Today’s ransomware operators are always coming up with new schemes. They’re constantly on the lookout for new vulnerabilities to weaponize, new operating models to take advantage of, and new alliances with other cybercriminal groups to exploit. Their goal is to come up with strategies that enable them to encrypt (and often, steal) your data more quickly, stealthily, and effectively.
In the recent wave of so-called “double extortion” attacks, for instance, ransomware operators have focused their efforts on exfiltrating data as well as encrypting it, so that victims have a strong incentive to pay up — one that can’t be countered simply by having reliable backups. Criminals have also tried to incentivize employees to help them plant ransomware within victim environments, transforming what was once a malware-based attack strategy into a tough-to-counter insider threat. Or, they’ve added extra steps into the attack sequence, such as bringing down a victim’s website with a distributed denial-of-service (DDoS) that’s perfectly timed to coincide with the ransomware’s activation.
Nonetheless, most of the cybersecurity best practices that organizations should implement in order to defend against the threat posed by ransomware aren’t new or groundbreaking. The list of tips and tactics for preparing for ransomware attacks that the National Institute of Standards and Technologies (NIST) has published, for instance, reads like a basic overview of good habits for cyber hygiene.
According to NIST, organizations should:
- run endpoint security software on all endpoints at all times
- update software as soon as patches become available, including servers, workstations, services, and devices
- block access to known ransomware sites on the internet
- configure operating systems or IT management software to allow only authorized applications to run in your environment
- restrict or prohibit the use of personally owned devices unless you’ve taken extra steps to ensure their security
- limit granting administrative privilege to when it’s absolutely necessary
- train employees not to use personal accounts and web applications from work computers
- train employees not to open files or click on links from unknown sources, and validate through testing
- maintain and test a data backup and restoration strategy
- develop and periodically stress-test an incident response plan
We at BTB Security agree that all of this is good advice. In addition, we think that organizations should monitor their environment 24/7/365, as well as create a strong third-party risk management (TPRM) plan, especially since last summer’s Kaseya ransomware attack demonstrated how easily software supply chains and managed service providers (MSPs) can serve as vectors for this type of infection. Purchasing cybersecurity insurance to cover the losses and damages resulting from a ransomware attack may also help mitigate some risks, but should never be the “primary” cybersecurity strategy.
However, taking these steps isn’t enough to guarantee that your organization will never fall victim to a ransomware attack. And despite the risk assessments and audits that organizations in regulated industries are required to undergo on a regular basis, today’s boards are increasingly concerned about ransomware risks.
ARE YOU RESILIENT AGAINST RANSOMWARE?
It’s likely that your organization’s board wants a specific, evidence-based answer to this question.
Audits, reports, and policy summaries may demonstrate your compliance with industry-wide regulations, but as large-scale ransomware attacks that continue to make the news clearly demonstrate, organizations in highly regulated industries fall victim to ransomware every day. Compliance doesn’t assure resilience.
Instead, you need to be able to answer questions like:
- If ransomware were introduced into our environment, would we detect it?
- How quickly could identify and isolate impacted systems?
- How far would it be able to spread before we found it?
- Do we have reliable backups?
- Have we tested our backups?
- Would we be able to restore from those backups quickly enough to maintain business-critical operations?
- How would employees in vital incident response roles handle the situation?
Although many organizations conduct tabletop exercises (and should!), those sorts of simulations can answer only some of the above questions. Similarly, penetration testing – a valuable source of information about vulnerabilities, to be sure – can evaluate only a portion of the controls relevant to ransomware risk.
BENEFITS OF SPECIALIZED RANSOMWARE ASSESSMENT
A specialized ransomware assessment should be both focused and comprehensive. It will allow your organization to meaningfully improve its security posture in relation to today’s ransomware threats. In particular, a ransomware assessment should bring together select elements of a technical controls review, a collaborative assessment of your backup and recovery processes and a governance review of relevant control processes.
If you want the best possible assessment of your ability to respond to ransomware in the real world, consider conducting a ransomware simulation exercise. In this focused activity, the security provider you’re working with will introduce a sanitized version of a currently prevalent ransomware strain into your environment. This enables your team to push the assessment beyond the theoretical. You’ll be able to see how your organization’s actual detection and response capabilities stack up. With this truly comprehensive and realistic test of your preventative and detective controls, you’ll be able to identify and rectify weaknesses, safely. The result will be a far more mature security posture, and greater confidence in your ransomware resilience, something worth highlighting at your next board meeting.
Interested in learning more about how BTB Security helps our clients harden their defenses against ransomware? Check out our ransomware exposure assessment, or connect with a member of our team of security experts to learn how we guide our clients to achieve better security.