In my last installment, I outlined guidance for the first three ransomware initial attack vectors detailed in the MS-ISAC #StopRansomware guide. In this paper I will outline the last three initial attacks vectors found in the guide. The fourth vector they deal with is Precursor Malware Infections.

Researchers have found that ransomware infections are usually preceded by reconnaissance malicious code that lays the groundwork for the full ransomware attack to come. In some cases, ransomware deployment is the last step in a network compromise and is dropped to obscure previous post-compromise activities such as business email compromise. These malicious code packages have been dubbed ‘precursor malware.’ For example, malware such as Qakbot, Bumblebee and Emotet have been employed as precursors to ransomware attacks. Identifying and remediating such precursor malware can alert you to the possibility of an imminent ransomware attack, and can help you prevent the full ransomware attack from actually happening. For this attack vector, the guide recommends:

• Ensuring that antivirus and anti-malware software and signatures are automatically updated. In fact, the authoring organizations go one step further and recommend using a centrally managed antivirus solution.
• Using application allowlisting and/or endpoint detection and response (EDR) solutions on all assets to ensure that only authorized software is executable, and all unauthorized software is blocked. Application allowlisting is deeper than traditional application control solutions and works at the file level to screen against unwanted applications. EDR is cybersecurity technology that monitors and responds to threats on endpoints such as mobile phones, laptops and IoT devices that connect to your network. This is recommended for cloud-based resources.
• Implementing IDS systems. These can be used to detect command and control activity and other potentially malicious network activity that occurs prior to ransomware deployment.
• Monitor indicators of activity and block malware file creation with the Windows Sysmon utility. Sysmon has a file block executable option that can used to block the creation of malicious executables, DLL files, and system files that match specific hash values.

The fifth initial attack vectors listed in the #StopRansomware Guide is advanced forms of social engineering. Advanced forms of social engineering attacks include tactics such as search engine optimization (SEO) poisoning, imposter websites (drive-by downloads) and malvertising (malicious advertising). All of these techniques are used to extract information from users or to provide an avenue for attackers to inject malware into the network. To help counter this threat vector, the guide recommends:

• Ensuring that you have a good cybersecurity awareness training program that schools your employees in how to recognize and report advanced social engineering attempts against your network.
• Employing a protective DNS service. A protective DNS service is any security service that analyzes DNS queries to identify and mitigate threats.
• Implementing sandboxed browsers to help thwart malware that can be introduced through web browsing. Sandboxed browsers isolate the host machine from malicious code.

The sixth initial attack vector listed in the #StopRansomware guide is one that is on everyone’s mind since the MOVEit attacks started: third parties and managed service providers. In the modern business world, organizations are employing ever-increasing numbers of third-party software packages and managed service providers to perform all kinds of tasks for them. To be effective, these services need access to internal network information and devices, and become in effect a part of your internal network. This increases the attack surfaces available to ransomware attackers immensely. To help thwart these kinds of attacks, the guide recommends:

• Examining the risk management and cyber hygiene practices employed by managed service providers (MSPs) to ensure they are in line with best practices and your organization’s security requirements. They also recommend that you formalize security requirements in contract language with these providers.
• Ensuring the use of least privilege and separation of duties when setting up access of third parties. They should only be allowed access to those devices and servers that are within their role or responsibilities.
• Creating service control policies (SCPs) for cloud-based resources to prevent users or roles, organization wide, from being able to access specific services or take specific actions within services such as deleting logs or changing configurations outside of their role.

Implementing the recommendations found in the #StopRansomware guide encompasses the best advice available to date for preventing and mitigating ransomware attacks against your organization, and will help you remain competitive in the markets of today.

In this paper, I will outline best practices for preventing and mitigating ransomware attacks as detailed in the #StopRansomware Guide published by the Multi-State Information Sharing & Analysis Center. In this guide, measures for preventing and mitigating ransomware attacks are grouped according to six initial attack vectors employed by cyber-criminals to worm their way into your network. The first of these attack vectors that the guide addresses is Internet-facing vulnerabilities and misconfigurations. Most organizations should be used to addressing vulnerability and configuration management by now. What is changing is the degree to which organizations need to rigorously discover and address vulnerabilities and misconfigurations in a timely manner. For this attack vector, the guide recommends:

• Conducting regular vulnerability scanning to identify vulnerabilities on your networks. This is especially true of external, Internet-facing networks (in fact, we recommend employing continuous vulnerability scanning for these). We also strongly recommend that internal and wireless networks should also receive vulnerability scanning. In addition, we recommend penetration testing of your networks to help identify cascading failures and other subtle security flaws that simple vulnerability testing cannot identify.

