Defeating Ransomware – 6 problems to resolve pre-emptively
Being hit by ransomware is something most people wouldn’t wish on their worst enemy. The impact and shock are so severe that people have compared it to a heart attack or cardiac arrest. Every organization is exposed to the risk, yet the first time it happens it still catches people off guard. In the hours immediately following the attack, enterprises are on their own.
It is a period of unpredictable trauma that many enterprises find paralysing, which is precisely what the attacker intends, since paralysis magnifies the impact and after-effects of the attack. Ultimately, a growing number seek outside help, placing value on the know-how, skill, and experience of a service provider that has watched others go through the same ordeal many times before.
- The incident response plan has to be evaluated.
When a client engages with a security service after a ransomware attack, it’s always a chaotic scenario where the customer’s capacity to carry out business has totally ceased. This is usually the first time they’ve ever been impacted by an outage of this sort or of such gravity.
The first casualty is the IT department’s ability to function as a team. Most of the time the IT team feels guilty that such an incident happened on their watch, and that guilt breeds a fear which spreads through the team like an infection. The most critical oversight is not the absence of an incident response plan but the fact that the plan has never been rigorously stress-tested, starting with the communication and decision-making chain of command. You therefore need to evaluate your cybersecurity response plan regularly, together with the people and the technology that are meant to execute it.
You can be lulled into a false sense of security if your only evaluation is a conference-room discussion, with no pressure bearing down as your business goes dark.
“Who holds the ultimate responsibility for decision making with regards to such an incident?” Typically a number of people raise their hands, which is far from the best-case scenario. Our recommendation is to have a single person in charge of the decision-making process.
Simply bringing in personnel from a third-party MSSP isn’t adequate: that organization cannot take over your decision-making. A company-appointed official must be given the responsibility, and in the best case it is somebody who has watched a ransomware attack unfold and therefore knows how such a scenario plays out.
Communication covers not only the internal chain of command but also who speaks to external providers, partners, and law enforcement.
- A month of logging is inadequate
The first question every victim wants answered when an attack occurs is whether the attackers are still present in the network and, if so, where they have hidden themselves. The first thing the IT team will want is logs, which betray the traces of the attackers’ movement and their tactics, techniques, and procedures (TTPs).
The problem is that default logging settings often do not retain enough data; an Active Directory (AD) domain controller, for instance, may hold only the most recent 30 days. Sundaresan’s advice is to go beyond what basic compliance requires and extend logging on critical servers to several months at least. Only then is it feasible to establish the root of a compromise, which is fundamental to preventing a repeat incident.
“Attackers can be present on your network for 230 days in some scenarios and the organization’s logs only go as far back as a month. That doesn’t cut it anymore.”
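One way to check how far back a domain controller’s Security log actually reaches, as an added example that is not part of the original article. It measures the real retention window from the oldest event still on disk and estimates the size needed to hold an assumed 90-day target; the target value and the log name are assumptions you would adjust to your own policy.

```powershell
# Added example: audit Security log retention on a domain controller.
# Run in an elevated session on the DC, or pass -ComputerName for a remote DC.
# The 90-day MinimumDays default is an assumed policy value, not from the article.
param(
    [string]$ComputerName = $env:COMPUTERNAME,
    [int]$MinimumDays = 90,
    [string]$LogName = 'Security'
)

# Configured size cap and overwrite behaviour (Circular = oldest events are overwritten)
$cfg = Get-WinEvent -ListLog $LogName -ComputerName $ComputerName

# The oldest event still on disk reveals the real retention window,
# regardless of what the configured cap suggests.
$oldest = Get-WinEvent -LogName $LogName -ComputerName $ComputerName -Oldest -MaxEvents 1
if (-not $oldest) {
    Write-Warning "$LogName log on $ComputerName is empty; nothing to measure."
    return
}
$spanDays = [math]::Round(((Get-Date) - $oldest.TimeCreated).TotalDays, 1)

# Rough growth rate, used to size the log for the target window
$sizeMB   = [math]::Round($cfg.FileSize / 1MB, 1)
$maxMB    = [math]::Round($cfg.MaximumSizeInBytes / 1MB, 1)
$mbPerDay = if ($spanDays -gt 0) { [math]::Round($sizeMB / $spanDays, 1) } else { 0 }
$neededMB = [math]::Ceiling($mbPerDay * $MinimumDays)

[pscustomobject]@{
    Computer        = $ComputerName
    Log             = $LogName
    LogMode         = $cfg.LogMode
    MaxSizeMB       = $maxMB
    CurrentSizeMB   = $sizeMB
    OldestEvent     = $oldest.TimeCreated
    RetentionDays   = $spanDays
    EstMBPerDay     = $mbPerDay
    SizeForTargetMB = $neededMB
    MeetsTarget     = ($spanDays -ge $MinimumDays)
}

# Raising the cap is one lever (wevtutil sl <log> /ms:<bytes>); forwarding the log
# to a SIEM or log collector is the durable fix. Left commented so the script stays read-only:
# wevtutil sl $LogName /ms:$($neededMB * 1MB)
```

If the log has already wrapped, RetentionDays is exactly the window an investigator would have to work with; if it has never filled, the figure only reflects time since the log was last cleared, so compare it against the configured cap before drawing conclusions.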
- Where are the assets?
The next remediation activity is patching, which is harder than it appears. “More often than not, individuals do not possess an accurate asset inventory. If you are not aware of what’s on your network there’s only so much we can do in terms of ceasing propagation,” she states. “The moment you query them if it’s updated, there’s usually an uncomfortable silence.”
For attack recovery, the only worthwhile asset inventory is one that operates in real time, recording an asset each time it is observed. Enterprises cannot secure what they cannot see or don’t know about, and that includes not just physical devices but cloud repositories, storage, applications, and all kinds of servers.
Real-time asset discovery has been feasible for years; online asset inventory engines provided as a service are just one example of how this does not have to be an onerous undertaking, and such a service can sync with the enterprise’s ServiceNow configuration management database (CMDB).
- Backup is brilliant – if it’s been evaluated.
Every organization mandates backups, but not every backup is equally useful when ransomware strikes. The first issue is that enterprises don’t always test them, and testing properly means making pessimistic assumptions about the state of the network itself.
“Backup is a no-brainer, but you have to evaluate it from the perspective of being able to bring the systems back up without access to specific resources.”
The conventional core of backup is the 3-2-1 rule: three copies of the data, on two different types of media, with one copy kept off-site (and ideally offline). However, if one or more of those copies is somehow compromised, say by a connectivity problem created by the attack, that approach begins to show its frailty.
“Time and again enterprises believe they have evaluated the backup, but they have not evaluated it frequently enough under realistic settings. Also, the practice of recovery causes discoveries of other frailties in your preparations. Typically, these are discovered in the quality of the backups, which consequently create improved backups for when you really require them.” The simplest way to embed more comprehensive testing, Sundaresan states, is to delegate accountability for it to somebody.
- Paying is not a simple way out.
Whether or not to pay the ransom has been debated since the earliest attacks ten years ago, and the question appears nowhere near resolution. Giving in to the ransom merely opens the door to future trouble: it signals that you can be controlled, and it is never good to be controlled. Freedom is paramount.
Specialists advise against paying the ransom, because even in the best case you are likely to recover only part of your data. More critically, you are handing the attackers additional ammunition to come after you again. A further concern is that making payment part of the cybersecurity strategy risks undermining the very controls that might make payment unnecessary in the first place.
You might as well invest that money in cybersecurity and reduce your risk exposure.
- DIY defence is obsolete
A major obstacle for many smaller enterprises has been marshalling the investment and skills required to defend themselves. However, the DIY approach is no longer necessary in an era of MSSP services, argues Sundaresan. “When you require surgery, you go to a surgeon. You are doing yourself a disservice by thinking you have to carry it out all by yourself.”
Equally, selecting an MSSP isn’t simple in an overcrowded marketplace. Specialists recommend looking for a partner that can not only tell you what the issue is but rectify it as well. And because the threat landscape changes quickly as new attacks crop up, that demands a provider able to demonstrate that it can keep investing and innovating over time.