Ransomware Protection Requires a Multi-Layered Strategy
Ransomware attacks are on the rise, and they are increasing in both complexity and magnitude. The median size of the companies targeted and the size of the ransom demands are rising as well.
Several recent high-profile examples include:
- Colonial Pipeline Company – after a ransomware intrusion into its IT systems, the company halted the pipeline that supplies roughly 45% of the fuel consumed on the US East Coast for about five days and paid a ransom of roughly $4.4m.
- Health Service Executive (HSE) – Ireland's state-funded health-care provider was hit by a ransomware attack; the attackers threatened to publish stolen data, including confidential patient records, unless the HSE paid $20m.
- Quanta Computer – a Taiwanese manufacturer that builds hardware for Apple; the attackers obtained schematics and other Apple intellectual property and threatened to publish it unless Apple paid to get it back.
In short, ransomware is a serious threat to organizations, and it is incumbent on IT to protect against it as far as possible. In our view, ransomware protection needs to be multi-layered and should include four main strategies: Educate, Protect, Detect and Respond.
According to KnowBe4, 91% of cyberattacks begin with a spear-phishing email, and phishing is the most common way ransomware gets into an organization. It is therefore vital that organizations run an awareness program that prepares employees to recognize and report social engineering attempts and to avoid the human errors that let them succeed.
We have all seen emails claiming to be from a bank or the CRA trying to solicit personal information. The right response is to delete (or report) the message, but not every user handles these situations the same way, and the emails are becoming more sophisticated and harder to spot. Training lowers the click rate but never brings it to zero, which is why the technical layers below still matter. Several tools help organizations with security awareness training; the one we recommend most is Managed Security Awareness Training from Arctic Wolf® (Arctic Wolf Whitepaper). Arctic Wolf® delivers it as a managed service through a Security Concierge, which ensures continuity of the program, and it includes awareness training, phishing simulation and dark web monitoring. We find this service to be the most comprehensive and turnkey offering in this space.
"91% of cyberattacks begin with spear phishing email," https://blog.knowbe4.com/bid/252429/91-of-cyberattacks-begin-with-spear-phishing-email
As part of a multi-layered security plan, we recommend several lines of defense.
Backup and Recovery: some consider backup and recovery the last line of defense against ransomware. Veritas®, for instance, recommends prioritizing it as part of a comprehensive cybersecurity strategy. Your data is like the gold bars inside Fort Knox: it is the prize the attackers are after. Veritas® offers a broad range of features and products to help organizations protect against, detect and recover from a cyberattack.
For an organization's backup ecosystem, Veritas® recommends keeping six best practices in mind:
- Version Management – keep software and firmware versions current and ensure all patches are applied.
- Identity & Access Management – implement two-factor authentication and role-based access control, along with good password management practice.
- Immutable storage – use immutable and indelible storage so that ransomware (or an attacker holding administrator credentials) cannot encrypt or delete the backups.
- Data Encryption – at rest and in transit – does not stop data from being stolen, but it keeps stolen or intercepted copies from being read or published.
- Configuration – build a secure backup environment.
- Deployment – build a resilient backup architecture, i.e. follow the 3-2-1 rule: keep 3 copies of the data, on two different media types, with one off-site (and ideally offline or immutable, so a compromised network cannot reach it).
While the prevention steps above reduce an organization's exposure to ransomware, they do not provide perfect protection. Stopping the ransomware that "slips through the cracks" requires a specialized security solution. To achieve its objective, ransomware must perform certain anomalous actions, such as opening, overwriting and renaming large numbers of files in a short time. Anti-ransomware solutions monitor the programs running on a computer for behaviours commonly exhibited by ransomware and, when they are detected, stop the offending process before further damage is done.
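To make the behavioural idea concrete, the following is an added example written for this article, not Check Point's or any other vendor's code. It runs a toy detector over constructed file-activity events of the kind an endpoint sensor might emit: a process that overwrites many files with high-entropy (encrypted-looking) data inside a short window, renames them to a new extension and drops a ransom-note-like file is flagged, while a word processor saving documents and a backup agent that only reads files are not. The event format, the thresholds and the sample telemetry are all assumptions chosen for illustration.

```python
"""Toy behavioural ransomware detector over constructed file-activity events.

Added example, not any vendor's code. Event fields, thresholds and the sample
telemetry are assumptions chosen to illustrate the technique.
"""
import math
import random
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

HIGH_ENTROPY = 7.5                 # bits/byte; encrypted or compressed data sits near 8.0
WINDOW = timedelta(seconds=60)     # burst window for the "mass encryption" indicator
FILE_THRESHOLD = 10                # distinct files before an indicator fires (assumed)
RANSOM_NOTE = re.compile(r"(recover|decrypt|restore|readme)", re.I)  # assumed pattern


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def make_events():
    """Constructed telemetry. Each event has ts, pid, image, op ('read', 'write'
    or 'rename'), path, and either 'data' (first bytes written) or 'new_path'."""
    rng = random.Random(1)          # deterministic stand-in for ciphertext
    t0 = datetime(2021, 6, 1, 9, 0, 0)
    events = []
    # Benign: a word processor saving a few low-entropy documents
    for i in range(3):
        events.append(dict(ts=t0 + timedelta(seconds=30 * i), pid=4120, image="winword.exe",
                           op="write", path=f"C:\\Users\\alice\\Documents\\notes{i}.docx",
                           data=b"Quarterly notes: revenue, headcount, roadmap. " * 4))
    # Benign: a backup agent touching many files quickly, but only reading them
    for i in range(15):
        events.append(dict(ts=t0 + timedelta(seconds=i), pid=880, image="backup_agent.exe",
                           op="read", path=f"D:\\Share\\finance\\report{i}.xlsx", data=b""))
    # Suspicious: one process overwriting many files with random-looking bytes,
    # renaming each to a new extension, then writing a ransom note
    for i in range(12):
        path = f"D:\\Share\\finance\\report{i}.xlsx"
        ts = t0 + timedelta(seconds=300 + 2 * i)
        events.append(dict(ts=ts, pid=6644, image="svchosts.exe", op="write", path=path,
                           data=bytes(rng.getrandbits(8) for _ in range(4096))))
        events.append(dict(ts=ts, pid=6644, image="svchosts.exe", op="rename",
                           path=path, new_path=path + ".locked"))
    events.append(dict(ts=t0 + timedelta(seconds=330), pid=6644, image="svchosts.exe",
                       op="write", path="D:\\Share\\finance\\HOW_TO_RECOVER_FILES.txt",
                       data=b"Your files are encrypted. Contact ..."))
    return events


def extension(path: str) -> str:
    return path.rsplit(".", 1)[-1].lower() if "." in path else ""


def detect(events):
    """Return {pid: [reasons]} for processes showing at least two indicators.

    Requiring two keeps a single one (an archiver writing zips, a user creating
    README.txt) from alerting on its own."""
    by_pid = defaultdict(list)
    for e in events:
        by_pid[e["pid"]].append(e)

    alerts = {}
    for pid, evs in by_pid.items():
        evs.sort(key=lambda e: e["ts"])
        enc = [e for e in evs
               if e["op"] == "write" and shannon_entropy(e["data"]) >= HIGH_ENTROPY]
        # Indicator 1: most distinct files overwritten with high-entropy data
        # inside any single WINDOW (two-pointer sliding window over enc)
        peak, start, in_window = 0, 0, Counter()
        for e in enc:
            in_window[e["path"]] += 1
            while e["ts"] - enc[start]["ts"] > WINDOW:
                old = enc[start]["path"]
                in_window[old] -= 1
                if not in_window[old]:
                    del in_window[old]
                start += 1
            peak = max(peak, len(in_window))
        # Indicator 2: mass renames that change the file extension
        renamed = {e["path"] for e in evs if e["op"] == "rename"
                   and extension(e["new_path"]) != extension(e["path"])}
        # Indicator 3: a freshly written file whose name reads like a ransom note
        note = any(e["op"] == "write" and RANSOM_NOTE.search(e["path"].rsplit("\\", 1)[-1])
                   for e in evs)

        reasons = []
        if peak >= FILE_THRESHOLD:
            reasons.append(f"{peak} files overwritten with high-entropy data within {WINDOW.seconds}s")
        if len(renamed) >= FILE_THRESHOLD:
            reasons.append(f"{len(renamed)} files renamed to a new extension")
        if note:
            reasons.append("ransom-note-like filename written")
        if len(reasons) >= 2:
            alerts[pid] = reasons
    return alerts


if __name__ == "__main__":
    for pid, reasons in detect(make_events()).items():
        print(f"ALERT pid {pid}: " + "; ".join(reasons))
```

Running it flags only pid 6644, with all three indicators. A real product also has to decide what to do once it alerts (suspend the process, roll back the touched files from shadow copies or its own journal), and tunes the thresholds against the organization's normal activity, since legitimate tools such as archivers and encryption utilities produce high-entropy writes too.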
Check Point's Anti-Ransomware solution is designed to defend organizations against sophisticated ransomware attacks and to recover encrypted data, supporting business continuity and productivity. Anti-Ransomware is offered as part of Harmony Endpoint, Check Point's complete endpoint security suite.
Think of detection like a home security alarm. Organizations need a robust detection capability as part of their overall security posture so that a breach or security event is noticed in time to act. Ransomware attacks often start with a small breach weeks or even months earlier; once inside, the attackers move laterally through the network to stage the attack. Detection systems should cover the following activities (the categories of the NIST Cybersecurity Framework's Detect function):
- Ensuring anomalies and events are detected and their potential impact is understood
- Implementing security continuous monitoring to track cybersecurity events, including network and physical activity, and to verify that protective measures are working
- Maintaining detection processes that provide timely awareness of anomalous events
The Respond function is akin to the police or fire service being dispatched to your house once the alarm goes off. It covers the activities taken in reaction to a detected cybersecurity incident, including containing the incident's impact.
Response strategies for cybersecurity events must accomplish the following outcomes (the categories of the NIST Cybersecurity Framework's Respond function):
- Ensuring response planning processes are executed during and after an incident
- Managing communications during and after an event with internal stakeholders, law enforcement and external parties as appropriate
- Conducting analysis, including forensic analysis and impact assessment, to ensure an effective response and to support recovery
- Performing mitigation activities to prevent the event from spreading and to resolve the incident
- Implementing improvements by incorporating lessons learned from current and previous detection and response activities
While some organizations have an internal SOC (Security Operations Centre) capable of responding to threats effectively and promptly, most do not. This is where a Managed Detection and Response (MDR) service comes in.
Ironclad works with Arctic Wolf to provide this service to our customers. The Arctic Wolf® Managed Detection and Response (MDR) solution provides 24×7 monitoring of your networks, endpoints and cloud environments to help you detect, respond to and recover from modern cyberattacks.
IT security is a journey, not a destination: new threats like ransomware are constantly emerging and evolving. The goal is to continually improve your resilience to these threats through a multi-layered approach: Educate – Protect – Detect – Respond. Educate makes it less likely the bad guys get in, Protect keeps them out, Detect tells you when they have gotten in anyway, and Respond lets you contain and recover from a breach. If you are looking to increase your resilience to ransomware or other cyber threats, contact us and we can help.