Best Practices to counter ransomware
As more and more businesses go online, number of threats that lurk in cyberspace are also increasing. Ransomware is an emerging threat against which you need protection due to increased volume in recent years. Ransomware attacks target business houses, government offices, hospitals or even individual user systems around the world. They block users access to their own data and systems and demand money to release it back. Paying ransom money does not guarantee access to data. Backing up data is critical for business continuity so that it can recover quickly and resume operations.
To counter adversaries and breaches, a resolute team should be constituted to analyze, formulate and report the recovery process. A good backup strategy is to follow 3-2-1 rule to take backups. Sensitive systems should be virtually air-gapped to keep data safe from hackers and malware. Two critical metrics for data protection plan are Recovery point objective (RPO) and Recovery time objective (RTO). In short, RTO is how quickly you want to recover and RPO is data you are ready to lose in the event of ransomware attack.
Main causes of Ransomware attacks are:
- Falling victim to Spam/Phishing emails
- Poor user practices/gullibility
- Lack of cyber security training
- Weak Password management policies
- Clickbait content
- Downloads from Malicious websites
- Unsecured RDP points
- Lack of financial budgeting for security solutions
Here is some high level information about best practices which is crucial to make the recovery plan for all sort of adversaries including ransomware attack:
- Constitute DR Team: (RACI stands for Responsible, accountable, collaborator, informed.) RACI chart is a matrix to outline teams and activities responsible for different task in disaster recovery)
- Inventorize: Identification and status information of Users, Devices, software, data.
- Data Categorization: Important and sensitive data, data easily reproduced from external sources.
- Patching and Updates: Updating systems, Edge devices in network like firewalls, routers, switches, LB’s, storage are crucial and first line of defense in security of infrastructure.
- Strong Policy enforcement: Enforce standard policy across company aiming zero trust. Assign least privileges to users and systems to do the job. Role based administration and separation of powers. Strict password management policies should be adhered to.
- Logging: Deploy logging and auditing capabilities across the company for network, systems, database, integrity patterns across the infrastructure.
- Network Monitoring: Keep an eye on unapproved network communications to prevent malicious reconnaissance. Unauthorized machines should quarantine and stopped.
- Backup: Federated Directory, system configurations, organizational data, Application data and Endpoint data.
- Vulnerability Management: Identification of vulnerabilities on all systems in organizations and managing and prioritizing vulnerability based on organizational needs.
- Immutable Storage: Immutability is the concept that immutable cannot changed by anyone included privileged personnel for specific number of days. Data retention period can be decided depending on the kind of data.
- Air Gaps: Data backups on interconnected data-centers and connected cloud sites could cause to lose data on both sides in case of ransomware attack, a rolling disaster. Physical or virtual air gap is the solution here. Like keeping backup in different cloud accounts or on a separate storage. Not using common protocols NFS and SMB for backups is a plus. Object based storage could make the difference.
- Integrity monitoring: Deploy baseline integrity activity monitoring for data, Directory Federation services, collaborative platforms etc.
- Endpoint protection: employees as well vendor machines on the network should monitored with endpoint security software in addition to antivirus software. Zero trust policy should apply to keep endpoints safe.
- Backup Policy: After covering all above aspects, Backup policy life cycle includes managing frequency of data backup, type of backup and their transitions like onsite, offsite, and offline backup and duration for which backups should be kept . Encryption and offline backup are the key. Ransomware once having access to network try to reach all shared storage paths and backup paths to modify data and make it encrypted. Ransomware does not act on day one. It can stay on network for weeks before it activates and do the damage. Once we have detached copies of backup, we still need to make sure, which one need to restore to avoid any traces of Ransomware. For offsite backup, S3 can be used. AWS Backup is also a viable choice, as AWS Backup use different key for encryption and decryption. Cross account backups (airgap backups) are always good to consider for critical datasets.
- Tools: Many opensource and commercial tools are available to protect your data from ransomware. Here are some examples which can assist in building your defense against Ransomware – OpenVAS, Vulcan Cyber, Tenable Nessus Essentials, Cloudflare Zero Trust Services, Splunk, Security Onion, Grype, Hedgehog, Wireshark, Snort, portmaster, Glasswire etc.
Above information is only an overview. As infrastructure deployments differ across organizations, a single DR approach does not fit for everyone. If you like to deep dive in DR process to counter ransomware, Contact us, we will do the needful to protect your infrastructure for security breaches.