Security Think Tank: To stop ransomware, preparation is the best medicine

Ransomware is the “gift” that keeps on giving – and not in a good way.

The Sophos report The State of Ransomware 2022 makes for rather disappointing reading: 66% of the 5,600 respondents said their organizations had been hit by ransomware in 2021, nearly double the previous year, with 46% of organizations hit by encryption ransomware having to pay a ransom to get their data back.

As long as the ransoms are paid, the lure of crime remains. It’s a difficult cycle to break. Despite the attention and concern about ransomware, many organizations are simply not prepared for it when it strikes. But they can’t and won’t let their businesses flounder either. They pay, or their business dies. You can see the dilemma.

So how do you break this cycle? By companies doing everything they can to prevent it from trapping them in the first place. And if they are unlucky enough to get caught in the trap, being able to spot it quickly, limit the blast radius, and recover quickly, without having to pay the ransom to get back to normal, is key. In short, they must become more resilient.

There are many things to consider when thinking about business resilience in the context of ransomware, but here are some key areas to focus on.

Know thyself

Easier said than done in this age of everything hybrid. Your employees are no longer necessarily confined to an office. Likewise, neither are your servers or your data – a combination of cloud and on-premises now creates an amorphous and complicated attack surface.

And the hyper-connected world doesn’t stop there: how many of your suppliers are also connected to your network? All of these interconnects add up to a heavy attack surface that must be enumerated, assessed, monitored, and maintained. Remember that the bad guys only need one way in.

What are your crown jewels, your strategic assets? If you don’t keep up to date with your asset inventories, service catalogs and data, how on earth can you be sure everything is covered, especially if no one tells you when they change? (Handy tip: offline backups are somewhat difficult for ransomware to penetrate, while no backup is a fool’s bet. Back up important stuff. Properly!)

Know your enemy

What I’m not saying here is to rush in and build a state-of-the-art threat intelligence capability, because there’s a little more to it than that – a conversation for another time. But it is certainly pragmatic to at least keep an eye on the outside world.

Which threat actors are currently active, which sectors they are targeting, which techniques they employ and which vulnerabilities they exploit are all important questions if you want to take a proactive stance. Even sharing knowledge among industry peers is a good place to start.

Build the right walls

Your architecture is an important consideration in the fight against ransomware. If your network design resembles a single, open-plan warehouse, all a threat actor needs to do is walk in and they then have access to all areas. Inhibiting a threat actor’s lateral movement, and limiting the magnitude of impact if they release a payload, could mean the difference between a minor inconvenience and an extinction-level event.

Creating a segmented environment that reflects who you are as an organization and what your data assets are is not an overnight job, but it should be a fundamental principle of your security architecture.

Keep your cyber hygiene levels high

The obvious place to start here is to emphasize the importance of keeping everything well maintained. Strong and secure configurations based on least privilege, coupled with an effective patching regime, go without saying, but are not without challenges either. If you must take a priority-based approach to this, my advice is to start with your internet-facing resources and ask yourself some obvious questions about them: Is this resource properly owned, patched and maintained? Should it be exposed to the internet at all? Should remote access services such as RDP be enabled (probably not, in all likelihood)? Why are Telnet, SSH and W3C services enabled if no one is actually using them?
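As an added illustration of putting those questions (and the "back up properly" point from the asset inventory section above) into a repeatable check, the following Python inventory audit is not code from the article: it flags assets with no owner, a stale patch or offline backup, remote-access services exposed to the internet, and enabled services that nobody uses. The inventory records, thresholds and service list are constructed assumptions.

```python
from __future__ import annotations
from dataclasses import dataclass
from datetime import date

# Remote-access / legacy services that should not face the internet unless
# someone genuinely needs them (assumed list, mirroring the questions above).
RISKY_SERVICES = {"rdp", "telnet", "ssh"}
MAX_PATCH_AGE_DAYS = 30    # assumed policy threshold
MAX_BACKUP_AGE_DAYS = 7    # assumed policy threshold
AUDIT_DATE = date(2022, 6, 8)  # "today" for the constructed sample


@dataclass
class Asset:
    name: str
    owner: str | None
    internet_facing: bool
    last_patched: date
    last_offline_backup: date | None
    services: dict[str, set[str]]  # enabled service -> known consumers of it


def audit_asset(asset: Asset, today: date) -> list[str]:
    """Apply the hygiene questions to one asset; return a list of findings."""
    findings: list[str] = []
    if not asset.owner:
        findings.append("no owner assigned")
    patch_age = (today - asset.last_patched).days
    if patch_age > MAX_PATCH_AGE_DAYS:
        findings.append(f"not patched for {patch_age} days")
    if asset.last_offline_backup is None:
        findings.append("no offline backup")
    elif (today - asset.last_offline_backup).days > MAX_BACKUP_AGE_DAYS:
        findings.append("offline backup is stale")
    for svc, consumers in asset.services.items():
        if not consumers:
            findings.append(f"{svc} enabled but nobody uses it")
        elif asset.internet_facing and svc in RISKY_SERVICES:
            findings.append(f"{svc} exposed to the internet")
    return findings


def audit_inventory(assets: list[Asset], today: date) -> dict[str, list[str]]:
    """Return only the assets that have findings, keyed by asset name."""
    return {a.name: f for a in assets if (f := audit_asset(a, today))}


# Constructed sample inventory: hostnames and dates are not real.
SAMPLE = [
    Asset("vpn-gw", "netops", True, date(2022, 6, 1), date(2022, 6, 5), {"ssh": {"netops"}}),
    Asset("legacy-fs", None, True, date(2021, 11, 2), None, {"rdp": {"helpdesk"}, "telnet": set()}),
    Asset("hr-db", "hr-it", False, date(2022, 6, 3), date(2022, 6, 6), {"ssh": {"dba"}}),
]
```

Running `audit_inventory(SAMPLE, AUDIT_DATE)` reports vpn-gw and legacy-fs; the unexposed, owned and backed-up hr-db produces no findings.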

Vulnerability scanning and penetration testing go hand in hand with all of this, giving you an independent view of your weaknesses. Just be sure to do something useful with the output. The pen test isn’t just for ticking a box on your ISO certification, and ignoring the advice and then getting nailed is not a good idea.

The ability to filter spoofed emails, emails with malicious content and emails from known malicious origins is important, as email is a key vector of initial attack for ransomware gangs. But this absolutely must be complemented by an effective security culture, which educates, supports and encourages staff to be aware of potential threats and to report them in a timely manner.

Make sure you have appropriate and up-to-date endpoint protections in place. Your 10-year-old antivirus product simply won’t cut it in the fight against modern ransomware. Start by looking at the endpoint detection and response (EDR) market – there are some amazing products out there. And if you’re not rocking a security operations center (SOC), I recommend a managed solution (MDR) if your budget can stretch there.

Build a response plan. Test the plan. Refine the plan

Despite all your best intentions, there is always the possibility of compromise. It’s a reality. It is dangerous to speak of an attack in terms of if; you should now always speak in terms of when. This mindset must flow through your business and be supported by a concerted effort to actively develop, test and maintain plans for how you would react if the worst happened to you.

A rapid and coordinated response is essential to understanding the attack, containing it, limiting the damage and recovering, while keeping the lines of communication tight, succinct, timely and relevant – both inside and outside the organization. A well-rehearsed and well-maintained plan can get you there, and a well-honed plan inspires confidence that you can and will recover, but never be complacent.

A final word on the role of cyber insurance. Insurance alone can’t protect you against ransomware, but a good insurance product will complement some degree of financial protection with services that can help you prepare (and respond). Services include incident response advice, expert legal and communications advice, regulatory assistance and online health checks.

I’m sorry to say – and it bears repeating – that ransomware isn’t going away anytime soon. As long as there is money to be made and the victims are “willing” to pay, it will persist. The best thing you can do for your organization is to recognize the clear and present danger, keep it in people’s minds, and encourage everyone in the company to take it seriously and play their part in ensuring business resilience and security.
