VP and Chief Security Strategist at Exabeam and host of The New CISO podcast. 

Companies today are beginning to treat ransomware as just another cost of doing business. A June 2021 study by security vendor Cybereason, Ransomware: The True Cost to Business, found that 80% of organizations that paid a ransom were later hit by a second attack, and almost half by the same threat group. Forty-six percent reported that some or all of their data were corrupted in the recovery process. These numbers will only grow as more cybercriminals succeed in recruiting employees into their schemes.

You’re patching your systems, but how many systems are out there that you don’t even know about? Most organizations struggle to keep track of all the systems and devices on their network. Most CISOs already own system hardening, patching, prevention and response, and they are increasingly forced to own the IT asset inventory as well, something I entirely disagree with. Security teams own too much, and it is hurting their broader resilience.

Many intrusions, ransomware in particular, begin with an upstream failure. Those failures are offered to adversaries in criminal marketplaces by intermediaries known as initial access brokers, who deal in compromised and stolen credentials and in access gained through precursor malware, all of which frequently leads to ransomware.

It’s great that you’re running antivirus software, but there’s a decent chance it won’t detect that precursor malware, so what other resources and capabilities are you bringing to bear against it?

Multifactor authentication is also a must, but even so, we’ve seen this circumvented, misconfigured and unevenly applied in the field. What else are you doing to detect credential theft when it happens, especially when not all accounts are afforded this protection?

Your employees know they shouldn’t open suspicious files or links, but how good are they at determining what is suspicious? Education is important, but how often does your organization need to send a “pre-email” to inform you that the following email is legitimate? As far as I’m concerned, this supposed control is both unusable and unfair to the user when measured against the risk of intrusion. 

What You Really Need To Do Well 

Even if you do these things and do them well, systems can still be compromised. So what are some other things you can do to greatly reduce the likelihood of falling victim to ransomware? Here are nine suggestions:

1. Shut down RDP. Adversaries take advantage of weaknesses in exposed Remote Desktop Protocol (RDP) services to penetrate networks. Shut down, carefully manage and monitor RDP on all internet-facing systems and workstations. Shutting it down is best. Where it must stay on, never expose it directly to the internet: put it behind a VPN or remote desktop gateway that enforces multifactor authentication, restrict the source addresses that may connect, and log every RDP logon so that sessions from unexpected sources stand out.

2. Asset lists. Know thy network! You can’t protect what you don’t know is there, and the CISO and security team should not own this. Make someone else own the asset lists; they are a critical input to good security.

3. Prevent and monitor unwanted (exe) files. Configure systems to prevent execution of PE (exe) files from temporary locations such as the temp, cache and download directories used by web browsers and email clients, for example with AppLocker or Windows Defender Application Control deny rules. Run such rules in audit mode first, and forward the block and audit events (AppLocker event IDs 8004 and 8003) to your monitoring, since an attempted execution from one of those paths is itself a signal worth investigating.

4. Deploy adaptive authentication, remove single factor. Adaptive authentication goes beyond multifactor authentication to detect and understand anomalous user login behavior. Is the supposed user logging in from a new location, or from a device, at a time of day or over a carrier network they have never used before? If so, it challenges them with an additional authentication step appropriate to the risk level of the behavior.

5. Know your supply chain. You are dependent on third parties to support your incident response efforts. At a minimum, what role will they play as described in their contract? Who is their point of contact for your technical and leadership teams? 

6. Become a detection expert. Develop a team and analytic capability that understands how malware behaves, how compromise occurs, and how to detect and respond to intrusions beyond the use of commodity controls such as antivirus. This includes the ability to detect suspicious callback domains and an understanding of precursor malware families. Just as with typical breaches, most ransomware operators now exfiltrate data (often for extortion or to be posted online) before revealing themselves to the victim. Your team must continually refine its ability to disrupt the cycle of compromise and make the environment stronger over time.

7. Be a feedback loop. Intrusions are the keys to environmental hardening for all operating environments. The analytic and response teams must drive hardening changes back into the company’s environments; if that link between incidents and changes cannot be demonstrated, cite it as a risk. Incident response is always an opportunity to observe weakness in computing environments and make recommendations to harden. Audit this.

8. Analyze behavior. Develop a team and analytic capability that understands how adversaries misuse credentials, and what behavior on the network may indicate misuse: sign-ins from new locations, attempted access to systems the user has never touched before, or an employee with an outside incentive to push ransomware onto the network themselves. Develop the ability to distinguish normal from abnormal behavior. You can’t recognize abnormal until you first know the normal traits of your environment, employees and entities.

9. Take credential lifecycle management very seriously. If you manage entitlements with rigor, as most auditors require, make sure you monitor the behavior of credentials with equal rigor. The credential lifecycle includes behavior, analysis of resource access and, via timelines, connection to malware and intrusions. Revoke the credentials of users who have left the company, especially third parties such as contractors the organization no longer uses. Understand whether a lockout is normal or not, and monitor for account compromise. Make sure no one is given access to systems or data they don’t need in order to do their work.
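The monitoring half of items 1 and 3, as an added example that is not part of the article or any Exabeam product: it triages Windows Security events for RDP logons that did not arrive through the approved path and for executables launched from temp, cache or download directories. The event records are constructed (with the field names Windows auditing emits: EventID, LogonType, IpAddress, NewProcessName); the jump-host allowlist, internal ranges and path list are hypothetical and should be replaced with your own.

```python
"""Triage Windows Security events for RDP logons from unexpected sources
(item 1) and PE files executed from temporary locations (item 3).

All records below are constructed for this example; the allowlist, internal
ranges and suspect paths are hypothetical.
"""
import ipaddress

# Hypothetical: the only host from which RDP sessions should originate.
RDP_ALLOWED_SOURCES = {"10.0.5.10"}

# RFC 1918 ranges treated as "inside"; anything else is external.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Lower-case, backslash-separated path fragments where a PE should never run.
SUSPECT_EXEC_FRAGMENTS = (
    "\\appdata\\local\\temp\\",
    "\\appdata\\local\\microsoft\\windows\\inetcache\\",
    "\\appdata\\local\\microsoft\\outlook\\",
    "\\downloads\\",
    "\\windows\\temp\\",
)

# Constructed sample events. LogonType 10 is RemoteInteractive, i.e. RDP;
# 203.0.113.45 is a documentation address standing in for a public one.
SAMPLE_EVENTS = [
    {"EventID": 4624, "Computer": "FS01", "TargetUserName": "alice",
     "LogonType": 10, "IpAddress": "10.0.5.10"},
    {"EventID": 4624, "Computer": "FS01", "TargetUserName": "svc_backup",
     "LogonType": 10, "IpAddress": "203.0.113.45"},
    {"EventID": 4624, "Computer": "WS-0412", "TargetUserName": "alice",
     "LogonType": 10, "IpAddress": "10.0.9.77"},
    {"EventID": 4624, "Computer": "WS-0412", "TargetUserName": "alice",
     "LogonType": 2, "IpAddress": "-"},
    {"EventID": 4688, "Computer": "WS-0412", "SubjectUserName": "alice",
     "NewProcessName": "C:\\Users\\alice\\AppData\\Local\\Temp\\invoice.exe"},
    {"EventID": 4688, "Computer": "WS-0412", "SubjectUserName": "alice",
     "NewProcessName": "C:\\Windows\\System32\\notepad.exe"},
    {"EventID": 4688, "Computer": "WS-0412", "SubjectUserName": "alice",
     "NewProcessName": "C:\\Users\\alice\\AppData\\Local\\Microsoft\\Windows"
                       "\\INetCache\\IE\\X1Y2Z3\\update.exe"},
]


def check_rdp_logon(ev):
    """Return a finding for a 4624 RemoteInteractive logon, or None if benign."""
    if ev["EventID"] != 4624 or ev.get("LogonType") != 10:
        return None
    src = ev.get("IpAddress", "-")
    if src in RDP_ALLOWED_SOURCES:
        return None
    try:
        ip = ipaddress.ip_address(src)
    except ValueError:
        return "rdp_logon_without_source_address"
    if not any(ip in net for net in INTERNAL_NETS):
        return "rdp_logon_from_external_address"
    return "rdp_logon_from_unexpected_internal_host"


def check_process_create(ev):
    """Return a finding for a 4688 process start from a suspect location."""
    if ev["EventID"] != 4688:
        return None
    path = ev["NewProcessName"].replace("/", "\\").lower()
    if not path.endswith((".exe", ".scr")):
        return None
    for frag in SUSPECT_EXEC_FRAGMENTS:
        if frag in path:
            # Name the finding after the last directory in the fragment.
            return "pe_executed_from_" + frag.strip("\\").split("\\")[-1]
    return None


def triage(events):
    """Return (host, user, finding) for every event that trips a check."""
    findings = []
    for ev in events:
        finding = check_rdp_logon(ev) or check_process_create(ev)
        if finding:
            user = ev.get("TargetUserName") or ev.get("SubjectUserName")
            findings.append((ev["Computer"], user, finding))
    return findings


if __name__ == "__main__":
    for host, user, finding in triage(SAMPLE_EVENTS):
        print(f"{host:8} {user:12} {finding}")
```

The interactive logon (LogonType 2) and the notepad.exe start pass through untouched, which is the point: the rules key on the logon type and the path, not on the user or the host, so they keep working when the attacker is using a legitimate account.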
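Items 4, 8 and 9 together describe one piece of machinery: learn what is normal per user, score each new sign-in against it, and pick a response proportional to the risk, while also catching accounts that should no longer exist and lockout-then-success patterns. The following is an added example of that machinery (not code from the article or from Exabeam). The sign-in records, user names, departed-user list, signal weights and thresholds are all constructed for illustration and would need tuning in a real environment.

```python
"""Baseline sign-in behavior per user and choose a response for new sign-ins.

Added example for items 4, 8 and 9. Every record, weight and threshold
below is constructed for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass, field

# Hypothetical weights per anomaly signal; tune to your environment.
WEIGHTS = {
    "new_country": 40,
    "new_device": 30,
    "new_asn": 15,        # carrier / network the user never used before
    "off_hours": 10,
    "new_resource": 20,
    "lockout_pattern": 30,
}
LOCKOUT_FAILURES = 5            # failures before a success looks like guessing
STEP_UP_AT, BLOCK_AT = 30, 70   # risk thresholds for the response

# Constructed: an offboarded contractor whose account was never revoked.
DEPARTED_USERS = {"bob"}


def ev(user, country, device, asn, hour, resource, result="success"):
    """Build one constructed sign-in record."""
    return {"user": user, "country": country, "device": device, "asn": asn,
            "hour": hour, "resource": resource, "result": result}


# Constructed history: what "normal" looks like for each user.
HISTORY = [
    ev("alice", "US", "LT-0412", "AS7922", 9, "mail"),
    ev("alice", "US", "LT-0412", "AS7922", 10, "crm"),
    ev("alice", "US", "LT-0412", "AS7922", 14, "mail"),
    ev("carol", "US", "LT-0910", "AS7922", 8, "mail"),
    ev("carol", "US", "LT-0910", "AS7922", 13, "mail"),
    ev("dave", "DE", "LT-0777", "AS3320", 9, "mail"),
    ev("dave", "DE", "LT-0777", "AS3320", 9, "wiki"),
]

# Constructed batch to evaluate, in arrival order.
NEW_EVENTS = [
    ev("alice", "US", "LT-0412", "AS7922", 11, "mail"),
    ev("alice", "RO", "WS-UNKNOWN", "AS9009", 3, "finance-share"),
    *[ev("carol", "US", "LT-0910", "AS7922", 8, "mail", "failure") for _ in range(5)],
    ev("carol", "US", "LT-0910", "AS7922", 8, "mail"),
    ev("bob", "DE", "LT-0777", "AS3320", 9, "wiki"),
    ev("dave", "DE", "MOB-0042", "AS3320", 9, "wiki"),
]


@dataclass
class Baseline:
    countries: set = field(default_factory=set)
    devices: set = field(default_factory=set)
    asns: set = field(default_factory=set)
    hours: set = field(default_factory=set)
    resources: set = field(default_factory=set)


def build_baselines(events):
    """Learn normal traits per user from successful sign-ins only."""
    baselines = defaultdict(Baseline)
    for e in events:
        if e["result"] != "success":
            continue
        b = baselines[e["user"]]
        b.countries.add(e["country"]); b.devices.add(e["device"])
        b.asns.add(e["asn"]); b.hours.add(e["hour"]); b.resources.add(e["resource"])
    return dict(baselines)


def score_event(e, baseline, prior_failures):
    """Return (risk 0..100, reasons) for one successful sign-in."""
    if e["user"] in DEPARTED_USERS:          # item 9: should not exist at all
        return 100, ["departed_user"]
    if baseline is None:                     # never seen: no "normal" to compare
        return 60, ["no_baseline"]
    reasons = []
    if e["country"] not in baseline.countries:
        reasons.append("new_country")
    if e["device"] not in baseline.devices:
        reasons.append("new_device")
    if e["asn"] not in baseline.asns:
        reasons.append("new_asn")
    if not any(abs(e["hour"] - h) <= 1 for h in baseline.hours):
        reasons.append("off_hours")
    if e["resource"] not in baseline.resources:
        reasons.append("new_resource")
    if prior_failures >= LOCKOUT_FAILURES:   # item 9: is this lockout normal?
        reasons.append("lockout_pattern")
    return min(100, sum(WEIGHTS[r] for r in reasons)), reasons


def decide(risk):
    """Item 4: response proportional to risk."""
    if risk >= BLOCK_AT:
        return "block_and_alert"
    if risk >= STEP_UP_AT:
        return "step_up_mfa"
    return "allow"


def evaluate(history, new_events):
    """Walk new events in order, counting failures and deciding on successes."""
    baselines = build_baselines(history)
    failures = defaultdict(int)
    decisions = []
    for e in new_events:
        if e["result"] != "success":
            failures[e["user"]] += 1
            continue
        risk, reasons = score_event(e, baselines.get(e["user"]), failures[e["user"]])
        failures[e["user"]] = 0
        decisions.append({"user": e["user"], "risk": risk,
                          "action": decide(risk), "reasons": reasons})
    return decisions


if __name__ == "__main__":
    for d in evaluate(HISTORY, NEW_EVENTS):
        print(f"{d['user']:6} risk={d['risk']:3} {d['action']:16} {','.join(d['reasons'])}")
```

Two design points matter more than the particular weights. Baselines are built from successful sign-ins only, so an attacker's failed guesses never teach the model that their location is normal; and the departed-user check runs before any scoring, because an account that should have been revoked is a hard failure of item 9 regardless of how ordinary the sign-in looks.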

These measures can take over where more typical controls leave off and either prevent intrusions that lead to ransomware or detect them early before they do their damage. If you do all those things NIST recommends — and do them well — and take the measures I outlined above, you have a very good chance of preventing your organization from being the next ransomware victim.


Forbes Technology Council is an invitation-only community for world-class CIOs, CTOs and technology executives.

