Alex Restrepo, cybersecurity researcher at Veritas, lays out the key concepts that organizations should be paying attention to now and implementing today.
The ransomware landscape is evolving, and ransomware is now one of the most popular (for cybercriminals) and damaging types of malware. The JBS, Colonial Pipeline and Kaseya attacks are recent high-profile examples of the impact of ransomware and the monumental consequences it can have: shifts in the market, disruption of infrastructure and even action at the highest levels of government.
In the wake of these attacks and other events like the SolarWinds attack, the executive branch has taken action in the form of an executive order (EO), which covers several cybersecurity concepts. This order encourages private sector companies to follow the Federal government’s lead to help minimize the impact of future incidents.
There are several different concepts outlined in the EO, so to help organizations get started, I’ve outlined some of the key concepts that organizations should be paying attention to now and offered a few tips on how you can start implementing these strategies today.
1. Adopt a “Zero-Security” Posture Towards Ransomware
One of the orders that stood out to me is the “Modernize and Implement Stronger Cybersecurity Standards in the Federal Government” requirement. It aims to move the Federal Government toward better security practices: adopting zero-trust security, accelerating the move to secure cloud services, and deploying multifactor authentication and encryption.
At Veritas, we counsel enterprises to adopt what we call a “zero-security” posture; it’s the mentality that even the most effective endpoint security will be breached. It is important to have a plan so that you’re prepared for when this happens.
2. Be Active, Not Passive
Enterprises need robust endpoint data protection and system security. This includes antivirus software and even application whitelisting, where only approved applications are permitted to run. Enterprises need both an active element of protection and a reactive element of recovery.
Companies hit with ransomware can spend five days or longer recovering, so it’s imperative that they have the right backup and recovery strategies in place before an attack.
3. Don’t Put All Your Eggs in One Basket
Black hats who develop ransomware are trying to close off every route by which an enterprise could recover without paying the ransom. This is why ransomware attacks target not only files and systems in use, but also backup systems and cloud-based data.
We urge organizations to implement a more comprehensive backup and recovery approach based on the National Institute of Standards and Technology (NIST) Cybersecurity Framework. It includes a set of best practices: using immutable storage, which prevents ransomware from encrypting or deleting backups; implementing in-transit and at-rest encryption, so that data a bad actor intercepts on the network or steals from storage is unreadable to them; and hardening the environment by enabling firewalls that restrict ports and processes.
4. Create a Playbook for Cyber-Incidents
The other aspect of the EO I wanted to touch on was the call to “Create a Standard Playbook for Responding to Cyber Incidents.” The federal government plans on creating a playbook for federal agencies that will also act as a template for the private sector, to help companies take the appropriate steps to identify and mitigate a threat.
Time is of the essence, so before we see the federal government’s playbook, here are a few important steps organizations should be thinking about when it comes to creating their own:
- Digital Runbook: Having a plan on paper is a start, but having a digital plan that can be easily viewed and executed with a single click is essential. The more complex a plan is to run, the longer it will take to recover from an attack.
- Test, Test, Test: Testing ensures your plan will work when you need it. Initial testing is important to ensure all aspects of the plan work, but IT environments are constantly in flux, so it is critical to test regularly.
- Remove Single Points of Failure: The 3-2-1 practice is the idea that you should have three or more copies of your data, so that no single failure derails your plan; that those copies sit on at least two distinct storage media, so a vulnerability in one medium doesn’t compromise all of your copies; and that at least one copy is offsite or air-gapped, so you still have options should an attack take out an entire data center.
- Have Options for Rapid Recovery: When an attack takes down an entire data center, recovery can be slowed by compounded challenges around hardware, network, workloads and the data itself. Having an alternate option, such as rapidly standing up a data center on a public cloud provider, can shorten downtime and provide alternatives to paying a ransom.
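The 3-2-1 rule above, together with the immutable-storage recommendation from the NIST-based best practices earlier in this piece, can be turned into a check that runs against a backup inventory, so that the gap shows up in review rather than during an incident. The following is an added example written for this article, not Veritas tooling; the inventory records, field names and the two sample inventories are constructed for illustration.

```python
"""Check a backup inventory against the 3-2-1 rule and the immutability
recommendation. Added example with a constructed inventory schema; the
field names (medium, location, offsite, air_gapped, immutable) are
assumptions, not a real product's data model."""
from dataclasses import dataclass


@dataclass(frozen=True)
class BackupCopy:
    name: str
    medium: str        # e.g. "disk", "tape", "object-storage"
    location: str      # e.g. "primary-dc", "dr-site", "cloud-region-b"
    offsite: bool      # stored outside the primary data center
    air_gapped: bool   # not reachable over the network from production
    immutable: bool    # WORM / object-lock: cannot be altered or deleted until retention expires


def check_3_2_1(copies):
    """Return rule -> bool for the three parts of 3-2-1 plus an immutability check.

    An air-gapped copy counts toward the '1' even if it sits in the same
    building, because it is unreachable to malware running on production.
    """
    return {
        "three_copies": len(copies) >= 3,
        "two_media": len({c.medium for c in copies}) >= 2,
        "one_offsite_or_air_gapped": any(c.offsite or c.air_gapped for c in copies),
        "one_immutable": any(c.immutable for c in copies),
    }


def single_points_of_failure(copies):
    """Name attributes shared by every copy. A failure of that shared attribute
    (one site, one medium, one set of admin credentials) takes all copies with it.
    Returns a list of human-readable findings; empty means none found."""
    findings = []
    if len({c.medium for c in copies}) == 1:
        findings.append(f"all copies on one medium: {copies[0].medium}")
    if len({c.location for c in copies}) == 1:
        findings.append(f"all copies in one location: {copies[0].location}")
    if not any(c.air_gapped or c.immutable for c in copies):
        findings.append("every copy is online and mutable: an attacker with admin "
                        "credentials can encrypt or delete all of them")
    return findings


def passes(copies):
    """True only when every 3-2-1 check holds and no single point of failure remains."""
    return all(check_3_2_1(copies).values()) and not single_points_of_failure(copies)


# Constructed sample inventories (not real environments).
# Three copies, but all on disk, all in the primary data center, all online and mutable.
WEAK_INVENTORY = [
    BackupCopy("prod-volume", "disk", "primary-dc", offsite=False, air_gapped=False, immutable=False),
    BackupCopy("nightly-snapshot", "disk", "primary-dc", offsite=False, air_gapped=False, immutable=False),
    BackupCopy("replica", "disk", "primary-dc", offsite=False, air_gapped=False, immutable=False),
]

# Three copies on three media; one object-locked in another region, one air-gapped tape.
STRONG_INVENTORY = [
    BackupCopy("prod-volume", "disk", "primary-dc", offsite=False, air_gapped=False, immutable=False),
    BackupCopy("nightly-to-object-store", "object-storage", "cloud-region-b",
               offsite=True, air_gapped=False, immutable=True),
    BackupCopy("weekly-tape", "tape", "offsite-vault", offsite=True, air_gapped=True, immutable=False),
]


if __name__ == "__main__":
    for label, inventory in (("weak", WEAK_INVENTORY), ("strong", STRONG_INVENTORY)):
        print(label, check_3_2_1(inventory))
        for finding in single_points_of_failure(inventory):
            print("  SPOF:", finding)
```

The weak inventory is the trap the list item warns about: it has three copies and so looks like it satisfies the "3", yet every copy shares a medium, a site and a credential domain, so one ransomware run with admin rights takes them all. The check is only as good as the inventory it reads, so the records should come from the backup platform itself rather than from a hand-maintained sheet, and the result belongs in the regular testing cadence described under "Test, Test, Test".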
5. Remember: Ransomware Is an Arms Race
Preparing your company for an inevitable ransomware attack is becoming more critical every day. The Colonial Pipeline attack has driven new mandates for cyber resiliency, and as security leaders, we have a critical role in ensuring we’re doing everything we can to protect and secure valuable and sensitive data.
Ransomware won’t be “solved.” I see it as an arms race in which we all have to be constantly vigilant, especially around elements that are out of our control. No single solution or security control is going to stop ransomware, but by taking a layered security approach, you’ll be able to mitigate the impact of an attack and get back up and running quickly.
Alex Restrepo is part of the Virtual Data Center Solutions team at Veritas.
Enjoy additional insights from Threatpost’s InfoSec Insider community by visiting our microsite.