Defending against ransomware demands more than implementing detection and response measures.
It’s important to understand that “protection” is more than prevention. It’s about investing in the detection capabilities that allow you to stop attacks as they’re happening. It’s about creating business continuity plans for different scenarios and running those plays until they become second nature. It’s about containing the threat and restoring data backups so you can keep the business running.
You’re trying to turn your network into an impenetrable fortress – building resilience through end-to-end protection, a cyber-aware culture, and micro-segmented architecture that simply isn’t that attractive to would-be attackers.
The point is, your ransomware protection strategy must defend your business on all fronts.
With that in mind, here are six ransomware protection best practices for reducing your cyber risk.
Establish End-to-End Visibility Across Your Entire Network
Like so many digital strategies, implementing Zero Trust best practices starts with end-to-end visibility (hey, you can’t protect what you can’t see).
Here, your goal is establishing a clear picture of your entire digital footprint and filling any obvious gaps that could put your organization at risk.
- Conduct an initial assessment. Once you’ve mapped out your entire estate, you’ll want to perform an initial assessment to determine where your security posture stands right now. Today’s digital organizations, which increasingly enable work-from-anywhere and use cloud services, expose a greater range of possible entry points for ransomware campaigns. The entirety of your attack surface must be mapped out and have security controls enabled across every endpoint, device, application, workload, user, etc. connected to your network. It’s about creating an airtight defense that keeps threat actors from entering the system. You want to be able to look at the entire estate and immediately know exactly which assets and data sets are most valuable to attackers. What vulnerabilities might they exploit to gain access to your system? Once a threat actor has infiltrated your system, what paths might they take during the lateral movement phase?
- Identify data & assets. Microsoft experts advise organizations to identify critical business assets, data, and processes. They also emphasize that it’s important to confirm the appropriate team members truly understand where they “live” and how to keep them safe, so that proper controls can be implemented to protect and rapidly restore them.
- Uncover (and address) blind spots & gaps. From there, start identifying blind spots and gaps that could put your organization at risk. Think – cloud usage and shadow IT. You’ll want to make sure that you have full coverage across all security layers: endpoints, apps, identities, infrastructure, etc. Your goal is comprehensive protection. Use anti-virus and anti-malware software and implement security policies that prevent known payloads from launching. Implement XDR and SIEM solutions to stay on top of emerging threats and unusual activity. You get the idea.
Harden Your Security Posture
Once you’ve gotten the lay of the land, torn down security silos, and flagged critical blind spots and gaps, it’s time to start hardening your security posture. While this isn’t a comprehensive list, here are some of the most important things you can do to strengthen your defenses:
- Keep up with patching & updates. In 2019, an estimated 60% of data breaches involved unpatched vulnerabilities. Staying on top of patches and software upgrades is another one of those simple prevention methods that can go a long way in keeping your organization safe from ransomware and other threats. But, as CPO Magazine points out, keeping up with patching and updates requires organizations to balance the need for robust security protections with the need to minimize business disruptions, and the need to ensure IT staff is focused on high-impact work. As such, your best bet is automating updates, as well as choosing software that automatically delivers updates without requiring IT to manually take action.
- Eliminate configuration errors. According to a recent CrowdStrike report, the most common cause of cloud-based ransomware attacks, breaches, and other intrusions is poor configuration. When parts of your infrastructure are no longer receiving routine maintenance or security updates, solutions like SIEM, XDR, monitoring, and so on can’t protect those environments. Many of these issues stem from errors made during basic admin tasks. So, you’ll want to set up infrastructure with default patterns that make it easy to set up and manage accounts, security groups, roles, etc.
- Segment your network. Another thing you can do to limit the scope of damage is break your network into smaller sub-networks, or segments. This allows admins to apply granular controls and policies to specific parts of the network. Admins gain more visibility into data flows, usage, and can identify and act on vulnerabilities/incidents faster. It also prevents threat actors from moving laterally through the system.
Make Identity and Access Management a Priority
According to a recent Microsoft report, identity has become one of the most important lines of defense against ransomware. From a protection perspective, preventing ID abuse is critical. It’s also the first place you’ll want to investigate in the event of a security incident.
A few things you can do to prevent ransomware from entering your system:
- Implement MFA. Microsoft estimates that basic protections like SSO and MFA are effective in blocking close to 99% of attacks. Now, while that sounds like some sort of silver bullet, only about 20% of businesses fully implement said protections. Meaning, most ransomware attacks could have been stopped if identity and access management (IAM) had been a priority from the get-go. Still, victim-blaming isn’t productive. And, even if it were, MFA is only the first line of defense against ransomware.
- Use the least privilege principle & right-sized access. Make sure you restrict access permissions, deny access to unauthorized devices, and block app installations from standard users. Solutions like Entra Verified ID, Azure AD, and Entra Permissions Management make it easier to verify credentials, automate provisioning, and monitor usage.
- Secure admin paths. Attackers often exploit weaknesses in privileged access security during targeted attacks. The appeal for them is that, by getting into the system via privileged accounts or workstations, they can quickly gain access to critical business assets. Securing privileged access seals off unauthorized pathways, makes it easier to monitor access and usage, and better protects against targeted data theft.
- Make things easy on end-users. You’ll also want to make it easy for users to follow best practices. Implementing SSO, passwordless sign-in, secure collaboration tools, etc. makes it convenient for all users to access the data, docs, and apps they need to do their work. What’s more, it also prevents them from seeking out unauthorized solutions that introduce risks to your network.
Always Back Up Your Files
Backing up all files and maintaining copies of those backups in a secure, separate location is one of the most important things you can do to prevent your data from being stolen, encrypted, and held for ransom. A few things to keep in mind as you put together your backup strategy:
- Avoid long backup cycles. Data backups should be performed on a routine basis — though not all data sets will need to be backed up on the same schedule.
- Follow the “3-2-1-1 backup rule.” The 3-2-1-1 rule breaks down as follows: you’ll keep three or more copies of your data in different locations, use two different storage mediums, store one copy off-site (different cloud or external hard drive), and store one or more immutable copies using an indelible storage method. This approach may seem a bit excessive, but it ensures that a vulnerability in one backup won’t compromise the other copies. This makes it easier to bounce back from an attack and limits the amount of damage it can cause. You can wipe the device and reinstall a copy of the backup.
- Clearly document backup policies & procedures. Make sure that backup policies are clearly defined, documented, and communicated to the team. Documentation should include things like strategies, goals, processes, tools, individual responsibilities, retention schedules, backup timing, etc.
- Perform regular testing. Finally, it’s important that you perform regular tests to ensure that your backups haven’t been compromised. Again, frequency depends on several factors: data volume, assets, etc.
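The 3-2-1-1 rule and the “test your backups” item above can both be expressed as checks over a backup inventory. The following is an added example, not code from the original article or from Velosio: it takes a list of backup copies (the `BackupCopy` fields, the sample copies, and the sample payload are all constructed assumptions), reports which of the four rule conditions fail, and flags any copy whose content digest no longer matches a known-good reference, which is the kind of tampered or encrypted copy you do not want to discover during a restore.

```python
"""Check a backup inventory against the 3-2-1-1 rule and verify copy integrity.

Added example (not from the original article). The inventory format, field
names and the sample data below are assumptions constructed for illustration.
"""
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class BackupCopy:
    location: str      # free-text label, e.g. "primary-nas", "tape-vault"
    medium: str        # storage medium, e.g. "disk", "tape", "object-storage"
    offsite: bool      # stored somewhere other than the production site
    immutable: bool    # WORM / object-lock / otherwise indelible storage
    sha256: str        # digest of the backup content as stored at this location


def check_3_2_1_1(copies):
    """Map each 3-2-1-1 condition to True (met) or False (not met)."""
    return {
        "three_copies": len(copies) >= 3,                       # 3: at least three copies
        "two_media": len({c.medium for c in copies}) >= 2,      # 2: on two different media
        "one_offsite": any(c.offsite for c in copies),          # 1: one copy off-site
        "one_immutable": any(c.immutable for c in copies),      # 1: one immutable copy
    }


def violations(copies):
    """Names of the conditions that fail; an empty list means the set is compliant."""
    return [name for name, ok in check_3_2_1_1(copies).items() if not ok]


def integrity_mismatches(copies, expected_sha256):
    """Locations whose recorded digest differs from the known-good reference digest.

    A copy that no longer matches may have been tampered with or encrypted and
    must not be relied on for a restore.
    """
    return [c.location for c in copies if c.sha256 != expected_sha256]


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed sample: a tiny "backup payload" and two inventories of copies of it.
SAMPLE_PAYLOAD = b"constructed sample backup content"
GOOD = sha256_hex(SAMPLE_PAYLOAD)
TAMPERED = sha256_hex(SAMPLE_PAYLOAD + b" modified")

# Three copies, two media, one off-site, one immutable: compliant.
COMPLIANT_SET = [
    BackupCopy("primary-nas", "disk", offsite=False, immutable=False, sha256=GOOD),
    BackupCopy("tape-vault", "tape", offsite=True, immutable=False, sha256=GOOD),
    BackupCopy("cloud-object-lock", "object-storage", offsite=True, immutable=True, sha256=GOOD),
]

# Three copies but no immutable one, and the on-site copy has been altered.
WEAK_SET = [
    BackupCopy("primary-nas", "disk", offsite=False, immutable=False, sha256=TAMPERED),
    BackupCopy("secondary-nas", "disk", offsite=False, immutable=False, sha256=GOOD),
    BackupCopy("tape-vault", "tape", offsite=True, immutable=False, sha256=GOOD),
]


if __name__ == "__main__":
    for label, copies in (("compliant", COMPLIANT_SET), ("weak", WEAK_SET)):
        print(label, "violations:", violations(copies),
              "mismatches:", integrity_mismatches(copies, GOOD))
```

In practice the `sha256` field would be filled by re-hashing each copy on its schedule and the reference digest recorded at backup time on the immutable copy, so that a silently encrypted on-site copy shows up as a mismatch long before anyone needs it.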
Educate and Train Your Team
Employees can be your greatest risk or your best line of defense when it comes to ransomware attacks. Poorly-trained employees can undermine even the most sophisticated protections. All it takes is one person downloading an infected file or clicking a malicious link and, just like that, bad actors gain access to your network.
The good news is, arming your team with some basic skills is one of the best (and easiest) ways to defend your business from ransomware attacks.
Ad-hoc cyber security training won’t cut it. Gartner recommends building an adaptive, ongoing program that connects cyber education and awareness programs to business outcomes — just like any other business strategy.
Here’s a look at what that might entail:
- Basic cyber hygiene. Initially, your goal is showing employees how individual actions are directly linked to protecting the organization and its customers from ransomware. Educate employees about current threats — ransomware gangs, recent breaches, business interruption vulnerabilities, etc.
- How to ID phishing attempts. Train employees how to spot phishing emails, texts, social media messages, apps, and websites. Small things like looking at grammar usage, salutations (e.g. Dear Sir/Madam), and sender emails (e.g. firstname.lastname@example.org) or hovering over links for more info before clicking can go a long way in preventing
- Best practices around BYOD, remote access, and removable media use. Remote-hybrid work has increased the threat of ransomware — with more threat actors capitalizing on unsecured personal devices, Remote Desktop and VPN vulnerabilities, and things like USB devices. It’s important that your training efforts focus on ensuring that employees are aware of the risks that come with their devices and what they can do to stay safe.
- How to report & respond to known threats. Another critical element in any ransomware training program is reporting and responding to cyber incidents. Make sure you teach employees what they should do if they receive a suspicious email or link — who they should report it to, how to forward that information, etc. Your strategy should also include guidance for what people need to do if they make a mistake (otherwise, they may try to cover it up out of fear they’ll be punished).
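Three of the phishing indicators in the training list above (a generic salutation, a sender address whose domain doesn’t match the organization it claims to be from, and a link whose visible text points somewhere other than its real target) can be checked mechanically, which is useful both for training material and for a first-pass triage of reported messages. The following is an added example, not code from the original article: the `Message` structure, the two constructed sample messages (using reserved example.org/example.net domains) and the “two or more indicators” threshold are assumptions.

```python
"""Heuristic phishing-indicator check over a parsed e-mail.

Added example (not from the original article). The message fields, sample
messages and the scoring threshold are assumptions made for illustration.
"""
import re
from dataclasses import dataclass, field
from urllib.parse import urlparse

GENERIC_SALUTATIONS = ("dear sir/madam", "dear sir or madam", "dear customer", "dear user")

# Display text that looks like a bare domain or URL, e.g. "support.example.org/verify".
URL_LIKE = re.compile(r"(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?", re.IGNORECASE)


@dataclass
class Message:
    sender: str                                 # From: address as received
    claimed_org_domain: str                     # domain of the organization it claims to be
    body: str
    links: list = field(default_factory=list)   # (display_text, href) pairs from the body


def sender_domain(address: str) -> str:
    return address.rsplit("@", 1)[-1].lower()


def link_mismatch(display: str, href: str) -> bool:
    """True when the visible link text names a host other than the one the href targets.

    Plain-word link text ("Click here") is not URL-like and is never flagged here.
    """
    if not URL_LIKE.fullmatch(display.strip()):
        return False
    shown = urlparse(display if "://" in display else "https://" + display).hostname
    target = urlparse(href).hostname
    return bool(shown) and bool(target) and shown != target


def phishing_indicators(msg: Message):
    """Return the names of the indicators found, one per item in the training list."""
    found = []
    first_line = next((ln.strip().lower() for ln in msg.body.splitlines() if ln.strip()), "")
    if first_line.startswith(GENERIC_SALUTATIONS):
        found.append("generic_salutation")
    if sender_domain(msg.sender) != msg.claimed_org_domain.lower():
        found.append("sender_domain_mismatch")
    if any(link_mismatch(text, href) for text, href in msg.links):
        found.append("link_text_mismatch")
    return found


def is_suspicious(msg: Message, threshold: int = 2) -> bool:
    """Flag a message once it shows at least `threshold` independent indicators."""
    return len(phishing_indicators(msg)) >= threshold


# Constructed samples on RFC 2606 reserved domains.
LEGIT = Message(
    sender="helpdesk@example.org",
    claimed_org_domain="example.org",
    body="Hi Dana,\n\nYour ticket has been updated. See https://support.example.org/t/42",
    links=[("https://support.example.org/t/42", "https://support.example.org/t/42")],
)

SUSPECT = Message(
    sender="helpdesk@example.net",
    claimed_org_domain="example.org",
    body="Dear Sir/Madam,\n\nPlease verify your account: support.example.org/verify",
    links=[("support.example.org/verify", "https://example.net/verify")],
)

if __name__ == "__main__":
    for name, msg in (("legit", LEGIT), ("suspect", SUSPECT)):
        print(name, phishing_indicators(msg), "suspicious:", is_suspicious(msg))
```

The threshold matters: a generic salutation alone is common in legitimate bulk mail, so the verdict is only raised when two or more independent indicators line up, and the full indicator list is returned so a reviewer can see why a message was flagged.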
Develop Your Ransomware Response Plan (or Several)
While prevention is the best medicine, there’s no way to guarantee that you won’t fall victim to ransomware at one point or another. As such, our last “ransomware protection best practice” looks beyond prevention and focuses instead on preparation.
Bridget Quinn Choi, Principal at Booz Allen Hamilton, told Protocol that organizations often have ransomware recovery plans in place, but there are lots of gaps when it comes to response times and achieving business continuity post-disaster. She says that many times, these gaps are driven by unclear objectives, a lack of testing, and a poor understanding of what’s expected in an incident response.
After COVID and everything we’ve seen since those initial lockdowns, the only thing we can count on is more uncertainty. Putting together incident response plans for different scenarios (i.e. data breaches, compromised backups, stolen credentials) can facilitate smart decision-making and quick action when disaster strikes – no matter what kind of disaster is on the horizon.
At a bare minimum, you’ll want to cover business continuity, data protection, and how to respond to a ransomware attack. But – it’s worth noting that cyber incidents come in many different “flavors” and you’ll want to consider those nuances as you develop a response plan. Like, how will you:
- Respond to ransom demands?
- Report incidents to law enforcement?
- Inform customers that there’s been a breach?
- Check backups and critical systems for infection?
- Quarantine infected systems and files?
- Get up and running?
Your incident response plan will be informed by your business model, strategy, and the regulations that dictate how these things are done within your industry. But – you’ll want to make sure that you clearly define and document your game plan, communicate it to key employees, and run routine stress tests to ensure that you’re ready to fend off threat actors of all stripes – sophisticated gangs, commodity attackers, or something in-between.
Look, the best way to avoid becoming a ransomware victim is to be proactive about prevention – but there’s always a possibility that ransomware will find its way inside your network – even if you’ve done everything right.
Velosio can help you get started on your ransomware defense journey. Take this quick Microsoft security assessment to identify gaps in your security posture, and we’ll go from there. You can also contact us directly to learn more about our services, expertise, and what it’s like to work with us.