[BreachExchange] Sustaining IT resiliency in the face of a ransomware attack

Destry Winant destry at riskbasedsecurity.com
Thu Apr 22 10:48:54 EDT 2021


https://www.securityinfowatch.com/cybersecurity/information-security/anti-virus-and-malware-defense/article/21219148/sustaining-it-resiliency-in-the-face-of-a-ransomware-attack

Ransomware has been challenging enterprise IT teams for years. Given the
shift to remote work and the reliance on online services, the pandemic has
set the stage for a new generation of ransomware attacks that are both more
damaging and more frequent. Preventing ransomware outright is an impossible
task; the real challenge is balancing business agility and sustained
resilience against increasingly strict controls. This is the difference
between trying to prevent a plane crash from ever happening and trying to
make plane crashes more survivable: the first is impossible, the second is
today's reality.

Below I’ve listed a few practices that can help your business sustain
resiliency in the face of a ransomware attack:

Automate and Segment Backups Offline

Resiliency in the face of a ransomware attack can mean many things:
augmenting internal teams with Managed Detection and Response, improved
network segmentation, automated Disaster Recovery testing and validation,
deception technology, and isolated data domains, for example. However, one
of the first steps to surviving a ransomware attack is ensuring that your
backups are safe to restore and that your network has been verified free of
any residual ransomware. Keep backup data offline, or otherwise unreachable
from the production network, as much as possible: finding your backups
encrypted along with everything else is entirely preventable and does not
require a complicated technical solution. The question of whether the
network is free of ransomware is a harder one.

Determining whether your network is free of residual ransomware after an
attack is extremely difficult, so it is better to invest in segmentation and
in automated restoration now. I'm frequently surprised at how many IT shops
lack even the most basic automation for these situations. The fastest way
to be sure an affected machine is clean is to wipe it and rebuild it from a
known-good image, and that is only practical at scale if the rebuild is
automated.
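One concrete piece of the "safe to restore" check, as an added example that is not part of the original article: at backup time, record a manifest of file hashes and keep it offline with the backup media; before restoring, compare the backup set to that manifest and refuse to restore if anything was modified, renamed or added. The directory layout, manifest format and sample files below are constructed for illustration; the simulated tampering stands in for an attacker who reached the backup share.

```python
"""Verify a backup set against a manifest written at backup time.

Added example, not from the original article. The manifest format, the
directory layout and the sample files are assumptions for illustration.
The manifest must be stored *offline* (detached media, WORM storage), so
an attacker who encrypts the backup cannot also rewrite the manifest.
"""
import hashlib
import json
import os
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def write_manifest(backup_dir: Path) -> dict:
    """Run at backup time: map relative path -> sha256 and size."""
    manifest = {}
    for p in sorted(backup_dir.rglob("*")):
        if p.is_file():
            rel = p.relative_to(backup_dir).as_posix()
            manifest[rel] = {"sha256": sha256_file(p), "size": p.stat().st_size}
    return manifest


def verify_backup(backup_dir: Path, manifest: dict) -> dict:
    """Run before restore: compare the on-disk backup to the offline manifest.

    Returns findings in three buckets; restore only when all are empty.
    """
    findings = {"modified": [], "missing": [], "unexpected": []}
    seen = set()
    for p in backup_dir.rglob("*"):
        if not p.is_file():
            continue
        rel = p.relative_to(backup_dir).as_posix()
        seen.add(rel)
        entry = manifest.get(rel)
        if entry is None:
            findings["unexpected"].append(rel)   # e.g. ransom note, ".locked" copy
        elif sha256_file(p) != entry["sha256"]:
            findings["modified"].append(rel)     # content changed since backup
    findings["missing"] = sorted(set(manifest) - seen)  # deleted or renamed
    return findings


def safe_to_restore(findings: dict) -> bool:
    return not any(findings.values())


def demo() -> tuple:
    """Constructed scenario: take a backup, then simulate ransomware touching it."""
    with tempfile.TemporaryDirectory() as tmp:
        bdir = Path(tmp) / "backup"
        (bdir / "db").mkdir(parents=True)
        (bdir / "db" / "orders.sql").write_bytes(b"INSERT INTO orders VALUES (1);\n")
        (bdir / "config.yml").write_bytes(b"retention: 30d\n")
        manifest = write_manifest(bdir)          # would be copied offline here
        clean = verify_backup(bdir, manifest)

        # Simulated attacker on the backup share: encrypt one file in place,
        # rename another with a ransom extension, drop a ransom note.
        (bdir / "db" / "orders.sql").write_bytes(os.urandom(64))
        (bdir / "config.yml").rename(bdir / "config.yml.locked")
        (bdir / "README_RESTORE.txt").write_bytes(b"pay us\n")
        tampered = verify_backup(bdir, manifest)
    return clean, tampered


if __name__ == "__main__":
    clean, tampered = demo()
    print("clean backup safe to restore:", safe_to_restore(clean))
    print("tampered backup findings:", json.dumps(tampered, indent=2))
```

The check only has value if the manifest lives somewhere the attacker cannot reach; a manifest stored next to the backup can be regenerated after encryption. Signing the manifest with an offline key, or writing it to append-only storage, closes that gap.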

Adapt to Work-From-Home Risk Model and Help Employees Stay Alert

It is sometimes assumed that work-from-home employees are somehow capable of
new and more severe kinds of damage. I don't think this is true, but the
work-from-home environment does expand the overall attack surface and adds
unknowns that need to be factored into the overall risk model.

There is a blurring of work rigor and home relaxation in remote working
environments to be aware of. Even as I write this, I'm cognizant of the
fact that I'm wearing a monogrammed button-up shirt and gray sweatpants. I
think there is reason to believe that this comfort can translate into
carelessness relatively easily, which in turn might increase the success
rate of a cyber-attack. At the same time, fewer machines are on VPNs, so a
laptop that is not connected to the corporate network is not reachable for
lateral movement; in some cases, a largely remote workforce might actually
slow ransomware's spread.

Whether you're working from home or in the office, employees will always
find a way to bring exciting new disasters. While COVID-19 caught a lot of
companies off guard, the general concepts of zero trust are more important
now than ever. From the standpoint of good security practice, it shouldn't
matter where our employees are. We should adapt to the risk a user poses by
lowering or raising the trust granted to them based on their behavior.

Build Employee Skill Set Through Awareness-Based Training

Most security-training problems stem from mismatched expectations of
employees. For example, when people board a plane, the flight crew tells
them where the emergency exits are and how to put on a life vest. They
don't expect them to land the plane. Yet in typical awareness training
we're constantly trying to teach people to spot highly sophisticated attack
scenarios and comply with complex policy frameworks. Awareness is a real
win when it develops a dialogue, creates security champions in the
business, or provides practical skills.

Phishing simulation is a good example of the skills-based approach, and
companies that run it properly see a substantial drop in click rates. For
developing dialogue and building champions, teams should run frequent,
tailored internal training and use the same time to review any suspicious
emails employees have reported. Although this is more time-consuming, it's
a great way to get people thinking about security and to build trust with
the business.

Maintain Strong Visibility Across IoT Devices

IoT complicates ransomware response because responders are under intense
pressure to understand the environment, and working across thousands of IoT
devices muddies the water in really difficult ways. Visibility therefore
remains a key requirement for understanding the security of your network.
That said, establishing asset counts and baseline behavior can rapidly
become a herculean task. These devices also make it easier for attackers to
hide, introduce new vulnerabilities into the network, and give attackers
new ways to live off the land.

Full traffic visibility, especially of DNS, is an absolute mandate if you're
going to allow IoT devices across your organization. Without seeing all the
bits, north-south and east-west, you're basically a sitting duck. Remember
that exposure to a threat is a function of how long it takes to detect it
and how long it takes to respond. If you can't see the threat, you'll never
detect it, and your time to detect becomes infinite. Infinity is the enemy
of security.
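What "baseline behavior" and DNS visibility buy you for an IoT segment, as an added example that is not part of the original article: IoT devices talk to a small, stable set of domains, so a per-device baseline of registered domains learned from resolver logs makes a new domain, an unknown device, or a tunneling-style query stand out. The log format (timestamp, client IP, query name, query type), the device addresses, the domain names and the thresholds below are all constructed for illustration; adapt `parse_line()` to your resolver's actual log format and tune the thresholds to your environment.

```python
"""Per-device DNS baselining for an IoT segment.

Added example, not from the original article. The log lines, addresses,
domains and thresholds are constructed; the log layout is
"<timestamp> <client-ip> <qname> <qtype>", an assumed format.
"""
import math
from collections import Counter, defaultdict

# Constructed learning-period traffic (devices behaving normally).
BASELINE_LOG = """\
2021-04-20T08:00:01Z 10.20.0.11 time.example-iot.net A
2021-04-20T08:00:02Z 10.20.0.11 fw.example-iot.net A
2021-04-20T08:05:00Z 10.20.0.12 time.example-iot.net A
2021-04-20T09:00:00Z 10.20.0.12 telemetry.example-iot.net A
2021-04-21T08:00:01Z 10.20.0.11 time.example-iot.net A
"""

# Constructed later traffic to judge against the baseline: a legitimate new
# hostname under a known domain, two tunnel-looking TXT queries from a
# device to a domain it never used, and a device we have never seen.
NEW_LOG = """\
2021-04-22T08:00:01Z 10.20.0.11 time.example-iot.net A
2021-04-22T08:00:09Z 10.20.0.11 update.example-iot.net A
2021-04-22T08:01:00Z 10.20.0.12 a9f3c7e1b2d4.example-c2.xyz TXT
2021-04-22T08:01:01Z 10.20.0.12 zxq7hj4l9p2mn8vb1kd5.example-c2.xyz TXT
2021-04-22T08:02:00Z 10.20.0.13 time.example-iot.net A
"""


def parse_line(line: str):
    ts, client, qname, qtype = line.split()
    return ts, client, qname.lower().rstrip("."), qtype


def registered_domain(qname: str) -> str:
    # Crude: last two labels. Production code should use the public suffix list.
    return ".".join(qname.split(".")[-2:])


def shannon_entropy(s: str) -> float:
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def build_baseline(log: str) -> dict:
    """Map each client to the set of registered domains it queried while learning."""
    baseline = defaultdict(set)
    for line in log.splitlines():
        _, client, qname, _ = parse_line(line)
        baseline[client].add(registered_domain(qname))
    return baseline


def detect(log: str, baseline: dict, max_label_len: int = 30,
           entropy_threshold: float = 3.5) -> list:
    """Return (timestamp, client, qname, reasons) for every query that deviates."""
    findings = []
    for line in log.splitlines():
        ts, client, qname, qtype = parse_line(line)
        reasons = []
        if client not in baseline:
            reasons.append("unknown_device")          # asset inventory gap
        elif registered_domain(qname) not in baseline[client]:
            reasons.append("new_domain")              # device changed behavior
        first_label = qname.split(".")[0]
        if len(first_label) > max_label_len or shannon_entropy(first_label) > entropy_threshold:
            reasons.append("suspicious_label")        # encoded data in the name
        if qtype == "TXT":
            reasons.append("txt_query")               # common tunnel/C2 channel
        if reasons:
            findings.append((ts, client, qname, reasons))
    return findings


if __name__ == "__main__":
    baseline = build_baseline(BASELINE_LOG)
    for ts, client, qname, reasons in detect(NEW_LOG, baseline):
        print(ts, client, qname, ",".join(reasons))
```

Note that the baseline is keyed on the registered domain, not the full hostname, so `update.example-iot.net` from a device that already talks to `example-iot.net` is not flagged; that keeps firmware-update hostnames from generating noise. The entropy threshold is deliberately low for the toy data and will need raising where legitimate names carry random identifiers.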

Leverage Technology to Detect and Respond Quickly

Tools such as deception technology can be used to lure ransomware attacks
away from valid targets. Organizations that are still building the
foundation of their cybersecurity program, however, would be better off
spending the time solidifying Disaster Recovery practices, engaging a
Managed Detection and Response service to speed up response, or hardening
their Active Directory. For those that already have a solid program,
deception is a good option to look at. Looking forward, it will be
interesting to see how deception technology fares in the work-from-home
world, since most of it is designed for the corporate network. It may be
effective against automated attacks, but against hands-on-keyboard
attackers it is less clear, since a skilled operator can often tell decoys
from real machines. Other approaches combine deception with tarpits or
cloned environments. Again, the aim is to slow attackers down rather than
to go for full blocking.
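The simplest form of deception against ransomware is a set of decoy files, as an added example that is not part of the original article: plant files that the encryption loop will reach early and that no legitimate process should ever touch, then treat any change to them as a tripwire. The file names, the placeholder "isolate host" response and the simulated attack below are assumptions made for illustration; in practice the response hook would call your EDR or switch ACLs.

```python
"""Canary (decoy) files as a cheap ransomware tripwire.

Added example, not from the original article. Names, paths and the
response action are assumptions; "isolate_host" stands in for whatever
containment your EDR or network controls actually provide.
"""
import os
import tempfile
from pathlib import Path

# Ransomware usually walks directories in sorted order, so decoys whose names
# sort first ("!" and "0" precede letters) are encrypted before the real data,
# and one that sorts last ("~") catches loops that walk in reverse.
CANARY_NAMES = ["!00_budget_2021.xlsx", "0000_passwords.docx", "~~archive_keys.pdf"]
CANARY_MAGIC = b"CANARY-DO-NOT-TOUCH-"   # known prefix carried by every decoy


def plant_canaries(root: Path) -> dict:
    """Write decoys into root and return {path: expected_bytes}."""
    expected = {}
    for i, name in enumerate(CANARY_NAMES):
        p = root / name
        content = CANARY_MAGIC + str(i).encode() + b"\n" + os.urandom(32)
        p.write_bytes(content)
        expected[p] = content
    return expected


def check_canaries(expected: dict) -> list:
    """Compare each decoy to what was planted.

    Any difference is an alert: content changed (encrypted in place) or the
    file is gone (renamed with a ransom extension, or deleted).
    """
    alerts = []
    for p, content in expected.items():
        if not p.exists():
            alerts.append((str(p), "missing_or_renamed"))
        elif p.read_bytes() != content:
            alerts.append((str(p), "content_changed"))
    return alerts


def respond(alerts: list) -> str:
    # Placeholder policy: one tripped canary is enough to isolate the host.
    # The cost of a false positive is a rebuild; the cost of a miss is the
    # whole file server.
    return "isolate_host" if alerts else "no_action"


def demo() -> tuple:
    """Constructed scenario: plant decoys, then simulate an encryption loop."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        expected = plant_canaries(root)
        (root / "real_report.docx").write_bytes(b"quarterly numbers\n")
        before = check_canaries(expected)

        # Simulated ransomware: overwrite the first decoy with ciphertext-like
        # bytes and rename the second with a ransom extension.
        first = root / CANARY_NAMES[0]
        first.write_bytes(os.urandom(len(first.read_bytes())))
        (root / CANARY_NAMES[1]).rename(root / (CANARY_NAMES[1] + ".locked"))
        after = check_canaries(expected)
    return before, after


if __name__ == "__main__":
    before, after = demo()
    print("before attack:", respond(before), before)
    print("after attack: ", respond(after), after)
```

Run `check_canaries()` from a scheduled task or a file-change watcher on file servers and on the shares most likely to be hit. Because the decoys are never opened by real users, the false-positive rate is essentially the rate at which backup or indexing jobs touch them, which is why those jobs should be configured to skip the decoy names.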

Among the many lessons learned from this pandemic is that a
resilience-based framework at the foundation of IT strategy is a necessity
across all industries. The real challenge is putting it into practice and
determining what is tactically needed for teams to feel fully equipped.
Ransomware will likely never cease to exist, but the more education and
awareness we build as a community, the more we can reduce our
vulnerability to even the most sophisticated attacks.