Improving threat readiness
When your company’s data is leveraged in a cyber extortion attack, a quick determination must be made about the nature and extent of the attack, followed by the execution of plans to respond to and mitigate the attack. Because the longer a ransomware attack remains unaddressed, the more potential damage there could be to your organization’s ability to conduct business as usual.
While an organization’s ultimate goal is the total prevention of an attack, mitigation is a likelier (and perhaps more reasonable) goal, and organizations should prioritize preparedness just as much as prevention. Prevention includes the implementation of best practices and measures that can stop ransomware events from happening while also positioning the organization to sustain as little as damage as possible, should an attack occur.
Ransomware readiness can be divided into three major components: preparation, detection and isolation.
Preparation
Your organization’s ability to respond to a ransomware event is directly affected by the tools you have readily available to you in the moment, which makes preparation a key part of successfully navigating an attack. Good preparation works twofold to educate your teams on how to prevent attacks, and to provide guidance on what to do in case you are targeted.
The following are some of the components you may wish to include as you map out your organization’s planning around cyber extortion attacks.
- Create an Incident Response playbook that contains all relevant information related to responding to a ransomware attack.
- Regularly hold mandatory training sessions for employees to educate them on how to prevent giving threat actors access to company systems to carry out an attack. The importance of password hygiene, warning signs of email phishing, and best practices for online safety may be among the topics covered.
- Empower employees to help prevent attacks by providing them with protocols and resources to report suspicious activity and voice their concerns if they feel there is a risk that needs to be addressed.
Detection
Detection refers to the tools, technology, people, and processes in place to notice that attack is happening or has occured, and to identify its source within the network. Specific subcomponents of detection include:
- Having a robust system of platforms configured to monitor your networks and alert you if suspicious activity occurs, such as the appearance of a known ransomware file extension or the rapid renaming of a large volume of files, which can signal that they’re being encrypted.
- Fueling your threat intelligence program with easily accessible and updated knowledge about specific ransomware actors/groups and tactics, techniques, and procedures (TTPs)—including technical intelligence—to better anticipate potential risk apertures and attacks.
- Implement multi-factor authentication to reduce the likelihood of ransomers gaining unauthorized access to your systems.
Isolation
To limit its spread, isolation should be your organization’s first priority after you realize a ransomware attack is targeting your organization. Designing your systems in a way that separates different networks can be very impactful when every second counts. Specific subcomponents of isolation include:
- Limiting any individual employee’s access to only the files and data they must have to do their jobs.
- Shutting down infected systems and completely disconnecting them from your organization’s network as quickly as possible.
- Disabling means of spreading potentially harmful data among devices, including VPN, NAC, and AD-user.
Responding to an ransomware attack
Once you have successfully caught and halted a ransomware attack’s progression, it is critical to have a response plan already in place to help you save time making decisions and keep emotional reactions in check, which can occur during a potential emergency. It can be difficult to determine the full scope of a ransomware attack, and the more data that the threat actor extorts or encrypts, the longer it may take to understand the nature of the breach.
Ransomware Protection Playbook
