Prescribed Domains for Ransomware Preparedness
By Colette Burke, Security Services Lead & Mitchell Bearry, Information Security Analyst
Prevention is the first order of the day when it comes to Ransomware Preparedness. These ransomware prevention tactics and governing principles can serve as a playbook for your organization to shore up your defenses so that a ransomware perpetrator cannot gain an advantage in service of their attack.
The Importance of Backups
At TraceSecurity, we believe the foundation of your ransomware preparedness program is your backups. If a ransomware threat actor is able to access and encrypt your production systems, whether they be workstations or servers or other important applications, you want to ensure that your information will be safe and accessible in another place. This means following the 3-2-1 backup rule: Maintain 3 copies of your data (1 primary and 2 backups); keep your data on at least 2 types of storage media (local drive, NAS, tape, etc.); and store at least 1 of these backups offsite (secure storage, cloud, etc.).
We cannot stress enough that when it comes to the threat of ransomware, the strength of your backups boils down to their complete isolation from your production systems. Ransomware threat actors, when afforded the opportunity to lock-up the primary copies of your data, will stop at nothing to corrupt your backups as well. And for your organization, without access to up-to-date and uncorrupted backups of your systems, your ransomware response is hamstrung from the start.
We will go into greater detail on backups as a part of the Response and Recovery section; however, we wanted to introduce it as a part of prevention due to the preparation necessary to plan and implement a robust backup program.
System Hardening & Software Updates
To prevent unauthorized access to your networks and systems, some steps your technical team can take fall under system hardening and software updating measures. With all the possible managed devices that fall under your organization's purview, you should maintain a vulnerability management program that scans those devices for known vulnerabilities and gives you the structure to prioritize and remediate those vulnerabilities to reduce your overall risk.
In a similar vein, patch management procedures are going to provide your team with the framework to apply software updates in an organized and vetted fashion. By taking these vulnerabilities and out-of-date software off the table, you are reducing the attack surface for a ransomware perpetrator, giving them fewer and fewer footholds in their uphill climb to gain unauthorized access to your systems.
Segmentation, Permissions, & Access Control
While we are on the topic of infrastructure, we also want to stress the importance of documented, approved data flows, paying special attention to network segmentation. A properly segmented network with security zones and access controls could be the saving grace against ransomware software spreading from system to system.
You should have a strong grasp on the access permissions assigned to your users, abiding by the principles of least privilege as well as separation of duties. Every level of permissions should be structured to give as little power as possible to a ransomware threat actor potentially compromising that account. Your organization will also want to audit any file share permissions in place and lock down any connections that are no longer needed or can be replaced by other, more secure means of communication.
Remote Desktop Protocol (RDP) also represents a crucial entry point for the enterprising ransomware actor, with some industry professionals colloquially referring to it as the “Ransomware Deployment Protocol.” In 2020, RDP was the initial attack vector in 50% of ransomware deployment cases; and while in 2021 RDP accounted for 30% of total ransomware exposures, that's still more than double the next most common exposure.
All of these facts mean your organization needs to stay on top of IT best practices for configuring and authenticating to this protocol, especially as businesses continue to navigate the remote work landscape.
If there is one thing we've learned from current events in ransomware attacks, we need to pay particular attention to the supply chain and how your organization depends on third party vendors and managed service providers. Compromises like SolarWinds or Kaseya are only predictable in their eventuality–anyone can and will be a target of ransomware or other malicious threats.
You can insulate your organization from this threat by maintaining an effective vendor management program; conducting due diligence on prospective vendors, verifying BCPs for existing vendors, and maintaining detailed logs and monitoring over your vendor's activity on your network are all essential parts of making sure your organization does not fall victim to the same level of attack your vendors can and do face in this day and age.
