Due to the rash of headline-stealing ransomware attacks over the past year, ransomware preparedness has become a board-level issue for most CISOs. There is a lot of advice out there on how to prevent, detect, contain, respond to, and recover from a ransomware attack.
These are the ten ransomware tips I have found to be most effective.
Top Ten Ransomware Tips from a CISO
1. Utilize multi-factor authentication (MFA) for privileged user accounts
For ransomware to encrypt an organization’s critical data, it must have access to it. One of the most common ways attackers obtain that access is by stealing and using the credentials of privileged users (often by phishing a system administrator).
One of the best ways to prevent a successful ransomware attack is to make sure stolen privileged credentials are useless to the attacker. Mandating multi-factor authentication for privileged users is the easiest way to accomplish this objective.
2. Implement measures to keep ransomware out of your environment
One way to avoid a devastating ransomware attack is to make sure that the ransomware does not make it into your environment in the first place. The entry point is often email, either as an attachment or via a download from a clicked malicious embedded link.
A good email security solution (whether gateway or API-based) will greatly reduce the amount of email-borne ransomware that gets into your environment.
3. Implement measures to stop ransomware from detonating / executing
If ransomware does make it into your environment, you will want to stop it before it can do its damage. A good next-generation endpoint security solution, comprehensively deployed to every host, is a ‘must have’ in 2021.
Since ransomware is constantly evolving, your endpoint security software should leverage non-signature-based mechanisms for detection such as deep learning, behavioral heuristics, and other techniques proven to detect previously unseen malicious code.
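To make the "behavioral heuristics" point concrete, here is an added example (not code from the original article or from any endpoint product) of the kind of rule such tooling applies: a process is flagged when, inside a short time window, it both writes many high-entropy files (encrypted or compressed data sits close to 8 bits of entropy per byte) and renames many files to a new extension. The telemetry format, the process names and the thresholds are all constructed for the example.

```python
import math
from collections import Counter, defaultdict

# Tunables (assumed values chosen for the example, not vendor defaults).
HIGH_ENTROPY_BITS = 7.0      # bits per byte; ciphertext is close to 8.0, documents are far lower
WINDOW_SECONDS = 10.0
MIN_ENCRYPTED_WRITES = 5
MIN_EXTENSION_CHANGES = 5


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of a byte string in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    counts = Counter(data)
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def _extension(path: str) -> str:
    return path.rsplit(".", 1)[-1].lower() if "." in path else ""


def detect_ransomware_behaviour(events, window=WINDOW_SECONDS,
                                min_writes=MIN_ENCRYPTED_WRITES,
                                min_renames=MIN_EXTENSION_CHANGES):
    """Return the set of process names whose file activity matches the heuristic.

    Each event is a tuple (timestamp, process, action, old_path, new_path, content):
      action == "write"  -> content holds the leading bytes written to old_path
      action == "rename" -> old_path was renamed to new_path
    A process is flagged when some `window`-second span contains at least
    `min_writes` high-entropy writes AND at least `min_renames` extension changes.
    """
    by_proc = defaultdict(list)
    for ts, proc, action, old_path, new_path, content in sorted(events, key=lambda e: e[0]):
        if action == "write":
            kind = "enc_write" if shannon_entropy(content) >= HIGH_ENTROPY_BITS else "write"
        elif action == "rename":
            kind = "ext_change" if _extension(old_path) != _extension(new_path) else "rename"
        else:
            continue
        by_proc[proc].append((ts, kind))

    flagged = set()
    for proc, items in by_proc.items():
        # Slide the window start over each event; events are already time-ordered.
        for i, (start, _) in enumerate(items):
            span = [kind for ts, kind in items[i:] if ts - start <= window]
            if span.count("enc_write") >= min_writes and span.count("ext_change") >= min_renames:
                flagged.add(proc)
                break
    return flagged


# Constructed sample telemetry. bytes(range(256)) has exactly 8.0 bits/byte of
# entropy and stands in for ciphertext; the "PK" header plus padding stands in
# for an ordinary Office document save.
ENCRYPTED_BLOCK = bytes(range(256))
DOCUMENT_BLOCK = b"PK\x03\x04" + b"A" * 60


def sample_events():
    events = []
    # Benign: a word processor saving the same document a few times.
    for i in range(6):
        events.append((i * 3.0, "winword.exe", "write", r"C:\Users\a\report.docx", "", DOCUMENT_BLOCK))
    # Constructed malicious pattern: one process overwrites many files with
    # high-entropy content and renames each to a new extension within seconds.
    for i in range(8):
        src = rf"C:\Users\a\docs\file{i}.xlsx"
        t = 20.0 + i * 0.5
        events.append((t, "unknown_proc.exe", "write", src, "", ENCRYPTED_BLOCK))
        events.append((t + 0.1, "unknown_proc.exe", "rename", src, src + ".locked", b""))
    return events


if __name__ == "__main__":
    print("flagged processes:", detect_ransomware_behaviour(sample_events()))
```

The two signals are deliberately combined: mass high-entropy writes alone also describe a backup or compression job, and mass renames alone describe a file migration, but the pair inside a ten-second window is far more specific. A real product would also weigh process lineage, signing status and the share of the user's document set touched.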
4. Segregate your network and consider adopting a zero-trust architecture
If ransomware does detonate within your environment, then you want to contain the damage as much as possible. Traditional network segmentation, i.e., dividing your network into segregated security zones, is extremely helpful. For even better protection, consider implementing microsegmentation technology or adopting a zero-trust architecture.
5. Simulate ransomware attacks
How do you know if your prevention strategies will work? You don’t unless you test them. Two great ways to test your ransomware defenses are through purple team exercises and attack simulation software. Most security firms with red teams can simulate common ransomware strains. Many breach and attack simulation tools can do the same.
6. Airgap backups and / or use immutable storage
If all the above fails, and your organization is victimized, your focus will turn to recovery. Smart attackers will target your backups. If your backups are compromised, you will have no way to recover your data other than paying the ransom.
Make sure to harden, i.e. lock down, your backup system. Consider air-gapping your backup system, using traditional offline media, e.g. tape, or immutable (non-rewritable) online storage.
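As an added illustration (not from the original article, and not any vendor's implementation) of what "immutable (non-rewritable) online storage" has to guarantee, the toy store below enforces three rules that an attacker who has compromised the backup server's credentials would otherwise exploit: an object can be written once and never overwritten, deletion is refused until its retention period expires, and every read and audit re-checks the stored SHA-256 so corrupted or tampered backups are caught before a restore depends on them. The key names, payloads and retention period are constructed; the injectable clock exists so the retention rule can be exercised deterministically.

```python
import hashlib
import time
from dataclasses import dataclass


class RetentionLockError(PermissionError):
    """Raised when a caller tries to overwrite or delete an object under retention."""


@dataclass
class _StoredObject:
    data: bytes
    sha256: str
    retain_until: float   # seconds since the epoch, as returned by the store's clock


class ImmutableBackupStore:
    """Write-once object store with object-level retention (an assumed stand-in
    for the object-lock / WORM features real backup targets offer)."""

    def __init__(self, retention_seconds: float, clock=time.time):
        self._retention = retention_seconds
        self._clock = clock
        self._objects = {}        # key -> _StoredObject

    def put(self, key: str, data: bytes) -> str:
        """Store a new object and return its SHA-256; existing keys are never replaced."""
        if key in self._objects:
            raise RetentionLockError(f"{key!r} already exists; overwrites are refused")
        digest = hashlib.sha256(data).hexdigest()
        self._objects[key] = _StoredObject(data, digest, self._clock() + self._retention)
        return digest

    def delete(self, key: str) -> None:
        """Delete an object only once its retention period has elapsed."""
        obj = self._objects[key]
        if self._clock() < obj.retain_until:
            raise RetentionLockError(f"{key!r} is under retention until {obj.retain_until}")
        del self._objects[key]

    def get(self, key: str) -> bytes:
        """Return object content after verifying it still matches the recorded digest."""
        obj = self._objects[key]
        if hashlib.sha256(obj.data).hexdigest() != obj.sha256:
            raise ValueError(f"integrity check failed for {key!r}")
        return obj.data

    def keys(self):
        return sorted(self._objects)

    def verify_all(self):
        """Return the keys whose content no longer matches the recorded digest."""
        return [k for k, o in self._objects.items()
                if hashlib.sha256(o.data).hexdigest() != o.sha256]


if __name__ == "__main__":
    now = [1_000_000.0]                                   # fake clock for the demo
    store = ImmutableBackupStore(retention_seconds=30 * 24 * 3600, clock=lambda: now[0])
    store.put("backups/fileserver/2021-06-01.tar", b"constructed backup payload")
    try:
        store.delete("backups/fileserver/2021-06-01.tar")
    except RetentionLockError as exc:
        print("refused:", exc)
    print("tampered objects:", store.verify_all())
```

The point of the model is that neither the backup software's service account nor a domain administrator can shorten the retention or replace an object; in a real deployment that property has to come from the storage layer (or from offline media), not from an application-level check that the same stolen credentials could switch off.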
7. Have a good ransomware response plan
For all aspects of ransomware containment, response, and recovery, you need a plan. Most botched ransomware responses occur because the victim organization is “winging it”. Your ransomware playbook should cover roles and responsibilities, third-party assistance, decision criteria, communications, etc.
Consider using a trusted third party, such as outside counsel or your incident response firm, to assist you with the development of your ransomware response playbook.
8. Conduct ransomware preparedness exercises
One of the biggest factors determining the extent of damage and the business impact of a ransomware attack on your organization is the speed and quality of your response to it. Stated simply, practice makes perfect.
You should conduct regular functional and tabletop exercises so that your organization’s ransomware incident response playbook can be executed from muscle memory. These exercises also tend to reveal weaknesses in your plan that can then be corrected to improve your response.
9. Transfer residual risk to an insurer via a cyber insurance policy
If your organization does not already have a cyber insurance policy that covers ransomware attacks, consider adding it. In addition to paying many of the expenses associated with a ransomware attack, most insurers can facilitate ransom payments (if needed).
But be warned. Due to the recent rash of ransomware attacks, many insurers are increasing underwriting standards, decreasing coverage, and raising deductibles and premiums for cyber insurance policies (if they continue to offer ransomware coverage at all).
10. Don’t forget about third parties!
Organizations are more reliant on third parties than they have ever been. No matter how prepared your organization is for a ransomware attack, there is little you can do if a critical third-party vendor falls victim to a ransomware attack and is unavailable for an extended period.
That is why it is important to have a robust third-party risk management program (TPRM) that includes a thorough review of the ransomware resiliency measures each critical third party has adopted. Beyond that, you will want to ensure your business continuity plans include contingencies for extended unavailability of critical third parties.