A ransomware attack is a nightmare scenario for IT professionals and their organizations. Along with the costs of recovering data and restoring systems, business operations can grind to a halt, and customer confidence can be shaken.
Unfortunately, ransomware attacks are on the rise this year, especially in the U.S. and UK. A new report from Atlas VPN indicated there were 304.7 million ransomware attack attempts in the first half of 2021, compared with 121.4 million in the same period of 2020. Of the 2021 total, 227.3 million were in the U.S. and 14.6 million in the UK.
In the face of this cyber challenge, two professionals from Mandiant led an August 11 BrightTalk webinar, “Ransomware: Five Steps to Defend Against It.”
“A solid defense includes both technology and people, such as tracking threat actors and providing employee training,” said Rich Reese, principal consultant for the security firm.
David Parry, manager, noted that widespread phishing campaigns, compromised email accounts, and identity theft are often the opening moves in a ransomware attack cycle. Other targets include legacy applications or devices connected to the Internet. Voice over IP (VoIP) is not a typical attack channel, although unsecured servers could be exploited, Parry said.
“After establishing a foothold, an attacker will attempt to escalate privileges, conduct an internal reconnaissance and complete the mission,” he said. “Remember that data theft can occur prior to a ransomware attack.”
A well-rounded defense
Reese and Parry outlined five phases of a strong ransomware defense.
1. Identify. Look at your servers, sensors and devices, including alarm systems, fax machines, and copiers. “There might be an old box that is still online or a neglected edge device that could provide an entry point for attackers,” Parry said. “If you don’t know it’s there, you can’t protect it.”
A good network management application can identify IT assets and send an alert when a suspicious system comes online, he added. You should also check applications to be sure they have the latest security patches and updates.
Knowing the nature and location of your organization’s data is another important protective step. If an attacker encrypts your data, you should be able to tell what may have been stolen or lost. “If you lose 500 gigs, you should know whether this is mission-critical information or simply marketing material that could easily be reconstructed,” Reese said. “An outside audit can be a good way to check on your asset and data management processes.”
2. Protect. It is hard to overstate the importance of data backups, particularly immutable or offline copies that an attacker can’t reach, said Parry. “That’s a big differentiator for organizations that have good restoration efforts, versus those whose backups have been compromised by an attacker.”
Other protective steps include deploying multifactor authentication (MFA) to reduce the risk of identity theft, and endpoint security tools. Training users to guard their online identities should be an ongoing process, Reese said. “You also want the IT team to be aware of possible scams, like an attacker calling your help desk to get temporary credentials to reset a password,” he said.
3. Detect. Intrusion detection tools are only part of the equation; the human element needs to be considered as well. After all, it takes judgment to determine whether an alert is real or not.
“Why do so many ransomware attacks happen late on a Friday afternoon?” Reese said. “It’s because managers have gone home and there are fewer eyes on the network over the weekend.”
4. Respond. If an attack has occurred, the response team should include legal and media executives as well as the IT security team. “You need to put the response team together in advance, and be sure their contact information is up to date,” Reese said. You should also consider the human factor in responding to an attack. Your team may be asked to work 24/7 for an indefinite period, so think about scheduling people.
5. Recover. Restoring operations after a ransomware attack is far more complicated than decrypting data or rebuilding computers. You need to be sure essential systems like your CRM, billing and payroll are “clean” so business operations can return to normal, Reese said. “You also need to think about a manual recovery of data and applications if all your tools are down,” he added.
Finally, you should conduct a forensic analysis of the attack to collect evidence and identify weak points to prevent a recurrence, Parry said. “You want to harden the environment and protect your organization, while restoring functionality for your users.”
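Two of the points above, the Identify step (alert when a system you don’t have on the books comes online, and notice when a known device such as a fax machine has gone quiet) and the Detect step (weekend and late-Friday alerts get fewer eyes), can be turned into a small inventory drift check. The following is an added example written for this page, not code from Mandiant or the webinar. The asset baseline, the DHCP-style observation lines and the low-coverage window (Friday 17:00 through Monday 08:00) are all constructed assumptions; a real deployment would read the baseline from a CMDB and the observations from DHCP, ARP or NAC logs.

```python
"""Inventory drift check: compare observed hosts against a known-asset
baseline, report unknown and missing devices, and escalate unknown
devices that first appear during low-coverage hours."""
from dataclasses import dataclass
from datetime import datetime

# Constructed baseline (assumption): MAC -> what the organization believes it owns.
KNOWN_ASSETS = {
    "aa:bb:cc:00:00:01": {"name": "fileserver01", "owner": "infra"},
    "aa:bb:cc:00:00:02": {"name": "copier-2f", "owner": "facilities"},
    "aa:bb:cc:00:00:03": {"name": "alarm-panel", "owner": "facilities"},
    "aa:bb:cc:00:00:04": {"name": "fax-1f", "owner": "facilities"},
}

# Constructed observations (assumption): "<ISO timestamp> <mac> <ip> <hostname or ->"
# Aug 6 2021 is a Friday, Aug 7 a Saturday, Aug 9 a Monday.
OBSERVED = """
2021-08-06T16:45:00 aa:bb:cc:00:00:01 10.0.1.10 fileserver01
2021-08-06T16:50:00 de:ad:be:ef:00:01 10.0.1.77 -
2021-08-06T17:30:00 aa:bb:cc:00:00:02 10.0.1.40 copier-2f
2021-08-07T03:12:00 aa:bb:cc:00:00:09 10.0.1.78 oldbox
2021-08-07T04:00:00 aa:bb:cc:00:00:09 10.0.1.78 oldbox
2021-08-09T09:00:00 aa:bb:cc:00:00:03 10.0.1.50 alarm-panel
"""


@dataclass
class Finding:
    mac: str
    ip: str
    first_seen: datetime
    hostname: str
    severity: str  # "escalate" in low-coverage hours, otherwise "review"


def low_coverage(ts: datetime) -> bool:
    """Assumed window with fewer eyes on the network: Friday 17:00 to Monday 08:00."""
    weekday = ts.weekday()  # Monday == 0 ... Sunday == 6
    if weekday == 4 and ts.hour >= 17:
        return True
    if weekday in (5, 6):
        return True
    return weekday == 0 and ts.hour < 8


def parse_observations(text: str):
    """Parse observation lines into (timestamp, mac, ip, hostname) tuples."""
    rows = []
    for line in text.strip().splitlines():
        ts, mac, ip, host = line.split()
        rows.append((datetime.fromisoformat(ts), mac.lower(), ip, host))
    return rows


def find_unknown(observations, known) -> list:
    """Devices not in the baseline, keyed by MAC, with their first sighting."""
    first = {}
    for ts, mac, ip, host in observations:
        if mac in known:
            continue
        if mac not in first or ts < first[mac].first_seen:
            sev = "escalate" if low_coverage(ts) else "review"
            first[mac] = Finding(mac, ip, ts, host, sev)
    return sorted(first.values(), key=lambda f: f.first_seen)


def stale_assets(observations, known) -> list:
    """Baseline devices that never showed up: unplugged, or silently replaced."""
    seen = {mac for _, mac, _, _ in observations}
    return sorted(known[m]["name"] for m in known if m not in seen)


if __name__ == "__main__":
    obs = parse_observations(OBSERVED)
    for f in find_unknown(obs, KNOWN_ASSETS):
        print(f"[{f.severity}] unknown {f.mac} ({f.hostname}) at {f.ip} first seen {f.first_seen}")
    for name in stale_assets(obs, KNOWN_ASSETS):
        print(f"[review] baseline asset {name} not observed in this window")
```

The "escalate" severity is what pages the on-call engineer rather than waiting in a queue until Monday; the "review" findings are the ordinary inventory hygiene the webinar describes, and the stale-asset list is the other half of the same question, since a device that has disappeared from the network is as much an inventory error as one that appeared unannounced.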