Over the past several months we’ve had a number of clients approach us to see if we could lead a tabletop incident response (IR) exercise*. The request itself isn’t unusual; we run these sessions regularly. What was unusual was that ALL of the clients wanted to focus the exercise on ransomware. Ransomware has become a regular boardroom topic. In a recent Ponemon report, 60 percent of respondents say the risk of spear-phishing and ransomware attacks has increased since COVID-19. Among the > 2000 survey respondents, the most common reason they expect to suffer an attack is that “ransomware attacks are getting increasingly hard to stop due to their sophistication”.
*An incident response tabletop exercise is a cybersecurity mock drill or cyber-attack simulation exercise. An attack scenario that is highly relevant to the business is simulated during the workshop.
While we are always happy to help our clients, and enjoy running the tabletop sessions with them, in the case of ransomware preparedness the tabletop exercise is actually the final puzzle piece, not the starting one.
While there is no silver bullet that prevents your organization from being a target of a ransomware attack, the following steps help reduce the probability that it happens to you, and can reduce potential impact.
Security is all about protecting something (data/systems) or someone that you care about from harm or theft. Ultimately, it centers around one basic question: Do you know what data and systems are critical to your business? Any plans and associated security controls that you implement should address the right-sized protection of your critical assets. This holds true for preparing for ransomware as well, so the first stop on the journey is to build your ransomware readiness program around the assets that warrant this protection.
Defense-in-depth is a cornerstone of a robust security program. When we talk about defense-in-depth, we’re talking about the need to build and harden secure systems, keep their patch levels current, periodically test these systems to ensure that they are configured as expected, and understand when they’ve deviated from the norm. This may include vulnerability scanning and penetration testing when applicable, as ransomware often takes advantage of known vulnerabilities.
Ransomware attacks are becoming increasingly sophisticated. Not only are attackers looking to be paid a ransom to restore your systems, but they are also exfiltrating sensitive data and holding it ‘hostage’ for even greater amounts of money. Make sure you have built robust access controls (this comes with the basics) and that you encrypt the data that warrants encryption.
We’ve come a long way from the days of anti-virus platforms, as they’ve morphed into more powerful anti-malware platforms. Most ransomware makes it into your environment via email attachments/links or through various social media platforms. At a minimum, your anti-malware platform should block suspicious attachments as well as known bad URLs, which may also strip out malicious links that could introduce ransomware into your environment. Even better would be to take advantage of tools that sandbox and test unknown attachments or links, and approve them, before allowing the user to download the file or access the link.
Let’s face it – many organizations do a lackluster job of protecting credentials, and we are seeing this more and more frequently, especially with clients whose infrastructure is in O365/Azure (note – nothing is wrong with Microsoft, it’s just that administrators don’t necessarily configure authentication mechanisms with best practices in mind). Attackers are often able to trick individuals into providing their passwords, oftentimes through social engineering or clicking on malicious links. The best preventative fix for this is to implement multi-factor authentication; this should go near the top of your list.
I’ve often said that security issues are typically not the silicon, but the carbon. Most successful ransomware attacks occur because a human was tricked into introducing it into the environment. How should the building of ‘the human firewall’ best be addressed? Security awareness training is key, and it involves more than just making people read policies and hear stories. It is a common best practice to perform ongoing and regular spear-phishing campaigns and to make sure that those who ‘take the bait’ learn from their mistakes.
It seems like it wasn’t so long ago when we used tapes to back up our data. Their relatively slow and clunky nature also provided a natural deterrent against ransomware. As data backups have become more real-time they can be susceptible to ransomware, so make sure that your backup strategy includes the ability to take ‘snapshots’ and that credentialing is resilient. More importantly, make sure that you have processes in place to recover your backed-up data if you were to be a victim of a ransomware attack, and also make sure that you have the ability to effectively rebuild impacted systems.
Effective monitoring involves not only having a well-tuned SIEM solution (or MSSP) in place to quickly alert you if anomalous activity is taking place, but also having a watchful workforce that follows the mantra ‘if you see something, say something’. They should have the Helpdesk’s (or whoever the first line of support is) phone number and email address at their fingertips in the event of a critical security event. Effective monitoring may also help you determine the breadth of a ransomware attack.
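As an added illustration of the kind of rule a SIEM would run for the monitoring step above (this is example code, not the author’s or any product’s), the following Python flags hosts that rename a burst of files to a new extension within a short window, a common pattern of encryption in progress, and reports which directories were touched so the breadth of the incident can be estimated. The log format, host names, paths and thresholds are all constructed for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample file-audit lines (hypothetical format: time host user action path[ -> newpath]).
SAMPLE_LOG = """\
2024-03-01T09:00:01 ws-17 alice RENAME /shares/finance/q1.xlsx -> /shares/finance/q1.xlsx.locked
2024-03-01T09:00:02 ws-17 alice RENAME /shares/finance/q2.xlsx -> /shares/finance/q2.xlsx.locked
2024-03-01T09:00:02 ws-17 alice RENAME /shares/hr/payroll.csv -> /shares/hr/payroll.csv.locked
2024-03-01T09:00:03 ws-17 alice RENAME /shares/hr/benefits.docx -> /shares/hr/benefits.docx.locked
2024-03-01T09:00:04 ws-17 alice RENAME /shares/legal/nda.pdf -> /shares/legal/nda.pdf.locked
2024-03-01T09:00:05 ws-17 alice WRITE /shares/legal/README_TO_RESTORE.txt
2024-03-01T09:00:10 ws-03 bob RENAME /home/bob/draft.docx -> /home/bob/final.docx
2024-03-01T10:15:00 ws-03 bob RENAME /home/bob/a.txt -> /home/bob/a.bak
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\S+)(?: -> (\S+))?$")

def parse(line):
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, host, user, action, path, new = m.groups()
    return datetime.fromisoformat(ts), host, user, action, path, new

def ext(path):
    name = path.rsplit("/", 1)[-1]
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""

def find_encryption_bursts(log, window_s=60, threshold=5):
    """Return {host: sorted dirs} for hosts with >= threshold extension-changing renames in window_s."""
    recent = defaultdict(deque)   # host -> timestamps of extension-changing renames
    touched = defaultdict(set)    # host -> directories touched by those renames (breadth)
    flagged = {}
    for line in log.splitlines():
        rec = parse(line)
        if not rec:
            continue
        ts, host, _user, action, path, new = rec
        if action != "RENAME" or new is None or ext(new) == ext(path):
            continue  # only renames that change the extension count
        q = recent[host]
        q.append(ts)
        touched[host].add(path.rsplit("/", 1)[0])
        while (ts - q[0]).total_seconds() > window_s:
            q.popleft()   # drop events that fell out of the sliding window
        if len(q) >= threshold:
            flagged[host] = sorted(touched[host])
    return flagged
```

On the sample above only ws-17 trips the rule; bob’s two ordinary renames on ws-03 stay below the threshold.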
It is common due diligence to make sure you have the right amount of cyber insurance to cover your organization in the event that you suffer a ransomware attack. Make sure that you clearly understand what the policy covers and what it does not cover, and ensure that you have the necessary security controls and processes in place as required by your policy. Make sure that your incident response plan outlines exactly how to communicate with your cyber insurance provider, including off-hours support.
Your ransomware readiness IR plan should involve all members of the organization who have skin in the game, so besides the obvious IT and security staff, it should include legal, PR, and executives. This is where those tabletop exercises come in: they make sure your organization is as ready as possible and that you’ve addressed Steps 1-10.
Since COVID has forced most of us into a virtual workforce situation, corresponding IR plans should be refined to address a mainly remote workforce. Note – because ransomware is evolving at an increasingly fast pace, it may be reasonable to revisit your IR plan on a regular basis to make sure that you have the most effective responses/processes in place to address the most recent attacks.
Let’s face it – a ransomware attack can ruin a perfectly nice day and it can also incur extraordinary financial costs as well as brand damage. Given that ransomware has invariably become a key boardroom discussion topic, those responsible for helping protect the enterprise (it is not just the CISO’s job – instead it is everybody’s responsibility to some extent!) can help reduce the probability of a ransomware attack taking place as well as the extent of an attack’s potential damage. These ten steps can provide a strong foundation to point you in the right direction.
About Steve Levinson, Vice-President, Risk, Security & Privacy
As Vice President of Online Business Systems’ Risk, Security, and Privacy Consulting Practice and the company's Security Officer, Steve Levinson is building, growing, and leading a collaborative, risk-based, business-minded security consulting team.
Online’s RSP practice focuses on governance/program management, including PCI, ISO, HIPAA, vulnerability management, data protection, and virtual CISO services.