With ransomware demands in the millions, companies are beginning to prioritize investment in their ransomware resilience strategy to avoid the severe financial, operational, and reputational costs of being the victim of an attack. In fact, ransomware planning ranked as the top initiative for retail and hospitality CISOs in RH-ISAC’s recent 2021 CISO Benchmark Report, but what actionable tactics can you implement that will prevent ransomware attacks against your business?
Here are seven of the top actions you can take to prepare for and prevent a ransomware attack.
- Security Awareness Training: Security awareness training for your employees is one of the most effective strategies for preventing a ransomware attack. Attackers need to be able to gain access to your network which they can do by taking advantage of human error. Phishing is still one of the most common methods of entry for ransomware attacks. Phishing scams have evolved to use social engineering tactics and heavily targeted messaging to seem legitimate. Training your employees on how to identify a phishing email, and importantly, how to report a phishing email, can prevent them from compromising your network through clicking malicious links and downloading dangerous attachments. You should also configure an effective spam filtering system and email gateway to lower the number of phishing attempts that even make it into your employees’ inboxes. Another important aspect of security awareness training is implementation of a password policy and multi-factor authentication. Without these standards in place, attackers can brute force an employee’s credentials to gain initial access to your network and escalate permissions to control your systems from there.
- Secure RDP ports: According to the 2020 Unit 42 Incident Response and Data Breach Report, RDP services were the initial attack vector in 50% of ransomware deployment cases. The shift to work-from-home during the pandemic has made remote desktop protocol attacks even more prevalent. The best way to prevent attackers from taking advantage of this entry point is by ensuring that your RDP ports are not left open to the internet, which can be accomplished by use of a VPN or Remote Desktop Gateway. Additionally, not all devices in your network will need RDP access. Turning off and blocking RDP access for those that don’t need it will limit your exposure. Learn more about remote desktop protocol in our previous blog post.
- Data Backups and Encryption: Protecting your data won’t technically stop a ransomware attack, but it will limit the impact of one if it were to occur. Keeping a regularly updated, immutable, offline backup of your data will make it less likely that you will have to pay the ransom to recover your data. Encrypting your data will limit the impact of a double extortion attack in which the attacker threatens to expose your data publicly if you don’t pay the ransom.
- Implement a Policy of Zero Trust: Particularly with the continued prevalence of remote work and BYOD, it is more important than ever to implement a zero-trust policy. Zero trust is a framework that requires all users to be authenticated and continuously validated in order to access applications and data. One of the goals of zero-trust architecture is to limit the risk of an insider attack or an attacker being able to use compromised credentials to access the network. A zero-trust framework can be applied on a network or an identity level. In a network approach, the network is broken down into segments and the user is validated upon entering each of the different segments. This works to prevent lateral movement through the network if an attacker gains initial access. The downsides to this method include its difficulty to implement in complex hybrid environments. Additionally, if an attacker bypasses the security controls for that one segment, they’re able to access all of the resources inside of that segment. An alternative method is identity-based zero trust, which places the perimeter around individual resources. This has the benefit of building a more complete audit trail and helping to detect anomalies in activity quicker.
- Defend Other Points of Entry: Instituting a web application firewall, particularly one that also covers your APIs and mobile apps, can be a great way to filter out some of the unwanted traffic to your site, serving as a first line of defense. You should also ensure that you’re completing regular patching so you’re not a victim of a known vulnerability. Additionally, using an endpoint discovery and response (EDR) solution can help detect and block abnormal activity.
- Develop a Comprehensive Ransomware Playbook: Similar to backing up your data, a playbook won’t necessarily stop an attack, but having a plan will mitigate the damage from an attack. Document every stage of your ransomware resilience strategy from the tactics used to prevent an attack to actions taken during an attack to identify the source and limit its spread. Work in conjunction with key stakeholders within your organization such as your legal, financial, and communications departments to develop and document your strategy for the aftermath of an attack including whether or not to pay a ransom, restoring your network and handling media and customer inquiries.
- Join the RH-ISAC: RH-ISAC provides members with resources to defend against ransomware attacks, such as security awareness training that educates employees about common scams that can lead to malware infection. Members also have access to resources such as trend reports and daily intelligence briefings that identify common malware strains and TTPs peers are seeing so you can be aware of warning signs. Learn more about RH-ISAC membership.