• Ensuring that all entities on your networks (operating systems, software/firmware applications and hardware devices) are regularly patched and updated to the latest versions. They also recommend prioritizing patching of internet-facing servers that operate software for processing internet data. Organizations should especially employ CISA’s Known Exploitable Vulnerabilities Catalogue available at their website to ensure they are addressing the most serious vulnerabilities. In addition, the guide recommends that organizations that have trouble keeping up with this process should consider migrating systems to reputable “managed” cloud providers to reduce, not eliminate, system maintenance roles for identity and email systems.
• Ensuring that all devices (on-premises, cloud services, mobile and personal) are properly configured and that security features are enabled. They recommend reducing or eliminating manual deployments and codifying cloud resource configuration through IaC. IaC templates should receive security testing prior to deployment. They further recommend that checking configuration drift routinely to identify resources that were changed or introduced outside of template deployment.
• Limiting the use of RDP and other remote desktop services, and if they must be used, applying best practices security measures to help ensure they are not misused. They also recommend regularly updating VPNs, network infrastructure devices, and devices being used to remote in to work environments with the latest software patches and security configurations. MFA should be used for VPN and all remote access.
• Disabling SMB protocols 1 and 2 and upgrading to version 3 after mitigating existing dependencies (on the part of existing systems or applications) that may break when disabled.

The second initial attack vector listed in the #StopRansomware Guide is compromised credentials. To prevent and mitigate successful attacks from this vector, the guide recommends:

• Implementing phishing-resistant MFA for all services, particularly for email, VPNs, and accounts that access critical systems. They further recommend employing password-less MFA that replaces passwords with two or more verification factors such as fingerprints or facial recognition.
• Considering subscribing to credential monitoring services that monitor the dark web for compromised credentials.
• Implementing identity and access management (IAM) systems.
• Implementing zero trust access control measures.
• Changing all default admin user names and passwords.
• Not using root access accounts for day-to-day operations, and rather creating users, groups and roles to carry out tasks.
• Ensuring that passwords of at least 15 characters are used. We further recommend using passphrases that are longer and harder to break, but that are easier to remember.
• Enforcing account lockout policies, and monitoring login attempts for brute force password cracking and password spraying.
• Storing passwords in a secured database and using strong hashing algorithms.
• Implementing local administrator password solution (LAPS) wherever possible.
• Protecting against local security authority subsystem service (LSASS) duping by implementing ASR for LSASS and credential guard for Windows 10 and Server 2016.
• Educating all employees on proper password security in your annual security training.
• Using Windows PowerShell Remoting, Remote Credential Guard, or RDP with restricted Admin Mode as feasible when establishing a remote connection to avoid direct exposure of credentials.
• Ensuring that administrators use separate access accounts for administrative duties and simple network access.

The third initial attack vector listed in the guide is phishing. As all of us know by this point, phishing attacks are one of the most common and successful attack methods employed by cyber-criminals. To prevent and mitigate ransomware attacks using this vector, they recommend:

• Including guidance on how to identify and report suspicious activity or incidents in regular user security awareness training.
• Implementing flagging external emails in email clients.
• Implementing filters at the email gateway to filter out emails with known malicious indicators.
• Enabling common attachment filters to restrict file types that commonly contain malware and should not be sent by email.
• Implementing domain-based message authentication, reporting and conformance (DMARC) policy and verification.
• Ensuring macro scripts are disabled for Microsoft Office files transmitted via email.
• Disabling Windows script host (WHS).

These are only the first three of the six initial attack vectors included in the guide. In my next paper I will outline the last three vector which include precursor malware infections, advanced forms of social engineering, and one of the most fearsome attack vectors currently plaguing us all: third parties and managed service providers.

In this paper I will outline the steps recommended in the recently updated MS-ISAC #StopRansomware Guide for preparing your organization for preventing ransomware attacks. Being well prepared for ransomware attacks is not only common sense for the organization, it may deter cyber criminals from even attempting their attacks. Cyber criminals universally look for and attack those organizations that have the weakest information security programs.

