In addition to knowing never to pay cyber ransoms, here are nine other points to evaluate your organization’s preparedness against attacks.
Threat actors have also become very effective at encrypting data so that victims have to pay the ransom for the decryption key.
So, the onus is on business leaders to ensure that their operational processes and security measures are robust enough to prevent ransomware attacks in the first place.
Here are nine tips to keep ransomware attacks at bay:
- Make IT hygiene a priority
It is crucial that you gain visibility into every endpoint and workload running in your environment and then keep any vulnerable attack surfaces updated and protected, especially as remote-working becomes more commonplace.
This ‘hygiene-first’ perspective provides the power to drill down and proactively clean out your environment – and an effective solution should give your company the ability to:
⚫ Add defense-in-depth: Implement real-time detection policies to monitor for anomalous credential use, including detection of lateral movement. In addition, enable risk-based conditional access to trigger multi-factor authentication (MFA) for human and service accounts without adding burden to users, ensuring higher compliance.
⚫ Identify gaps in your security architecture: IT hygiene provides visibility into what hosts are running in the environment and whether they are protected. Having complete visibility enables effective deployment of security architecture and ensures no rogue systems are operating behind the walls.
⚫ See what (and who) are running in your environment: Proactively identify outdated and unpatched applications and operating systems so that you can manage your application inventory and solve security and cost problems simultaneously. Account monitoring allows you to see who is working in your environment and ensure they are not violating their credential permissions (including detection of tools or behavior trying to subvert those policies).
System administrators remain highly targeted, and combined with poor password renewal policies, credential theft is a harsh reality. With insight into password updates, you can prevent credential creep by removing old administrative accounts or making sure users update their passwords regularly. Taking this a step further, visibility into unusual admin behavior or privilege elevation can prevent silent failure by tipping off your security team as soon as something suspicious occurs.
⚫ Ensure user compliance: Consistent and ongoing user education can ensure that password best practices are followed, and ridding the network of old accounts (including service accounts) can mitigate the risk of ‘credential creep’ from data of former employees.
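The hygiene points above (hosts without a working sensor, end-of-life systems, stale administrative accounts, overdue password rotation) are the kind of thing a security team checks against exported inventory data. The following is an added example, not code from the article: it runs the checks over two constructed CSV exports whose column names, dates and thresholds are hypothetical, and a real run would replace the fixed reference time with the current time.

```python
import csv
import io
from datetime import datetime, timedelta, timezone

# Constructed sample exports (hypothetical column names, not from the article).
HOSTS_CSV = """hostname,os,os_end_of_life,edr_sensor_last_seen
ws-001,Windows 11,false,2024-05-20T08:00:00Z
ws-002,Windows 7,true,2024-05-20T08:05:00Z
srv-db01,Windows Server 2019,false,
srv-old,Windows Server 2008,true,2024-04-01T09:00:00Z
"""

ACCOUNTS_CSV = """sam_account,is_admin,enabled,last_logon,pwd_last_set
alice,true,true,2024-05-19T17:00:00Z,2024-03-01T10:00:00Z
svc_backup,true,true,2024-05-20T02:00:00Z,2021-06-01T10:00:00Z
bob_adm,true,true,2023-11-01T12:00:00Z,2023-10-30T09:00:00Z
carol,false,true,2024-05-18T09:00:00Z,2024-04-01T09:00:00Z
"""

# Fixed reference time so the report is reproducible; a real run would use datetime.now(timezone.utc).
NOW = datetime(2024, 5, 20, 12, 0, tzinfo=timezone.utc)

# Illustrative policy thresholds (assumptions; adjust to your own policy).
SENSOR_STALE = timedelta(hours=24)   # sensor silent longer than this counts as offline
ADMIN_IDLE = timedelta(days=90)      # privileged account unused longer than this is a removal candidate
PWD_MAX_AGE = timedelta(days=365)    # privileged password older than this must be rotated


def _ts(value):
    """Parse an ISO-8601 UTC timestamp; an empty field means 'never reported'."""
    if not value:
        return None
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def host_findings(csv_text=HOSTS_CSV, now=NOW):
    """Hosts that are unprotected (no or stale EDR sensor) or run an end-of-life OS."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        name = row["hostname"]
        seen = _ts(row["edr_sensor_last_seen"])
        if seen is None:
            findings.append((name, "no EDR sensor reported"))
        elif now - seen > SENSOR_STALE:
            findings.append((name, "EDR sensor offline for more than 24h"))
        if row["os_end_of_life"].lower() == "true":
            findings.append((name, f"end-of-life OS: {row['os']}"))
    return findings


def account_findings(csv_text=ACCOUNTS_CSV, now=NOW):
    """Enabled privileged accounts that are idle or whose password rotation is overdue."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["is_admin"].lower() != "true" or row["enabled"].lower() != "true":
            continue
        name = row["sam_account"]
        if now - _ts(row["last_logon"]) > ADMIN_IDLE:
            findings.append((name, "privileged account idle for more than 90d: review and remove"))
        if now - _ts(row["pwd_last_set"]) > PWD_MAX_AGE:
            findings.append((name, "privileged password not rotated in 365d"))
    return findings


if __name__ == "__main__":
    for host, issue in host_findings():
        print(f"HOST    {host:10} {issue}")
    for account, issue in account_findings():
        print(f"ACCOUNT {account:10} {issue}")
```

With the constructed data the report flags the host with no sensor, the host whose sensor has been silent for weeks, both end-of-life systems, the idle administrative account and the service account whose password has not changed in years; regular users and healthy hosts produce no findings. Feeding the same functions a scheduled export turns the "visibility" point above into a recurring check rather than a one-off audit.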
Once you have full visibility and understanding of your environment, your organization can identify hygiene-related security deficiencies and resolve them immediately. From there, security teams can quickly pivot to address the critical elements of comprehensive endpoint protection: prevention, detection, hunting and threat intelligence.
- Plug the security gaps that internet-facing applications can leave
Threat actors exploit single-factor authentication and unpatched internet-facing applications, so multi-factor authentication should be adopted as a priority.
For example, one ransomware threat actor routinely targeted systems with Remote Desktop Protocol (RDP) accessible from the internet. Less sophisticated threat actors operating ransomware variants such as Dharma, Phobos and GlobeImposter frequently gain access through RDP brute-force attacks.
- Elevate email security
Gaining an initial foothold into a victim organization through a phishing email is the most common tactic for ransomware groups. Typically, these suspicious emails contain a malicious link or URL that delivers the ransomware payload to the recipient’s workstation.
Implement an email security solution that conducts URL filtering and also attachment sandboxing. To streamline these efforts, an automated response capability can be used to allow for retroactive quarantining of delivered emails before the user interacts with them.
In addition, organizations may want to restrict users from receiving password-protected zip files, executables, JavaScript files or Windows installer package files unless there is a legitimate business need.
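The attachment restriction just described can be expressed as a small policy check. The example below is added here and is not code from the article or from any mail-security product; the blocked-type list, the constructed sample message and its attachments are all assumptions for illustration. It goes a little beyond the text in two ways a practitioner would want: it recognises an executable by its `MZ` header even when the file is renamed, and it treats a password-protected archive as blocked because its contents cannot be inspected.

```python
import io
import os
import zipfile
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# Illustrative policy (assumption): attachment types blocked unless a business exception exists.
BLOCKED_EXTENSIONS = {".exe", ".dll", ".scr", ".msi", ".js", ".jse", ".vbs"}


def attachment_verdict(name: str, data: bytes) -> str:
    """Decide whether one attachment may be delivered, by name, by content, and by archive contents."""
    ext = os.path.splitext(name.lower())[1]
    if ext in BLOCKED_EXTENSIONS:
        return "block: disallowed type"
    if data[:2] == b"MZ":                      # Windows executable header, whatever the file is called
        return "block: executable content despite filename"
    if ext == ".zip" or data[:4] == b"PK\x03\x04":
        try:
            archive = zipfile.ZipFile(io.BytesIO(data))
        except zipfile.BadZipFile:
            return "block: malformed archive"
        # Bit 0 of the general-purpose flag marks an encrypted (password-protected) member.
        if any(info.flag_bits & 0x1 for info in archive.infolist()):
            return "block: password-protected archive"
        inner = [m for m in archive.namelist() if os.path.splitext(m.lower())[1] in BLOCKED_EXTENSIONS]
        if inner:
            return "block: archive contains " + ", ".join(inner)
    return "allow"


def evaluate_attachments(raw_message: bytes):
    """Parse an RFC 5322 message and return (filename, verdict) for every attachment."""
    msg = BytesParser(policy=policy.default).parsebytes(raw_message)
    verdicts = []
    for part in msg.iter_attachments():
        data = part.get_content()
        if isinstance(data, str):               # text attachments come back as str
            data = data.encode()
        verdicts.append((part.get_filename() or "", attachment_verdict(part.get_filename() or "", data)))
    return verdicts


def _make_zip(members: dict) -> bytes:
    """Build a small stored zip archive in memory (constructed test data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for member_name, content in members.items():
            zf.writestr(member_name, content)
    return buf.getvalue()


def _mark_encrypted(data: bytes) -> bytes:
    """Set the encryption flag bit in every local and central-directory header (constructed test data)."""
    out = bytearray(data)
    for signature, flag_offset in ((b"PK\x03\x04", 6), (b"PK\x01\x02", 8)):
        pos = out.find(signature)
        while pos >= 0:
            out[pos + flag_offset] |= 0x01
            pos = out.find(signature, pos + 4)
    return bytes(out)


def build_sample_message() -> bytes:
    """A constructed inbound message carrying one harmless and several policy-violating attachments."""
    msg = EmailMessage()
    msg["From"] = "accounts@example.net"
    msg["To"] = "user@example.com"
    msg["Subject"] = "Invoice"
    msg.set_content("Please see the attached files.")
    stub_exe = b"MZ\x90\x00 constructed stub, not a real program"
    msg.add_attachment(b"%PDF-1.4 constructed", maintype="application", subtype="pdf", filename="invoice.pdf")
    msg.add_attachment(stub_exe, maintype="application", subtype="octet-stream", filename="photo.jpg")
    msg.add_attachment(stub_exe, maintype="application", subtype="octet-stream", filename="update.exe")
    msg.add_attachment(_make_zip({"setup.js": b"// constructed"}), maintype="application",
                       subtype="zip", filename="docs.zip")
    msg.add_attachment(_mark_encrypted(_make_zip({"report.docx": b"constructed"})), maintype="application",
                       subtype="zip", filename="secure.zip")
    return bytes(msg)


if __name__ == "__main__":
    for filename, verdict in evaluate_attachments(build_sample_message()):
        print(f"{filename:12} {verdict}")
```

Only the PDF is allowed; the renamed executable, the `.exe`, the archive holding a script and the password-protected archive are each blocked for a different, stated reason, which is the detail a reviewer of quarantine decisions needs. A mail gateway applies the same logic in its own configuration; the point of the code is to show what each rule actually tests.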
Adding an “[External]” tag to emails originating from outside of the organization, and a warning message on top of the email’s body can help remind users to use discretion when handling such emails.
- Improve endpoint resilience
Threat actors will often leverage a number of endpoint exploitation techniques. These vary from exploiting poor active directory (AD) configurations to leveraging publicly available exploits against unpatched systems or applications. Here are some key system-hardening actions for defenders to implement. It is important to note this is not an exhaustive list, and system hardening should be an iterative process.
⚫ Ensure full coverage across all endpoints on your network for endpoint security products and for the endpoint detection and response (EDR) platform. Each endpoint security platform should have strict anti-tampering protections and alerting in place if and when a sensor goes offline or gets uninstalled.
⚫ Develop a vulnerability and patch management program.
⚫ Follow AD security best practices:
⚪ Avoid easy-to-guess passwords with weak authentication methods
⚪ Avoid having regular domain users with local administrator privileges, and local administrator accounts with the same passwords across the entire enterprise or large portions of the enterprise
⚪ Limit workstation-to-workstation communication. While this can be achieved using group policy objects (GPOs), it can also be achieved through a number of micro-segmentation software options
⚪ Avoid sharing privileged credentials. Poor security practices include shared administrative accounts and using administrator accounts for personal or day-to-day business activity that does not require administrator privileges
- Ransomware-proof data with offline backups
The most important idea to consider is that threat actors have targeted online backups before deploying ransomware to the environment. For this reason, the only sure way of salvaging data during a ransomware attack is through ransomware-proof backups.
For example, maintaining offline backups of your data allows for a quicker recovery in emergencies. The following points should be considered when developing a ransomware-proof offline backup infrastructure:
⚫ Offline backups, as well as the indexes should be completely separate from the rest of the infrastructure
⚫ Access to such networks should be controlled via strict access control lists (ACLs), and all authentications should be performed using MFA
⚫ Administrators with access to both offline and online infrastructures should avoid reusing account passwords and use a jump box when accessing the offline backup infrastructure
⚫ Cloud storage services, with strict ACLs and rules, can also serve as offline backup infrastructure
⚫ Emergency situations such as a ransomware attack should be the only time the offline infrastructure is allowed a connection to the live network
- Restrict access to VMI
Recently, threat actors have started to attack virtualized infrastructure directly.
This approach allows for targeting of hypervisors that deploy and store virtual machines. As a result, the endpoint security products installed on the virtualized machines are blind to malicious actions taken on the hypervisor.
- Deploy a robust identity protection program
This helps the IT team to understand on-premises and cloud identity store hygiene (for example, Active Directory, Azure AD), ascertain gaps, and analyze behavior patterns and deviations for every workforce account (human users, privileged accounts, service accounts), detect lateral movement, and implement risk-based conditional access to detect and stop ransomware threats.
- Develop and pressure-test an Incident Response Plan
Recognizing threats and responding quickly and effectively can be the difference between a major incident and a near miss. Incident response plans and playbooks help facilitate that speedy decision making. Plans should cover all parts of the response effort, across the organization.
For the security team, they should provide aids to decision-making so that front-line responders do not overlook important details while triaging alerts. They should also outline the extent of the security team’s authority to take decisive actions—such as shutting down business-essential services—if a ransomware attack appears imminent.
For the crisis management team, plans should identify who will be involved and what their roles and responsibilities are. It should also tee up important decisions, like when to activate an incident response retainer; whether to notify insurance carriers; when and how to involve in-house or outside counsel; and discussing ransom demands with executives.
Consider conducting regular tabletop exercises to test the incident response plan and processes. Some organizations may benefit from simulated exercises such as ‘purple team’ engagements, where red teamers mimic ransomware operators’ actions on objectives, including data exfiltration and ultimately ransomware deployment. Regular exercising of the incident response plan, both planned and unplanned, such as utilizing a red team to conduct a mock attack operation, is recommended.
- Know when to ask for help
Calling in experts to help investigate, understand and improve the situation can make the difference between a minor incident and a major breach.
In some instances, organizations become aware of threat actor activity within their environment but lack the visibility to address the problem or the right intelligence to understand the nature of the threat. It is better still to seek expert assistance before it becomes a necessity.
A technical assessment from a third party can help to proactively identify and understand factors about your organization’s network that could make future ransomware incidents more or less likely. It may take different forms, depending on your current needs and security maturity.
For instance, if you experience an intrusion that was confined to a specific network segment or specific business unit, an enterprise-wide compromise assessment can give confidence that the attacker did not move into parts of the environment that were beyond the scope of the initial investigation.
Alternatively, an IT hygiene assessment can identify weak passwords, Active Directory configurations or missed patches that could open the door to the next attacker.
All in all, getting educated about the latest threats and seeking help by activating an incident response team may allow for detection and remediation before threat actors are able to deploy ransomware or exfiltrate data from the environment. This is crucial in dealing with modern digital threats, where even momentary lapses can have severe consequences for organizations.