Adequate preparation and ransom-aware security policies for defence of your critical business assets
Ransomware is headline news almost every day. The financial model that rewards this new type of cyber criminal has been proven; extorting end-users and enterprises for money works. The list of organisations impacted is truly mindboggling, from health care networks to corporate systems, government agencies and even law enforcement.
Part of the reason ransomware has been so successful is that the threat hasn't really been taken seriously by many. Defences are usually ad-hoc, overly reliant on specific technologies, and reactive - software is frantically updated when a new ransomware variant hits the headlines.
Classical disaster recovery plans also fail to account for the operational goals of ransomware attackers. Unlike conventional risks that may trigger disaster recovery protocols, ransomware actively seeks to thwart recovery efforts.
So, while it might seem like resistance is futile, the reality is that ransomware attacks can be prevented and business impact can be mitigated. What is needed is a coherent, policy-based approach to defending business assets.
The combination of encryption, crypto-currencies and 'dark' networks gives these attackers the ability to lock down critical business resources and to process ransom payments while remaining anonymous.
Consequently, the barrier to entry for a would-be-criminal is quite low. Most ransomware variants are copycat attacks with minor tweaks to either what they target, or how they initiate their infections. Unfortunately, even with minor tweaks, the high frequency of attacks has seen the overall ransomware threat evolve rapidly.
Know thy enemy
To defend against current ransomware threats and help understanding the threat, we should ask: what are the motives of the attacker, and how have their technical capabilities and methods evolved over time?
Knowing what types of data these crooks are likely to be interested in allows us to start developing both defensive mechanism to prevent infection, and appropriate disaster recovery procedures.
Ransom-aware security policies
Security policy development frameworks such as ISO/27000 can help to identify risks, document procedures and develop controls to defend against most ransomware threats. However, your security plan also needs to be “ransom-aware”.
The broad range of at-risk systems and data needs to be considered, and disaster recovery plans need to be secure against deliberate data and backup destruction.
For example: ISO27002-2015 section 12.3 covers implementation guidance for backups. It recommends that:
“…backups should be stored in a remote location, at a sufficient distance to escape and damage from a disaster at the main site.”
However, if your policies are not “ransom-aware”, they might maintain a physical separation but overlook a network (logical) separation. Under attack from ransomware, you may find that the malware has reached out across your network links to destroy remote or even cloud-based backups.
Business best practice
To combat the threat of ransomware, enterprises need to be prepared. SAI Global's guide ' Surviving Ransomware', co-authored by Zubair Baig and Nikolai Hampton, is designed to help organisations prepare and it is available now on our online store. It is essential that at-risk systems are identified and either: updated to minimise the attack surface exposed through vulnerabilities and unsupported or obsolete software; or protected through other technical measures such as firewalls or physical isolation.
Security policy controls will also require regular reviews to ensure they adequately consider both current ransomware threats, as well as the potential future evolution.
Special ransomware consideration is required for security controls such as:
• Access control policies (for both users as well as automated systems),
• Backup procedures (including isolation of backups),
• Disaster recovery procedures,
• Network segregation controls, and
• Incident management
Business should also consider their position on ransomware payments. In an ideal world, payments would never be made and the threat would dry up due to lack of financial incentive. However evidence shows that many corporate and even government agencies have resorted to ransomware payments. Your policies and practices should reflect your appetite for dealing with extortion, acceptable losses, limiting ransom payments and sustaining communication policies.
The ransomware threat is real, it's growing and it adaptive. While ransomware is unlike most other cyber security and information security threats, enterprises can defend their critical assets through proactive and well-developed security policies. But, these policies must adequately consider the ransomware threat.
With sufficient planning, revised security policy controls and a well-tested disaster recovery plan, protecting against ransomware is possible. All that remains is to remain vigilant and prepared to adapt as the nature of the threat develops across future generations of malware.
WEBINAR: SURVIVING RANSOMWARE
Join our webinar on 12 September at 2PM AEST where experts Zubair Baig and Nikolai Hampton discuss insights including ransomware motives and technology, plus how to implement effective 'ransom-aware' policies and controls.
Since 2015 Nikolai and Zubair have researched and reverse engineered ransomware, observing how attack methods have evolved and how command and control structures have matured. Aiming to help businesses formalise dealing with ransomware they developed a best practice guide titled ' Surviving Ransomware', which has been published by SAI Global and is available on their online store. The guide is designed to help businesses understand, prepare and defend the enterprise from ransomware threats.
The webinar will also discuss how you can tune your security policies and business rules to help defend yourself against this rapidly emerging and costly threat.