In general, the first step in preparing for ransomware attacks is ensuring that you have a well-rounded and effective information security program in place. Specific to ransomware, you should ensure that your incident response plan has specific policies and processes in place that address ransomware attacks. It is also important to ensure that your incident response plan includes communication plans and templates. The incident response team should reach a consensus on what level of detail about the incident is appropriate to share with staff, regulators, law enforcement and the public, and how this information should flow. After conducting numerous incident response table-top exercises with organizations of all types, we at MSI have found that if the response team does not have communications planned in detail in advance, their incident response will be chaotic. Other plan preparation guidance found in the #StopRansomware Guide includes:

• Ensuring that your data breach notification procedures adhere to applicable state laws. If you are unsure about your state notification laws, see: https://www.ncsl.org/technology-and-communication/security-breach-notification-laws
• If your organization has electronic health information on the network, you may also need to notify the FTC (see: https://www.ftc.gov/legal-library/browse/rules/health-breach-notification-rule) or HHS (see: https://www.hhs.gov/hipaa/for-professionals/breach-notification/index.html). In addition to the above guidance, I would recommend that your organization should include any other regulatory or law enforcement agency that should be notified in your written incident response plans.
• For any personally identifiable information that may be breached, you should be prepared to notify the individuals or businesses impacted about the type of information exposed, recommended remediation actions and relevant contact information.
• You should ensure the incident response plan, including communications plans, are reviewed and approved by the CEO in writing, and that these plans are reviewed and understood across the chain of command. Your organization should also regularly review the latest ransomware incident response guidance available online to help ensure that you remain current.
• Ensure that hard copies of the incident response plan are maintained, and that an offline version is also available.

Operational preparation guidance found in the #StopRansomware Guide includes:

• Ensure that you maintain and test multiple encrypted backups of critical information, including offline backups.
• Ensure that you maintain and regularly update “golden images” of critical systems. This should include image templates that have a preconfigured operating system and associated software applications that can be quickly deployed to rebuild a system such as a virtual machine or server.
• Use infrastructure as code (IaC) to deploy and update cloud resources and keep backups of template files offline to quickly redeploy resources. IaC code should be version controlled and changes to the templates should be audited.
• Store applicable source code or executables with offline backups.
• Retain backup hardware to rebuild systems if rebuilding the primary system is not preferred.
• Your organization should also consider using a multi-cloud solution to avoid vendor lock-in for cloud-to-cloud backups in case all accounts under the same vendor are impacted.

As a final preparatory step, your organization should implement a zero trust architecture for you network (see https://www.cisa.gov/zero-trust-maturity-model). Zero trust provides a collection of concepts and ideas designed to minimize uncertainty in enforcing accurate, least privilege per-request access decisions in information systems and services in the face of a network viewed as compromised. The goal is to prevent unauthorized access to data and services and make access control enforcement as granular as possible.

Implementing these processes and controls on your network will bring you up to date with current best practices for preparing your organization for dealing with ransomware attacks. In my next blog, I will outline the measures found in the #StopRansomware Guide for preventing and mitigating ransomware incidents.

Ransomware is the leading information security threat that has emerged in recent years, and it’s only getting worse! In the first six months of this year, 1,393 organizations have issued data breach notifications. If this keeps up, and there’s no reason to think it won’t, 2023 will beat the record set in 2021 of 1,862 data breaches reported. Ransomware is a big part of this sad total.

Back in 2020, the Cybersecurity and Infrastructure Security Agency (CISA) and the Multi-State Information Sharing & Analysis Center (MS-ISAC) released their first Ransomware Guide to try to help organizations respond effectively to this threat. In the last three years, however, ransomware has evolved greatly. Because of this, they have released an updated ransomware guide now titled #StopRansomware Guide. This guide was developed through the U.S. Joint Ransomware Task Force (JRTF) which is co-chaired by the CISA and FBI. The new title was instituted to incorporate the #StopRansomware effort into the title. (#StopRansomware is a one-stop hub for ransomware resources for individuals, businesses and other organizations. The new #StopRansomware.gov website is a collaborative effort across the federal government and is the first joint website created to help private and public organizations mitigate their ransomware risk. It contains all the latest ransomware information and advisories produced by federal authorities).

