Five steps to building a practical ransomware defense
In the last five years, ransomware has grown in frequency and impact, leading to greater business losses and damage to brand image. In our Ransomware Defense e-book, Atos has outlined an effective approach to defending your organization from ransomware threats. Our framework builds on global best practices, addressing critical gaps and providing a complete, yet practical, approach to building your ransomware defense.
This blog post provides a glimpse into the publication, outlining five key steps to creating a robust, successful and sustainable defense. Let’s take a look at each of these in detail.
1. Strategy, yes, but operations too
There are many good anti-ransomware strategies, such as the ones offered by NIST and CISA. While you may need to adapt these frameworks to the unique needs of your business, they provide an easy way to define the capabilities you need for every stage of your defense.
But designing your strategy is only half the battle — you need to put in just as much effort to figure out how you will operationalize it. Practically speaking, this includes:
• Moving from a strategy into a tangible and operational plan
• Identifying the critical skillsets, processes and tools needed to execute your plan
• Zeroing in on components of your operating plan that you are already able to deliver
• Prioritizing every element based on your risk profile
• Implementing a robust roadmap
• Establishing governance processes to deliver on your new strategy consistently — and to review and refresh it as needed
2. An ecosystem of ransomware solutions
There is no silver bullet for ransomware. To combat attacks effectively, you need to cover multiple domains, and each deployed solution needs to work seamlessly with the others. This requires an ecosystem approach rather than a siloed one.
Security teams need to assess the following domains to address gaps in their frameworks and infrastructure:
• Identity and access management (IAM), including privileged access management (PAM) and identity governance and administration (IGA)
• Security posture management, including cloud security posture management (CSPM)
• Vulnerability management, starting with scanning and assessment, and including red teaming
• Vulnerability mitigation and correction, including patch management
• Data leakage prevention (DLP) and data encryption
• Redesigning how users and entities access your assets, like networks, solutions, tools, applications and data, taking a zero-trust mindset
• Managed detection and response (MDR), covering endpoint detection and response (EDR), network traffic analysis (NTA), user and entity behavior analysis (UEBA), threat intelligence (TI), security information and event management (SIEM) and security orchestration automation and response (SOAR)
• Computer security incident response team (CSIRT) or digital forensics incident response (DFIR)
• Data backup, archiving and restoration
The Atos Ransomware defense e-book documents a comprehensive list of solutions aligned with the NIST Cybersecurity Framework (CSF) that can be deployed effectively for your business.
3. Staying on top of new ransomware variants
Building ransomware threat intelligence is not a simple one-time activity. With constantly changing threat tactics, techniques, and procedures (TTPs), new ransomware variants and newer approaches, your threat intelligence needs to be regularly updated.
Your actionable threat intelligence must be able to identify each of the following activities and/or standalone types of a ransomware attack:
• Initial access, such as phishing, remote services and known vulnerabilities in public-facing assets
• Execution, such as Windows remote management, native API and/or user execution
• Persistence, such as web shells, valid accounts and auto-start execution, to name a few
• Privilege escalation, such as web shells, valid accounts and process injection, among others
• Evasion of detection and defenses, such as obfuscated files, impairing defenses and masquerading
• Credential access, such as brute force or credentials in files
• Discovery, for instance password policy discovery, account discovery or process discovery
• Lateral movement, such as lateral tool transfer, RDP or Windows remote management
• Data collection from across the network, but primarily information from network-shared drives
• Command and control, such as port knocking, application layer protocols or remote access software
• Exfiltration of sensitive files, such as tracking data transfer size, exfiltration over alternative protocols or transfers to a cloud account
• Impact on operations, such as inhibiting system recovery, encrypting data and system shutdown or reboot
If you are looking to map your threat intelligence to MITRE ATT&CK, consider using TRAM — an open-source platform designed to advance research into automated cyber threat intelligence report mapping.
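One way to turn the list above into a recurring check is to compare it against the detection rules you already run. The following is an added example, not taken from the Atos e-book or from TRAM: the technique IDs are the MITRE ATT&CK IDs for the techniques named in the list, while the rule inventory and its Sigma-style tag format are constructed assumptions.

```python
import re
STAGES = {  # stages and techniques listed above, as ATT&CK technique IDs
    "Initial access": {"T1566", "T1133", "T1190"},
    "Execution": {"T1021.006", "T1106", "T1204"},
    "Persistence": {"T1505.003", "T1078", "T1547"},
    "Privilege escalation": {"T1505.003", "T1078", "T1055"},
    "Defense evasion": {"T1027", "T1562", "T1036"},
    "Credential access": {"T1110", "T1552.001"},
    "Discovery": {"T1201", "T1087", "T1057"},
    "Lateral movement": {"T1570", "T1021.001", "T1021.006"},
    "Collection": {"T1039"},
    "Command and control": {"T1205.001", "T1071", "T1219"},
    "Exfiltration": {"T1030", "T1048", "T1537"},
    "Impact": {"T1490", "T1486", "T1529"},
}
# Constructed sample inventory: (rule name, Sigma-style tags). Not real rules.
RULES = [
    ("Mail attachment with macro", ["attack.initial_access", "attack.t1566.001"]),
    ("Many failed logons, one source", ["ATTACK.T1110"]),
    ("RDP between workstations", ["attack.t1021.001"]),
    ("Remote service logon (generic)", ["attack.t1021"]),
    ("Shadow copies deleted", ["attack.impact", "attack.t1490"]),
    ("Mass file rename, new extension", ["attack.t1486"]),
]
TECH = re.compile(r"t\d{4}(?:\.\d{3})?", re.I)

def rule_techniques(rules):
    """Normalized technique IDs (e.g. 'T1566.001') found in the rule tags."""
    hits = (TECH.search(tag) for _, tags in rules for tag in tags)
    return {m.group(0).upper() for m in hits if m}

def is_covered(wanted, tagged):
    # Exact ID or one of its sub-techniques; a parent-only tag (T1021) is too coarse.
    return any(t == wanted or t.startswith(wanted + ".") for t in tagged)

def stage_gaps(rules):
    """{stage: sorted listed techniques that no rule covers}."""
    tagged = rule_techniques(rules)
    return {stage: sorted(w for w in wanted if not is_covered(w, tagged))
            for stage, wanted in STAGES.items()}

def blind_stages(rules):
    """Stages where none of the listed techniques has a rule."""
    gaps = stage_gaps(rules)
    return [s for s in STAGES if len(gaps[s]) == len(STAGES[s])]

if __name__ == "__main__":
    for stage, missing in stage_gaps(RULES).items():
        print(f"{stage:22} missing: {', '.join(missing) or '-'}")
```

Stages returned by `blind_stages` are the ones where an attack in progress would leave no alert at all, which makes them the first candidates for new intelligence and detection work.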
4. Defenses at every stage of an attack
An effective ransomware line of defense intervenes at various points in an attack. The NIST Cybersecurity Framework provides an actionable framework for this:
Effective ransomware defense must intervene at every phase of an attack.
• Identify: Develop a complete and updated inventory of your IT environment, including all assets. Evaluate and address any vulnerabilities regularly.
• Protect: Build initial defenses for essential business services, even during an attack. Develop structural defenses and preventive controls to reduce attack surfaces.
• Detect: Establishing monitoring, threat hunting, and automated scanning using AI and ML is essential to collect threat data and find traces of attacks in progress throughout your environment.
• Respond: Aim to contain and eliminate attacks before they spread and cause harm, for example by evicting attackers, to avoid the possibility of follow-up incidents.
• Recover: Establish reliable backups and recovery processes, enabling you to return to normal business operations without suffering data loss, significant business downtime or financial losses.
5. Addressing gaps in your defense
In pursuit of an optimal ransomware defense for your organization, consider partnering with an expert in the field. This approach introduces an expert third-party assessment of your environment and helps you leverage their proven and verifiable skills in this risky landscape.
• The best security partner is one who has rich and documented experience in stopping ransomware, has a portfolio of anti-ransomware skills, solutions, and processes, and has always-on global services for rapid incident response.
Atos’s new eBook, Ransomware Defense 2022, features insights into cybersecurity, the evolving ransomware landscape, and tips to identify the right security partner for your organization’s IT and security needs.
Get started with your copy today: Ransomware Defense 2022 – Atos.