One of the strongest ways you can prepare your organization for an attempted ransomware intrusion is not at the application level or at the infrastructure level, but at something much more nuanced and tricky to manage - the human level. The people who work for your organization can be both your strongest asset but also your weakest link in the armor that is your information security program. All it takes is one unsuspecting employee clicking on a phishing link or downloading a malicious attachment to open up the system access a ransomware attacker would need to encrypt your organization's important data.
That is why security awareness training as well as phishing simulation testing are the key to educating your employees on the latest and greatest threats, appealing to different learning styles as well as experience levels to get everyone on the same page. Employees should receive feedback upon completing a phishing test, either recognizing them for their correct handling of the perceived threat, or providing them remedial training to help them avoid phishing attacks in the future. You should also make sure to educate your employees on the importance of strong and unique passwords, as well as the use of multi-factor authentication (MFA) as an extra layer of protection for their user accounts.
Email Security Solutions
Alongside your remote social engineering training regimen, your organization's anti-spam and anti-phishing filtering systems should provide a strong line of defense protecting your employees from the outside. Implementing SPF in conjunction with DMARC can help to stop email spoofing in its tracks. Authenticating email sender addresses can also be accomplished through DKIM by comparing digital signatures to organization DNS records.
For your web environment, you can put in place secure DNS to protect your systems from DNS cache poisoning; in addition, you may want to implement one or more forms of content filtering to cover your bases in terms of the internet browsing that your employees conduct throughout the business day. All of these technical controls can filter out the worst threats that ransomware attackers put out there, thereby allowing your employees to put their best foot forward in their security awareness.
The second step in preparing for a ransomware attack is Detection. If you are unable to prevent the attack from occurring, the next best option is to have the means to quickly and efficiently learn of its existence so that measures can be implemented to stop it in its tracks before any further damage is caused.
The period of time between the point at which ransomware infects a device and the time at which it can spread throughout the rest of your network is extremely short. Unless you have a dedicated SOC team watching your network 24/7, your only hope of detecting and stopping it before too much damage is done is through automated solutions.
Software such as IDS/IPS, endpoint protection solutions, anti-malware software, content and spam filtering, SIEM solutions, and other similar applications have the capabilities necessary to first detect, and then block, quarantine, isolate, or stop potential attacks before they fully infest your network. However, no single solution is completely adequate to secure your network and detect ransomware. As previously mentioned with SolarWinds and Kaseya, even the companies hosting these security solutions can be affected by malware.
As a result, the principle of defense-in-depth, or layered security, comes into play here. By employing multiple brands of different types of solutions, you can help mitigate the risk of one of the applications missing a potential attack. In the case of the security software itself being compromised, retaining multiple solutions from different vendors will allow them to scan each other to detect if a portion of your shield against this threat becomes infected.
In addition to these solutions, there are other applications available which may indirectly aid in detecting a potential ransomware attack. The first of these is integrity checking/file monitoring software. This solution is software capable of analyzing the hashes of installed programs to determine if they were modified during download, and that checks firmware and other information to verify their legitimacy. If the hash of the program listed on the company's website is different than the hash of the program after it was downloaded, then the software was likely intercepted by an attacker and modified to be malicious before being passed on.
Using a SIEM solution or IDS, you could then potentially trace the source of the interference and determine the attack vector responsible. File monitoring software will allow for auditing of the network and can generate alerts if any file or folder is accessed by a user who does not have the necessary permissions. This kind of alert can help determine if ransomware is trying to install itself on the network, or alter the contents of files on a device.
A performance and capacity monitoring solution can also be used to detect a potential attack. Normally used to check on the health of your devices, these solutions could also allow you to see if the CPU, memory, and disk usage, as well as other factors, are showing a sudden spike or increase in utilization that may be indicative of an attack. Monitoring systems using this method will allow you to check for ransomware attacks as well as other forms of malware.
Finally, a software inventory can aid in quickly learning of ransomware that is already on your devices. Through constant scans of all devices on the network, the solution can determine if any applications or software that are not allowed on certain devices have been downloaded and/or installed, and alert appropriate response personnel of this information.
