By Paul Kohler, CTO, S3
We have witnessed the largest ransomware attacks in history in the first half of 2021 alone. From SolarWinds to CNA Financial Corp, Colonial Pipeline, JBS and Kaseya – ransomware attacks are no longer “if” it will happen to you, it is when. According to research, ransomware attacks are estimated to occur every 11 seconds, costing at least $20B a year.
But why are many organizations still reluctant to support and invest in cybersecurity to build a strong cybersecurity framework to better prevent attacks?
Below are some tactical steps to better protect your organization from a ransomware attack.
Step 1: Assess
The key to solving any problem within your organization is properly defining what you are trying to solve. Without a thorough assessment of your organization’s cyber preparedness, it will be nearly impossible to implement/improve your cyber posture. The alternative to a solid assessment is akin to playing a game of cyber whack-a-mole; stuck in an endless cycle of treating symptoms and not the problem.
This assessment is not a one-time activity. It must be done regularly as the threat landscape is in constant evolution. Standing still will quickly render your current posture weak and ineffective.
Your assessment should include the following topics:
- Governance: Is anyone reviewing access? Any terminated employees/contractors/3rd parties with active accounts?
- Compliance: Are you compliant with all applicable regulations?
- Authentication: What is required of users to authenticate to your environment? Is it required every time?
- Physical Asset Management: Are you managing assets consistently?
- Information Assets: Are you protecting them? Do you know what they are, where they are, and who has access to them?
- Alignment: Do your policies align with operational objectives?
- Access Management: Are you consistently ensuring that the right people have only the access they need at the time they need it?
- Unstructured Data: Who routinely manages access to unstructured data? Where is this data located?
- Monitoring: Anyone watching the henhouse while the foxes are lurking around the perimeter?
- Training: Do your employees, contractors, 3rd parties have clarity on what is expected of them?
Step 2: Increase Cybersecurity Hygiene
Now that you have your assessment you know what needs cleaning — your organization’s hygiene — and it needs to be prioritized based on risk. Cybersecurity hygiene is the practice that maintains the basic health and security of hardware and software. This includes everything from creating cyber policies that are up to date to updating all software and hardware regularly. It also includes retiring and disposing of old hardware/software. Do you have any old VPN’s laying around? I can assure you Colonial Pipeline wishes they didn’t.
Step 3: Develop Detailed Response Plan
Every organization is under the microscope. It is only a matter of time for an organization to come head-to-head against an attack. Instead of hitting the panic button, prepare early with a detailed response plan (and test it often). There are response frameworks available from organizations such as NIST, CIS and ISO, but your organization needs to fill in the details.
The response plan should include filling in the gaps to these major topics:
- Clarity around what you are protecting.
- Are you staffed to protect it? Or do you need 3rd party assistance?
- Who is responsible for what? Who is the backup? Who is the backup to the backup? What is the chain of command?
- Have you tested your plan?
- Containing the incident
- Clear communication
- Mitigation steps
- Revisit the thorough assessment
- Gather forensic information to confirm next steps and plan deployment
- Analyze and revise plans based on the post-mortem
Step 4: Educate the Organization
As the saying goes, you are only as strong as your weakest link. Security awareness training is essential to stopping ransomware in its tracks. It is important to train all those who access your organization’s infrastructure or make use of your organization’s high value information assets. This means training not only your employees, but your entire ecosystem of users. They are your last line of defense.
An effective training regimen will include:
- Employees, contractors, and vendors responsible for protecting organizational data (this includes all critical data elements and intellectual property)
- Phishing, smishing, spear phishing or other social engineering tactics
- Asset protection which should include information necessary to secure assets as well as what to do if an asset is lost or stolen.
Step 5: Implement a Zero-Trust Security Model
Zero Trust is one of the most effective ways for organizations to control access to their networks, applications, and data. Zero Trust is not a product you can buy off the shelf. It is integration of policy, procedure and multiple technologies that transforms the way you manage cyber. It combines a wide range of preventative techniques to deter would-be attackers and limit their access in the event of a breach. This includes identity verification and behavioral analysis, micro / macro segmentation, endpoint security, least privilege controls and adaptive authorization.
The Zero Trust framework aims to accomplish several business-critical objectives. At a high-level it performs five functions:
- Contains the damage inflicted in case of a breach by limiting access to the network
- Streamlines the user experience
- Optimizes connectivity
- Modernizes security operations
- Enables your organization’s digital transformation
Modernized security operations will allow organizations to locate and eradicate malicious code by locating traces of open-source penetration testing tools and hacking frameworks. Modernized security operations will also allow security operations to apply behavioral analytics to activities to isolate suspicious activity and possibly prevent the next cyber attack.
As we enter the next wave of cyber intelligence and combat threats from known and unknown sources, our biggest weapon is preparedness. Increasing our intelligence on potential threats, learning the offensive and defensive tools to better monitor and equip our organizations, and our ability to either thwart or rapidly respond, exponentially increases the level of success. You will either be a victim with failed countermeasures and significant financial and reputational impact, or able to rapidly deploy responses to mitigate or avoid damages all together — the choice is yours.
About the Author
Paul Kohler serves as the Chief Technology Officer for Strategic Security Solutions (S3). S3 is a leading provider of Identity & Access Management, Governance, Risk and Compliance, and SAP Security advisory services.
Paul is focused on building a world-class delivery organization. He is committed to building an organization that lives S3’s core values of integrity, collaboration, intellectual curiosity, and transparency. Paul believes adhering to those core values along with a program first, technology second mindset will guide S3 in delivering technical solutions that meet S3’s clients’ needs.