Protect Against Ransomware Using Forescout CounterACT – Part 1: Windows Patching


December 20, 2019

Ransomware is the most diabolical type of malware. It encrypts the files of the infected computer as well as files across the network until a ransom is paid to the bad guys for the decryption keys. It is the most urgent cybersecurity challenge that affects organizations of all sizes. It can strike any organization at any time. There have been hundreds of reported ransomware attacks in the United States, and those are only a small portion of the victims; countless more are not publicly known. Many victims pay the ransom in order to get access to their data again. The City of Riviera Beach, Florida acknowledged that in June 2019 they and their insurance company paid $600,000 to get encryption keys from cybercriminals after being infected with ransomware. Hancock Health in Indiana did the same when they paid $55,000 to unlock 1,400 files encrypted by the ransomware. Although capture and prosecution are unlikely, the FBI indicted the creators of the SamSam ransomware in November 2018, alleging the two Iranian cybercriminals profited $6 million from their malware. In June 2019, the creators of the GandCrab ransomware announced they were shutting down their ransomware-as-a-service after collecting, according to them, $2 billion in payments. As long as victims keep paying, there is no end in sight to the financial motivation for cybercriminals to continue using ransomware. It will only continue to be the most destructive and costly form of malware in 2020.

This article is the first in a series detailing Forescout CounterACT as a tool to defend against ransomware. At its core, CounterACT is a network access control (NAC) solution that, due to its agentless capabilities, can see, control and respond to all managed and unmanaged devices on the network. It provides an accurate device inventory, continuous compliance enforcement, policy-based access control and rapid response to security incidents. Using CounterACT can be a preventative as well as a reactive solution for ransomware.

A fundamental aspect of endpoint security is patching. Windows servers and workstations are vulnerable to ransomware, and particularly vulnerable when they are not patched with the latest operating system updates from Microsoft. If a device isn’t compliant, it has no chance against ransomware. The need to patch is never going away. Unfortunately, ransomware isn’t going away either. It only takes one non-compliant device for the entire network to be compromised.

Too often, organizations’ patch management strategies are manual, time consuming, incomplete, not prioritized, prone to failure and operate in the dark. Devices cannot be seen without agents, and even with agents there are no guarantees of comprehensive functionality and deployment. Scanners alone are slow, sporadic and only provide a snapshot in time. By the time patching is scheduled, that device may no longer be connected to the network.

The human element is also a factor. Scanning, the deployment of agents and patching are vulnerable to the fragility of the human aspect of the process. Frank Abagnale, famed FBI consultant, cybercrime expert and former criminal, summarizes the human element with his often-quoted statement about breaches. “Every breach occurs because someone in that company did something they weren't supposed to do, or somebody in that company failed to do something they were supposed to do.” The breach of Equifax is a perfect example. Despite multiple annual cybersecurity assessments delivered directly to the CEO detailing thousands of unpatched applications and devices, many with critical vulnerabilities, Equifax repeatedly failed to act. The personal information, including Social Security numbers, of 145 million consumers was stolen from the credit reporting agency by the still unknown cyber attackers in 2017.

For both large and small organizations, across organizational silos and distributed networks, Forescout CounterACT finds and identifies network-connected devices, endpoints and servers, operating systems, installed applications as well as their patch status automatically, in real time and continuously. There is no need for massive scheduled scans looking into the darkness of the network that miss devices. CounterACT assesses the manageability of all Windows devices and determines their compliance condition, including the patch status. Equally important, the agentless CounterACT solution also confirms that each Windows device has been rebooted in order to apply those patches. Automated or manual actions can be taken to remediate any devices that require patching or rebooting to apply the patches. CounterACT integrates with WSUS, SCCM, scanners and asset management systems. It can also run custom scripts to automate the remediation of any device. Notifications can be sent to a SIEM, ticketing system or the help desk. Automated remediation actions can be structured by such conditions as the time of day, device type (workstation or server), network segment, office location or region.

The strategic goal is 100% patch compliance, but this target will be difficult and sometimes impossible to achieve. CounterACT can minimize the exposure of the non-compliant devices. It can take restrictive actions for devices that are not patched, cannot be patched or that are woefully out of date. These actions can include disabling USB ports, restricting a device from the Internet, blocking unmanaged or unpatched endpoints from joining the network or putting them in a quarantine VLAN until automated or manual update efforts can be applied.
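As an added example (not Forescout's code or CounterACT's own check), the following PowerShell shows the two conditions the preceding paragraphs describe, missing Windows updates and a reboot still pending to apply already-installed ones, rolled into a graded verdict of the kind a NAC policy would act on (notify, remediate, quarantine). It assumes it runs on the endpoint (locally or through PowerShell remoting) with administrative rights; the thresholds and verdict names are assumptions for illustration.

```powershell
# Added example (not Forescout's code); assumes admin rights on the endpoint; thresholds are assumptions.

function Test-PendingReboot {
    # Servicing stack and Windows Update each leave a marker key behind when a
    # reboot is still needed; Session Manager holds renames deferred to next boot.
    $cbs = Test-Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\RebootPending'
    $wu  = Test-Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired'
    $sm  = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager' -ErrorAction SilentlyContinue
    return ($cbs -or $wu -or ($null -ne $sm.PendingFileRenameOperations))
}

function Get-MissingUpdates {
    # Windows Update Agent COM API: software updates that are neither installed nor hidden.
    $searcher = (New-Object -ComObject Microsoft.Update.Session).CreateUpdateSearcher()
    $result   = $searcher.Search("IsInstalled=0 and IsHidden=0 and Type='Software'")
    foreach ($u in $result.Updates) {
        [pscustomobject]@{
            Title    = $u.Title
            Severity = $u.MsrcSeverity   # Critical, Important, Moderate, Low or blank
            KB       = ($u.KBArticleIDs | ForEach-Object { "KB$_" }) -join ','
        }
    }
}

function Get-PatchComplianceVerdict {
    param(
        [int]$MaxCriticalMissing = 0,   # assumption: any missing Critical update fails
        [int]$MaxTotalMissing    = 5    # assumption: beyond this the device is "woefully out of date"
    )
    $missing  = @(Get-MissingUpdates)
    $critical = @($missing | Where-Object { $_.Severity -eq 'Critical' })
    $reboot   = Test-PendingReboot

    # Graded outcome a NAC policy can map to notify, remediate or quarantine.
    $verdict = if ($missing.Count -gt $MaxTotalMissing)         { 'Quarantine' }
               elseif ($critical.Count -gt $MaxCriticalMissing) { 'Remediate' }
               elseif ($reboot)                                 { 'RebootRequired' }
               else                                             { 'Compliant' }

    [pscustomobject]@{
        ComputerName    = $env:COMPUTERNAME
        MissingTotal    = $missing.Count
        MissingCritical = $critical.Count
        PendingReboot   = $reboot
        Verdict         = $verdict
    }
}

Get-PatchComplianceVerdict | Format-List
```

A device that reports `RebootRequired` has the patches installed but not yet effective, which is exactly the state the article's reboot check is meant to catch.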

Windows patch compliance is just one aspect of Forescout’s powerful ransomware defense. In the next article, we will examine how Forescout can integrate with anti-virus solutions to proactively enforce compliance and take reactive action when a device has been compromised.

If you need assistance to defend against ransomware or want to see how a Forescout CounterACT proof-of-concept can secure your network, contact me at ghedge@castleventures.com.