Ransomware Readiness Assessment Part 2

By Michael Hawkins
Posted in Security
On June 23, 2021

This is part two of our two-part Ransomware Readiness series. Click here to read part one.

Ransomware has recently had several high-profile cases, including attacks on Fujifilm, JBS, and the Colonial Pipeline. These attacks continue to highlight the importance of the security controls that help to stave off an attack or limit the damage it causes.

Gotham Technology Group has developed a ransomware remediation assessment service that analyzes your current technology state and staff training, and makes recommendations for fixing problems, with the goal of improving your security posture.

The assessment examines eleven categories: end point protection, vulnerability management and patching, browsing protections, email protections, network admission control (NAC), firewall access policy, remote access, privileged account management, logging and alerting, security awareness training, and incident readiness. The assessment drills down into each technology.

Let’s take a quick look at each of the categories:

End Point Protection

Are you using a reputable technology leader in anti-malware protection on your end points? Not all malware protection products are the same. Is free anti-malware software really sufficient for protection against the latest ransomware strains? Are you confident that the end points in your environment are downloading automatic updates consistently and promptly? What protections for mobile devices do you have deployed? Are your mobile devices protected against targeted phishing campaigns?

Vulnerability Management and Patching

End points are a primary pathway for malware infection and are the target for ransomware itself. End points that are not fully patched and managed for vulnerabilities are exposed to the full onslaught of ransomware. Are all of your end points and servers patched regularly and are they up to date? Do you regularly scan your internal environment to look for vulnerabilities on your end points? Servers are often overlooked. Are you confident that your entire server inventory is patched and configured for maximum security?

Browsing Protections

Browsing activity is an important pathway for ransomware infection. It is important to ensure that sufficient protections are in place to reduce the chance of infection through browsing activities. Is all browsing activity protected using up-to-date URL protections? Is user/group-based browsing in place? Are you taking advantage of modern protections such as DNS sinkholing? Is all HTTPS browsing decrypted and analyzed for malware? Are servers treated as a special group so that they can reach patching and uploading sites only?

Email Protections

Email is an important pathway for malware, both through attachments and through malicious links. Therefore, it is critically important to use an up-to-date anti-malware email platform. In addition, it is also important to ensure that your email domains are configured for maximum protection against hijacking using SPF, DKIM, and DMARC.
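As an added example (not part of the original post), the following script grades a domain's SPF and DMARC TXT records the way this check would be performed during an assessment: a weak configuration is shown beside the hardened one. The domain, records, and mail-provider names are constructed; DKIM is left out because validating it requires the provider's selector and public key.

```python
import re

WEAK_RECORDS = {  # constructed sample TXT records for a hypothetical domain, not real DNS data
    "example.test": ["v=spf1 include:_spf.mail-provider.test ip4:203.0.113.0/24 ~all"],
    "_dmarc.example.test": ["v=DMARC1; p=none; rua=mailto:dmarc-reports@example.test"],
}
HARDENED_RECORDS = {  # the same domain after applying the recommendations
    "example.test": ["v=spf1 include:_spf.mail-provider.test ip4:203.0.113.0/24 -all"],
    "_dmarc.example.test": ["v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.test"],
}

def find_record(txt_records, prefix):
    matches = [r for r in txt_records if r.lower().startswith(prefix)]
    return matches[0] if len(matches) == 1 else None  # two or more records is itself a misconfiguration

def assess_spf(record):
    """Flag SPF records that do not hard-fail unlisted senders or exceed the 10-lookup limit."""
    if record is None:
        return ["SPF: missing or duplicated v=spf1 record"]
    findings, qualifier, lookups = [], None, 0
    for term in record.split()[1:]:  # skip the "v=spf1" version tag
        qual = term[0] if term[0] in "+-~?" else "+"
        name = re.split(r"[:/=]", term.lstrip("+-~?"), 1)[0].lower()
        if name == "all":
            qualifier = qual
        elif name in ("include", "a", "mx", "ptr", "exists", "redirect"):
            lookups += 1  # each of these mechanisms costs a DNS lookup
    if qualifier != "-":
        findings.append(f"SPF: {(qualifier or 'no ') + 'all'}; unlisted senders are not rejected")
    if lookups > 10:
        findings.append("SPF: more than 10 DNS lookups; receivers treat this as permerror")
    return findings

def assess_dmarc(record):
    """Flag DMARC records whose policy lets spoofed mail through or that send no reports."""
    if record is None:
        return ["DMARC: missing or duplicated v=DMARC1 record"]
    tags = {k.strip().lower(): v.strip() for k, v in (t.split("=", 1) for t in record.split(";") if "=" in t)}
    findings = []
    if tags.get("p", "").lower() != "reject":
        findings.append(f"DMARC: p={tags.get('p', 'missing')}; only p=reject blocks spoofed mail")
    if "rua" not in tags:
        findings.append("DMARC: no rua= address, so aggregate reports are never received")
    return findings

def assess_domain(domain, records):  # DKIM needs the provider's selector and is out of scope here
    return (assess_spf(find_record(records.get(domain, []), "v=spf1"))
            + assess_dmarc(find_record(records.get(f"_dmarc.{domain}", []), "v=dmarc1")))
```

Running `assess_domain("example.test", WEAK_RECORDS)` reports the softfail and the monitoring-only DMARC policy, while the hardened records produce no findings.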

Network Admission Control (NAC)

An important vector for malware infection is devices that are already infected when they connect to the network, from which the malware then spreads to the rest of the environment. While many organizations deploy NAC, they tend to stop short of configuring it for maximum benefit. Do you have NAC deployed in your environment? Does NAC admit only devices that comply with a policy requiring anti-malware to be installed and up to date? Do you also require that NAC check for appropriate patch levels?

Firewall Access Policy

Firewall access rules are a crucial part of reducing the attack surface. Equally important is restricting outbound access to the Internet. Furthermore, the server inventory should be treated differently from most user end points. Firewall policies should be reviewed at least once per year. Ensure that all outbound access is restricted to “that which is required” only. Develop policies that restrict server access to that which is required. Any exceptions should be handled on a case-by-case basis with the least access possible granted, and each exception should be restricted to specific sources, destinations, and services.
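As an added example (not part of the original post), this script applies the outbound-policy checks above to a rule set: unrestricted outbound rules, server-zone rules that reach beyond the patching and upload destinations, exceptions without a specific source, and a missing default deny. The rules, zone names, and destination names are constructed and do not come from any real firewall.

```python
# Constructed sample outbound policy, in evaluation order; not exported from any real firewall.
RULES = [
    {"name": "users-web", "src": "user-lan", "dst": "any", "service": "tcp/443", "action": "allow"},
    {"name": "users-any", "src": "user-lan", "dst": "any", "service": "any", "action": "allow"},
    {"name": "servers-patch", "src": "server-lan", "dst": "patch-mirror", "service": "tcp/443", "action": "allow"},
    {"name": "servers-any", "src": "server-lan", "dst": "any", "service": "any", "action": "allow"},
    {"name": "vendor-exception", "src": "any", "dst": "vendor-portal", "service": "tcp/443", "action": "allow"},
    {"name": "default-deny", "src": "any", "dst": "any", "service": "any", "action": "deny"},
]
SERVER_ZONES = {"server-lan"}          # assumed zone name for the server inventory
SERVER_ALLOWED_DST = {"patch-mirror"}  # assumed patching/upload destinations servers may reach

def audit_outbound_policy(rules, server_zones, server_allowed_dst):
    """Return (rule name, finding) pairs for allow rules that violate the stated outbound policy."""
    findings = []
    for rule in rules:
        if rule["action"] != "allow":
            continue
        if rule["dst"] == "any" and rule["service"] == "any":
            findings.append((rule["name"], "outbound access is not restricted to what is required"))
        elif rule["src"] in server_zones and rule["dst"] not in server_allowed_dst:
            findings.append((rule["name"], "server zone may reach a destination outside the patch/upload list"))
        if rule["src"] == "any":
            findings.append((rule["name"], "exception has no specific source; restrict it to the requesting hosts"))
    last = rules[-1] if rules else None  # the policy must close with an explicit deny of everything else
    if not last or last["action"] != "deny" or any(last[f] != "any" for f in ("src", "dst", "service")):
        findings.append(("policy", "no explicit default-deny rule at the end of the policy"))
    return findings
```

Against the sample policy the audit flags `users-any`, `servers-any`, and `vendor-exception`; the user web rule and the server patching rule pass.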

Remote Access

Remote access is a vector for credential misuse and stealing. Remote access should be restricted to known, reliably secure protocols and applications. All remote access should require multi-factor authentication. Administrative accounts should not be permitted to use remote access applications.

Privileged Account Management

Privileged account management (PAM) is an all too often overlooked part of the security controls for ransomware protection. Yet the spread of ransomware throughout the inventory depends very much on the hackers gaining access to a privileged account. Therefore, it is very important that privileged accounts be contained and controlled so that the harm done by hackers is kept to an absolute minimum. Do you have a PAM system in place in your organization? Do you have control over both administrative and service accounts?

Logging and Alerting

Bad actors often break into a customer environment and spend weeks or perhaps months carrying out reconnaissance and exfiltrating data before executing the ransomware. It is important to use a security information and event management (SIEM) system to constantly monitor the environment for signs of bad actor activity. In addition, there must be a set of eyes dedicated to monitoring the monitor, to ensure that action is taken when suspicious activity occurs. For these reasons, it is important to subscribe to a security operations center as a service (SOCaaS) offering.

Security Awareness Training

Your staff acts as a security control, and their effectiveness largely depends on sufficient training: they need to understand the threats of social engineering, behave appropriately when they encounter them, and notify security staff. Your staff needs to be trained regularly and often.

Incident Readiness

There are two important aspects to incident readiness. First, security staff should participate in regular tabletop incident exercises. Second, your organization should have an incident response agreement in place. Security staff need to practice their response to incidents so that they are better prepared for the day when a real incident occurs. Tabletop exercises sharpen critical thinking for leaders and operational staff, uncover issues before they happen, help to build decision-making processes, and establish clear preparedness objectives. Thoughtful and objective evaluation of the exercises strengthens preparedness. The time to put an incident response contract in place is now, not when an incident is occurring. An incident response agreement allows significant questions about handling an incident to be answered and settled before one occurs. This helps to reduce the time to recover and places less stress on the staff as they work toward recovery.

Conclusion

There is a saying in security circles that the only question about ransomware is not IF but WHEN your organization will be affected. We do not subscribe to that thinking. If the proper security controls are deployed in an IT environment, and they are configured appropriately, there is no reason to believe that your network is not secure. Yes, it takes time and resources to deploy the various controls, but once they are in place and maintained, the environment can be expected to protect against ransomware, and to be successful at doing so.

For additional information, contact Gotham today.

Michael Hawkins

Michael is a creative and results-driven expert in the design, development, and delivery of cost-effective, high-performance technology solutions. An accomplished leader and project manager, Michael's experience includes building motivated and productive teams for large-scale networking and infrastructure engagements.