The #StopRansomware Guide has two parts: part 1 concerns ransomware and data extortion prevention best practices, and part 2 is a ransomware and data extortion response checklist. The two parts represent current best practices and recommendations based on operational insight from CISA, MS-ISAC, the National Security Agency (NSA), and the FBI (these are known as the authoring organizations). The changes made from the old guide to this current version include:

• Added FBI and NSA as co-authors based on their contributions and operational insight.
• Incorporated the #StopRansomware effort into the title.
• Added recommendations for preventing common initial infection vectors, including compromised credentials and advanced forms of social engineering.
• Updated recommendations to address cloud backups and zero trust architecture (ZTA).
• Expanded the ransomware response checklist with threat hunting tips for detection and analysis.
• Mapped recommendations to CISA’s Cross-Sector Cybersecurity Performance Goals (CPGs).

In my next series of blogs, I will go into detail about the latest best practices recommendations for ransomware prevention and response that are contained in new #StopRansomware Guide. To get started, here are the initial steps that the guide recommends that all organizations undertake to prepare and protect their facilities, personnel, and customers from cyber and physical security threats and other hazards:

• Join a sector-based information sharing and analysis center (ISAC), where eligible, such as:
  • MS-ISAC for U.S. State, Local, Tribal, & Territorial (SLTT) Government Entities – learn.cisecurity.org/ms-isac-registration. MS-ISAC membership is open to representatives from all 50 states, the District of Columbia, U.S. Territories, local and tribal governments, public K-12 education entities, public institutions of higher education, authorities, and any other non-federal public entity in the United States.
  • Elections Infrastructure Information Sharing & Analysis Center (EI-ISAC) for U.S. Elections Organizations – learn.cisecurity.org/ei-isac-registration. (See the National Council of ISACs for more information).
• Contact CISA at CISA.JCDC@cisa.dhs.gov to collaborate on information sharing, best practices, assessments, exercises, and more.
• Contact your local FBI field office for a list of points of contact (POCs) in the event of a cyber incident.

Remember, ransomware groups such a CLOP are ruthless, talented and waiting to pounce on any organization, government or private sector, that they are able to compromise. Get started today on educating your personnel and preparing to resist and respond to ransomware attacks.

When you mention building a good information security program to most business employees, especially developing and maintaining written information security policies, you’ll see most of them cringe and get that far away look in their eyes. I can understand that completely! Developing and implementing a modern infosec program is a long and often difficult process. You have to go through assessments to ascertain the level of your current infosec program, you have to determine what level of infosec program you need to finally attain and you have to plan exactly how you are going to achieve your information security goals. For most even smallish to medium-size organizations, this can take three years or more. It can make you tired just thinking about it!

However, the unexpected good news about the whole thing is that, once the program is in place, it’s a piece of cake to maintain it! All that is needed is regular reviews and updates of the program particulars to ensure they remain current and effective. On top of that, having a good infosec program in place and well maintained can help you keep your current customers and entice new customers to utilize your services. This is especially true in the modern business environment which is plagued with oodles of very competent cyber-criminals and adversarial nation states who employ everything from malware and zero days to clever attack strategies and mechanisms such as social engineering techniques to steal your money and ruin your business reputation. Let’s face it, if your organization provides or uses business services in the age of supply chain attacks, you truly need to be able to demonstrate information security competency just to keep your head above water.

So how do you begin the process of developing your infosec program? There are so many steps in the process it is natural to feel overwhelmed by the scope of the whole thing. Luckily, there is a fine mechanism out there to help you get off to a good start in implementing your program; this is the Center for Internet Security (CIS) Critical Security Controls assessment. In this assessment, you first consult with the assessor to discuss the particular business and the information security goals you need to achieve to provide strong security. In the next stage of the process, the assessor meets with pertinent staff (usually by teleconference) to ascertain what CIS security controls you currently have in place and what level of maturity they are at. This usually is done in two or three meetings. The assessor then analyzes the results of the assessment and provides your organization with roadmaps for closing the control gaps found during the assessment and meeting the control goals of the organization. This roadmap is typically split into several phases. With a typical three-year overall timeframe for achieving aspirational goals, these phases will include immediate goals (3-6 months), short-term goals, (6-12 months), intermediate goals (13-24 months) and long-term goals (25-36 months). These roadmaps are quite detailed. They list the recommended controls to be implemented during each time period. They also list the estimated technical complexity, political complexity and financial cost of implementing each control rated as high, medium or low. Other implementation guidance is also listed for each control as necessary. As you can see, having this process and roadmaps in place, your organization will have a good start on implementing the program and will quickly lose that feeling of being overwhelmed.