
How can I protect my organization from Ransomware?

Ransomware attacks are becoming more and more common, and they can be extremely disruptive to organizations. These attacks involve malware that encrypts the victim's data, making it impossible to access, and then demands payment in exchange for the decryption key. Unfortunately, these types of attacks are not going away anytime soon - they're incredibly effective in their malicious intent. Somewhere around 40% of ransomware attacks in 2022 received full or partial ransom payment in exchange for decryption of the victim's data. Until the majority of organizations implement a proper and robust information security program that covers all aspects of information security, we will continue to see ransomware attacks on the rise. In this response, I will outline some of the key steps an organization can take to protect itself from ransomware, based on current best practices and industry standards.


Security Awareness Training

Educate employees: One of the most effective ways to protect against ransomware is to ensure that all employees are aware of the risks and trained in how to avoid them. This can include training on how to recognize phishing emails, how to identify suspicious links or attachments, and how to avoid downloading software from untrusted sources. A large portion of ransomware attacks are the result of targeted (or blanket) phishing campaigns, whether through email or over the phone. You can implement the best security controls money and time can afford, but the workforce is still going to be the weakest link. Ensure your staff are up to snuff on training and awareness, and you can significantly reduce your risk of a ransomware attack.


Patch Management Program

Keep software up to date: Many ransomware attacks rely on vulnerabilities in outdated software. By keeping all software up to date with the latest patches and security fixes, organizations can reduce the likelihood of a successful attack. To have an effective patch management program, you must have a full, detailed, and current inventory of all assets, including hardware and software. With this inventory, you can implement logging and alerting so that you have a current one-stop shop showing which systems and software have become out of date. This inventory should be paired with a robust information security intelligence feed - a strong source of current information pulled from multiple reputable sources that contains the latest security news, the latest vulnerabilities, and current threat actor tactics. When a new vulnerability is released to the public, you will know, and with your detailed inventory you will know precisely which systems need to be updated or patched, and you can enact those changes in a timely manner.
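The inventory-plus-feed pairing described above, as an added example that is not part of the original article: a constructed asset inventory (with the stakeholder recorded for each system) is joined against constructed advisory entries so that each advisory yields the exact hosts that still run an affected version. All hosts, product names and advisory ids are placeholders.

```python
# Added example (not from the original article): pairing an asset inventory with
# vulnerability advisories so a newly published advisory immediately lists the
# systems that need patching. Hosts, products and advisory ids are constructed.
from dataclasses import dataclass

@dataclass(frozen=True)
class Asset:
    host: str
    owner: str      # the system stakeholder the inventory records
    product: str
    version: str    # dotted numeric version, e.g. "2.4.10"

@dataclass(frozen=True)
class Advisory:
    advisory_id: str   # placeholder id, not a real CVE number
    product: str
    fixed_in: str      # first version that carries the fix

def parse_version(v: str) -> tuple:
    """'2.4.10' -> (2, 4, 10), so versions compare numerically rather than as strings."""
    return tuple(int(part) for part in v.split("."))

def is_vulnerable(asset: Asset, adv: Advisory) -> bool:
    """Exposed if the asset runs the advisory's product below the fixed version."""
    return (asset.product.lower() == adv.product.lower()
            and parse_version(asset.version) < parse_version(adv.fixed_in))

def systems_needing_patch(inventory, advisories) -> dict:
    """Map each advisory id to the sorted (host, owner, version) entries it affects."""
    report = {}
    for adv in advisories:
        hits = [(a.host, a.owner, a.version) for a in inventory if is_vulnerable(a, adv)]
        if hits:
            report[adv.advisory_id] = sorted(hits)
    return report
# Constructed sample inventory and intelligence-feed entries.
INVENTORY = [
    Asset("web-01", "web team", "ExampleHTTPd", "2.4.10"),
    Asset("web-02", "web team", "ExampleHTTPd", "2.4.57"),
    Asset("db-01", "dba team", "ExampleDB", "14.2"),
    Asset("vpn-gw", "network team", "ExampleVPN", "9.1.3"),
]
ADVISORIES = [
    Advisory("ADV-0001", "ExampleHTTPd", "2.4.50"),  # web-01 is below the fix
    Advisory("ADV-0002", "ExampleVPN", "9.1.3"),     # vpn-gw already runs the fix
]

if __name__ == "__main__":
    for adv_id, hosts in systems_needing_patch(INVENTORY, ADVISORIES).items():
        print(adv_id, "->", hosts)
```

Version strings with non-numeric components (build tags, vendor suffixes) would need a richer parser than the dotted-integer one assumed here.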


Proper Authentication Mechanisms

Use strong passwords and multi-factor authentication: Ransomware attacks often rely on weak or easily guessed passwords. By requiring employees to use strong passwords and enabling multi-factor authentication, organizations can make it much more difficult for attackers to gain access to their systems. With the ease of access and wide adoption of these tools, there is no longer a good excuse not to have multi-factor authentication enabled for all users.


The rule of thumb for strong two-factor authentication is that users must present two of the following five types of information to be granted access:

  • Something you know: Information is classified as something you know if you store it in your memory and can retrieve it when needed, for instance a password, the answer to a security question, or a Personal Identification Number (PIN).

  • Something you have: This factor is defined as something you can carry with you. Typically, this will be an RFID token, USB key, ID badge, or your phone. With your phone, you can use SMS authentication codes or 2FA apps.

  • Something you are: This can simply be defined as biometrics. Something you are is information derived from the individual physically, such as a retina scan, a handprint, a voice signature, a face capture, or, most commonly, a fingerprint.

  • Somewhere you are: While not always thought of as one of the authentication factors, it often goes alongside the traditional 2FA factors. For example, this can be a location ping from your phone that places you at your place of work or in the correct city, or even the IP address you're connecting from. While not a strong factor by itself, combined with other factors it can significantly increase the reliability of 2FA.

  • Something you do: This factor is typically the least utilized, but it is present in many online applications in the form of "Are you human?" checks. This factor can observe the cadence of your typing or the way you move your mouse, and it can be very powerful, as copying someone's mouse movement and typing cadence is extremely difficult and requires the use of macro malware.


Robust and Current Incident Response Plan

Develop an incident response plan: In the event of a ransomware attack, it's critical to have an incident response plan in place. This plan should include steps for identifying and containing the attack, notifying stakeholders, and restoring systems and data. It should lay out a communications plan so the proper individuals are summoned when an incident occurs, and it should clearly define each individual's role. These things must be determined ahead of time - when an attack takes place without these critical elements in place, the response will be chaotic, and the amount of time your systems are down will increase.


Detailed Backup Plan

Implement a strong backup strategy: Even with the best defenses, it's still possible for an organization to fall victim to a ransomware attack. That's why it's critical to have a robust backup strategy in place, so that if data is encrypted by ransomware, it can be restored from a clean backup. It's important to ensure that backups are stored securely, and that they are tested regularly to ensure that they can be restored in the event of an attack. Since you have a current asset inventory in place, you can create a complete plan consisting of system criticality (so the most critical systems get restored first), system stakeholders (who owns the system), and detailed procedures for restoring each system specifically. Additionally, your backup plan should be tested on a routine basis - the plan itself should define the cadence.


Proper Antimalware Solution

Use anti-virus software on all workstations and servers: Anti-virus is critical in detecting and blocking ransomware on a system before it can do damage. Additionally, be sure your anti-virus definitions are kept current. Many ransomware attacks utilize the same type of structure and the same file signatures, but the attackers will purposefully re-encode or slightly modify them so the signatures currently stored in definition databases do not match, decreasing the odds that your anti-virus solution will detect them. Additionally, Sentinel recommends including specific procedures to ensure that when systems are on-boarded, the proper antivirus solution is set up and configured.


Access Control Mechanisms

Implement access controls: By limiting the access that employees have to sensitive data, organizations can reduce the risk of a ransomware attack spreading throughout their network. Access controls should be based on the principle of least privilege, which means that employees should only be given access to the data and systems that they need to perform their job duties. In the event a user account or user workstation is compromised, the breadth of spread from those stolen credentials can be significantly limited, and hopefully halted, leaving only a limited scope of compromise.


Well-Defined Firewall Rules

Having well-defined firewall rules is essential for maintaining the security of your network. Without proper rules, you can be vulnerable to a range of attacks, including denial-of-service attacks, port scanning, and infiltration by malicious actors. In addition, poorly defined firewall rules can lead to network downtime and reduced productivity, as traffic is unnecessarily blocked or allowed through.


Properly defined firewall rules should be based on a thorough understanding of your network topology, traffic patterns, and security requirements. The rules should be reviewed regularly to ensure that they are up-to-date and effective in preventing threats. The rules should also be designed to balance security requirements with the needs of your users, so that legitimate traffic is not blocked or slowed down unnecessarily.


In addition to defining firewall rules, it is important to ensure that the firewall itself is properly configured and maintained. This includes ensuring that the firewall is up-to-date with the latest security patches, that it is properly integrated with other security systems, and that it is regularly tested to ensure that it is functioning correctly. By taking the time to understand network traffic patterns and security requirements, and by regularly reviewing and updating firewall rules, you can greatly reduce the risk of a security breach.
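The regular rule review this section calls for, as an added example that is not part of the original article: a small audit over a constructed, ordered rule list that flags an "allow anything" rule and any rule that is shadowed by an earlier, broader rule and therefore never matches (the "unnecessarily allowed through" case). The rule format and addresses are assumptions for illustration, not a particular vendor's syntax.

```python
# Added example (not from the original article): a small audit of an ordered
# firewall rule list that flags two common review findings, an "allow anything"
# rule and rules shadowed by an earlier, broader rule. Addresses are constructed.
import ipaddress
from dataclasses import dataclass

ANY = "0.0.0.0/0"

@dataclass(frozen=True)
class Rule:
    name: str
    action: str   # "allow" or "deny"
    proto: str    # "tcp", "udp" or "any"
    src: str      # source CIDR
    dst: str      # destination CIDR
    dport: str    # destination port number or "any"

def covers(broad: Rule, narrow: Rule) -> bool:
    """True if every packet matched by `narrow` is also matched by `broad`."""
    net = ipaddress.ip_network
    return (
        (broad.proto == "any" or broad.proto == narrow.proto)
        and (broad.dport == "any" or broad.dport == narrow.dport)
        and net(narrow.src).subnet_of(net(broad.src))
        and net(narrow.dst).subnet_of(net(broad.dst))
    )

def audit(rules):
    """Walk the rules in match order and return (rule name, finding) pairs."""
    findings = []
    for i, rule in enumerate(rules):
        if rule.action == "allow" and covers(rule, Rule("", "allow", "any", ANY, ANY, "any")):
            findings.append((rule.name, "allows all traffic; replace with explicit allows"))
        for earlier in rules[:i]:
            if covers(earlier, rule):   # the first shadowing rule is enough to report
                findings.append((rule.name, f"never matches; shadowed by '{earlier.name}'"))
                break
    return findings

# Constructed ruleset: rule 30 is an any/any allow, which also makes rule 40 unreachable.
RULES = [
    Rule("10-allow-web", "allow", "tcp", ANY, "10.0.1.0/24", "443"),
    Rule("20-deny-rdp", "deny", "tcp", ANY, "10.0.0.0/8", "3389"),
    Rule("30-allow-all", "allow", "any", ANY, ANY, "any"),
    Rule("40-deny-smb", "deny", "tcp", ANY, "10.0.0.0/8", "445"),
]
if __name__ == "__main__":
    for name, finding in audit(RULES):
        print(f"{name}: {finding}")
```

Port ranges and partially overlapping rules are not modelled here; a production review tool would need to handle both before it could declare a rule fully shadowed.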


Stay Connected

Engage with security experts: Finally, it's important for organizations to work with security experts who can provide guidance on the latest threats and best practices for protecting against ransomware. This can include hiring a dedicated security team or working with a third-party security provider. It is crucial to have an expert set of eyes review your security policies, access controls, and system configurations, and conduct auditing work including penetration testing and risk assessments. You may feel you have a robust information security program in place, but oftentimes auditors will find forgotten systems or areas that would otherwise go unnoticed, and could potentially be utilized by a malicious actor or ransomware.


Some additional resources for organizations looking to protect themselves against ransomware include:

  • The National Institute of Standards and Technology (NIST) Cybersecurity Framework, which provides guidelines for managing cybersecurity risk: https://www.nist.gov/cyberframework

  • The Cybersecurity and Infrastructure Security Agency (CISA) Ransomware Guide, which provides detailed advice on how to prevent, respond to, and recover from ransomware attacks: https://www.cisa.gov/ransomware

  • The Information Systems Audit and Control Association (ISACA) Ransomware Task Force, which has developed a comprehensive set of recommendations for preventing and responding to ransomware attacks: https://www.isaca.org/resources/ransomware-task-force

© 2025 Sentinel Information Security, LLC.
