systems: shut down the port, move the device to an isolation VLAN. Well-organized network access control (NAC, for example based on 802.1X) is therefore important in the battle against ransomware as well.
Layers 3-4: packets and segments
This is the firewall's traditional domain: filtering on IP addresses, protocols and ports. A typical rule blocks outbound cleartext HTTP (port 80), for example, so that employees cannot be lured to old-fashioned, unencrypted fake websites. Bear in mind that this is only a small part of the picture: phishing sites use TLS just as readily as legitimate ones, so a default-deny egress policy that only allows the ports and destinations the business actually needs does far more.
On these layers the network traffic can also be analyzed for suspicious behavior, not just from hackers but also from malware. A typical example is an infected system that regularly reports back to the attacker's command-and-control server (beaconing). Network Security Monitoring (NSM) is therefore required.
Suspicious traffic can also be detected using an Intrusion Detection System (IDS): this compares traffic, from the layer 3 and 4 headers up to the payload, against known attack patterns (signatures). An Intrusion Prevention System (IPS) recognizes the same patterns, but goes one step further and drops the dangerous packets. If the firewall is the gate, the IDS/IPS is the guard who checks everything passing through it and turns away what you do not want inside the city walls.
Layers 3 and 4 are also the levels on which volumetric DDoS attacks (such as SYN or UDP floods) take place. These increasingly accompany ransomware: the criminals' goal is to obstruct your defense and recovery, and to add pressure to pay. Your firewall therefore needs to handle DDoS well, with one caveat: a firewall can absorb a flood only up to the capacity of your own internet link. Anything larger has to be stopped upstream, by your ISP or a scrubbing service.
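To make the difference between behavioral monitoring (NSM) and signature matching (IDS) concrete, here is an added example, not part of the original blog: a small Python script that runs two detectors over constructed connection records laid out like a simplified Zeek conn.log. The first looks for beaconing, a source that contacts the same destination and port at nearly constant intervals; the second matches destinations against a blocklist. The log lines, IP addresses (from the documentation ranges) and the blocklist are all constructed for the example.

```python
import statistics
from collections import defaultdict

# Constructed connection records (simplified Zeek conn.log layout, not real traffic):
# ts  src_ip  dst_ip  dst_port  proto  orig_bytes
_BASE = 1_700_000_000
_lines = []
# An infected workstation beaconing to its C2 every 300 s with a few seconds of jitter.
for i, jitter in enumerate([0, 1, -1, 2, 0, 1, -2, 0, 1, 0]):
    _lines.append(f"{_BASE + 300 * i + jitter} 10.0.5.23 203.0.113.10 443 tcp 612")
# The same workstation browsing a normal site at irregular moments.
for offset, nbytes in [(17, 1480), (260, 2210), (271, 940), (900, 5300), (903, 710), (1500, 2200), (2905, 880)]:
    _lines.append(f"{_BASE + offset} 10.0.5.23 198.51.100.7 443 tcp {nbytes}")
# Another host making a single connection to an address on our (constructed) blocklist.
_lines.append(f"{_BASE + 420} 10.0.5.40 192.0.2.77 4444 tcp 98")
SAMPLE_LOG = "\n".join(sorted(_lines, key=lambda l: int(l.split()[0]))) + "\n"

# Constructed indicator set standing in for a threat-intelligence feed.
BLOCKLIST = {"192.0.2.77"}


def parse_conn_log(text):
    """Parse the whitespace-separated records into dicts; skip blanks and comments."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, dport, proto, nbytes = line.split()
        records.append({"ts": int(ts), "src": src, "dst": dst,
                        "dport": int(dport), "proto": proto, "bytes": int(nbytes)})
    return records


def find_beacons(records, min_conns=6, max_cv=0.1):
    """NSM-style behavioral check: flows with many connections at near-constant intervals.

    The coefficient of variation (stdev / mean) of the gaps between connections is
    close to zero for a timer-driven implant and large for a human browsing.
    """
    by_flow = defaultdict(list)
    for r in records:
        by_flow[(r["src"], r["dst"], r["dport"])].append(r["ts"])
    beacons = []
    for flow, times in by_flow.items():
        if len(times) < min_conns:
            continue
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        if mean == 0:
            continue
        cv = statistics.pstdev(gaps) / mean
        if cv <= max_cv:
            beacons.append({"flow": flow, "period_s": round(mean),
                            "jitter_cv": round(cv, 4), "count": len(times)})
    return beacons


def match_indicators(records, blocklist):
    """IDS-style check: known-bad destinations, regardless of how the traffic behaves."""
    return [r for r in records if r["dst"] in blocklist]


if __name__ == "__main__":
    recs = parse_conn_log(SAMPLE_LOG)
    for b in find_beacons(recs):
        print("beacon:", b)
    for hit in match_indicators(recs, BLOCKLIST):
        print("indicator hit:", hit)
```

Running it flags the 300-second beacon to 203.0.113.10 and the single connection to 192.0.2.77, while the irregular browsing session passes. The two detectors fail in complementary ways, which is why the blog asks for both: an implant that randomizes its sleep interval heavily slips under a simple jitter threshold, and an indicator match only ever catches infrastructure someone has already seen.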
Layers 5, 6 and 7: data
A modern (next-generation) firewall can do a lot more. It is also active on the highest layers, for example by inspecting the contents of the traffic rather than just the headers. This matters greatly for ransomware and other malware because, just like regular software, they do their work on the top three OSI layers. Make sure your firewall is equipped with advanced malware protection (inspection of transferred files), and bear in mind that it can only inspect what it can read: without TLS decryption, most of today's traffic passes it as opaque ciphertext.
The other essential resource against ransomware at this level is Endpoint Detection and Response (EDR). This software goes beyond traditional anti-virus: it not only stops the usual suspects by signature, but also recognizes suspicious behavior, such as one process rewriting and renaming hundreds of documents in a minute, or deleting the Volume Shadow Copies that you would need for recovery.
Using sandboxing, you can check suspicious files or URLs quickly and safely by running them in an isolated environment and watching what they do. Malware that no signature recognizes yet, including exploits for so-called zero-days (vulnerabilities that are not yet publicly known and for which no patch exists), can still be caught this way. It is not a guarantee: malware that notices it is running in a sandbox may simply stay quiet.
You can also combat ransomware preventively on the highest layers. The trouble usually starts with a phishing email or a link to a rogue website. Good email security removes phishing links and malicious attachments, a web proxy keeps infected downloads out, and a Web Application Firewall protects your own web applications, for example against attackers who try to upload malware to your web server.
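The behavioral side of EDR described above is easy to illustrate. This is an added example, not code from the original blog or from any EDR product: a Python script that scores constructed endpoint telemetry (file writes with their contents, renames and process executions) per process. It treats a burst of high-entropy writes combined with renames to a ransom-style extension, or a shadow-copy deletion, as ransomware-like, and deliberately shows the classic false positive: an archiver also writes high-entropy data in bulk. All events, process names and thresholds are constructed assumptions for the example.

```python
import math
from collections import defaultdict, deque

# Payloads constructed for the example: a uniform byte distribution (8.0 bits/byte,
# what encrypted or compressed output looks like) and ordinary English text.
HIGH_ENTROPY = bytes(range(256)) * 4
LOW_ENTROPY = b"Quarterly report: revenue grew four percent; costs were flat. " * 4

# Constructed endpoint telemetry, not real EDR output:
# (timestamp_s, pid, image, operation, target, payload)
SAMPLE_EVENTS = [
    (0.0, 4242, "WINWORD.EXE", "write", r"C:\Users\ana\Documents\report.docx", LOW_ENTROPY),
    (1.0, 4242, "WINWORD.EXE", "rename", r"C:\Users\ana\Documents\~WRL0001.tmp -> report.docx", None),
]
# An archiver compressing a photo folder: bulk high-entropy writes, but legitimate.
for i in range(6):
    SAMPLE_EVENTS.append((2.0 + i, 7777, "7z.exe", "write", fr"C:\Users\ana\backup\photos{i}.7z", HIGH_ENTROPY))
# The encryptor: overwrite each document with ciphertext, rename it, then kill the backups.
for i in range(8):
    SAMPLE_EVENTS.append((10.0 + i * 0.2, 6666, "svchost.exe", "write",
                          fr"C:\Users\ana\Documents\file{i}.docx", HIGH_ENTROPY))
    SAMPLE_EVENTS.append((10.1 + i * 0.2, 6666, "svchost.exe", "rename",
                          fr"C:\Users\ana\Documents\file{i}.docx -> file{i}.docx.locked", None))
SAMPLE_EVENTS.append((12.0, 6666, "svchost.exe", "exec", "vssadmin.exe delete shadows /all /quiet", None))


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; 8.0 means every byte value is equally likely."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def _push(window: deque, ts: float, window_s: float) -> None:
    """Sliding time window: add ts, drop everything older than window_s."""
    window.append(ts)
    while window and window[0] < ts - window_s:
        window.popleft()


def classify_processes(events, window_s=60.0, entropy_threshold=7.5, min_files=5,
                       ransom_exts=(".locked", ".encrypted", ".crypt", ".enc")):
    """Return {pid: 'ransomware-like' | 'review' | 'benign'} from the event stream."""
    hi_writes = defaultdict(deque)
    renames = defaultdict(deque)
    peak = defaultdict(lambda: [0, 0])      # pid -> max writes / renames seen in one window
    shadow_deleters = set()
    seen = set()
    for ts, pid, image, op, target, payload in sorted(events, key=lambda e: e[0]):
        seen.add(pid)
        if op == "write" and shannon_entropy(payload) >= entropy_threshold:
            _push(hi_writes[pid], ts, window_s)
            peak[pid][0] = max(peak[pid][0], len(hi_writes[pid]))
        elif op == "rename":
            new_name = target.split(" -> ")[-1].lower()
            if new_name.endswith(ransom_exts):
                _push(renames[pid], ts, window_s)
                peak[pid][1] = max(peak[pid][1], len(renames[pid]))
        elif op == "exec":
            cmd = target.lower()
            if "vssadmin" in cmd and "delete shadows" in cmd:
                shadow_deleters.add(pid)
    verdicts = {}
    for pid in seen:
        writes, ren = peak[pid]
        if pid in shadow_deleters or (writes >= min_files and ren >= min_files):
            verdicts[pid] = "ransomware-like"
        elif writes >= min_files:
            verdicts[pid] = "review"   # bulk ciphertext-like output alone: also what archivers do
        else:
            verdicts[pid] = "benign"
    return verdicts


if __name__ == "__main__":
    for pid, verdict in sorted(classify_processes(SAMPLE_EVENTS).items()):
        print(pid, verdict)
```

The encryptor (pid 6666) is flagged on two independent grounds, the archiver (pid 7777) only lands in the review bucket, and Word stays benign. The point of combining signals is exactly the archiver case: entropy alone produces false positives on compressed and encrypted files that users legitimately create, whereas entropy plus mass renaming plus shadow-copy deletion almost never occurs in normal use.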
The picture is clear: both the attack and the defense play out on many layers of the OSI model. It should also be clear that you cannot do without a good, modern firewall, and just as importantly, one that has been carefully configured: an expensive appliance with a permissive rule set protects nothing.
In this blog we have reasoned from the OSI model, but that obviously provides a limited picture. The data stream is just one aspect of cybersecurity. A good consultant can, together with you, establish the best defense strategy for your organization based on multiple frameworks. So that your fortress too no longer has any blind spots or weak spots!