Malware Prevention Guide
Introduction
This guide includes information from Webroot on how to secure your environment against malware and ransomware attacks. It contains advice and recommended practices to improve cyber resiliency and reduce the attack surface, distilled from more than a decade of Webroot's experience investigating threats.
Cybersecurity should be managed with a layered approach. Simply protecting your endpoints with anti-virus software and calling it a day isn’t enough. You also need a strong file backup solution, an incident response plan, strong password policies, a way to secure DNS, and good user cyber hygiene and security awareness, and you should consider network monitoring and data integrity checks as well.
Reduce the attack surface
Reducing the attack surface involves proactively identifying and addressing as many security issues as possible. It doesn't eliminate the threat of attacks, but it reduces how often security incidents occur and how long each one takes to resolve. Having a plan in place to respond to cyber incidents is key to securing your environment. The suggestions included in this document are designed to make your attack surface as small as possible.
Can endpoint security stop 100% of threats?
We are often asked this leading question: “Which endpoint security solution will offer 100% prevention and protection from malware?” The simple answer is none. Even the best endpoint security (which we pride ourselves on innovating and striving towards providing) stops the overwhelming majority of threats, not every one of them, which is why the additional layers in this guide matter.
Threats constantly evolve
Cybercriminals are in the business of finding ways around endpoint security and constantly evolve their methods of attack to succeed. Each day, different malware campaigns create new variants of infections. These are then repackaged or delivered in a way that evades detection by antivirus.
Value of endpoint security
Reputable endpoint security solutions use real-time anti-phishing to stop email links to phishing sites, web browser protection to stop browser threats, and web reputation to block risky sites that might only occasionally be unsafe. They also employ methods to monitor endpoints for malicious code actively running, running in memory or in files on the system.
Webroot Endpoint Security
Webroot offers an endpoint protection solution that uses cloud based definitions to monitor and stop threats from impacting endpoints. The Realtime shield prevents malicious code from executing, the Web Threat shield protects browsers and the Evasion Shield prevents infections from scripts. It integrates with many RMMs and is an effective layer in the fight against malware and ransomware.
Incident Response Plan
An incident response plan is a critical piece: a well thought out plan improves reaction time to cybersecurity incidents and helps reduce the damage and downtime. A well-executed response contains an incident before it forces you to fall back on disaster recovery. There are several elements to an incident response plan:
- Planning. What types of events are we at risk for? Do we have adequate people and technology to monitor for those events? Is everyone properly trained?
- Defining what an incident is and ensuring alerts are in place. What types of alerts are involved and where are they sent? Are the alerts effectively relaying information about incidents?
- Monitoring, response and action. What are the steps to take for each type of incident? Are escalation paths defined? Have you tested your responses? Do the people involved understand the importance of quick action?
- Charting the flow. This helps to properly train all involved people and uncovers gaps in process. Are all the right people involved? Is the flow during fully staffed times different than off hours or holiday periods?
- Analyzing incidents. This is part of continuous improvement. When a security event happens, review it to look for ways to improve the response.
- Testing the plan. Don't wait for an incident to test your responses. Testing a plan will often uncover gaps that are not obvious. It is far better to uncover a gap in testing than in response to an actual incident.
Backup Strategy
When considering how to back up data, the approach most generally recommended is the 3-2-1 backup strategy: three copies of each file, on two different types of media, with one copy kept offsite. The first copy is the working file on a computer or server, the second copy is created and stored onsite by your local backup solution, and the third copy is stored offsite, either on external media or in the cloud. Because ransomware routinely encrypts or deletes any backup it can reach, the offsite copy should not be writable from the production network with everyday credentials; an offline or immutable copy is what you restore from.
Carbonite Backup Solutions
Carbonite offers a variety of cloud based backup solutions that can help to automatically secure your data in the cloud. They provide backup solutions for endpoints, servers and Microsoft 365 data in addition to system migration, availability and restore solutions.
Monitoring alerts and taking quick action
Alerts enable security software to relay information on important events and they need to be closely monitored. They are an integral part of any incident response plan. Alerts often require corrective or follow up actions and IT staff should be properly trained to know how to react to each alert type. Faster reaction time helps limit the damage associated with a security event. Avoid alert fatigue by carefully creating alerts and only sending them on meaningful events.
MDR solutions
Managed detection and response solutions offer a way for MSPs and businesses to outsource the close management of security alerts. They employ expert staff that manage your security for you, watching alerts and starting cleanup or containment efforts as needed. Their fast action prevents infections from spreading and ensures that you as the customer have all the relevant facts related to a cybersecurity event.
Webroot is proud to offer an MDR solution for MSPs (Managed Service Providers) through a partnership with Blackpoint and one for SMBs (Small - Medium Business) through a partnership with Opentext.
Passwords and Authentication
Strong passwords and a strong password policy can greatly reduce your risk from malware and ransomware attacks. Microsoft users can manage the passwords for user and service accounts using Active Directory.
Use these password best practices to improve your organization’s cyber security:
- Define and enforce a strong password policy. Here are minimum requirements for a strong password:
- 8 characters minimum
- Contains letters and numbers
- Contains uppercase and lowercase characters
- Contains at least one punctuation mark or symbol
- Cannot be re-used (none of the last 10 passwords)
- Expires and needs to be refreshed every 90 days
Treat these as a floor, not a target: length does more against password cracking than symbol rules, and current NIST guidance (SP 800-63B) favors longer passphrases and screening new passwords against lists of known-breached passwords over forced periodic rotation. Whatever policy you choose, MFA (below) is what limits the damage when a password is stolen anyway.
- Implement Multi-Factor Authentication (MFA) and Single Sign-On (SSO)
- MFA - Authentication method that requires two or more forms of verification from a user. This prevents an attacker from being able to use only a stolen password to log in.
- SSO – Authentication method that allows secure access to company resources using one login and password. SSO centralizes authentication in a dedicated identity provider, which gives you a single place to enforce MFA and password policy and a single account to disable when someone leaves, and it lets users move securely between company resources without managing a separate credential for each one.
- Consider using a Password Manager
- Password managers help users manage their accounts and have many benefits:
- Creates complex, randomly generated passwords
- Makes it easier for users by storing the credentials for multiple accounts
- Eliminates the human habit of reusing passwords
- Counteracts phishing, because the manager only fills credentials on the site they were saved for, and brute force, because its generated passwords are long and random
- Data is encrypted and recoverable
- Can be configured to work with MFA
- Train users to recognize phishing email and websites.
- Users can be tricked by phishing emails or websites into providing credentials. Webroot offers Security Awareness Training to educate users on phishing attacks and can be used to run phishing simulation campaigns to test users. Smart users are more resistant to falling for phishing scams of any kind.
- Provide each user and administrator with their own account and password.
- This allows proper tracking and auditing of login and change events.
- Do not forget about service accounts.
- Apply the same standards to service accounts as to user accounts, require complex passwords and update them periodically.
- Do not write passwords down to make processes easier.
- Even though this may allow for work to be accelerated, all accountability is lost when this happens.
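One way to check a domain against the policy above, as an added example that is not part of the Webroot guide: a PowerShell script that reads the default domain password policy, compares it with the minimums listed, and then lists enabled accounts the policy never touches (password never expires, or no password required), which is where forgotten service accounts usually hide. It assumes the ActiveDirectory module (RSAT) is installed and the session can read the domain; the thresholds are the guide's own numbers and can be raised.

```powershell
# Added example (not from the Webroot guide). Requires the RSAT ActiveDirectory module.
Import-Module ActiveDirectory

function Test-DomainPasswordPolicy {
    param(
        [int]$MinLength    = 8,    # guide minimum; assumed you may raise it
        [int]$HistoryCount = 10,
        [int]$MaxAgeDays   = 90
    )
    $p = Get-ADDefaultDomainPasswordPolicy
    # MaxPasswordAge of 0 means "never expires", which fails the check below.
    $ageDays = $p.MaxPasswordAge.TotalDays
    [pscustomobject]@{
        MinLengthOk             = $p.MinPasswordLength -ge $MinLength
        ComplexityOk            = [bool]$p.ComplexityEnabled
        HistoryOk               = $p.PasswordHistoryCount -ge $HistoryCount
        MaxAgeOk                = ($ageDays -gt 0) -and ($ageDays -le $MaxAgeDays)
        LockoutOk               = $p.LockoutThreshold -gt 0
        ReversibleEncryptionOff = -not $p.ReversibleEncryptionEnabled
    }
}

function Get-PolicyExemptAccounts {
    # Enabled accounts that the domain policy does not rotate or does not require a password for.
    # An account with a ServicePrincipalName is almost always a service account.
    $filter = "Enabled -eq 'True' -and (PasswordNeverExpires -eq 'True' -or PasswordNotRequired -eq 'True')"
    Get-ADUser -Filter $filter -Properties PasswordNeverExpires, PasswordNotRequired,
        PasswordLastSet, ServicePrincipalName |
    Select-Object SamAccountName, PasswordNeverExpires, PasswordNotRequired, PasswordLastSet,
        @{ n = 'IsServiceAccount'; e = { $_.ServicePrincipalName.Count -gt 0 } }
}

Test-DomainPasswordPolicy | Format-List
# Oldest passwords first: these are the service accounts to rotate first.
Get-PolicyExemptAccounts | Sort-Object PasswordLastSet | Format-Table -AutoSize
```

Any `False` in the first table is a policy gap; every row in the second table is an account that needs either a rotation schedule of its own (for example a group Managed Service Account) or a justification on file.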
Patches - Application and Operating System Updates
Application and operating system vendors constantly release patches that fix bugs or address security vulnerabilities. An unpatched vulnerability gives an attacker a way in that bypasses security software, because exploiting a legitimate program looks nothing like running a known-bad file. Keeping software patched and updated closes known vulnerabilities, making systems more difficult to access and infect.
Applying Patches
Most software includes options to automatically download and apply patches. Microsoft offers Windows Server Update Services (WSUS), which enables administrators to deploy the latest Microsoft product updates. There are third party patch management applications that assist with the task, and many Remote Monitoring and Management (RMM) applications can help. Prioritize updates by severity and by how exposed the affected system is, and test them on a pilot group before broad deployment.
Remote Desktop Protocol (RDP)
Cybercriminals constantly scan the internet looking for systems with commonly used remote desktop ports, then brute force them with common and stolen username and password lists to gain access. Port scanning and brute force attacks have also been observed on other ports used for interactive remote access such as 443 and 22, but are less common. Once access has been gained, the intruder controls the compromised system with the privileges of the stolen account; with administrative rights they can disable protections, deploy variants of ransomware, create user accounts, and download other malicious software.
We recommend securing RDP and other remote access protocols, or disabling them entirely and blocking them at the firewall.
Steps to take to secure RDP:
- Restrict RDP to an approved IP address.
- Require MFA for any remote connections and audit regularly.
- Change the port for RDP from the default (3389) to a different, unused port. This only cuts the noise from scanners that probe 3389 alone; a scanner that sweeps all ports will still find the service, so treat it as a supplement to the IP restriction and MFA, not a replacement.
- Consider lowering the threshold of incorrect password attempts, but be careful and understand how it may make Denial of Service (DoS) easier to execute if you do.
- Use a brute force prevention service or application.
- Define and use a strong password policy. You can use GPO to enforce password policies when using Windows.
- Monitor logs looking for multiple failed login attempts. Knowing that you are being targeted and gathering information from the attempts will help you to employ additional layers of protection to combat the threat.
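As an added example (not from the guide) of the log monitoring recommended above: PowerShell that pulls failed logon events (Event ID 4625) from the Security log of the RDP host, extracts the source address and target user by field name rather than by position, and flags sources that exceed a failure count. It assumes failure auditing for logon events is enabled (the Windows Server default) and that it runs elevated; the 24-hour window and the threshold of 10 failures are assumptions.

```powershell
# Added example (not from the Webroot guide). Run in an elevated session on the RDP host.
function Get-FailedLogonSummary {
    param(
        [int]$Hours     = 24,   # assumed look-back window
        [int]$Threshold = 10    # assumed: flag any source with this many failures
    )
    $filter = @{ LogName = 'Security'; Id = 4625; StartTime = (Get-Date).AddHours(-$Hours) }
    # Get-WinEvent reports "no events found" as an error; treat that as an empty result.
    $events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue

    $rows = foreach ($e in $events) {
        # Read EventData by field name from the event XML, not by positional index.
        $field = @{}
        foreach ($d in ([xml]$e.ToXml()).Event.EventData.Data) { $field[$d.Name] = $d.'#text' }
        [pscustomobject]@{
            Time      = $e.TimeCreated
            Source    = $field['IpAddress']        # "-" for local or non-network logons
            User      = $field['TargetUserName']
            LogonType = $field['LogonType']        # 10 = RemoteInteractive (RDP), 3 = Network
            Status    = $field['Status']           # 0xC000006D = bad username or password
        }
    }

    $rows | Group-Object Source | ForEach-Object {
        [pscustomobject]@{
            Source   = $_.Name
            Failures = $_.Count
            Users    = ($_.Group.User | Sort-Object -Unique) -join ','
            LastSeen = ($_.Group.Time | Measure-Object -Maximum).Maximum
            Suspect  = $_.Count -ge $Threshold
        }
    } | Sort-Object Failures -Descending
}

Get-FailedLogonSummary -Hours 24 -Threshold 10 | Format-Table -AutoSize
```

A single source trying many different usernames (a long `Users` list) is password spraying; one source hammering one account is classic brute force. Either way, the `Source` column is the address to block at the firewall and the evidence for the escalation step in your incident response plan.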
To change the port for RDP when using Windows:
Execute the following from an elevated command prompt on the server hosting RDP:
REG ADD "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /t REG_DWORD /v PortNumber /d XXXX /f
The parameter “XXXX” is the port number you would like to move RDP to. It is recommended to choose a random port number that is not in use and outside of the 33XX port range. The Remote Desktop listener reads this value only at service start, so restart the Remote Desktop Services service (TermService) or reboot, and add a firewall rule allowing the new port before you disconnect, otherwise you will lock yourself out.
Once completed, block RDP on the default port (3389) at your firewall and restrict access to the new port to an approved IP address.
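The steps above as one script, as an added example and not the guide's own procedure: PowerShell that moves the listener, allows the new port only from approved addresses, blocks 3389, sets account lockout and restarts the Remote Desktop service. The port 49512 and the address 203.0.113.10 (a documentation range) are placeholders to replace. Run it from the console or an out-of-band session, because restarting TermService drops existing RDP sessions and the firewall change cuts off anyone still connected on 3389.

```powershell
# Added example (not from the Webroot guide). Run from an elevated console session.
#Requires -RunAsAdministrator
$NewPort    = 49512               # assumed: unused high port, outside the 33xx range
$AllowedIps = @('203.0.113.10')   # assumed: management host(s) allowed to reach RDP

$rdpKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'

# 1. Move the listener (same value the guide sets with REG ADD).
Set-ItemProperty -Path $rdpKey -Name PortNumber -Value $NewPort -Type DWord

# 2. Allow the new port only from approved addresses. Everything else hits the
#    firewall's default inbound block, so no explicit deny is needed for other sources.
New-NetFirewallRule -DisplayName "RDP $NewPort (approved hosts only)" -Direction Inbound `
    -Protocol TCP -LocalPort $NewPort -RemoteAddress $AllowedIps -Action Allow | Out-Null

# 3. Block the default port explicitly so the built-in "Remote Desktop" allow rules
#    cannot reopen it; block rules take precedence over allow rules in Windows Firewall.
New-NetFirewallRule -DisplayName 'Block RDP 3389' -Direction Inbound -Protocol TCP `
    -LocalPort 3389 -Action Block | Out-Null

# 4. Account lockout: 5 failures within 15 minutes locks the account for 15 minutes.
#    See the DoS caveat above before lowering the threshold further.
net accounts /lockoutthreshold:5 /lockoutduration:15 /lockoutwindow:15 | Out-Null

# 5. The listener only reads PortNumber at service start.
Restart-Service -Name TermService -Force

# 6. Verify: the listener is on the new port and nothing is listening on 3389.
Get-NetTCPConnection -State Listen -LocalPort $NewPort |
    Select-Object LocalAddress, LocalPort, OwningProcess
Get-NetTCPConnection -State Listen -LocalPort 3389 -ErrorAction SilentlyContinue
```

MFA for the connection is not something this script can provide; it comes from a Remote Desktop Gateway, VPN or identity provider in front of the host, which is the remaining item on the list above.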
DNS Filtering
DNS filtering is the practice of blocking access to certain websites for a specific reason. Sites may be blocked due to them being malicious or because the owner of the network doesn’t want traffic going to them (time-wasting or work inappropriate sites).
Webroot DNS Protection
Webroot offers the Webroot DNS Protection service for filtering DNS traffic. Webroot uses URL information from BrightCloud, an industry leader in URL classification data. BrightCloud is constantly re-evaluating websites, looking for malicious sites and ensuring that categorizations are accurate.
Two major benefits associated with the Webroot DNS Protection service include:
- Malicious sites are automatically blocked, keeping users safe from threats they don’t even know exist.
- The use of customizable policies to allow and block websites based on category.
The Webroot DNS Protection service is an effective layer in the fight against malware as it can prevent a malicious attack from ever starting.
Humans - weakest link in the security chain
The weakest link in any security system is the human element. Humans are prone to making mistakes and errors in judgement and can be ‘fooled’ into opening emails, clicking links or visiting sites that they shouldn’t. This is a constant threat vector, with continuously evolving tactics.
User Education
User education and training are the best ways to help your users be security responsible. Keeping users aware of the latest trends used in ransomware and phishing attacks will help them make better decisions. Savvy and informed users are much less prone to being tricked by socially engineered attacks. Running tests against users allows you to measure their readiness and schedule more training as needed.
Webroot Security Awareness Training
Webroot offers Security Awareness Training (SAT) to assist with the ongoing process of user focused security education and testing. The benefits of SAT include:
- Simulated phishing campaigns that use real-looking, customizable email messages and lure pages to test users.
- Training campaigns on relevant, trending security topics to educate users on a broad variety of security related topics, with more courses being added constantly.
- Report data available for campaigns to help admins track progress.
- Integration with Microsoft Azure AD for automated user management.
Script based attacks
Script based attacks are especially difficult to detect and prevent, due to their highly evasive nature. This type of attack has been steadily increasing and has become much more common in recent years. Malicious scripts leverage applications already present on a system, known as Living off the Land Binaries or LoLBins, to compromise systems and gain access. Some of the applications abused include powershell.exe, java.exe and excel.exe, but there are many others. Another tactic of script based attacks is to stay file-less, running entirely in memory. This makes them harder to detect as there is no file on disk for a traditional antivirus solution to scan.
Webroot Evasion shield
The Webroot Evasion shield provides protection against script based attacks by using patented techniques to detect and prevent malicious scripts from executing. It protects against many types of scripts and also from file-less attacks that often evade other malware detection software. On Windows 10, Webroot helps provide enhanced protection for file-less scripts, obfuscated scripts, and other sophisticated script based attacks.
The Webroot Evasion shield is included with an active Webroot Business Endpoint Protection license. If you are a current user of Webroot (Thank you!), see these instructions to enable the Evasion shield. If you are not using Webroot to protect your devices from malware, please visit our page for more information on purchasing or starting a trial.
Disabling Scripts
Many malware attacks start through email attachments. A malicious attachment may use a script to deliver its payload; once a user opens it, the payload is deployed and the system compromised. Disabling scripts can be a very effective way to stop this class of malware and should be considered in high-risk situations. Weigh it carefully, as it may disrupt day-to-day operations for users who rely on scripts or macros.
Option 1: (Windows) Disable Windows Script Host
Windows Script Host (C:\Windows\System32\wscript.exe, with cscript.exe as its console counterpart) is the system component that interprets script files such as .vbs, .js and .wsf. When a user double-clicks such a script, it runs through this program, so disabling Windows Script Host blocks that whole class of attachment-borne scripts. Note the limit: this setting does not affect PowerShell or Office macros, so treat it as one layer alongside the others in this guide.
The listed instructions need to be executed per device.
Manually - 64 BIT systems:
To disable Windows Script Host, execute the following in an elevated command prompt:
REG ADD "HKLM\Software\Microsoft\Windows Script Host\Settings" /v Enabled /t REG_DWORD /d 0 /f /reg:32
REG ADD "HKLM\Software\Microsoft\Windows Script Host\Settings" /v Enabled /t REG_DWORD /d 0 /f /reg:64
To re-enable Windows Script Host, execute the following:
REG ADD "HKLM\Software\Microsoft\Windows Script Host\Settings" /v Enabled /t REG_DWORD /d 1 /f /reg:32
REG ADD "HKLM\Software\Microsoft\Windows Script Host\Settings" /v Enabled /t REG_DWORD /d 1 /f /reg:64
Manually - 32 BIT:
To disable Windows Script Host, execute the following in an elevated command prompt:
REG ADD "HKLM\Software\Microsoft\Windows Script Host\Settings" /v Enabled /t REG_DWORD /d 0 /f
To re-enable Windows Script Host, execute the following:
REG ADD "HKLM\Software\Microsoft\Windows Script Host\Settings" /v Enabled /t REG_DWORD /d 1 /f
Option 2: (Windows) Disable Macro execution
Office Macros can be beneficial to some work environments, however in most cases they are not necessary and create a security risk. Some ransomware may attempt to utilize macro scripts within documents as a vector for malicious payload delivery. Macro execution is controlled by settings in the Trust Center.
The instructions included are for a single device; it is also possible to use GPO to disable Office macros for the entire domain or just for selected devices.
- Open the Trust Center (From any Office App – File > Options > Trust Center).
- In the Trust Center, click Macro Settings.
- Make a selection, options include:
- Disable all macros without notification
- Macros and security alerts about macros are disabled.
- Disable all macros with notification
- Macros are disabled, but security alerts appear if there are macros present. Enable macros on a case-by-case basis.
- Disable all macros except digitally signed macros
- Macros are disabled, and security alerts appear if there are unsigned macros present. However, if the macro is digitally signed by a trusted publisher, the macro just runs. If the macro is signed by a publisher you haven't trusted yet, you are given the opportunity to enable the signed macro and trust the publisher.
- Enable all macros (not recommended, potentially dangerous code can run)
- All macros run without confirmation. This setting makes your computer vulnerable to potentially malicious code.
- Click OK to complete the process.
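The same Trust Center setting applied by policy, as an added example that is not from the guide: PowerShell that writes the VBAWarnings policy value for Word, Excel and PowerPoint under the current user's Policies hive (the same values Group Policy writes, so the Trust Center option shows as greyed out) and additionally blocks macros in files that carry the Mark of the Web, which is how email attachments and downloads arrive. The Office version key 16.0 (Office 2016, 2019 and Microsoft 365) is an assumption; for machine-wide enforcement use the matching path under HKLM or deploy it through GPO.

```powershell
# Added example (not from the Webroot guide). Policy values under HKCU\Software\Policies:
# VBAWarnings 1 = Enable all, 2 = Disable with notification,
#             3 = Disable except digitally signed, 4 = Disable without notification.
function Set-OfficeMacroPolicy {
    param(
        [ValidateSet(1, 2, 3, 4)][int]$VBAWarnings = 4,
        [string[]]$Apps = @('Word', 'Excel', 'PowerPoint'),
        [string]$OfficeVersion = '16.0'   # assumed: Office 2016/2019/365 registry version
    )
    foreach ($app in $Apps) {
        $key = "HKCU:\Software\Policies\Microsoft\Office\$OfficeVersion\$app\Security"
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        Set-ItemProperty -Path $key -Name VBAWarnings -Value $VBAWarnings -Type DWord
        # Block macros in files marked as coming from the internet (downloads, attachments),
        # regardless of the VBAWarnings setting above.
        Set-ItemProperty -Path $key -Name blockcontentexecutionfrominternet -Value 1 -Type DWord
    }
}

function Get-OfficeMacroPolicy {
    param([string[]]$Apps = @('Word', 'Excel', 'PowerPoint'), [string]$OfficeVersion = '16.0')
    $names = @{ 1 = 'Enable all (dangerous)'; 2 = 'Disable with notification'
                3 = 'Disable except signed';  4 = 'Disable without notification' }
    foreach ($app in $Apps) {
        $key = "HKCU:\Software\Policies\Microsoft\Office\$OfficeVersion\$app\Security"
        $v = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        $setting = 'not set by policy (user-configurable in Trust Center)'
        if ($v -and $v.VBAWarnings) { $setting = $names[[int]$v.VBAWarnings] }
        [pscustomobject]@{
            App                 = $app
            MacroSetting        = $setting
            BlockInternetMacros = [bool]($v -and $v.blockcontentexecutionfrominternet -eq 1)
        }
    }
}

# Apply "Disable all macros without notification" plus the Mark-of-the-Web block, then read it back.
Set-OfficeMacroPolicy -VBAWarnings 4
Get-OfficeMacroPolicy | Format-Table -AutoSize
```

If some users genuinely need macros, set `-VBAWarnings 3` for them and sign the approved macros with a publisher certificate; the internet block still applies, so a signed macro in a trusted internal document runs while the same document arriving as an email attachment does not.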