While all of these automatic solutions to detect malware can be very helpful, the most proactive way to stop a ransomware attack will always be effective security practices by employees. At the end of the day, it is the human aspect that will be targeted by ransomware threat actors the most, since we are the weakest link in any organization.
PurpleSec, a website that compiles cybersecurity statistics, found that 21% of ransomware attacks have involved a social aspect such as phishing. Ensuring that your employees are well-trained in spotting and reporting suspicious emails, phone calls, visitors, websites, and other common attack vectors is important when detecting the source from which ransomware could occur. No one checked the identification of the service technician; was he really from AT&T? Are you sure the link in the email you received is really from the CEO? Being able to notice and properly report anything that might be out of the ordinary will help to detect a ransomware attack while it is still in its infancy of affecting your network.
That is why cybersecurity awareness for employees is so highly stressed in all of TraceSecurity's services – any publicly available information that you can find, an attacker can find and use to their advantage. This information can be used to craft the perfect phishing email with a link to unknowingly download ransomware onto the company network, or to put together a disguise to wear before entering the building and claiming to be from a trusted vendor.
While you cannot 100% guarantee that all your employees will detect dangerous actions, by conducting cybersecurity awareness training and tests such as phishing, vishing, and onsite social engineering campaigns, you will be able to ensure that everything possible is being done to properly train even the most technology-illiterate individuals. And perhaps more important than the recognition of the threat, you must also train your employees on the follow-through, including clear incident reporting guidelines to ensure that potential breaches or compromises are elevated to the necessary personnel as soon as humanly possible.
Response & Recovery
This domain represents where things have taken a turn for the worse. An attacker was able to circumvent your prevention solutions and has breached the network. Due to further actions by this party, or misconfiguration internally, your detection solutions did not alert you in time to fully secure your organization against the attack and to purge your systems of this threat actor's presence.
Your fears have finally come true and there is a ransomware payload deployed on your network, locking down your computers, encrypting the data, and demanding a large number of Bitcoin or other cryptocurrency as payment to decrypt your files. If such a scenario occurs so as to render your Prevention and Detection solutions ineffective, the next phase to implement is Response & Recovery. This section focuses on how to recover your files and prevent further damage.
Your response to a ransomware attack is just as critical as your preparation beforehand; make the wrong choice, and you could cause even more harm to the network than the attackers. If some of the following controls are in place, it can help ensure the recovery of lost data and negate the need to pay the ransom entirely.
Backups After a Breach
The first step to establishing a solid chance for recovery of your data is through backups. As previously discussed, all necessary data should be backed up, whether that is from critical systems like servers, shared drives, network device configurations, or other devices. Workstations should also be backed up if employees are storing sensitive information locally. For critical systems, a regular, complete backup of the entire device, including the operating system, applications, settings, and all other necessary data should be done.
All backups should be encrypted, stored either off-site or in the cloud, and tested at least monthly to ensure that file restoration is working properly. With good processes in place, you can know that in the event of a ransomware attack, it would be relatively simple to isolate the affected devices, do a complete wipe, and restore the entire system from scratch.
In addition to the restoration of your systems from an attack and the purging of the ransomware software from your network, you should also be investigating the attack to determine how it was carried out. Additional factors such as the systems affected, the vulnerabilities exploited, and the accounts compromised, are just some of the ways in which you can identify the source of the intrusion and plug the hole to ensure the attackers cannot use the same vector again.
It is important to realize that if ransomware gangs get in once, as soon as you pay the ransom and they decrypt your files, they can and will attempt another incursion. Their logic is, if you have paid once, there's a good chance you will pay again. According to CBS News, a study from Cybereason states that 80% of ransomware victims are hit with a repeat attack. That is why it is critical to patch the system or vulnerability used by the bad actors to get in the first time. If they decide to attack again, then they will have to find a new way to leverage the systems, buying your network team more time to fully secure your devices.
In order to make certain that this restoration process can be performed in adequate time and using cost-effective resources, a few documents should be established to define the standards and track the entire process.
