
Ransomware Defense Tips

When it comes to ransomware, there is no one product or solution that will protect you from every threat out there. Terms like "ransomware protection" are thrown around all the time, but the truth is that total protection is a myth.

I prefer to think about ransomware defense. We know the threat is out there, and we know it will reach us at some point. When it is as simple as getting an end user to click a link, the barrier to entry is very low, especially with the ransomware as a service (RaaS) model.

Ransomware Defense Tips

I’ve talked to a lot of people about ransomware in the last few years. I have encountered organizations in just about every state of readiness you can think of, from those doing things so right I was impressed, to others that I knew were in major trouble, especially when they didn’t realize that ransomware could attack hypervisor operating systems like ESXi.

When it comes to putting together a solid ransomware defense strategy, there isn’t a single product or idea to implement that will solve every problem out there. It can also be confusing and overwhelming if you’re in bad shape to begin with. That’s why I started this list of my favorite ransomware defense tips.

1. Know your assets

To be able to recover from ransomware tomorrow, everything needs to be protected today. Your servers, your file shares, your end user devices. If you need it, you had better protect it. 

If you don’t have a solid data protection strategy already, this can seem like a daunting task, but it can be broken down into smaller steps. 

2. Start at the top

If you need a starting place, start with protecting the assets most critical to your business.

Ask yourself: what do I need to operate? What will have the most financial impact if it breaks? What is the data we absolutely cannot lose to encryption or exfiltration?

Even if it is one file share, or one server, that’s more than you had protected yesterday.

Getting ready for ransomware is a marathon, not a sprint.

3. Don’t forget the end user devices

If you are already protecting many of your assets, don’t forget the end user devices. Remember, this can be a huge point of entry for an attack when we’re talking about a breach. 

Plus, let’s face it, humans are humans. There’s probably data on those devices that they need, which may or may not be essential to the business if it gets encrypted.

Be sure to protect end user devices, as well as monitor them for suspicious activity. The faster you can catch a malicious actor, the better.

4. Practice good security hygiene

Let’s face it, security practices often get thrown out the window in favor of end user experience. Sad but true. Now is the time to evaluate your security practices and see what needs improvement. 

The best thing you can do here is hire a third party. We are way too close to our environments to objectively say what is wrong with them and what needs to be fixed.

5. Prioritize implementation of security best practices

Now that you know what is wrong, prioritize what to fix. Not everything will be solved overnight; that just is not practical from many angles.

Start with the things that have the greatest impact, such as protecting the most critical systems, or making policy changes that reduce the most risk.

6. Follow the principle of least privilege

If there is one change you make to your security posture, the principle of least privilege should be it. 

Compromised credentials are a common way for attackers to gain access. Should the CEO have access to vCenter? Absolutely not, he’s a known target! 

Make sure that users only have the access they need to do their jobs. Review access to critical systems on a regular basis. 

If everyone is a domain admin, you’re gonna have a bad time.
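One way to make the "review access on a regular basis" step concrete, as an added example that is not from the post: compare a snapshot of privileged group membership against the approved list from your last access review. The group snapshot, approved lists and headcount below are constructed sample data standing in for an export from Active Directory or vCenter.

```python
"""Audit privileged group membership against an access-review record.

Added example (not from the post). GROUP_MEMBERS, APPROVED and ALL_USERS are
constructed sample data, not real accounts.
"""
from collections import Counter

# Constructed snapshot: privileged group -> accounts currently in it.
GROUP_MEMBERS = {
    "Domain Admins": ["svc_backup", "jsmith", "ceo.jones", "helpdesk1", "alee"],
    "vCenter Administrators": ["alee", "ceo.jones", "svc_backup"],
}

# Constructed access-review record: who is approved for each group.
APPROVED = {
    "Domain Admins": {"alee", "jsmith"},
    "vCenter Administrators": {"alee"},
}

ALL_USERS = 40  # constructed headcount, used for the "everyone is an admin" check


def audit_privileged_groups(members, approved, total_users):
    """Return a list of (group, account, reason) findings for an access review."""
    findings = []
    for group, accounts in members.items():
        for account in accounts:
            if account not in approved.get(group, set()):
                findings.append((group, account, "not on approved list"))
            if account.startswith("svc_"):
                findings.append((group, account, "service account in admin group"))
        # Least-privilege sanity check: more than 10% of users in a Tier-0 group.
        if len(accounts) / total_users > 0.10:
            findings.append((group, "*", f"{len(accounts)} members for {total_users} users"))
    # Accounts holding admin rights in more than one privileged group.
    counts = Counter(a for accts in members.values() for a in accts)
    for account, n in counts.items():
        if n > 1:
            findings.append(("*", account, f"admin in {n} privileged groups"))
    return findings


if __name__ == "__main__":
    for group, account, reason in audit_privileged_groups(GROUP_MEMBERS, APPROVED, ALL_USERS):
        print(f"{group:24} {account:12} {reason}")
```

Every finding is a question for the system owner, not an automatic removal; the point is that the review happens on a schedule rather than after an incident.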

7. Update your disaster recovery plans

Ransomware is a disaster. Fight me. 

A tested, up to date disaster recovery plan is a good place to start when planning ransomware recovery. 

Is ransomware different from a more classic disaster? Of course it is: it is unpredictable. You don’t know how it will unfold, and you don’t necessarily know where you’re going to need to recover to.

Now is the time to look at these plans, update them, and plan for multiple places to recover to, such as the cloud or a service provider. 

When the FBI comes in and quarantines your environment because the threat actors got way farther than you thought, you’re going to have a bad time.

8. Test your recovery

Now is the time to test your recovery from ransomware. Everything from incident response, to investigation, to actually making sure you can recover your systems from backups.

Ransomware and disaster recovery plans are worthless until they are tested. You need to know that you can do this successfully, and how long it will take. The last thing you want to do is pay the ransom because you know you can’t recover or it will take too long. 

By testing recovery now, you know how painful it is. You also will know what you need to fix.

9. Have incident response on retainer

I highly recommend working with an incident response firm and having them on retainer in the event of an attack. Remember, these firms do this all day every day for their customers. 

The last thing you want is to have your environment encrypted and be dusting off rusty playbooks that haven’t been updated in ages. Time is of the essence once the attack starts, and this is one way to reduce the time to recovery.

Many cybersecurity insurance policies build this in, if you are heading in that direction.

They are also going to make you do most of the things I’ve already mentioned before they activate your policy.

10. Flip monitoring upside down

I’ve done a lot of work in the infrastructure monitoring space, and until recent years I was used to looking simply at performance and making sure things were working.

Ransomware flips this upside down. We need to look at monitoring differently, because we know what ransomware attacks and breaches can look like. In many cases this means looking for activity that varies from the norm.

We also need to monitor all the things, from servers to shares to end user devices. The best thing we can do to defend ourselves against ransomware is catch it fast. 

I know what you’re thinking: alert fatigue. I’ve heard horror stories of ignored alarms that led to a full-blown attack. This is where things like security information and event management (SIEM) systems come in.

The truth is, when it comes to software, you can probably do a lot with the products you already have in your environment. However, there is no substitute for software that is slanted towards security in this case.

Many tools are extremely powerful and can correlate the data from your other systems to help determine what is going on. It is not the be-all and end-all solution, but it is something that should be put into place.

This is an area where automation and AI really shine; the volume is simply too much for humans to handle at this point.
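What "activity that varies from the norm" looks like in practice, as an added example that is not from the post: a small detector that runs over file-server audit events and flags any account whose write/rename rate in a 60-second window exceeds a baseline. The log format, the events and the baseline ceiling are all constructed assumptions; a real deployment would take the baseline from its own history and feed the alert into the SIEM.

```python
"""Flag file-share write/rename bursts that deviate from the baseline (tip 10).

Added example, not from the post. The log lines are constructed; the format
"ISO-time user ACTION path" is assumed, not any product's real audit format.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed audit events: two users touch a few files at a normal pace,
# then one account renames 40 files in under a minute (ransomware-like burst).
LOG = """\
2024-03-01T09:00:01 jsmith WRITE /fs01/finance/q1.xlsx
2024-03-01T09:00:15 alee WRITE /fs01/eng/spec.docx
2024-03-01T09:01:02 jsmith WRITE /fs01/finance/q1.xlsx
""" + "".join(
    f"2024-03-01T09:02:{i:02d} helpdesk1 RENAME /fs01/finance/file{i}.docx\n"
    for i in range(40)
)

WINDOW = timedelta(seconds=60)
BASELINE_PER_MINUTE = 5  # assumed normal ceiling; derive from your own history


def parse(line):
    """Split one audit line into (timestamp, user, action, path)."""
    ts, user, action, path = line.split(" ", 3)
    return datetime.fromisoformat(ts), user, action, path


def find_bursts(log_text, window=WINDOW, threshold=BASELINE_PER_MINUTE):
    """Return {user: peak write/rename events inside one window} for users
    whose peak exceeds the threshold."""
    recent = defaultdict(deque)  # user -> timestamps still inside the window
    peak = defaultdict(int)
    for line in log_text.splitlines():
        ts, user, action, _ = parse(line)
        if action not in ("WRITE", "RENAME"):
            continue  # reads and listings are not encryption activity
        q = recent[user]
        q.append(ts)
        while ts - q[0] > window:  # slide the window forward
            q.popleft()
        peak[user] = max(peak[user], len(q))
    return {u: n for u, n in peak.items() if n > threshold}


if __name__ == "__main__":
    for user, n in find_bursts(LOG).items():
        print(f"ALERT {user}: {n} write/rename events within {WINDOW.seconds}s")
```

Tuning the threshold per share or per role is what keeps this from becoming the alert fatigue described above.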

Start today to defend against ransomware

These are a few of my most practical ransomware defense tips. Trying to put a strategy in place to defend yourself from ransomware can be very overwhelming, especially if security was something that was simply overlooked in your environment.

Even if you pick just one thing from this list to start with, you will be in a better place than you were yesterday. 

Stay tuned for more practical tips, and deeper dives into each of these topics.