Ransomware is still a top concern for many businesses and organizations. Its proliferation is rarely about a noble cause or a political issue; as with most things, it is all about the money. One of the best things you can do is plan and prepare for the possibility that ransomware will affect your organization. In this post, I aim to share my perspective on how to prioritize your efforts. In almost every case, the most essential asset is your data, so prioritize protecting it in your prevention strategy while you simultaneously work on your remediation strategy. Utilizing the NIST Incident Response Framework is an effective way to address ransomware, and the sections below follow its phases.
Preventative basics
- Regularly conduct IR exercises to flush out what works and what does not in your incident response planning.
  - There is no substitute for an incident exercise to help you be prepared
  - Do tabletop exercises at a minimum, but also look to run live exercises
- Regularly perform data backups (an offline copy is a must) and recovery planning/testing
- Regularly update your systems and software
  - Use vulnerability scanning to ensure that subcomponents of software are not overlooked
- Implement access controls and network segmentation
  - Use a dedicated tool if you have one, but any segmentation is better than nothing if budget constraints exist
  - Think about the design here: e.g., don’t put IoT devices on the same network segment as your other systems, and don’t allow any system to reach any other system
- Deploy XDR/EDR/ADR depending on your mission operations needs
- Regularly conduct security awareness training for employees
  - Use gamification if possible
  - Or whatever your employees find engaging rather than off-putting
- Deploy cloud-based email security controls to help defend the most used attack vector
  - Use as many controls as possible that don’t impact your business!
Detection and Analysis
- Instrument systems, networks, and logs, and analyze for suspicious activity or anomalies.
- Use Data Loss Prevention systems to identify/stop data that should not travel out of the organization
- Use intrusion detection/prevention systems (IDS/IPS), security information and event management (SIEM), and threat intelligence to provide current threat insight
- Identify and analyze indicators of compromise (IOCs) and attack precursors
- Triage and prioritize alerts based on potential impact
- Document incident details and evidence collection
- Notify appropriate stakeholders and escalate as needed
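The "instrument and analyze for anomalies" bullet is easier to reason about with a concrete detector in hand. The following is an added example, not code from the original post: a small Python script that runs over a constructed file-activity log and flags the classic ransomware pattern of one process renaming many files to a new extension within a short window, then escalates when that same process drops a note-like text file. The log line format, the process names, the 60-second window and the threshold of five renames are all assumptions made for this example; in practice you would feed it EDR or Sysmon file events and tune the window and threshold to your environment.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample file-activity log (not real telemetry). The line format is an
# assumption for this example: "<ISO8601> pid=<n> proc=<name> op=<op> path=<p> [dst=<p>]".
SAMPLE_LOG = """\
2024-05-01T10:00:00Z pid=4120 proc=winword.exe op=write path=C:/Users/a/report.docx
2024-05-01T10:00:05Z pid=7788 proc=updater.exe op=rename path=C:/Users/a/q1.xlsx dst=C:/Users/a/q1.xlsx.locked
2024-05-01T10:00:06Z pid=7788 proc=updater.exe op=rename path=C:/Users/a/q2.xlsx dst=C:/Users/a/q2.xlsx.locked
2024-05-01T10:00:07Z pid=7788 proc=updater.exe op=rename path=C:/Users/a/memo.docx dst=C:/Users/a/memo.docx.locked
2024-05-01T10:00:08Z pid=7788 proc=updater.exe op=rename path=C:/Users/a/plan.pptx dst=C:/Users/a/plan.pptx.locked
2024-05-01T10:00:09Z pid=7788 proc=updater.exe op=rename path=C:/Users/a/photo.jpg dst=C:/Users/a/photo.jpg.locked
2024-05-01T10:00:10Z pid=7788 proc=updater.exe op=rename path=C:/Users/a/notes.txt dst=C:/Users/a/notes.txt.locked
2024-05-01T10:00:11Z pid=7788 proc=updater.exe op=create path=C:/Users/a/README_RESTORE.txt
2024-05-01T10:00:30Z pid=2211 proc=explorer.exe op=rename path=C:/Users/a/scan.jpeg dst=C:/Users/a/scan.jpg
2024-05-01T10:00:40Z pid=4120 proc=winword.exe op=rename path=C:/Users/a/draft.docx dst=C:/Users/a/final.docx
this line is malformed and is skipped by the parser
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) pid=(?P<pid>\d+) proc=(?P<proc>\S+) op=(?P<op>\S+) "
    r"path=(?P<path>\S+)(?: dst=(?P<dst>\S+))?$"
)
# Words commonly seen in ransom-note file names; only used to escalate an
# existing mass-rename alert, never as a stand-alone signal (README.txt is common).
NOTE_RE = re.compile(r"readme|restore|decrypt|recover", re.IGNORECASE)


def parse_line(line):
    """Return a dict for a well-formed line, or None so malformed lines are skipped."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.fromisoformat(ev["ts"].replace("Z", "+00:00"))
    return ev


def extension(path):
    name = path.rsplit("/", 1)[-1]
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def detect(lines, window_s=60, threshold=5):
    """Sliding-window count of extension-changing renames per (pid, proc).

    Emits one 'mass_rename' alert per process when the count within window_s
    reaches threshold, and a 'ransom_note_like' alert if that same process then
    creates a .txt file whose name matches NOTE_RE.
    """
    alerts = []
    recent = defaultdict(deque)  # (pid, proc) -> timestamps of suspicious renames
    alerted = set()
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        key = (ev["pid"], ev["proc"])
        if ev["op"] == "rename" and ev["dst"] and extension(ev["dst"]) != extension(ev["path"]):
            q = recent[key]
            q.append(ev["ts"])
            while (ev["ts"] - q[0]).total_seconds() > window_s:
                q.popleft()  # drop events that fell out of the window
            if len(q) >= threshold and key not in alerted:
                alerted.add(key)
                alerts.append({"type": "mass_rename", "pid": ev["pid"], "proc": ev["proc"],
                               "count": len(q), "at": ev["ts"].isoformat()})
        elif ev["op"] == "create" and key in alerted:
            name = ev["path"].rsplit("/", 1)[-1]
            if extension(ev["path"]) == "txt" and NOTE_RE.search(name):
                alerts.append({"type": "ransom_note_like", "pid": ev["pid"], "proc": ev["proc"],
                               "path": ev["path"], "at": ev["ts"].isoformat()})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG.splitlines()):
        print(alert)
```

Running the script prints two alerts: a mass_rename for updater.exe (pid 7788) the moment its fifth extension-changing rename lands, and a ransom_note_like escalation for README_RESTORE.txt. The single jpeg-to-jpg rename by explorer.exe and the docx-to-docx rename by winword.exe are not flagged, which is the point of keying on both rate and extension change rather than on rename events alone.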
Containment, Eradication, and Recovery
- Contain events using a short-term isolation strategy to limit incident spread
- Remove malicious files, unauthorized access, or malware from affected systems
  - Rebuild them if necessary
  - Ensure that even if rebuilt, nothing persistent remains (see "Validate systems" below)
- Apply patches or configuration changes to close vulnerabilities
- Restore systems and data from clean, verified backups (if needed)
- Validate systems are clean and fully functional before returning to production
- Monitor for signs of reinfection or residual threats
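Both the prevention bullet on offline backups and the recovery step "restore from clean, verified backups" hinge on the word verified: a backup you cannot prove is intact is not a backup. The following is an added example, not code from the original post, showing one way to earn that word with Python's standard library: build a SHA-256 manifest when the backup is taken, keep the manifest with the offline copy, and compare the restored tree against it before anything goes back into production. The directory layout, file names and the tampering scenario in demo() are constructed for the example.

```python
import hashlib
import json
import os
import tempfile


def sha256_file(path, chunk=1 << 16):
    """Stream a file through SHA-256 so large backups do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(root):
    """Map each file's path (relative to root, forward slashes) to its SHA-256.

    Store the resulting manifest with the offline copy, not on the live system,
    so an intruder who reaches the data cannot also rewrite the record of it.
    """
    manifest = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = sha256_file(full)
    return manifest


def verify_restore(root, manifest):
    """Compare a restored tree to the manifest.

    Returns (ok, missing, mismatched, unexpected): files absent from the restore,
    files whose content differs (e.g. encrypted or overwritten), and files that
    were not in the backup at all (e.g. a dropped note or implant).
    """
    current = build_manifest(root)
    missing = sorted(set(manifest) - set(current))
    unexpected = sorted(set(current) - set(manifest))
    mismatched = sorted(p for p in manifest if p in current and current[p] != manifest[p])
    ok = not missing and not mismatched and not unexpected
    return ok, missing, mismatched, unexpected


def demo():
    """Constructed scenario: snapshot a small tree, then simulate a bad restore."""
    with tempfile.TemporaryDirectory() as src:
        files = {  # constructed sample data
            "finance/q1.xlsx": b"quarterly numbers",
            "hr/policy.docx": b"policy text",
            "notes.txt": b"hello",
        }
        for rel, data in files.items():
            p = os.path.join(src, rel)
            os.makedirs(os.path.dirname(p), exist_ok=True)
            with open(p, "wb") as f:
                f.write(data)

        # Taken at backup time; serialized because that is what you keep offline.
        manifest_json = json.dumps(build_manifest(src), sort_keys=True)

        # An untouched tree verifies cleanly.
        clean_ok = verify_restore(src, json.loads(manifest_json))[0]

        # Simulate a restore from a copy that was hit: one file overwritten with
        # garbage, one file gone, and a note-like file that was never backed up.
        with open(os.path.join(src, "finance/q1.xlsx"), "wb") as f:
            f.write(b"\x00garbage")
        os.remove(os.path.join(src, "notes.txt"))
        with open(os.path.join(src, "README_RESTORE.txt"), "wb") as f:
            f.write(b"...")
        ok, missing, mismatched, unexpected = verify_restore(src, json.loads(manifest_json))
        return clean_ok, ok, missing, mismatched, unexpected


if __name__ == "__main__":
    print(demo())
```

The manifest is deliberately a plain JSON document rather than something only the backup tool can read, so the restore test in your IR exercise can be run by whoever is on shift with nothing but a Python interpreter. The three separate result lists matter during recovery: "missing" tells you what the backup never captured, "mismatched" tells you which copies were already encrypted or corrupted when the snapshot was taken, and "unexpected" catches anything that rode along and should not be restored.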
Post-Incident Activity
- Document the entire incident lifecycle for compliance and post-mortem
- Conduct a post-mortem review
- Report to management and regulatory bodies
- Update incident response plans, policies, and controls based on findings
- Provide additional training based on incident outcomes
Summary
Planning for any IR, even if it isn’t ransomware, is just as lengthy a process. Continue to Evolve Your Integrated Technologies (part of the Adevonix motto) to address concerns and risks as you find them. I added some key items in the prevention stage that are essential for data backups. However, what I provided is not all-encompassing, so don’t think you’ve got everything covered by using this blog post as an end-all, be-all. My recommendation is for you to look at every step using a Failure Mode Event Analysis (FMEA) in the context of your business’s operations. This way, you are thinking proactively about the possibilities, and you will likely be in better shape than most. As I mentioned, this post doesn’t cover a comprehensive process, but it aims to get you thinking about how to handle ransomware and other malware incidents when you encounter them in your career.