Ransomware: Getting to know the enemy
Every organisation today is concerned about security and the inevitability of a ransomware attack. With multi-generational sprawl increasing the attack surface, recovering from a malicious attack is becoming increasingly difficult.
We hosted a roundtable that brought together a group of security architects, IT, network & security operations directors, process & innovation professionals to take a deeper look at:
- The different types of ransomware. Do you know them and what to look for?
- How to minimise ransomware exposure
- Best practices to have in place for ransomware protection
- How to stop ransomware from spreading and how to get rid of it
Rela8 Group’s Technology Leaders Club roundtables are held under the Chatham House Rule. Names, organisations and some anecdotes have been withheld to protect privacy.
Commvault® liberates people to do amazing things with their data. It enables businesses to proactively simplify and manage the complexity of their continuously evolving and growing data environments, whether the data is on-premises or in the cloud.
It is not a matter of if, but when
Ransomware attacks are becoming a professional business with both ‘lockup of data if you don’t pay’ and the ‘data leak if you don’t pay’ gangs. They have chat rooms and tech support so intrusion detection and having controls in place to mitigate attacks is paramount for protection.
Experts predict that ransomware attacks will take place every 11 seconds by 2021, and with multi-generational data sprawl increasing your attack surface, recovering from a malicious attack is becoming increasingly difficult. How prepared are organisations for these inevitable ransomware attacks, and what does this preparedness mean to the organisation as a whole?
Executing ransomware scenarios
Businesses have to remain vigilant and aware that attack surfaces are becoming ever more exposed to ransomware attacks. It will happen to every organisation at some point, and they need to be resilient enough to survive an attack. Businesses need to understand what can happen to avoid making decisions ‘on the fly’.
Design scenarios to test whether an organisation is ready, and ask questions at senior levels of business management. Learnings from these scenarios play an integral part in an organisation’s readiness for attacks, as well as in capital adequacy assessments and loss forecasting. Testing when certain key people are on holiday, for example, will reveal just how ready the organisation is, because an attack could happen at any time.
Alongside digital security, organisations should also think about physical security: for example, losing data because someone steals tapes, or because of fire or flood. Physical and digital security and preparedness should go hand-in-hand.
Attackers operate like security professionals, taking the time to build spoof websites and social media platforms that look like the real thing, complete with DDoS protection and incident hotlines if the website doesn’t work. Attackers are refining their methods, for example finding disgruntled employees by sending ‘making money’ spam into an organisation. There are services available that look for digital shadows and inspect the dark web.
Risk from the supply chain
The exposure threat landscape is now broad, and it is important to recognise that the most significant threat factor could come from an open door within the supply chain. Businesses trust their supply chain, and suppliers will state that they maintain high security standards, but a risk assessment, or simply communicating that their security is being assessed, may prompt suppliers to examine themselves before further action is taken.
Malware can be spread over VPNs into a network via email communication from suppliers, so suppliers must be held accountable for their cyber security. Attackers like to target anti-virus products because those products run on every endpoint in the system.
Limiting blast radius
Cyber insurance underwriters assess risk exposure, and premiums will be affected by an organisation’s recovery strategies. It comes down to generating revenue: a longer downtime equals more revenue lost. How quickly a company recovers, and understanding the critical steps needed to facilitate that recovery, is important.
Steps can be taken to mitigate ransomware attacks. Segregating business units may cause slight disruption but limits the blast radius. Monitoring and segregation of systems, reducing administrative-level credentials and frequent back-ups are long processes, whereas an attack is quick and extreme. Public-facing servers should be treated with zero trust, and the blast radius should be limited to one device. Delivering detection technology to every device is expensive, but worth it if attackers are found within minutes, not months.
Threat intelligence capabilities need to be utilised, looking at digital shadows and potential exposure in a proactive rather than reactive approach. Making sure the basics are in place, like patching, can reduce the likelihood of an attack (although patches don’t always work). The incident management process should encourage colleagues to report something when they notice it.
Supporting code signing avoids false positives in the EDR and distinguishes legitimate code from non-legitimate code. Continuous testing of code alongside other preventative measures can limit an attacker’s ability to infiltrate.
Protecting against something that could happen is a form of insurance. Business continuity management plays a large part in disaster recovery strategy; it is not a series of tick boxes to show companies have the right documentation.
Implementing a business impact analysis to highlight the systems most critical to business continuity is an essential tool when there are budget constraints. The cost of putting protective measures in place needs to be weighed up against what downtime would cost in both revenue and reputation. If there are spares on-site for DR, then the recovery time is much reduced, with no waiting time to order them in.
Preparation is key
Businesses need to understand what can happen to avoid making knee-jerk decisions when there is an attack. Scenarios must be designed to test whether an organisation is ready, and questions must be asked at senior levels of business management.
The exposure threat landscape is now broad, and it is important to recognise that the most significant threat factor could come from an open door within the supply chain.
How quickly a company recovers and understanding the critical steps needed to facilitate that recovery is important. Business continuity management plays a large part in a disaster recovery strategy.