Ransomware has become increasingly professionalised with organised threat actors, sophisticated tools and new commercial models, such as ransomware as a service (RaaS), driving economies of scale. The silver lining is that the grave impact of ransomware on the business has propelled cyber to board level.
Ransomware has the potential to cause irreversible business damage, so CISOs should consider not only protection (the “if” scenario), but also response and recovery (the “when” scenario). As such, CISOs must find the right balance between prevention and recovery, balancing tactical and strategic fixes, in line with their threat landscape, industry and business specifics.
Protection
Looking at the full spectrum of protection and response measures for ransomware can be daunting. Implementing advanced technologies, such as extended detection and response (XDR) or security orchestration, automation and response (SOAR), can drastically reduce an organisation’s susceptibility to a ransomware attack but have high price tag and take time to implement.
Hence, while CISOs should be planning for the long term, equal consideration should be given to security improvement in the short and medium term.
This is especially important as we repeatedly see ransomware attacks caused by the lack of security hygiene; CISOs should implement a continuous risk reduction regime that balances time and resources for tactical and strategic measures across protective, response and recovery controls.
This can be done by examining a typical ransomware attack chain or framework, assessing your current security posture against the chosen approach and then working with control owners and subject matter experts to drive security improvement.
For example, if we consider the stages of a typical ransomware attack, which will include reconnaissance of the target, initial access, privilege escalation and lateral movement to final impact, CISOs can target specific areas for improvement along the attack chain.
Looking at privilege escalation, can your domain admin delete your backups? If so, hardening Active Directory or implementing basic privileged access management for key systems can help.
For initial access, can removable media be freely used on your network? If yes, consider hardening endpoints to prevent the use of unauthorised removable media. Most ransomware attacks will seek to exfiltrate data, so check your O365 data loss settings are up to standard.
Stronger security posture also helps while procuring cyber insurance, which CISOs can consider. Insurers will seek an understanding of an organisation’s risk to inform the decision and associated premium. While insurance can be part of the solution, organisations shouldn’t solely rely on insurance when dealing with ransomware.
Response and recovery
A comprehensive cyber resilience regime spans the entire organisation and can become a separate topic for discussion in its own right. A strong recovery capability will cover critical business processes, right technology, crisis team and communications and third-party provisions, in addition to traditional business continuity planning and back-up testing.
A classic recovery problem arises when IT and cyber security are disconnected from the business, so they only come together when there is a major incident. Repeatedly, we see critical business processes identified and prioritised by operational teams, rather than business stakeholders.
Recovery can be much faster if cyber security and IT teams work on re-building technology stack based on what drives the business. Likewise, business continuity and disaster recovery plans need to cover the entire organisation and cannot be done in isolation or focused on specific sites or threats. A quick fix, and first step, for many organisations worried about ransomware is to bring cyber security, IT and business teams together to prioritise critical business processes.
Knowledge of the technical components that are needed for recovery is vital. When it comes to rebuilding the environment, it is irritating to have to get servers online or restore connection to the time server. It is painful to have to rebuild from scratch, package management systems, governing all the applications and their distribution, such as SCCM. It is a daunting prospect rebuilding directory services from scratch, like Active Directory, that model the entire enterprise and have every user, group, device and printer mapped.
Thus, identifying business-critical data sets beforehand and backing up recovery components needed for any successful recovery can often be the “make or break” of an incident.
Planning and preparation for recovery will lay the foundation, but there is no better way to understand your ability to respond and recover than doing a proper test from the ground up with suppliers. We have done it and know it shows true recovery times: from your ability to meet business requirements to the ability of your providers to meet their service-level agreements (SLAs).
The results can be surprising and further propel cyber to the attention of the executive level. Even testing the basics can notably improve your organisation’s posture. Crisis management processes centre on effective communication and decision making, so regular wargaming exercises and simple testing such as ensuring staff can access collaboration tools used in a crisis and agreeing crisis roles and responsibilities upfront are low in overhead but yield tangible benefits.
This all underlines that ransomware is a credible threat which can cause severe business disruption and ultimately hurt customer trust and the brand. Hence, it is important to drive continuous security improvement alongside building a strong response and recovery capability.
Arina Palchik and Charles Moorey are cyber security experts at PA Consulting.