The ransomware landscape is evolving, and ransomware is now one of the most lucrative types of malware for cybercriminals and one of the most damaging for its victims. The JBS, Colonial Pipeline and Kaseya attacks are recent high-profile examples of the monumental consequences ransomware can have: disruption to markets, impact on critical infrastructure, and action at the highest levels of government.
In the wake of these attacks and of events like the SolarWinds compromise, the executive branch has taken action in the form of an Executive Order (EO) covering a range of cybersecurity measures. The order encourages private-sector companies to follow the federal government’s lead to help minimize the impact of future incidents.
The EO outlines several different concepts, so to help organizations get started I’ve picked out the key ones to pay attention to now, with some tips on how you can begin implementing them today.
- Take a “zero security” stance towards ransomware
One of the orders that caught my attention is the requirement to “Modernize and implement stronger cybersecurity standards in the federal government.” This is intended to drive the Federal Government to adopt security best practices: zero-trust architecture, an accelerated move to secure cloud services, and the deployment of multi-factor authentication and encryption.
At Veritas, we advise companies to adopt what we call a “zero security” posture: the mindset that even the most effective endpoint security will eventually be breached, so you need a plan that is ready for the day it happens.
- Be active, not passive
Businesses need strong endpoint data protection and system security. This includes antivirus software and application allowlisting, where only approved applications are permitted to execute. Companies need both an active element of protection and a reactive element of recovery.
Companies hit by ransomware can spend five days or more recovering from the attack, so it is imperative that they put proper backup and recovery strategies in place before an attack, not after.
- Don’t put all your eggs in one basket
The black hats developing ransomware are trying to eliminate every alternative a company has to paying the ransom. This is why ransomware attacks target not only the files and systems in use, but also cloud-based data and backup systems.
We urge organizations to implement a more comprehensive backup and recovery approach aligned with the National Institute of Standards and Technology (NIST) Cybersecurity Framework. It includes a set of best practices: use immutable storage, which prevents ransomware from encrypting or deleting backups; implement encryption in transit and at rest, so that traffic an attacker intercepts or data they exfiltrate is useless to them; and harden the environment by enabling firewalls that restrict ports and processes to those actually required.
- Create a playbook for cyber incidents
The other aspect of the EO I wanted to address is the call to “Create a standard playbook for responding to cyber incidents.” The federal government plans to create a playbook for federal agencies that will also serve as a model for the private sector, helping businesses take appropriate action to identify and mitigate a threat.
Time is of the essence, so rather than waiting for the federal government’s manual, here are some important steps organizations should think about when creating their own:
• Digital runbook: A paper plan is a start, but a digital plan that can be easily viewed and executed with a single click is essential. The more complex a plan is to execute, the longer it will take to recover from an attack.
• Test, test, test: Testing ensures that your plan will work when you need it. Initial testing confirms that every part of the plan works, but IT environments change constantly, so regular re-testing is critical.
• Eliminate single points of failure: The 3-2-1 practice is to keep at least three copies of your data, so that a single failure doesn’t derail your plan; on at least two different storage media, so that a vulnerability in one medium does not compromise every copy; with at least one copy off-site or air-gapped, so that you still have options if an attack wipes out an entire data center.
• Have options for rapid recovery: When an attack destroys an entire data center, recovery slows down under the compound challenges of hardware, network, workloads and the data itself. Having an alternative, such as quickly standing up the data center’s workloads on a public cloud provider, can shorten downtime and give you an option other than paying the ransom.
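As an added illustration of the 3-2-1 rule, immutable copies and regular restore testing described above (example code written for this edit, not code from the original article or from any Veritas product), the following Python checks a backup inventory against those rules and reports what is missing. The `BackupCopy` fields, the 30-day restore-test window and the `WEAK` and `GOOD` inventories are assumptions constructed for the example; a real run would load the inventory from your backup catalog.

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Optional


@dataclass(frozen=True)
class BackupCopy:
    """One copy of a data set in the backup inventory (fields are assumptions for this example)."""
    name: str
    media: str                          # storage medium: "disk", "tape", "object-storage", ...
    location: str                       # site identifier
    offsite: bool                       # kept away from the primary data center
    air_gapped: bool                    # not reachable from the production network
    immutable: bool                     # WORM / object-lock: cannot be altered or deleted early
    last_restore_test: Optional[date]   # last successful test restore, None if never tested


def check_3_2_1(copies: List[BackupCopy]) -> List[str]:
    """Return findings against the 3-2-1 rule; an empty list means the rule is satisfied."""
    findings = []
    if len(copies) < 3:                                   # "3": at least three copies
        findings.append(f"only {len(copies)} copies; 3-2-1 needs at least three")
    media = {c.media for c in copies}
    if len(media) < 2:                                    # "2": at least two media types
        findings.append(
            f"all copies share one media type ({', '.join(sorted(media)) or 'none'}); need at least two")
    if not any(c.offsite or c.air_gapped for c in copies):  # "1": one copy survives a site loss
        findings.append("no copy is off-site or air-gapped; losing the data center loses every copy")
    return findings


def check_resilience(copies: List[BackupCopy], today: date, max_test_age_days: int = 30) -> List[str]:
    """3-2-1 plus the immutability and restore-testing checks discussed in the text."""
    findings = check_3_2_1(copies)
    if not any(c.immutable for c in copies):
        findings.append("no immutable copy; ransomware can encrypt or delete every backup it can reach")
    for c in copies:  # a backup that has never been restored is not yet a proven backup
        if c.last_restore_test is None or (today - c.last_restore_test).days > max_test_age_days:
            findings.append(f"{c.name}: no successful restore test in the last {max_test_age_days} days")
    return findings


# Constructed inventories for the example (not real data).
TODAY = date(2021, 7, 7)
WEAK = [  # two mutable disk copies in the same data center, one never restore-tested
    BackupCopy("nightly-disk", "disk", "dc1", False, False, False, date(2021, 6, 1)),
    BackupCopy("san-snapshot", "disk", "dc1", False, False, False, None),
]
GOOD = [  # three media types, one off-site immutable object store, one air-gapped tape
    BackupCopy("nightly-disk", "disk", "dc1", False, False, False, date(2021, 7, 1)),
    BackupCopy("object-lock", "object-storage", "cloud-region-a", True, False, True, date(2021, 7, 1)),
    BackupCopy("tape-vault", "tape", "offsite-vault", True, True, True, date(2021, 6, 20)),
]

if __name__ == "__main__":
    for label, inventory in (("WEAK", WEAK), ("GOOD", GOOD)):
        findings = check_resilience(inventory, TODAY)
        print(f"{label}: {'OK' if not findings else 'findings'}")
        for finding in findings:
            print("  -", finding)
```

The restore-test check is the part most teams forget: an inventory that looks fine on paper still fails the check once every copy's last successful restore is older than the window, which is exactly the "environments change, so keep re-testing" point above.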
- Remember: ransomware is an arms race
Preparing your business for an inevitable ransomware attack is increasingly critical. The Colonial Pipeline attack has fueled new mandates for cyber resilience, and as security leaders we play a critical role in ensuring that we are doing everything we can to protect and secure valuable and sensitive data.
Ransomware will not “solve” itself. I see it as an arms race in which we all have to be constantly vigilant, especially around elements that are beyond our control. No single security solution or control will stop ransomware, but a layered approach to security lets you mitigate the impact and get back up and running quickly.
Author: Alex Restrepo
Source: https://threatpost.com/improving-ransomware-resiliency/168091/