[BreachExchange] The role of continuity practices in surviving ransomware

Audrey McNeil audrey at riskbasedsecurity.com
Thu Apr 6 18:54:15 EDT 2017


http://www.itproportal.com/features/the-role-of-continuity-practices-in-surviving-ransomware/

Recently, the National Crime Agency (NCA) and National Cyber Security
Centre (NCSC) launched their first joint report into ‘The cyber threat to UK
businesses’. The document outlined what they expect to be the major trends
seen across the cyber security industry over the coming months. Ransomware,
which has experienced rapid growth over the last year and presents a hugely
lucrative industry for cybercriminals, was acknowledged as an escalating
threat to UK businesses.

Creating and deploying ransomware has never been easier. Malicious code
needed to create the ransomware can now be readily outsourced, with
“Ransomware as a Service” models already available on the dark web, where
wannabe attackers can purchase ready-made malware packages. This ease of
procurement, coupled with the financial opportunity associated with
targeted attacks, means ransomware will continue to be a huge threat in
2017.

Who is being targeted, and why?

This increased accessibility has significantly broadened the variety of
potential attackers in recent years, and as such it’s hard to generalise
around the motivations of individuals. Whether it’s lone actors operating
from a bedroom, a politically-motivated hacktivist, or an international
criminal organisation with salaried employees, everyone is a target to
someone.

Low-value

Individual consumers and smaller organisations represent low value targets.
At this end of the spectrum, ransomware is a numbers game, and attackers
tend to follow the path of least resistance. In practice, that means
working through organisations that meet certain basic criteria (e.g.
charities in London, with <£5m turnover), or individuals that represent
demographics with little to no education in cyber security.

High-value

Larger organisations with valuable datasets and a public reputation to
protect obviously represent high-value targets, and often attract the most
sophisticated attacks as a result. One of the key determinants of severity is
the level of access privileges held by the infected user. This makes power
users such as sysadmins and senior executives far more valuable targets
than ordinary users. Attackers can spend weeks or even months probing
attack vectors in order to locate senior individuals susceptible to
compromise.

Why are these attacks so successful?

Whoever the target is, the rise of cryptocurrencies has increased the
degree of anonymity afforded to criminals taking ransom payments. Cyber
criminals balance risk and reward. Taking payments as cryptocurrency means
the reward has stayed constant, whilst the risk of being caught has dropped
significantly.

Although the government’s report advised UK organisations to combat
cyber-attacks by reporting attacks, promoting awareness and adopting cyber
security programmes, it failed to acknowledge the more immediately
actionable role that good continuity practices can play in surviving and
recovering from cyber-attacks. Whilst outright prevention of a ransomware
attack may be impossible, good continuity practices, such as a carefully
tailored backup solution, can effectively negate the consequences.

What continuity practices can organisations implement to ensure they
recover as quickly as possible?

Devising a specific incident response plan for cyber attacks

Something that was omitted from the government’s advice report is the
importance of having an effective incident response plan in place. We
typically advise that companies should plan for impacts and test for
scenarios. Impact-based planning works on the basis that while there are an
infinite number of possible disasters, the number of potential consequences
at the operational level is much smaller. Scenario-based planning asks
users to anticipate the consequences of a disastrous event and to create
solutions ahead of time.

However, certain threats do warrant specific response plans, and this is
certainly the case for ransomware. Ransomware can lie dormant on servers
for a period of time to deliberately out-last a backup strategy. As a
result, it needs a different approach and plan to recover effectively.

Recovery testing for cyber incidents

Once this plan has been established, it is vital to then test that plan and
make sure it works. Where this isn’t possible, organisations should run
exercises such as a tabletop test as a minimum. This involves organisations
responding to a simulated disruption by walking through their recovery
plans and outlining their responses and actions.

Plans should be regularly reviewed, updated and tested. This ensures that
in the event of an incident, plans can be executed as effectively as
possible with minimum impact to everyone concerned. It would be advisable
for UK organisations to make a ransomware attack the next focus of any
future continuity planning if they have not done so already.

Recovery

In the event of a ransomware attack a business will have two options:
recover the information from a previous backup or pay the ransom. In many
cases, even when a ransom has been paid, the data has not been released, so
paying does not guarantee you will get your data back.

There are two main objectives when recovering from ransomware: to minimise
the amount of data loss and to limit the amount of IT downtime for the
business. The fastest way to recover from most incidents is to fail over to
replica systems hosted elsewhere. But these traditional disaster recovery
services are not optimised for cyber threats. Replication software will
immediately copy the ransomware from production IT systems to the offsite
replica. This software will often have a limited number of historic
versions to recover from, so by the time an infection has been identified,
the window for recovery has gone. This means that ransomware recovery can
be incredibly time consuming and requires reverting to backups. This often
involves trawling through historic versions of backups to locate the clean
data.
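As an added illustration (not from the article) of the two points above, that a dormant payload can out-last a backup strategy and that recovery means hunting back through retained versions for the last clean copy, the following Python models a simple grandfather-father-son retention scheme and reports the newest restore point that predates the infection. The scheme, the dates and the dwell times are assumptions chosen for the example, not figures from the article.

```python
from datetime import date, timedelta

def retained_snapshots(today, daily=7, weekly=0, monthly=0):
    """Snapshot dates still on hand under an assumed grandfather-father-son
    scheme with one snapshot per day: the last `daily` days, the last `weekly`
    Sunday snapshots and the first-of-month snapshot for `monthly` months."""
    kept = {today - timedelta(days=i) for i in range(daily)}
    d, found = today, 0
    while found < weekly:                 # walk back and collect Sundays
        if d.weekday() == 6:
            kept.add(d)
            found += 1
        d -= timedelta(days=1)
    year, month = today.year, today.month
    for _ in range(monthly):              # first-of-month copies
        kept.add(date(year, month, 1))
        month -= 1
        if month == 0:
            year, month = year - 1, 12
    return kept

def newest_clean_restore_point(snapshots, infection_date):
    """Newest retained snapshot taken strictly before the malware arrived;
    None means every retained copy already contains the dormant payload."""
    clean = [s for s in snapshots if s < infection_date]
    return max(clean) if clean else None

def restore_point_for(today_iso, infection_iso, **scheme):
    """Convenience wrapper over ISO date strings (constructed input)."""
    today = date.fromisoformat(today_iso)
    point = newest_clean_restore_point(
        retained_snapshots(today, **scheme), date.fromisoformat(infection_iso))
    return point.isoformat() if point else None

if __name__ == "__main__":
    # Constructed scenario: payload planted 2017-03-01, triggered 2017-04-06.
    # Seven daily copies only: no clean restore point survives.
    print(restore_point_for("2017-04-06", "2017-03-01", daily=7))
    # Add weekly and monthly copies: a clean point exists, at the cost of
    # losing everything written after it.
    print(restore_point_for("2017-04-06", "2017-03-01",
                            daily=7, weekly=4, monthly=3))
```

The gap between the returned restore point and the day of discovery is the data-loss window the article's first recovery objective is about; a scheme that keeps only a few recent versions can leave no clean point at all.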

Ransomware will only continue to rise, so organisations must regard
infection as a matter of ‘when’ rather than ‘if’ and take the appropriate
steps to mitigate the risks. The advice from the government provides a
solid foundation, but it is imperative that organisations have an effective
response plan and backup strategy to support it.