By Kathryn Daily, CISSP, CAP, RDRP
Ransomware is one of the top buzzwords you here today in reference to cybersecurity with good reason. Ransomware attacks nearly doubled in the first half of 2021. Thanks to NIST, organizations now have a framework of security objectives that support preventing, responding to, and recovering from ransomware threats and to deal with the potential consequences of events.
“Ransomware is a type of malicious attack where attackers encrypt an organization’s data and demand payment to restore access.”
As you know, the Cybersecurity Framework functional categories are as follows: Identify, Protect, Detect, Respond, and Recover. The Ransomware Profile applies security objectives to those categories to wit:
An inventory of physical devices should be undertaken, reviewed, and maintained to ensure there is no unprotected vector for a
ransomware attack. A hardware inventory will also be necessary during the recovery phase, should a reinstallation of applications be necessary. Software inventories may track information such as software name, version, etc., devices where it’s currently installed, last patch date, and current known vulnerabilities. This information supports the remediation of vulnerabilities that could be exploited in ransomware attacks.
Organizational communications and data flows are mapped to enumerate what information or processes are at risk, should the attackers move laterally within the environment. External information systems must be catalogued so that organizations can communicate to partners and possible actions such as temporarily disconnection from external systems in response to ransomware events. Resources such
as: hardware, devices, data, time, personnel, software, etc., should be prioritized based on their classification, criticality, and business value in order to understand the true scope and impact of ransomware events and is an important factor in contingency planning for future ransomware events, responses, and recovery actions.
Most ransomware attacks are conducted through network connections and ransomware attacks often start with credential compromise. Proper credential management is an essential mitigation. Additionally, most ransomware attacks are conducted remotely. Management of privileges associated with remove access can help to maintain the integrity of systems and data files to protect against insertion of malicious code and exfiltration of data. Using token-based multifactor-authentication will reduce the likelihood of account compromise. Network segmentation or segregation can limit the scope of ransomware events by preventing malware from proliferating among potential target systems.
Most ransomware attacks are made possible by users who engage in unsafe practices, administrators who implement insecure configurations, or developers who have insufficient security training. All users, regardless of function, should be informed, and trained, in security mechanisms within their role in the system.
Multiple sources and sensors along with a security information and event management (SEIM) solution would improve early detection of ransomware. Determining the impact of events can inform response and recovery priorities. This information should be in the contingency planning documentation. Network monitoring might detect intrusions before malicious code can be inserted or large volumes of information are encrypted or exfiltrated. Monitoring personnel activity might detect insider threats or insecure staff practices or compromised credentials and thwart potential ransomware events. Vulnerabilities can be exploited during a ransomware attack. Regular vulnerability scans can allow an organization to detect and mitigate most vulnerabilities before they are used to execute ransomware.
Response to ransomware events include both technical and business responses. An efficient response requires all parties to under stand their roles and responsibilities. Coordination priorities include stemming the spread of misinformation as well as preemptive messaging. Information sharing may also yield forensic benefits and reduce the impact and profitability of ransomware attacks. Forensics help identify the root cause to contain and eradicate the attack, including things like resetting passwords of credentials stolen by the attacker, deleting malware used by the attacker, and removing persistence mechanisms used by the attacker.
Immediate initiation of the recovery plan after the root cause has been identified can cut loses. Recovery plans must incorporate lessons learned to minimize the probability of future successful ransomware attacks.