Interrupt and Track Ransomware Attacks
Northern offers a valuable layer in your Ransomware protection strategy. Through the capabilities of Northern’s Software Solution (NSS), customers are able to interrupt attacks by blocking the creation of files with associated file types, get alerts when attempts to save these types are blocked, and view information about past attempted attacks in a dashboard.
This solution offers a potent layer of protection in the fight against Ransomware attacks. When coupled together with additional approaches and tools, your company can establish a robust and resistant defence against this type of criminality.
Northern’s software is capable of blocking the saving of specific file types (file extensions), logging and alerting when these policies are triggered, and providing information about these activities in management dashboards.
The configuration of the software is straightforward, and is performed using pre-configured packages and Northern’s PowerShell Toolkit. After configuration, the list of file extensions to be blocked must be maintained by the customer; a regular process of reviewing and updating the list of blocked extensions should be implemented to keep pace with the changing threat. The list of blocked extensions is best maintained by creating simple extension lists and utilizing functions of the PowerShell Toolkit to import them.
Once implemented, the solution will:
- Continuously monitor for, and block, attempted saves of prohibited file types.
- Send alerts to the threat response team with information about the attempted attack (file extension blocked, account used, etc.).
- Provide regularly updated dashboards that allow for patterns to be identified, and show the effectiveness of the work being done.
Blocking Attempted Attacks
For the target platforms that offer the necessary interface (see Requirements below) NSS can be configured to block the creation of files according to their extension – File Block policies. This capability is being used to prevent Ransomware from encrypting and saving files with a new file extension; the Ransomware is paralysed as its attempts to save encrypted versions of your users’ data are denied.
By implementing a regular process of updating NSS’ configuration, through the user interface or the Northern PowerShell Toolkit, customers are able to continuously maintain policies as the Ransomware threat changes – adding new file extensions to block new Ransomware types. Ransomware that uses a random extension, retains a file’s original extension, or uses an extension that is not currently configured to be blocked, will not be detected.
Alert When Attacks are Blocked
Normally, the software is configured to send an email to the the threat response team within two minutes of the File Block policies being triggered. (This interval can be shortened or lengthened.) These alerts provide information to guide their response, such as the account(s) that were used to attempt these writes, the number of attempted writes, and the file extensions that were blocked.
NSS leverages the audit trail that it maintains about File Block activity to populate these alerts. One controlling factor in the content of this log, and therefore the content of alerts, is the information that the target platform is able to deliver. Northern’s Professional Services team will be able guide you in determining what information can be included in your alerts.
Example of a simple email notification delivered by this solution:
It is important to be able to both block attacks, and gather data about the attacks that have been blocked. This information is vital if patterns are to be found, so that long-lasting solutions can be implemented, and it enables the security team to monitor the effectiveness of the processes put in place and report that effectiveness to relevant stakeholders.
Northern’s self-service, and fully role-based-access compliant interface can be configured to display both overview and detailed information about activities of the File Block policies put in place. This configuration is achieved, very simply, by importing pre-configured settings.
Dashboards can also be configured to show information about successful past attacks – giving location, owner, creation date, etc. information about files with Ransomware-related extensions in the same self-service interface.
The table below shows the tasks involved in implementing this Northern solution, the time required, and who is responsible to perform each task*:
|1||Import configuration settings and describe workflows||2 hours||Northern|
|2||Edit/confirm Northern’s default list of extensions to block||1 hour||Customer|
|3||Run PowerShell Toolkit commands||0.5 hours||Northern|
|4||Maintain list of extensions to block as threats develop||1 hour per review||Customer|
|* The exact list of tasks involved, and the time required for each, will depend on a customer’s specific circumstances. Contact Northern’s Professional Services team for information about what woould be necessary in your organization.|
Ransomware protection can only be achieved by establishing multiple layers of security, process, and awareness. Northern offers one of these layers – a software solution that interrupts, alerts on, and tracks attempted attacks over time.
If you are already a Northern customer, and you are using the software for both quota functionality and file system analysis, then there is no need to prepare new application infrastructure or prepare new application IDs. There are no requirements to change the current IT infrastructure. You should not need to seek advanced approval, or complete a detailed Change Control process. This is a straightforward, no-nonsense way to improve Ransomware protection for your organization.
|NSS Deployed||Version 9.91 or later|
|SQL Database||SQL Server 2012 or later|
|NSS Solution Area(s)||Centralized File Service Management (CFSM)|
|Supported Platforms||NetApp CDOT, NetApp 7-Mode, NetApp Cloud Volumes ONTAP, Dell EMC PowerStore/Unity/VNX, and Hitachi Vantara HNAS|
If you wish to start using NSS to interrupt and track Ransomware attacks please contact your Account Manager, or the Professional Services team, to schedule the first action: import configuration settings and describe workflows.