For many years, the cybersecurity community has warned that “it’s not if you’ll be attacked, but when.” This is particularly relevant as ransomware continues to pose a significant risk to organizations. Many recent attacks no longer encrypt data at all but instead extort payment in exchange for deleting the data they have stolen. These human-operated ransomware attacks often take advantage of security weaknesses such as poorly configured Remote Desktop Protocol (RDP) exposure or inadequate identity and access management (IAM) practices, sometimes using previously compromised credentials obtained from dark web data dumps.
The impact of such attacks has grown, forcing some organizations out of business. Information security leaders must ensure that adequate time, budget and effort are allocated to prepare for, defend against and prevent an incident, while also carrying out the requisite detection, response and recovery activities.
Construct a Pre-incident Preparation Strategy
- Assume a ransomware attack will be successful and ensure that the organization is prepared to detect, contain and recover quickly.
- A good, regularly tested backup process and strategy is the primary line of defense for data recovery. Backups only fulfil that role if they cannot be reached with the same credentials an attacker would use against production, so keep at least one copy offline or otherwise isolated.
- Educate employees about phishing and social engineering to minimize human error.
- Implement comprehensive security hygiene measures so that deployed security controls are assessed consistently and continuously. Remove unnecessary administrative privileges and access to sensitive business applications to limit what a compromised account can reach.
Implement Detection and Response Measures
- Use tools such as SIEM, NDR and EDR to detect and respond to ransomware indicators.
- Employ isolation techniques during incidents, using on-device functionality (for example EDR host isolation) or network-based measures to limit the spread.
- Regularly monitor for changes to backup routines and for unauthorized changes to system configurations, since these frequently precede a ransomware detonation.
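The monitoring point above in working form, as an added example that is not code from the original page: detection logic run over a handful of constructed process-creation log lines. Human-operated ransomware typically deletes volume shadow copies, wipes the Windows Backup catalog and disables boot recovery shortly before encrypting, so the rules below look for those commands and escalate when one actor on one host uses two or more of them within a short window. The log line format, rule names, five-minute window and two-technique threshold are assumptions for the example, not a standard.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timedelta

# Commands ransomware operators commonly run to destroy local recovery points
# before detonating (MITRE ATT&CK T1490, Inhibit System Recovery).
TAMPER_RULES = [
    ("vss_shadow_delete", re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I)),
    ("vss_storage_resize", re.compile(r"vssadmin(\.exe)?\s+resize\s+shadowstorage", re.I)),
    ("wmic_shadow_delete", re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.I)),
    ("wbadmin_catalog_delete", re.compile(r"wbadmin(\.exe)?\s+delete\s+(catalog|systemstatebackup)", re.I)),
    ("bcdedit_recovery_off", re.compile(r"bcdedit(\.exe)?\b.*\brecoveryenabled\s+no\b", re.I)),
    ("bcdedit_ignore_failures", re.compile(r"bcdedit(\.exe)?\b.*\bbootstatuspolicy\s+ignoreallfailures\b", re.I)),
]

# Simplified line shape assumed for this example: "<iso-ts> <host> <user> | <command line>".
LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<host>\S+)\s+(?P<user>\S+)\s+\|\s+(?P<cmd>.+)$")

# Constructed sample log for the example (not captured from a real system).
# A legitimate backup job runs first, then one user tears down recovery.
SAMPLE_LOG = """\
2024-03-02T01:12:04Z FS01 CORP\\svc_backup | C:\\Windows\\System32\\wbadmin.exe start backup -backupTarget:E: -include:C:
2024-03-02T01:14:19Z FS01 CORP\\jdoe | C:\\Windows\\System32\\vssadmin.exe delete shadows /all /quiet
2024-03-02T01:14:21Z FS01 CORP\\jdoe | C:\\Windows\\System32\\wbadmin.exe delete catalog -quiet
2024-03-02T01:14:23Z FS01 CORP\\jdoe | C:\\Windows\\System32\\bcdedit.exe /set {default} recoveryenabled No
2024-03-02T01:14:25Z FS01 CORP\\jdoe | C:\\Windows\\System32\\wbem\\WMIC.exe shadowcopy delete
2024-03-02T01:15:00Z FS01 CORP\\jdoe | C:\\Windows\\System32\\notepad.exe
"""


@dataclass
class Alert:
    ts: datetime
    host: str
    user: str
    rule: str
    cmd: str
    severity: str = "medium"


def detect(log_text, window=timedelta(minutes=5)):
    """Return one Alert per matching command line; severity is raised to 'high'
    when the same host/user pair triggers two or more distinct rules inside the window."""
    alerts = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # lines that do not fit the assumed shape are skipped
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        for name, rx in TAMPER_RULES:
            if rx.search(m["cmd"]):
                alerts.append(Alert(ts, m["host"], m["user"], name, m["cmd"]))

    # Correlate per actor: a cluster of different recovery-tampering techniques
    # from one account on one host is the classic pre-encryption sequence.
    by_actor = {}
    for a in alerts:
        by_actor.setdefault((a.host, a.user), []).append(a)
    for group in by_actor.values():
        for a in group:
            nearby = {b.rule for b in group
                      if abs((b.ts - a.ts).total_seconds()) <= window.total_seconds()}
            if len(nearby) >= 2:
                a.severity = "high"
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_LOG):
        print(f"{a.ts.isoformat()} {a.host} {a.user} [{a.severity}] {a.rule}: {a.cmd}")
```

In production the same rules would be fed from EDR or Windows process-creation telemetry rather than a text blob, and the legitimate backup account (here the constructed CORP\svc_backup) would be allow-listed for scheduled jobs rather than for shadow-copy deletion, which it should never need.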
Build Incident and Post-incident Response Procedures
- Establish comprehensive incident response plans that include IT and communication strategies for internal staff and external parties.
- Conduct regular tabletop exercises to practice both business and technical response strategies.
- Develop a ransomware playbook outlining specific steps for handling ransomware incidents, from data recovery to making critical decisions such as whether to pay a ransom. Engage specialist response teams and third-party negotiation services when necessary.
The tactical recovery steps will vary depending on the organization and the extent of the compromise, but will involve:
- Recovery of data from backups, including verifying the integrity of the backups and establishing what data, if any, has been lost.
- Using EPP and EDR solutions to isolate and remove the threat from compromised systems as part of remediation.
- Validation of the integrity of a device before it is allowed back onto the network.
- Updating or revoking compromised credentials; without this, the attacker will simply regain entry.
- Performing a thorough root cause analysis of what happened and how, including an accounting of any data that was exfiltrated.
- Guidance on making a “pay/no-pay” decision.
- Should payment be a consideration, establishing a governance and legal process that includes senior leadership and the board.
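The backup integrity check called for in the recovery steps above (and implied by the earlier point that backups are the primary line of defense) as an added example, not code from the original page. A manifest of SHA-256 hashes is taken when the backup is written and authenticated with an HMAC whose key lives somewhere the backup host cannot reach; at recovery time the manifest tells you which files were modified (encrypted), which are missing and which were added, which is exactly the input needed to establish what data was lost. The directory layout, file names, key and the simulated attacker actions are all constructed for the example.

```python
import hashlib
import hmac
import json
import os
import tempfile
from pathlib import Path


def _sha256_file(path, chunk=1 << 20):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def _manifest_body(files):
    # Canonical encoding so the HMAC is reproducible regardless of dict order.
    return json.dumps(files, sort_keys=True, separators=(",", ":")).encode()


def build_manifest(backup_dir, key):
    """Hash every file under backup_dir and sign the listing with HMAC-SHA256.
    The key must not be stored with the backup, or an intruder who can rewrite
    the data can rewrite the manifest to match."""
    backup_dir = Path(backup_dir)
    files = {p.relative_to(backup_dir).as_posix(): _sha256_file(p)
             for p in sorted(backup_dir.rglob("*")) if p.is_file()}
    tag = hmac.new(key, _manifest_body(files), hashlib.sha256).hexdigest()
    return {"files": files, "hmac": tag}


def verify_backup(backup_dir, manifest, key):
    """Return a report: manifest_tampered, then missing / modified / unexpected files."""
    expected = hmac.new(key, _manifest_body(manifest["files"]), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, manifest.get("hmac", "")):
        # Do not trust any file list from a manifest that fails authentication.
        return {"ok": False, "manifest_tampered": True,
                "missing": [], "modified": [], "unexpected": []}
    backup_dir = Path(backup_dir)
    present = {p.relative_to(backup_dir).as_posix(): p
               for p in backup_dir.rglob("*") if p.is_file()}
    listed = set(manifest["files"])
    missing = sorted(listed - set(present))
    unexpected = sorted(set(present) - listed)
    modified = sorted(name for name in listed & set(present)
                      if _sha256_file(present[name]) != manifest["files"][name])
    return {"ok": not (missing or modified or unexpected), "manifest_tampered": False,
            "missing": missing, "modified": modified, "unexpected": unexpected}


def demo():
    """Constructed scenario: clean verification, then a simulated ransomware hit
    on the backup share, then an attacker forging the manifest without the key."""
    key = b"example-key-kept-off-the-backup-host"  # placeholder, not a real secret
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "finance").mkdir()
        (root / "finance" / "ledger.csv").write_text("acct,amount\n1001,250.00\n")
        (root / "hr").mkdir()
        (root / "hr" / "payroll.db").write_bytes(b"\x00\x01payroll")
        manifest = build_manifest(root, key)
        clean = verify_backup(root, manifest, key)

        # Simulated intrusion: one file "encrypted", one deleted, a ransom note dropped.
        (root / "finance" / "ledger.csv").write_bytes(os.urandom(64))
        (root / "hr" / "payroll.db").unlink()
        (root / "README_RESTORE.txt").write_text("your files are encrypted")
        hit = verify_backup(root, manifest, key)

        # Attacker rebuilds a matching manifest but does not hold the HMAC key.
        forged = build_manifest(root, b"wrong-key")
        forged_result = verify_backup(root, forged, key)
    return clean, hit, forged_result


if __name__ == "__main__":
    for label, report in zip(("clean", "after attack", "forged manifest"), demo()):
        print(label, report)
```

The manifest could equally be signed with an asymmetric key so that the backup host can verify but not forge it; the HMAC form is shorter to show and is enough to make the point that an integrity check is only as trustworthy as the place its reference values are kept.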