An Incident Response Plan should be present to outline the steps for event response, from the moment the attack is detected all the way to when reports are written. Additionally, each of these steps should be documented in their application so lessons learned from incidents can be used to update the plan.
A Disaster Recovery Plan encompasses the more general recovery requirements, such as communication procedures, specific recovery procedures for ransomware, and cybersecurity insurance. Contact information for authorized response personnel should also be included, such as internal response teams, law enforcement, regulators, and all other associated third parties that may need to be notified following a ransomware attack.
Finally, the objectives for the resumption of business operations should be defined either within the Disaster Recovery Plan, or in a separate document such as a Business Impact Analysis. Examples of these factors can include Recovery Time Objectives (RTO), Recovery Point Objectives (RPO), Maximum Allowable Downtime (MAD), dependencies of systems, and essential personnel to perform the recovery.
Disaster Recovery Testing
These guidelines in theory are only useful if they work in practice, and that is where disaster recovery testing comes in. A variety of tests exist to help determine the program's effectiveness.
Testing both full restores as well as file restoration from backups guarantee that the organization has the ability to recover all data encrypted by a ransomware attack. Core processor failover tests are used to see if the business can remain operational at an alternate site following an attack. It is important that in the event your RTO or RPO is not met during mitigation of a ransomware attack at the primary location, that an alternate site is in place that can run the core functions of the organization until the main location is brought back online.
Tabletop exercises are the best way to test an organization's response to a ransomware attack and to see if you are truly prepared on all organizational levels. By running through a ransomware scenario with upper management and any involved third parties, you will know if the procedures outlined in the Incident Response Plan and Disaster Response Plan actually work, and whether the RTO and RPO can be feasibly satisfied. Lessons learned from these tests are necessary to update the response plans. As ransomware gangs become more sophisticated and update their own methods of attack, you also need to improve your own controls in place to respond to them.
Another method that can be used to reduce the damage done by a ransomware attack is through cybersecurity insurance. Given the prevalence and efficiency of ransomware in use today, cyber insurance that specifically covers ransomware can be extremely expensive. However, if you are not able to afford the appropriate Prevention, Detection, and other solutions to keep attackers at bay, this contingency may serve as a partial substitute and help compensate for a deficiency in other controls.
Ransomware insurance coverage can help reduce the financial burden of paying a ransom to recover locked-up systems; it can also help to cover the cost of data restoration and/or dealing with stolen or leaked data from a public relations perspective. Make sure to read your policy coverage as thoroughly as possible and understand exactly what will or will not be covered in the event of a ransomware attack.
TraceSecurity's prescribed domains for ransomware preparedness provide the interrelated structure that your organization can benefit from in your ongoing information security efforts. Depending on your particular organizational processes, these functional areas may bleed together in practical application, but the best practices supporting these areas remain essential.
You have your prevention measures which should help keep ransomware attackers on the outside of your business's defenses where they belong, paying special attention to employee training and awareness. You should also invest in multi-layered detection methods to monitor and report on unusual device or network activity. Last but not least, your organization's response and recovery plans should encompass your backup conducting, testing, and restoring; in this regard your organization would be able to bounce back from a ransomware incursion with minimal costly downtime.
Colette Burke, Security Services Team Lead
Colette has over a decade of experience in information and technology, with previous experience as an IT help desk manager supporting a longstanding one-to-one laptop program. At TraceSecurity, she manages the software support team as well as a team of information security analysts who perform our remote security services. She is an integral member of TraceSecurity’s product management team, assisting with the development and enhancement of security service and software offerings.
Mitchell Bearry, Information Security Analyst
Mitchell has been a part of the TraceSecurity team for over two years. With previous experience as a software engineer and a support specialist, he now focuses on risk assessments, IT audits, penetration testing, and social engineering. He earned a Bachelor of Science in Computer Science from Louisiana State University and holds a Security+ certification.