Heidi Porter, Chris Moyer, EngageU 2022


Table of Contents

  1. Introduction: Background and Importance
  2. Understanding the Ransomware Threat
  3. Real-Life Ransomware Attacks
  4. Ransomware Anatomy and Attack Vectors
  5. Building a Robust Defense
  6. Simulating Ransomware Attacks for Preparedness
  7. Detection and Response: Best Practices
  8. Using Rootkits to Hide Data: A Countermeasure
  9. Planning for Incident Response and Business Continuity
  10. The Future of FileMaker Security
  11. Key Takeaways

Introduction: Background and Importance

Heidi Porter and Chris Moyer, seasoned experts in FileMaker security, presented on the topic of ransomware protection at EngageU 2022. Both Porter and Moyer have extensive experience in the FileMaker ecosystem and are dedicated to educating users on best practices for securing their systems. They emphasized that security is no longer just about protecting data but also about planning for a resilient recovery after an attack.

Understanding the Ransomware Threat

What is Ransomware?

Ransomware is malicious software that blocks access to a computer system or its data, usually by encrypting files. The victim is then extorted to pay a ransom in exchange for the decryption key needed to restore access. Beyond the direct financial cost, an attack means downtime and, where data was copied out before encryption, a data breach and reputational damage.

Why FileMaker Servers Are Vulnerable

FileMaker servers are commonly run by small and medium-sized businesses that lack the security staff and tooling of larger organizations, so basic measures such as prompt patching, network isolation and tested backups are often missing. Many FileMaker servers also run on Windows, which ransomware families target most heavily because of its market share.

Real-Life Ransomware Attacks

In 2016, one of Porter and Moyer’s clients was severely affected by ransomware. Their entire network was locked, including the FileMaker server. Fortunately, they had off-site backups, but the recovery process highlighted the need for better preparedness. Since then, Porter and Moyer have been on a mission to enhance their knowledge of ransomware and the measures needed to safeguard against it.

Ransomware Anatomy and Attack Vectors

Stages of a Ransomware Attack

  1. Infiltration: Attackers gain initial access, typically through a phishing email or an unpatched, exposed service.
  2. Burrowing: The malware establishes persistence on the first compromised host and opens a channel back to the attackers.
  3. Expansion: The attackers move laterally across the network, locating the servers and backups that hold the most valuable data.
  4. Exfiltration and Extortion: Sensitive data is copied out before encryption so the attackers can threaten to publish it, a second lever that works even if the victim can restore from backup.
  5. Encryption and Demand: The ransomware encrypts data, typically destroying any backups it can reach first, and demands payment for the decryption keys.

Top Entry Points

  1. Phishing Emails: Emails with malicious links or attachments are a common way for ransomware to enter a system.
  2. Weak Passwords: Simple, default or reused passwords, especially on accounts reachable from the internet (remote desktop, VPN, the FileMaker Server Admin Console), give attackers an easy way in.
  3. Unpatched Software: Exploiting known vulnerabilities in outdated software is a frequent tactic.

Building a Robust Defense

Server and Network Security

  1. Segmentation: Divide your network to contain infections and prevent ransomware from spreading.
  2. Secure Access Points: Expose FileMaker Server only to the networks that need it (behind a VPN rather than on the open internet) and ensure only authorized devices and users can reach it.
  3. System Hardening: Remove unnecessary services and applications to reduce the attack surface.

Backup and Recovery Strategies

  1. Immutable Off-Site Backups: Keep copies that cannot be altered or deleted during their retention period, stored where the credentials on the FileMaker Server cannot reach them. Ransomware routinely looks for and destroys the backups it can reach, so a copy the compromised server can write to is not a safe copy.
  2. Redundant Backups: Keep multiple copies at different locations. Backups should be done regularly and verified for integrity.
  3. Regular Backup Drills: Regularly test your backups and restoration processes to ensure reliability during an actual attack.
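The integrity check in items 2 and 3 above, as an added example that is not from the presentation: a Python script (assumed tooling, not a FileMaker Server feature) records a SHA-256 manifest of a backup set and later compares a restored copy against it, reporting what changed, went missing or appeared. The file names and contents are constructed stand-ins for hosted database files.

```python
"""Backup integrity drill: hash a backup set into a manifest, then verify a
restored copy against that manifest and report what changed, vanished or
appeared. Added, assumed example; the paths and file contents are constructed."""
import hashlib
import json
import shutil
import tempfile
from pathlib import Path

CHUNK = 1 << 20  # read 1 MiB at a time so multi-GB .fmp12 files do not hit memory


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map every regular file under root (relative POSIX path) to its SHA-256."""
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def verify_against_manifest(root: Path, manifest: dict) -> dict:
    """Compare a directory tree with a stored manifest.

    Returns {"changed": [...], "missing": [...], "extra": [...]}; three empty
    lists mean the copy is byte-for-byte what was backed up.
    """
    current = build_manifest(root)
    return {
        "changed": sorted(k for k in manifest if k in current and current[k] != manifest[k]),
        "missing": sorted(k for k in manifest if k not in current),
        "extra": sorted(k for k in current if k not in manifest),
    }


def backup_drill() -> dict:
    """End-to-end drill on constructed data: back up, restore, verify, then
    tamper with the restore and verify again. Returns both verification results."""
    with tempfile.TemporaryDirectory() as tmp:
        backup = Path(tmp, "backup")
        restore = Path(tmp, "restore")
        (backup / "Databases").mkdir(parents=True)
        # Constructed stand-ins for hosted database files; not real .fmp12 data.
        (backup / "Databases" / "Contacts.fmp12").write_bytes(b"contacts records " * 300)
        (backup / "Databases" / "Invoices.fmp12").write_bytes(b"invoice rows " * 300)
        (backup / "notes.txt").write_text("hosted files as of this drill\n")

        # The manifest is written out as JSON; in practice store it beside the
        # immutable copy, never on the server whose files it describes.
        manifest_path = Path(tmp, "manifest.json")
        manifest_path.write_text(json.dumps(build_manifest(backup), indent=2))
        stored = json.loads(manifest_path.read_text())

        shutil.copytree(backup, restore)  # the "restore" step of the drill
        clean = verify_against_manifest(restore, stored)

        # Simulate what a bad restore or a tampered copy looks like.
        (restore / "Databases" / "Contacts.fmp12").write_bytes(b"\x00" * 64)    # corrupted
        (restore / "notes.txt").unlink()                                        # lost
        (restore / "HOW_TO_DECRYPT.txt").write_text("constructed extra file\n")  # unexpected
        dirty = verify_against_manifest(restore, stored)
        return {"clean": clean, "dirty": dirty}


if __name__ == "__main__":
    print(json.dumps(backup_drill(), indent=2))
```

Run the verification from the restore target, against a manifest fetched from the immutable copy, so that a manifest sitting on a compromised server cannot vouch for files the attacker has already altered. A drill that only confirms the backup job ran is not a drill; the restore and the comparison are the part that fails in practice.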

User Training and Awareness

  1. Phishing Simulations: Conduct regular training and simulations to teach employees how to identify and avoid phishing attempts.
  2. Access Controls: Restrict access to sensitive areas of the system based on user roles to minimize potential damage.
  3. Multi-Factor Authentication (MFA): Require MFA for all users, especially for those with elevated privileges.

Simulating Ransomware Attacks for Preparedness

Understanding Racketeer and Ransomware Simulation

Racketeer is a ransomware simulation framework that can help FileMaker administrators understand and prepare for real attacks. By setting up a controlled environment with Racketeer, organizations can observe the behavior of ransomware and adjust their defenses accordingly.

Step-by-Step Simulation

  1. Setup Racketeer: Deploy both the agent (infected system) and the command and control server (attacker) on separate virtual machines.
  2. Initiate Attack: Launch a ransomware simulation by sending commands from the control server to the agent, simulating how attackers gain control over a system.
  3. Observe Impact: Monitor how the simulated ransomware interacts with the FileMaker Server files (the hosted databases and the backup folders), note which of them it can reach and alter, and record what your monitoring did and did not catch.
  4. Evaluate Response: Use the insights gained to strengthen network monitoring and response protocols.

Detection and Response: Best Practices

Setting Up Behavioral Monitoring

  1. Monitor File Access and Changes: Use tools to detect unusual activity in key directories, such as unexpected file modifications.
  2. CPU, Disk and Network Monitoring: Bulk encryption is CPU- and disk-intensive, and exfiltration or lateral spread shows up as unusual network traffic; a sudden spike in any of these can indicate an attack in progress.
  3. Centralized Log Management: Collect logs from all systems and review them regularly for signs of suspicious activity.

Know Your Normal: Identifying Anomalies

Understanding baseline activity levels on your network helps identify deviations that may indicate an attack. For example, if there’s a sudden surge in CPU usage or network traffic during off-hours, it could suggest that ransomware is actively encrypting data.

Advanced Detection with Honey Pots and Trap Systems

A honey pot is a decoy system that no legitimate user or process has any reason to touch, so any interaction with it is a high-confidence alert. Once attackers engage with the honey pot, it can also reveal their tactics and, as a side effect, draw their attention away from the critical systems.
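The signals in the monitoring list above, the baseline idea from "Know Your Normal" and the file-level analogue of the honey pot (planted canary files), as one added Python example that is not the presenters' code; the canary names, thresholds and sample tree are assumptions. Its "attack" step, which writes random bytes over renamed copies, is a constructed stand-in for a Racketeer run from the simulation section, not Racketeer itself.

```python
"""Behavioural file-activity detector for a FileMaker Server data folder.
Compares two snapshots of a tree and raises alerts for a burst of changed
files, a jump to encrypted-looking (high-entropy) content, and any touch of
planted canary files. Added, assumed tooling; the sample tree is constructed."""
import math
import os
import tempfile
from collections import Counter
from pathlib import Path

CANARY_NAMES = ("~zz_canary_Contacts.fmp12", "~zz_canary_Backup.fmp12")  # assumed names
HIGH_ENTROPY = 7.2      # bits per byte; random or encrypted data sits near 8.0
BURST_FRACTION = 0.5    # share of baselined files changed/removed between two scans
HEAD_BYTES = 65536      # entropy is measured on the first 64 KiB of each file


def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty, 8.0 for uniformly random)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def snapshot(root: Path) -> dict:
    """Relative path -> (size, mtime_ns, head entropy) for every file under root."""
    snap = {}
    for p in root.rglob("*"):
        if p.is_file():
            st = p.stat()
            with p.open("rb") as f:
                head = f.read(HEAD_BYTES)
            snap[p.relative_to(root).as_posix()] = (st.st_size, st.st_mtime_ns, entropy(head))
    return snap


def plant_canaries(folder: Path) -> None:
    """Decoy files no legitimate process should touch; any change is an alert."""
    for name in CANARY_NAMES:
        (folder / name).write_bytes(b"canary " * 64)


def analyse(before: dict, after: dict) -> dict:
    """Diff two snapshots and turn the differences into named alerts."""
    changed = [k for k in before if k in after and after[k][:2] != before[k][:2]]
    removed = [k for k in before if k not in after]
    added = [k for k in after if k not in before]
    canary_hits = [k for k in changed + removed if Path(k).name in CANARY_NAMES]
    entropy_jumps = [k for k in changed if after[k][2] - before[k][2] > 2.0]
    new_high_entropy = [k for k in added if after[k][2] > HIGH_ENTROPY]
    touched_fraction = (len(changed) + len(removed)) / max(len(before), 1)
    alerts = []
    if canary_hits:
        alerts.append("CANARY_TOUCHED")
    if touched_fraction >= BURST_FRACTION:
        alerts.append("MASS_CHANGE")
    if entropy_jumps or new_high_entropy:
        alerts.append("ENTROPY_SPIKE")
    return {
        "alerts": sorted(alerts),
        "canary_hits": sorted(canary_hits),
        "touched_fraction": touched_fraction,
        "high_entropy_files": sorted(entropy_jumps + new_high_entropy),
    }


def demo() -> tuple:
    """Constructed run: baseline, one ordinary edit, then a simulated attack that
    replaces every .fmp12 with random bytes under a new name and drops a note."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        data = root / "Databases"
        data.mkdir()
        (data / "Contacts.fmp12").write_bytes(b"contact record " * 400)  # constructed
        (data / "Invoices.fmp12").write_bytes(b"invoice row " * 400)     # constructed
        plant_canaries(data)

        base = snapshot(root)
        with (data / "Invoices.fmp12").open("ab") as f:  # normal day-to-day growth
            f.write(b"one more invoice row\n")
        normal = analyse(base, snapshot(root))

        base = snapshot(root)
        for p in list(data.glob("*.fmp12")):  # stand-in for the simulated ransomware
            p.with_name(p.name + ".locked").write_bytes(os.urandom(4096))
            p.unlink()
        (data / "HOW_TO_RECOVER.txt").write_text("constructed ransom note\n")
        attack = analyse(base, snapshot(root))
        return normal, attack


if __name__ == "__main__":
    for label, result in zip(("normal edit", "simulated attack"), demo()):
        print(label, result["alerts"])
```

Two caveats when pointing this at a real server. Hosted .fmp12 files change constantly while FileMaker Server is running, so the mass-change signal belongs on backup folders, file shares and the canaries rather than on the live Databases folder, or its threshold must be tuned to that baseline. High entropy also describes legitimately compressed or encrypted files, so treat it as corroboration; a canary hit is the high-fidelity signal and is the one to wire to an automatic response such as isolating the host.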

Using Rootkits to Hide Data: A Countermeasure

How Rootkits Work

Rootkits are tools that hide files, processes and other artifacts from the operating system's normal views, typically by hooking the APIs used to enumerate them. Though usually associated with malware, the presenters argue that the same concealment can be used defensively, to keep critical data out of sight of ransomware.

Case Study: Rootkits in Action

Porter and Moyer demonstrated using the r77 rootkit to hide FileMaker directories from ransomware. r77 is a user-mode rootkit: it hides files and directories whose names carry its prefix ($77 by default) by hooking directory-enumeration APIs inside other processes, so ransomware that lists the file system may fail to find and encrypt the server's essential files. The protection is only as good as the hook: a process the rootkit has not injected into, or malware that reads the volume directly, still sees the files, and endpoint security products commonly flag r77 itself as malware. Treat it as a demonstration of the idea rather than a substitute for backups.

Planning for Incident Response and Business Continuity

Developing a Disaster Recovery Plan

  1. Identify Key Systems and Data: Determine which assets are essential for business continuity and prioritize their protection.
  2. Establish Clear Roles and Responsibilities: Assign specific tasks to team members to streamline response efforts during an attack.
  3. Regularly Update and Test the Plan: Ensure that the disaster recovery plan remains effective as the organization evolves.

The Role of Cyber Insurance

Cyber insurance policies can help cover the costs associated with a ransomware attack. Insurers may require organizations to have specific security measures in place to qualify for coverage, making it essential to understand policy requirements and ensure compliance.

The Future of FileMaker Security

As ransomware tactics evolve, so too must FileMaker security measures. Moving forward, Porter and Moyer encourage FileMaker users to stay informed of emerging threats and to invest in advanced defenses. Regularly simulating attacks, improving user training, and implementing layered security are vital steps in staying ahead of ransomware.

Key Takeaways

Ransomware poses a significant threat to FileMaker servers, but a proactive approach to security can mitigate the risk. Porter and Moyer’s recommendations provide a comprehensive strategy for defending against attacks and ensuring that if ransomware strikes, FileMaker administrators are prepared to recover quickly and effectively.