7 Steps to Help Prevent & Limit the Impact of Ransomware
Ransomware attacks affect a wide range of institutions, from small local governments to large corporations. It is incumbent on all of us to do everything we can to keep them from succeeding.
Ransomware is a type of malware that prevents a victim from accessing a system, device, or file until a ransom is paid to the attacker. It typically does this by encrypting files on the endpoint, threatening to delete files, or locking users out of the system. When ransomware hits hospitals, emergency call centers, and other critical infrastructure, the consequences can be severe.
Protecting your organization from ransomware demands a holistic, “all hands on deck” approach that involves everyone in the organization. The following are seven ways companies can help prevent attacks and limit the impact of ransomware. Each step is mapped to the relevant CIS Controls best practice so you can read further on each topic.
1. Maintain backups – thoughtfully
The Multi-State Information Sharing and Analysis Center (MS-ISAC) recommends backing up important data as the single most effective way to recover from a ransomware infection. A few points need care, however. Attackers routinely try to delete or encrypt backups before they encrypt production data, so backup copies must be properly protected and kept offline or out-of-band, where an attacker with a foothold on the network cannot reach them. Cloud services may help here, since many keep prior versions of files, allowing you to restore an unencrypted version if necessary. Test your backups regularly by actually restoring from them, not just by checking that the backup job ran. If an attack occurs, confirm that the backups themselves are intact and not encrypted before restoring from them.
CIS Control 11 (Data Recovery) gives more detail on building a data recovery plan.
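One way to check "your backups are not affected" before restoring is to hash the backup set when it is taken, keep that manifest with the offline copy, and compare against it before a restore. The following is an added example, not code from the original article or from CIS; it assumes the backup is a directory tree on disk, and the file names, the extension list, and the sample data in `demo()` are constructed for illustration.

```python
"""Hash a backup set into a manifest, then verify the set before restoring.

Added example, not the article's own code. Assumes the manifest is stored
out-of-band (e.g. alongside the offline copy) so an attacker who tampers with
the backup cannot also rewrite the manifest.
"""
import hashlib
import json
import math
import os
from pathlib import Path

# Extensions ransomware families commonly append to encrypted files.
# Illustrative, constructed list; not complete or authoritative.
SUSPICIOUS_EXTENSIONS = {".locked", ".encrypted", ".crypt", ".enc"}


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large backups do not load into memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def shannon_entropy(data: bytes) -> float:
    """Bits per byte. Ciphertext and compressed data sit close to 8.0."""
    if not data:
        return 0.0
    n = len(data)
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def build_manifest(root: Path) -> dict:
    """Map each regular file (path relative to root, POSIX form) to its hash."""
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def verify_backup(root: Path, manifest: dict, sample_bytes: int = 4096) -> dict:
    """Compare the on-disk backup with the manifest taken when it was created.

    Reports files whose hash changed, files missing, files not in the manifest,
    and, among changed/new files only, those that look encrypted (ransomware-style
    extension or near-8.0 entropy in the first sample_bytes). The entropy test
    will also flag legitimately compressed files, so treat it as a prompt to
    inspect, not proof of compromise.
    """
    current = build_manifest(root)
    report = {"modified": [], "missing": [], "unexpected": [], "suspicious": []}
    for rel, digest in manifest.items():
        if rel not in current:
            report["missing"].append(rel)
        elif current[rel] != digest:
            report["modified"].append(rel)
    report["unexpected"] = [rel for rel in current if rel not in manifest]
    for rel in report["modified"] + report["unexpected"]:
        p = root / rel
        with p.open("rb") as f:
            head = f.read(sample_bytes)
        if p.suffix.lower() in SUSPICIOUS_EXTENSIONS or (
                len(head) >= 256 and shannon_entropy(head) > 7.5):
            report["suspicious"].append(rel)
    for key in report:
        report[key].sort()
    report["clean"] = not any(report.values())
    return report


def demo() -> dict:
    """Constructed scenario: take a manifest, then simulate ransomware touching
    the backup (overwrite + rename one file, drop a ransom note) and verify."""
    import tempfile
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "docs").mkdir()
        (root / "docs" / "report.txt").write_text("Q3 figures\n" * 100)
        (root / "config.ini").write_text("[db]\nhost=db01\n")
        manifest = build_manifest(root)  # taken when the backup was made
        victim = root / "docs" / "report.txt"
        victim.write_bytes(os.urandom(4096))  # ciphertext-like content
        victim.rename(victim.parent / "report.txt.locked")
        (root / "README_DECRYPT.txt").write_text("pay up")
        return verify_backup(root, manifest)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

In practice the manifest would be signed or stored on write-once media; a manifest an attacker can rewrite verifies nothing.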
2. Develop plans and policies
Create an incident response plan so your IT security staff know what to do in the event of a ransomware attack. The plan should define roles and responsibilities and the communication channels to be used during an attack, including an out-of-band channel in case email or chat systems are themselves affected. It should also include a contact list of any business partners or vendors who would need to be notified. Do you have a policy for handling suspicious email? If not, consider establishing one company-wide. It helps employees know what to do when they receive an email they are unsure about, and it can be as simple as forwarding the message to the IT security team.
3. Review port settings
Many ransomware variants gain their initial foothold or spread across the network over Remote Desktop Protocol (RDP, TCP port 3389) and Server Message Block (SMB, TCP port 445); internet-exposed RDP in particular is a common entry point for ransomware operators. Consider whether your organization needs these ports open at all, and whether connections should be restricted to trusted hosts only (for example, reachable solely through a VPN or jump host). Review these settings for both on-premises and cloud environments, and work with your cloud service provider to close any unneeded RDP exposure.
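A concrete version of this review for a cloud environment is to walk the security-group rules and flag any that let RDP or SMB in from outside the networks you trust. The script below is an added example, not code from the original article or from any cloud provider's tooling. The rule dictionaries mirror the field names of an AWS security group's `IpPermissions` entries, but the rules themselves are constructed sample data, and `TRUSTED_SOURCES` is an assumed placeholder you would replace with your own VPN or jump-host ranges.

```python
"""Flag firewall / security-group rules exposing RDP (3389) or SMB (445) to
untrusted sources. Added example, not from the original article.

Rule shape follows AWS IpPermissions field names (IpProtocol, FromPort,
ToPort, IpRanges[].CidrIp, Ipv6Ranges[].CidrIpv6); the data is constructed.
"""
import ipaddress

RANSOMWARE_PORTS = {3389: "RDP", 445: "SMB"}

# Assumed placeholder: networks allowed to reach RDP/SMB (e.g. VPN, jump hosts).
# 203.0.113.0/24 is a documentation range, used here only as an illustration.
TRUSTED_SOURCES = [ipaddress.ip_network("10.0.0.0/8"),
                   ipaddress.ip_network("203.0.113.0/24")]


def rule_covers_port(rule: dict, port: int) -> bool:
    """True if the rule admits TCP traffic to `port` (including 'all traffic')."""
    proto = rule.get("IpProtocol")
    if proto == "-1":          # AWS convention for "all protocols / all ports"
        return True
    if proto != "tcp":
        return False
    return rule["FromPort"] <= port <= rule["ToPort"]


def source_is_trusted(cidr: str, trusted) -> bool:
    """True if the source CIDR lies entirely inside one trusted network."""
    net = ipaddress.ip_network(cidr, strict=False)
    return any(net.version == t.version and net.subnet_of(t) for t in trusted)


def audit_rules(rules, trusted=TRUSTED_SOURCES):
    """Return (service, port, source_cidr, description) for every exposure."""
    findings = []
    for rule in rules:
        sources = [r["CidrIp"] for r in rule.get("IpRanges", [])] + \
                  [r["CidrIpv6"] for r in rule.get("Ipv6Ranges", [])]
        for port, service in RANSOMWARE_PORTS.items():
            if not rule_covers_port(rule, port):
                continue
            for cidr in sources:
                if not source_is_trusted(cidr, trusted):
                    findings.append((service, port, cidr,
                                     rule.get("Description", "")))
    return findings


# Constructed sample rules: one open RDP rule, one properly scoped SMB rule,
# one "all traffic from any IPv6" rule, and one unrelated HTTPS rule.
SAMPLE_RULES = [
    {"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [],
     "Description": "RDP from anywhere (bad)"},
    {"IpProtocol": "tcp", "FromPort": 445, "ToPort": 445,
     "IpRanges": [{"CidrIp": "10.20.0.0/16"}], "Ipv6Ranges": [],
     "Description": "SMB from corp LAN"},
    {"IpProtocol": "-1", "FromPort": -1, "ToPort": -1,
     "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}],
     "Description": "all traffic v6"},
    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [],
     "Description": "HTTPS"},
]


if __name__ == "__main__":
    for service, port, cidr, desc in audit_rules(SAMPLE_RULES):
        print(f"{service}/{port} reachable from {cidr}: {desc}")
```

Note that an "all traffic" rule (`IpProtocol` of `-1`) exposes both ports even though 3389 and 445 never appear in it; an audit that only greps for the port numbers would miss it. The same logic applies to on-premises firewall rule sets once they are exported to a comparable structure.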
4. Harden your endpoints
Continually check that your systems are configured with security in mind. Secure configuration settings reduce your organization's attack surface and close gaps that default setups leave open. The CIS Benchmarks are a free, consensus-developed set of hardening guides for organizations that want to apply industry-standard settings.
5. Keep systems up-to-date
Make sure all operating systems, applications, and software in your business are updated on a regular basis. Applying the latest security updates closes the vulnerabilities attackers are trying to exploit. Turn on automatic updates wherever possible so you always have the most recent security fixes, and keep track of the systems where you cannot so they are patched by other means.
6. Train the team
Security awareness training is essential to stopping ransomware before it starts. When employees can recognize and avoid dangerous emails, everyone contributes to the organization's overall security. Security awareness sessions teach team members what to look for in an email before they click a link or open an attachment.
7. Implement an IDS
An Intrusion Detection System (IDS) looks for malicious activity by comparing network traffic against signatures derived from previously identified attacks. Because signature-based detection only catches patterns that are already known, a well-run IDS updates its signatures regularly and alerts your organization as soon as it sees potentially harmful activity.
CIS Control 8 (Audit Log Management) covers the maintenance, monitoring, and analysis of audit logs, a function most commercial intrusion detection systems provide.
In addition, CIS offers Albert Network Monitoring, an IDS solution designed specifically for State, Local, Tribal, and Territorial (SLTT) government agencies in the United States. Using a custom signature set, Albert is effective at identifying ransomware and other malware, and its signatures are updated regularly to keep pace with the latest threats.
When ransomware strikes, it is critical that your business is alerted and begins investigating as soon as possible. CrowdStrike's data indicates that a mature organization should be able to investigate an intrusion in 10 minutes or less, yet only ten percent of businesses meet that target. (Source) With Albert Network Monitoring, organizations hit by ransomware can go from event detection to notification in as little as six minutes after malicious activity has been detected and confirmed.
What happens in those six minutes? CIS Security Operations Center (SOC) analysts conduct an initial investigation: confirming the malicious activity, reviewing historical activity from the affected host, compiling security recommendations for the affected organization, and notifying that entity with their analysis and guidance. Organizations using Albert can reach CIS cyber analysts 24 hours a day, seven days a week by phone and email to ask questions, query data, and get help strengthening their defenses against cyber threats.
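To make the "signatures plus alerting" idea concrete, here is a small detector that applies two rules to SMB file-activity records: a static signature (a ransom-note filename being written) and a rate threshold (a burst of renames to an encrypted-file extension from one host). This is an added example, not the article's own code and not how CIS Albert works; the log lines are constructed to resemble the `ts`, `id.orig_h`, `id.resp_h`, `action`, and `name` fields of a Zeek `smb_files.log`, and the signature lists are illustrative.

```python
"""Signature-and-threshold detector over SMB file-activity records.

Added example, not from the original article. The log format and all sample
records are constructed (Zeek smb_files.log-like, tab separated).
"""
from collections import defaultdict

# Signatures from past incidents: ransom-note filename fragments and extensions
# appended to encrypted files. Constructed for illustration, not a threat feed.
NOTE_SIGNATURES = ("readme_decrypt", "how_to_recover", "restore_files")
ENCRYPTED_EXTENSIONS = (".locked", ".encrypted", ".crypt")

# Constructed sample: host 10.1.1.5 renames four files to .locked within two
# seconds and then writes a ransom note; host 10.1.1.9 is normal activity.
SAMPLE_LOG = """\
1700000000.10\t10.1.1.5\t10.1.1.20\tSMB::FILE_OPEN\tdocs\\budget.xlsx
1700000000.40\t10.1.1.5\t10.1.1.20\tSMB::FILE_RENAME\tdocs\\budget.xlsx.locked
1700000000.90\t10.1.1.5\t10.1.1.20\tSMB::FILE_RENAME\tdocs\\plan.docx.locked
1700000001.30\t10.1.1.5\t10.1.1.20\tSMB::FILE_RENAME\tdocs\\q3.pptx.locked
1700000001.80\t10.1.1.5\t10.1.1.20\tSMB::FILE_RENAME\tdocs\\notes.txt.locked
1700000002.00\t10.1.1.5\t10.1.1.20\tSMB::FILE_WRITE\tdocs\\README_DECRYPT.txt
1700000005.00\t10.1.1.9\t10.1.1.20\tSMB::FILE_WRITE\tshared\\report.pdf
1700000100.00\t10.1.1.9\t10.1.1.20\tSMB::FILE_RENAME\tshared\\old.docx.locked
"""


def parse(log_text: str) -> list:
    """Turn tab-separated records into dicts; skips blank and comment lines."""
    records = []
    for line in log_text.splitlines():
        if not line or line.startswith("#"):
            continue
        ts, orig, resp, action, name = line.split("\t")
        records.append({"ts": float(ts), "src": orig, "dst": resp,
                        "action": action, "name": name.lower()})
    return records


def detect(records: list, window_s: float = 10.0, rename_threshold: int = 3) -> list:
    """Return alerts as (rule, source_host, timestamp, detail).

    Rule 1 (signature): a FILE_WRITE whose basename matches a ransom-note name.
    Rule 2 (threshold): rename_threshold or more renames to an encrypted
    extension from one source host inside a sliding window of window_s
    seconds; fires once when the threshold is reached.
    """
    alerts = []
    renames = defaultdict(list)  # src host -> timestamps of suspicious renames
    for r in records:
        base = r["name"].replace("/", "\\").rsplit("\\", 1)[-1]
        if r["action"].endswith("FILE_WRITE") and any(s in base for s in NOTE_SIGNATURES):
            alerts.append(("ransom_note", r["src"], r["ts"], r["name"]))
        if r["action"].endswith("FILE_RENAME") and base.endswith(ENCRYPTED_EXTENSIONS):
            bucket = renames[r["src"]]
            bucket.append(r["ts"])
            while bucket and r["ts"] - bucket[0] > window_s:  # expire old events
                bucket.pop(0)
            if len(bucket) == rename_threshold:
                alerts.append(("mass_rename", r["src"], r["ts"],
                               f"{len(bucket)} encrypted-extension renames in {window_s}s"))
    return alerts


if __name__ == "__main__":
    for rule, host, ts, detail in detect(parse(SAMPLE_LOG)):
        print(f"[{rule}] host={host} ts={ts} {detail}")
```

The threshold rule is what catches a new family whose extension or note name is not yet in the signature list, which is the limitation of pure signature matching noted above; the tunable window and count are where false positives against legitimate bulk renames get managed.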