Page 7 - FCW, September/October 2020

DIGITAL DIALOGUE
There’s no magic wand that we or anybody else has to reverse the ransomware -- the impact -- once it’s occurred.”
Agencies like CISA can come in and perform analysis on the ransomware so that agencies understand what they’re dealing with. Occasionally, there may be keys out that can help unlock a specific variant, but generally speaking, that’s not going to be the case, Booth said.
However, by concentrating on the time to the left of the boom – before cybercriminals get in – you can reduce the chance of ransomware making it into your infrastructure. Booth said that every agency should be thinking about the following things now to reduce the chances of ransomware infection and improve recovery efforts if the unthinkable happens, including deciding whether or not a ransom will be paid.
The answer to the last point – at least for federal agencies – is typically no. Booth why cyber criminals are more likely to focus on the private sector, as well as state and local governments when they are planning attacks.

BEST PRACTICES
Still, it’s important for every organization to focus on that time to the so-called “left of the boom,” where you can prevent attacks before they happen. Booth was quick to explain that something as simple as employee education can help reduce the number and severity of attacks.
“With ransomware or really any disaster it’s undefined, it’s a hypothetical event. It’s easy to de-prioritize it. It’s not an excuse, but, as with everything in cyber security, we have to consider the human factor,” he said. “Making sure that it’s in their face and more tangible to them as a potential outcome for their organization will increase the likelihood that people pay attention.”
Once you make it to the right side of the “boom” it becomes extremely important to minimize the amount of damage by figuring out which servers and resources have been affected and which data is encrypted. It’s also crucial to make sure that backups are available so an organization can recover quickly, said Rebecca Fitzhugh, principal technologist and director of developer relations at Rubrik, especially since cyber criminals are increasingly focusing on encrypting backups.
“You can do all the right things,” she explained. “You can be running up to the end point protection, you can do user education, you can do everything right, and still get attacked. It’s always going to be coming back to, ‘Can I recover? And how quickly can I recover?’” When a cybercriminal eliminates your last line of defense, you may have to pay the large ransom or rebuild your infrastructure from the ground up – and neither option is good.
Agencies should look for API-driven backup solutions that detect anomalies on backup data, and make sure that backup data is immutable – it is never available in a read/write format and it cannot be overwritten in any shape or form, Fitzhugh said. “Really, the concept of immutability should be baked into your backup architecture to ensure that no security exposure can tamper with your backups. We (also) want to have some sort of mechanism for faster recovery or even automated recovery, where we can revert back to the most recent clean version, whether we use something like an instant recovery upload or file level recovery operations.”
Here are some steps that every agency should be thinking about as ways to proactively reduce the chance of a ransomware attack:
• Creating policies around basic cyber hygiene including regular patching, creating good network segmentation, implementing air gap networks, and avoiding exposed remote desktop protocols (RDP).
• Making sure an agency has the right contract in place to ensure rapid access to backups so downtime is minimized and the mission isn’t interrupted.
• Building and disseminating staffing policies and procedures so employees can be brought in quickly if there is an after-hours incident.
• Creating a playbook for ransomware so that everyone – from legal to external affairs – knows how to respond when there’s an attack.
• Incorporating ransomware response into the agency’s overall disaster recovery plan.
• Practicing and testing the disaster recovery plan so you know exactly what to do when you get hit and how you can quickly recover.