by Mike Davis - Contributor CISO, ExactlyIT 07/08/2021
© Elevate Xchange all rights reserved 07/08/2021
Ransomware is a top threat to minimize; especially as it continues to grow, morph and become even more virulent and effective. Why classify it as Existential – for starters, governments have categorized it as destructive as terrorism overall, plus the asymmetrical advantage criminals have, putting the defenders at a significant disadvantage. This summary paper is meant to consolidate the main elements and key protections as serve as ‘talking points’ to those who manage the business and protect all its assets.
Though this threat can be scary, it can also be reasonably well-managed (there is no guarantee even close to 100% in cyber as well all know) – where you must invest in it with the same resolve as the criminals do to attack you.
Problem overview. Now that Ransomware has the attention consumers (e.g., loss of gas availability. meat production, water safety, etc), the risk has widespread attention. This is a very wide topic, so we only list the top contributing factors herein, not all the significant (and for the most part incalculable) organizational damages it can cause – as we assume those are well known at this point.
Key ransomware factors:
It is now a triple threat - (1) loss of data availability (encrypted), (2) data breach extortion (exfiltrated sensitive data) and (3) extortion of your partners and clients for their data stolen from you.
Ransomware as a Service (RaaS) – it is now a commodity service that can be easily bought and then executed on any entity at any time. It is also much more targeted now, not just a wide mass email to thousands, with gobs of social media data available, the phishing attacks are well done (and getting better with AI / ML too). The company is also assessed for its ability to pay, including those with cyber insurance.
Cybercrime is a business – they are well organized, have business plans, share data and now we discover they are supporting startup cybercrime entities as well. They are thriving as they reinvest into more effective methods, and tools – not to mention that they are essentially immune from the law or any real punitive repercussions (another story in itself)
Asymmetrical advantage – the above factors show they have the upper hand for the most part. It goes back to the adage that they need to find one vulnerability and we need manage 1000s… As well as being a well-organized, high profit and low risk business (with no stakeholders to account to).
So, what to do? While this is as they say, a “wicked” problem, it is not hopeless - the risk can be significantly reduced by an aggressive ransomware risk reduction program – show your resolve, initiate a ransomware task force! There are a lot of ransomware support resources, mitigations to follow, etc. (a few links are listed at the end); whereas those are best reviewed and then integrated into your own tailored, ransomware risk reduction program. Within the program you will have researched all potential risk reduction measures and weighted their utility, then prioritizing their mitigations. Like all programs, ensure it is resourced, managed, tracked, and reported frequently. This is where you need to make this risk reduction effort a priority or not – convince leadership that the company future could well depend on this effort – because it can. If you cannot, then redo the message and keep trying.
What are the key mitigations? As mentioned, review the major ransomware support references and build, tailor your own; whereas there are some common items to ensure are assessed, and in many cases must be verified / audited if need be (for example, have IT proved they can restore critical data, and just what data do they store, where?). The ransomware mitigations effort must be aligned and part of your overall risk-based security strategy, which must also account for data leak/breach, resilience, etc. That is why your formal risk register must keep track of all the risks, priorities, status, etc. – as most of us have a lot of risks, with the top business risk value efforts being done first. So, there it is – your top MUST DO task – use a risk register to account for all your risk assessment efforts; use it to show stakeholders the overall organization’s risk story – how their key business success factors are being supported.
As for what matters - it all does, and of course it depends, as the relative risks vary by environment and some measures can be “good enough’ while resources are used elsewhere to drive that risk down. The dozen items listed below are but one view, as many others exist, yet these tend to be key in both ransomware risk mitigation and overall risk reduction in general. That said, please skim the resources below and decide what matters for your environment – collectively they will capture a risk-based ransomware protection plan.
Methods | Mitigation details / status / discussion |
Verify ‘Secure’ Backup | Verify BU is “Secure’ – that it is immutable’ so that intruders cannot disable or encrypt them – of course the restore process must be verified and practiced frequently – a must do. |
Data leak/breach protection | A fundamental capability for every entity to have in place –as when the attackerssteal your data, they can extort you to pay, and they frequentlypost data to prove it. This then also applies to any partners or clients that had their data stolen too – CIS CSC control #3.. |
Verify IAM / access control | Update yourIAM policy (PAM, Passwords, remote access, etc.) thenassess all key IAM threat vectors – ensure they are accommodated and monitored (especially AD changes) .MFA everywhere as an objective. Assess / enable conditional access. CIS CSC # 6 and 5. |
Email security / URL filtering | Verify the email security end-to-end security capabilities; use the stringentmodes. Enable the URL/web siteblocking to prevent users going to knownbad sites in the first place. Of course, this is predicated on having a client NGAV. CIS CSC control #9 |
Cyber hygiene / patching | Update your TVM standard – verify VM program coverage and effectiveness. Use a risk-based asset inventory / vulnerability management strategy. CIS CSC #1 and 2 |
Phishing training effectiveness | Most attacks start with users. Update your SETA plan - provideransomware training materials + VIP course (for BEC) + increase targeted email notes & phishing campaigns |
Cloud Security Optimization | Assess and verify all embedded cloud technical security mitigations – using the cloud security policy, to include monitoring. Include browser security - Key focus is managing extensions / plugins / active code. |
CSIR / incident response effectiveness | Update your CISR plan - Immediate actions & Comms + add in a specific ransomware use case and better IT & SEC integration (RACI) and inDR/BCP too |
Other infrastructure protections | Manage PowerShell and RDP scripts – assess others (Telnet, FTP, etc.) + enhanced logging. Segmentation - Need a strategy & plan (there are many methods) – include IoT and “OT” |
MS ransomware features | Assess / enable all the existing features withing the E3 license (and WIN10) + Implement O365 & Azure secure score recommendations + WIN 10 feature called 'Controlled folder access.' + Verify EoL blocks all key extension / executables + Use“password less” (e.g., Authenticator app)+ implement a group policy with software restrictions to block executable files in the %appdata%, %localappdata%, and temp folders. And oOthers… |
Attack Surface Reduction (ASR) / threat vector minimization | Draft a plan. Add deception methods (Like CANARY / tokens); Restrict macros (use MS AMSI for Office VBA or use using Office Viewer software), Restrict executables (in MS, use applocker) and enable MS attack surface reduction (ASR), and others… |
Cyber Insurance | Not only for the cost coverage, but they have vetted resources to use, plus expertise on CSIR / forensics–NOTE - This is much harder to get now, underwriters require more proof. |
This is but one list of mitigations, there are more. Review the resources for other risk mitigations and update your list of mitigations, as it is the combination of them that has multiplicative efforts on reducing the threat vectors.
Resources:
https://www.nomoreransom.org/ Go here first - The National High Tech Crime Unit of the Netherlands' police, Europol's European Cybercrime Center, as well as two cybersecurity firms - Kaspersky Lab and Intel Security - have announced NoMoreRansom.org to offer a one-stop shop for battling Ransomware infections.
https://csrc.nist.gov/CSRC/media/Publications/nistir//draft/documents/NIST.IR.8374-preliminary-draft.pdf
for more guidance.