In this paper I will outline the steps recommended in the recently updated MS-ISAC #StopRansomware Guide for preparing your organization to prevent ransomware attacks. Being well prepared for ransomware attacks is not only common sense for the organization; it may also deter cyber criminals from attempting an attack at all, since they universally seek out and attack the organizations with the weakest information security programs.
In general, the first step in preparing for ransomware attacks is ensuring that you have a well-rounded and effective information security program in place. Specific to ransomware, ensure that your incident response plan contains policies and processes that address ransomware attacks, and that it includes communication plans and templates. The incident response team should agree in advance on what level of detail about the incident is appropriate to share with staff, regulators, law enforcement and the public, and on how this information should flow. After conducting numerous incident response table-top exercises with organizations of all types, we at MSI have found that if the response team has not planned its communications in detail in advance, its incident response will be chaotic. Other plan preparation guidance found in the #StopRansomware Guide includes:
- Ensure that your data breach notification procedures adhere to applicable state laws. If you are unsure of your state's notification laws, see: https://www.ncsl.org/technology-and-communication/security-breach-notification-laws
- If your organization holds electronic health information on its network, you may also need to notify the FTC (see: https://www.ftc.gov/legal-library/browse/rules/health-breach-notification-rule) or HHS (see: https://www.hhs.gov/hipaa/for-professionals/breach-notification/index.html). Beyond this guidance, I recommend that your written incident response plan also list any other regulatory or law enforcement agency that must be notified.
- For any personally identifiable information that may have been breached, be prepared to notify the affected individuals or businesses about the type of information exposed, recommended remediation actions and relevant contact information.
- Ensure that the incident response plan, including its communications plans, is reviewed and approved by the CEO in writing, and that these plans are reviewed and understood across the chain of command. Your organization should also regularly review the latest ransomware incident response guidance available online to remain current.
- Ensure that hard copies of the incident response plan are maintained and that an offline version is also available.
Operational preparation guidance found in the #StopRansomware Guide includes:
- Ensure that you maintain and test multiple encrypted backups of critical information, including offline backups.
- Ensure that you maintain and regularly update "golden images" of critical systems: image templates with a preconfigured operating system and associated software applications that can be quickly deployed to rebuild a system such as a virtual machine or server.
- Use infrastructure as code (IaC) to deploy and update cloud resources, and keep backups of the template files offline so that resources can be quickly redeployed. IaC templates should be version controlled, and changes to them should be audited.
- Store applicable source code or executables with offline backups.
- Retain backup hardware for rebuilding systems when rebuilding on the primary system is not preferred.
- Consider using a multi-cloud solution to avoid vendor lock-in for cloud-to-cloud backups, in case all accounts under a single vendor are affected.
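The guide's advice to maintain and test backups is only useful if "test" means something concrete. The following is an added example, not code from the #StopRansomware Guide or from MSI: it records a SHA-256 manifest of a backup set at backup time and then verifies a test restore against that manifest, reporting files that are missing, altered or unexpected. Encrypting the backup itself is left to the backup tool; this script checks the restored plaintext. The directory layout and file contents are constructed inline for the demonstration.

```python
"""Restore-test check for a backup set (example added to this post).

At backup time, build_manifest() records a SHA-256 digest per file.
At restore-test time, verify_restore() compares a restored tree against
that manifest so a "successful" restore that silently dropped or altered
files is caught before an incident, not during one.
"""
from __future__ import annotations

import hashlib
import os
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Hash a file in chunks so large backup members do not load into memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path) -> dict[str, str]:
    """Map each file's path (relative to root, '/'-separated) to its digest."""
    return {
        str(p.relative_to(root)).replace(os.sep, "/"): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def verify_restore(manifest: dict[str, str], restored: Path) -> dict[str, list[str]]:
    """Compare a restored tree with the manifest taken when the backup was made.

    Returns three sorted lists: files absent from the restore, files whose
    content no longer matches, and files present that were never backed up.
    """
    actual = build_manifest(restored)
    return {
        "missing": sorted(set(manifest) - set(actual)),
        "altered": sorted(p for p in manifest if p in actual and actual[p] != manifest[p]),
        "unexpected": sorted(set(actual) - set(manifest)),
    }


def demo() -> dict[str, list[str]]:
    """Constructed scenario: one intact file, one altered, one missing, one stray."""
    with tempfile.TemporaryDirectory() as tmp:
        # The primary system as it looked at backup time (constructed data).
        src = Path(tmp) / "primary"
        (src / "config").mkdir(parents=True)
        (src / "config" / "app.ini").write_text("mode=prod\n")
        (src / "keys.txt").write_text("placeholder\n")
        (src / "data.db").write_bytes(b"\x00" * 1024)
        manifest = build_manifest(src)

        # The tree produced by a restore test: app.ini was altered,
        # data.db never came back, and stray.tmp was not part of the backup.
        restored = Path(tmp) / "restore_test"
        (restored / "config").mkdir(parents=True)
        (restored / "config" / "app.ini").write_text("mode=dev\n")
        (restored / "keys.txt").write_text("placeholder\n")
        (restored / "stray.tmp").write_text("not in manifest\n")
        return verify_restore(manifest, restored)


if __name__ == "__main__":
    print(demo())
```

In practice the manifest would be written alongside each backup copy (including the offline one) and verify_restore run against every scheduled restore test; a non-empty "missing" or "altered" list is the signal that the backup cannot be relied on for recovery.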
As a final preparatory step, your organization should implement a zero trust architecture for your network (see https://www.cisa.gov/zero-trust-maturity-model). Zero trust is a collection of concepts and ideas designed to minimize uncertainty in enforcing accurate, least-privilege, per-request access decisions in information systems and services, on the assumption that the network itself is compromised. The goal is to prevent unauthorized access to data and services and to make access control enforcement as granular as possible.
Implementing these processes and controls will bring your organization up to date with current best practices for preparing to deal with ransomware attacks. In my next blog, I will outline the measures found in the #StopRansomware Guide for preventing and mitigating ransomware incidents.