Ransomware has never been more prevalent — or profitable — than it is right now. What started as the exclusive domain of highly skilled and opportunistic bad actors has evolved into an underground industry in which virtually anyone can get their hands on pre-built tool kits and plans to launch ransomware attacks at an alarming pace.
Many businesses are searching for a “silver bullet” to prevent attacks and stay out of the headlines. But protecting against ransomware — and the repeat or double-extortion attacks that increasingly follow — is more of a mentality and posture than it is a particular set of tools.
Much like an American football game where the defense must plan for everything an offense throws at them, IT and security teams must anticipate the many elements, angles and paths a ransomware attack can include.
Whether your organization has found itself in the unenviable position of charting a road to recovery, or if proactive protection is your aim, it’s important to keep these four things in mind when creating a defensive playbook. Following these steps can also help streamline processes for recovery and regaining trust in compromised environments:
1. Reframe your assumptions about cyber risk. Acknowledge that breaches will happen, given enough time. With this mindset, shifting to a defensive posture that focuses attention and resources squarely on proactively protecting mission-critical systems and educating users on cybersecurity fundamentals becomes easier to do. It will also streamline processes for recovery and regaining trust in compromised environments.
As in sports, it’s critical for security to stay agile, so you can quickly pivot and make changes — with the understanding that even with the best preventative controls in place, something could still slip through.
2. Revoke admin rights across your environment. Breaching an endpoint and stealing privileged credentials on it — those that grant or have administrator rights — supercharges attackers’ ability to encrypt high-value data and hold it for ransom. Your playbook should emphasize protection of highly privileged systems by revoking admin rights from human users and applications and consistently enforcing least privilege — the lowest possible clearance level that allows the user to perform their role.
Mapping out the potential lateral movement routes an attacker might take — and ranking them in order of likelihood and severity — will drive a more systematic defensive approach. This can also help you ward off credential theft attempts, block ransomware with increased certainty and detect insider threats faster to minimize damage.
3. Run regular drills to test cybersecurity defenses. Of course, it’s impossible to anticipate every potential “play,” especially since ransomware attackers change tactics frequently. Instead, continuously test and reassess your security processes to determine whether certain connections, access rights and recovery processes align with your organizational goals. For example, validate whether connections to privileged access points follow the right protocols and limitations to address potential vulnerabilities or overlooked points of failure.
Working with an outside Red Team can help test existing security controls against common tactics, techniques and procedures (TTPs) to help dissuade future attacks. If you do suffer from a security event like a ransomware attack, incident response services are integral in identifying the scale of the attack, determining if any indicators of compromise (IOCs) remain in the environment and helping you minimize loss.
4. Ruin attackers’ plans. Just because you “assume breach” doesn’t mean you’re backing down. There are many strategies you can employ to make attackers wish they had gone elsewhere. For instance, you can reduce risk exposure by starting all network users and applications with standard accounts that have no admin rights and elevate applications requiring admin rights on an as-needed basis.
This will help shut down common attack vectors such as phishing campaigns, remote desktop protocols (RDPs) and unauthorized local downloads.
This step can be supplemented by adding automated secrets and credentials management on critical targets to stop attackers from using stolen tokens or keys to access high-value data and monitoring network activity for suspicious behaviors.
Attacks on the endpoint are virtually constant, and it’s clear that some will succeed. Yet, it’s what happens next that determines whether the attack truly alters the score or simply winds up a fumble.
A winning ransomware defense playbook will consider — and can intercept — ransomware attempts at every point along the attack chain by embracing the right mindset, a defense-in-depth approach that layers preventative controls and detective mechanisms and the in-depth expertise needed to keep out of harm’s way and stay in the game.