Ransomware Defense Using Forescout CounterACT – Part 4: Containment


June 29, 2020

For the City of Atlanta, March 22, 2018 is a day that will not be forgotten anytime soon. Early that morning, servers and data across the city network were encrypted by SamSam ransomware, and roughly one-third of the City's applications went down. The attackers demanded about $51,000 in bitcoin for the keys needed to decrypt the files.

Atlanta is not only a major American city but also home to Hartsfield-Jackson, the busiest airport in the world. The airport is owned and operated by the City and is the largest employer in Georgia. The ransomware outbreak would eventually affect the airport too.

This article is the 4th in a series detailing Forescout CounterACT as a tool to protect and defend against ransomware. The first article can be found here. At its core, CounterACT is a network access control (NAC) solution that, because it works agentlessly, can see, control and respond to all managed and unmanaged devices on the network. It provides an accurate device inventory, continuous compliance enforcement, policy-based access control and rapid response to security incidents. CounterACT can therefore serve as both a preventative and a reactive control against ransomware.

Previous installments of this series focused on Forescout's preventative capabilities. This part gives an overview of its reactive capabilities and its ability to take automated action. Ransomware can begin encrypting files within seconds of execution, so the response has to be just as fast: a containment step that waits for a human to read the alert, locate the device and reconfigure a switch will usually be too slow to prevent network-wide damage. A NAC such as CounterACT can perform that containment automatically.

Forescout CounterACT has multiple methods for blocking, containing and quarantining devices. Through integration with network switches, the NAC can apply an access control list (ACL) to an access port or to a specific endpoint, move a device to a quarantine virtual LAN (VLAN), or shut the switch port down entirely. Integrations with VMware, wireless controllers, endpoint detection and response (EDR) solutions, VPN concentrators and firewalls provide additional points of enforcement. Without any integration at all, by monitoring mirrored traffic, Forescout can also apply a virtual firewall to endpoints that require containment. That out-of-band method can only act on sessions it observes, and only after their first packets have already passed, so treat it as a fallback rather than a substitute for enforcement at the switch.

A specific endpoint can be restricted with an ACL on a switch port keyed on its IP or MAC address. This has two benefits: a VoIP phone connected to the same switch port is not affected, and a device plugged into an unmanaged downstream switch can still be blocked on the managed switch it uplinks to. A port ACL, by contrast, is applied to the access port itself and does not depend on the endpoint's IP address. Its use cases are guest connections such as a conference room jack, or restricting a port immediately before a DHCP lease has been assigned, when there is no IP address to match on yet.
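The trade-offs between the containment methods above can be written down as a small decision procedure. The following is an added example, not Forescout's code or any real NAC policy: it chooses the least disruptive method that still isolates the host (per-endpoint ACL when a phone or an unmanaged switch shares the port, port ACL when the host has no IP yet or sits on a guest port, otherwise a quarantine VLAN with port shutdown as the fallback) and renders the corresponding switch configuration. The inventory entries, addresses, port names, VLAN number and ACL names are constructed, and the rendered lines use illustrative IOS-style syntax rather than commands a product actually emits.

```python
"""Choosing a containment method for an infected endpoint (illustrative)."""
from dataclasses import dataclass
from enum import Enum
from typing import List, Optional, Tuple


class Method(Enum):
    ENDPOINT_ACL = "per-endpoint ACL (IP or MAC)"
    PORT_ACL = "port ACL (address-independent)"
    QUARANTINE_VLAN = "quarantine VLAN"
    PORT_SHUTDOWN = "port shutdown"


@dataclass
class Endpoint:
    mac: str                      # colon-separated, e.g. "00:11:22:33:44:55"
    ip: Optional[str]             # None while the host has no DHCP lease yet
    switch: str
    port: str
    shares_port_with_voip: bool = False
    behind_unmanaged_switch: bool = False
    guest_port: bool = False


def choose_method(ep: Endpoint, quarantine_vlan_available: bool = True) -> Method:
    """Pick the least disruptive method that still isolates the host."""
    # Other devices share the port (a phone, or hosts behind an unmanaged
    # switch), so only the infected address itself may be blocked.
    if ep.shares_port_with_voip or ep.behind_unmanaged_switch:
        return Method.ENDPOINT_ACL
    # No IP yet (pre-DHCP) or a guest jack: restrict the port regardless of address.
    if ep.ip is None or ep.guest_port:
        return Method.PORT_ACL
    # Dedicated port: isolate it. Prefer a quarantine VLAN so remediation
    # traffic can still reach the host; otherwise shut the port.
    return Method.QUARANTINE_VLAN if quarantine_vlan_available else Method.PORT_SHUTDOWN


def cisco_mac(mac: str) -> str:
    """00:11:22:33:44:55 -> 0011.2233.4455 (dotted form used by MAC ACLs)."""
    hexdigits = mac.replace(":", "").replace("-", "").lower()
    return ".".join(hexdigits[i:i + 4] for i in range(0, 12, 4))


def render_commands(ep: Endpoint, method: Method, quarantine_vlan: int = 999) -> List[str]:
    """IOS-style configuration lines for the chosen method (illustrative syntax)."""
    acl = "QUARANTINE-" + ep.mac.replace(":", "").upper()   # hypothetical naming scheme
    iface = f"interface {ep.port}"
    if method is Method.ENDPOINT_ACL:
        if ep.ip is not None:
            # Block by IP: neighbours on the same port keep their access.
            return [f"ip access-list extended {acl}",
                    f" deny ip host {ep.ip} any",
                    " permit ip any any",
                    iface,
                    f" ip access-group {acl} in"]
        # No lease yet: match on MAC so the block holds across DHCP.
        return [f"mac access-list extended {acl}",
                f" deny host {cisco_mac(ep.mac)} any",
                " permit any any",
                iface,
                f" mac access-group {acl} in"]
    if method is Method.PORT_ACL:
        # Address-independent: only DHCP is allowed so the host can still be
        # identified later; everything else entering the port is dropped.
        return [f"ip access-list extended {acl}",
                " permit udp any eq bootpc any eq bootps",
                " deny ip any any",
                iface,
                f" ip access-group {acl} in"]
    if method is Method.QUARANTINE_VLAN:
        return [iface, f" switchport access vlan {quarantine_vlan}"]
    return [iface, " shutdown"]


def contain(ep: Endpoint, quarantine_vlan_available: bool = True) -> Tuple[Method, List[str]]:
    method = choose_method(ep, quarantine_vlan_available)
    return method, render_commands(ep, method)


# Constructed inventory entries standing in for what the NAC knows about
# each endpoint (hypothetical MACs, IPs, switch names and port names).
SCENARIOS = {
    "desk_with_phone": Endpoint("00:11:22:33:44:55", "10.20.30.40", "sw-floor3",
                                "GigabitEthernet1/0/12", shares_port_with_voip=True),
    "lab_behind_hub": Endpoint("00:aa:bb:cc:dd:ee", None, "sw-lab",
                               "GigabitEthernet1/0/1", behind_unmanaged_switch=True),
    "conference_room": Endpoint("de:ad:be:ef:00:01", None, "sw-floor1",
                                "GigabitEthernet1/0/7", guest_port=True),
    "dedicated_desk": Endpoint("00:de:ad:be:ef:99", "10.20.30.77", "sw-floor2",
                               "GigabitEthernet1/0/3"),
}

if __name__ == "__main__":
    for name, ep in SCENARIOS.items():
        method, lines = contain(ep)
        print(f"{name}: {method.value}")
        for line in lines:
            print("   ", line)
```

The ordering of the checks is the point: the question a NAC policy has to answer first is not "how do I block this host" but "what else is on this port that I must not break", and only then how blunt an instrument can be used.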

The request to contain an infected device can come from several places: Forescout's own threat detection; an integrated EDR product such as FireEye or CrowdStrike; an anti-virus solution such as McAfee or Symantec; a secure email gateway; a SIEM, where the alert may have originated with a product Forescout does not directly integrate with yet; or a manual action by a SOC analyst.

Fast containment is vital to stop the endpoint, and the files and other devices across the network, from being encrypted. Some ransomware families reach out to Internet-connected command and control servers when they launch, to fetch or register a per-victim encryption key, and for those families cutting off egress before encryption starts can stall the attack. That cannot be relied on, however: many families carry an embedded public key and encrypt entirely offline, and human-operated attacks such as SamSam are deployed only after the intruder already has a foothold. The dependable value of containment lies in the other direction: an isolated host cannot reach file shares, other endpoints or the attacker's tooling, so the damage stops at that machine.

Using its variety of containment methods, CounterACT can block an infected device from reaching the Internet, a portion of or the entire network, or any other networked device. Containing the infected device quickly prevents it from communicating with its command and control server and from infecting other devices or network file shares.

Forescout's integrations are also bi-directional. It can share IOCs with EDRs, request that an EDR contain an infected device, provide host and threat information to a SIEM or a security orchestration, automation and response (SOAR) platform for further action, or request that a vulnerability management product scan an infected host. Forescout can then take further action based upon the results of the scan.

The SamSam ransomware infected nearly all of Atlanta's city agencies, knocking out the judicial databases, online bill payment for the water utility and the airport Wi-Fi. The impact spread far beyond court schedules and the public wireless network: elected officials and city employees reported losing years' worth of correspondence, and footage from dashboard-mounted cameras in police cars was destroyed.

Atlanta decided not to pay the ransom, reasoning that paying bad actors only encourages the behavior. Instead the City spent a year of effort and $7 million on recovery, and used the experience to transform its cybersecurity infrastructure and its entire network. The recovery accelerated the replacement of legacy systems with faster and more secure technology, and the City successfully hosted the Super Bowl the following year. You can read more about the recovery and Atlanta's deployment of Forescout CounterACT in this article from the Wall Street Journal.

Containment is just one aspect of Forescout’s powerful ransomware defense. In the next article, we will examine how CounterACT can integrate with vulnerability scanners.

Is your organization prepared for a ransomware attack? If not, contact me at ghedge@castleventures.com.