Ransomware: Playing an Effective Defense
By Andrew Paulette
In this final installment in our series on ransomware, we will discuss what you and your organization can do to protect yourselves from the threat of ransomware, and how to mitigate the financial and reputational damage if you find yourself the victim of an attack.
Organizations now find themselves fighting against sophisticated cyber criminals who have grown from their successes and are further motivated by the potential for profit. As always, institutions can reduce their attack surface by practicing good cyber hygiene – keeping their systems, software, and antivirus patched, creating a robust data backup and recovery plan, and teaching users to be suspicious of any links and attachments in emails.
That said, none of these techniques is a silver bullet against ransomware. What happens when the ransomware becomes fileless, making it more likely to evade antivirus protection? How useful is a data backup against the threat of doxware (ransomware that threatens to publish stolen data rather than merely encrypt it)?
At its core, defending an organization against ransomware requires thoughtful planning by a cybersecurity professional who understands the current threat landscape and how the threats are evolving. Organizations will have to move beyond simply responding to incidents; they must mature their security operations plan so that cyber best practices and precautions are implemented from design through production and operations. Security can no longer be an afterthought; it must be a priority throughout the organization. To help move to this point, organizations should consider the following questions:
1.) How much is your most important data worth to you? Identifying the value and maximum acceptable outage (MAO) of systems and data helps organizations understand how much they should truly be spending to protect them. Every asset has its own value – from a company’s blog and social platforms to its proprietary data and critical systems – so each asset and piece of data must be assessed to understand its value on its own and its value when combined with other data or assets. Prioritize protection and recovery efforts for the systems that are most valuable to the organization.
2.) Can I make this system/data more difficult to access? For data and critical information systems of the utmost importance, consider further restricting access, adding controls that regulate how data can be edited, or air-gapping a system altogether to substantially reduce the threat of ransomware. In the case of the luxury hotel mentioned previously, their solution for handling future risks to their key entry system was simple – during their next modernization cycle, they did away with the digital locking system, removing the risk to their organization altogether.
3.) Is my data recovery method tested? Organizations need not only to develop strong data backup and recovery plans, but also to test them on a recurring basis to ensure that these solutions are effective in practice, not just in theory.
4.) Are my staff prepared to handle ransomware? Even an organization with a mature set of technical controls defending its network is at risk of becoming the victim of a ransomware attack if its employees are not properly educated about the current risks in cyberspace. Ensure that some form of cyber awareness training is implemented, either specific to your organization or through free online training such as Cybrary’s End User Security Awareness training. In addition to teaching users to be vigilant for signs of social engineering, organizations also need to consider how they will respond in the event of a ransomware attack – while larger organizations can rely on an in-house security operations center, smaller organizations may not be able to devote a large number of employees to incident response. If your organization is smaller, consider employing a Security as a Service (SECaaS) provider to assist with threat analysis and incident response.
5.) How will I disclose potential data breaches/ransomware incidents? Even with proper planning, no organization is immune. Ensure that your organization has a plan in place not only for recovering your IT infrastructure from a ransomware incident, but also for notifying the stakeholders affected by it. Recent history is rife with organizations paying the price for poor incident reporting, such as the developing story of Spiral Toys, which, despite being warned of data breaches to their CloudPets toy line as far back as Dec. 20, 2016, did not report the breach to authorities until it was publicly disclosed by security researchers on Feb. 22, 2017.
Unfortunately, the profit behind ransomware ensures that the cost of these types of attacks will not diminish in the near future. Ransomware is a successful source of profit, and its international, anonymous nature makes it difficult to regulate through national law enforcement and policy. Until an effective solution is found to stop ransomware, businesses will have to contend with the evolving threat. Fortunately, cybersecurity vendors are learning from the attacks and analyzing the poor security configurations of organizations to add effective ransomware protection to their products, some of which are offered for free. For smaller organizations, individually installing programs such as Cybereason’s Ransomfree, or working with the “No More Ransomware” initiative in the event of an incident may soften the blow and reduce the profits earned by cybercriminals. And any reduction of criminal profits is good, as it discourages further use of ransomware.
Of course, cybercrime innovation will also continue. Even if cyber professionals develop a successful and cost-effective remedy against ransomware, criminals will pursue another avenue to make a profit. Cybercrime will always exist; it will take a concerted effort from the majority of end users, businesses, and both national and international law enforcement to create a marketplace that is too risky for cyber criminals to enter.
In the meantime, individual organizations will have to continue to weigh the value of their assets, information, and IT infrastructure, and take the right steps based on this valuation of each spoke of their business. While the threat of ransomware cannot be truly eliminated, the risk can be greatly diminished through basic steps such as good cyber hygiene, training users, creating backups, and reducing attack surfaces. In short, you don’t need to make your business bullet-proof – instead, make the cost of “doing business” against your organization unprofitable for cyber criminals, and they will take their business elsewhere.