We're on to the last piece to bring it all together. Again, the goal of this guide is to provide you with a variety of suggestions for hardening your enterprise network against ransomware attacks. In case they were lost in translation somewhere, here are parts 1 and 2.
(Note: You know the drill. Infographic at the top, for ease and accessibility, but I would suggest reading on through the rest of the post too).
Keep your systems updated
A no-brainer, really. Use WSUS, SCCM, LANDesk, Ninite, or similar tooling to keep your systems fully updated. Keep an eye out for every Microsoft Patch Tuesday, and for Adobe security advisories if you use Adobe products and/or Flash. Make sure you're also keeping up with new releases and security bulletins from the other software vendors in your network. "Test, then deploy" should be the IT version of "measure twice, cut once."
What about those of you in critical infrastructure, or running other environments that are nearly impossible to update or patch? You're not off the hook. Keep following the security and update bulletins for the vendors you use in your regulated or air-gapped networks. Pay attention to what bugs were fixed and what vulnerabilities were patched, determine whether they apply to your environment, read up on mitigations and workarounds (if there are any), and plan changes accordingly. If there is no mitigation or workaround for a given issue, keep a running list and run those issues up the change-control tree. In an ideal world you would patch everything; in the real world you mitigate what you can and prioritize patching what you can't mitigate. Until a patch lands, keep a close eye on the affected systems and use your other security controls to at least detect attacks when they happen, and prevent them where possible. Bear in mind that security software is, at the end of the day, still software: researchers keep finding flaws in security products that turn into gaping holes of their own, so keeping your security solutions patched matters just as much.
The Full Disclosure mailing list is a goldmine of information on the latest vulnerabilities, as is Google's Project Zero, among other security research groups. Also consider signing up for email notifications from each of your vendors so you are told when new versions or patches are released for software used in your network.
Patch/Vulnerability Management Points
Follow resources that regularly release security updates
Ensure you're getting bulletins, newsletters, or some other notification from your vendors that makes you aware of new security updates and releases. You might also want to follow the Full Disclosure mailing list, Google's Project Zero, and TippingPoint's Zero Day Initiative, among other sources.
Update applications regularly and/or prioritize patching
Prioritize updating the OS, web browsers, browser plugins, and office applications (MS Office, PDF readers, etc.) as soon as new releases are available. You should be patching all of your applications regularly, but if you have to prioritize, start with applications that interact with the Internet or with things downloaded from the Internet.
Determine mitigation steps when patching isn't an option
Sometimes patching isn't an option (air-gapped networks, critical infrastructure, heavy regulation). Read the patch notes and determine whether the issue being patched affects your enterprise. If it does, see whether a mitigation can be used in lieu of patching; if not, determine the criticality of the issue (e.g. CVSS score and/or mission criticality) and submit change control to patch the issues in order of criticality, as soon as possible.
Be proactive by keeping security solutions and awareness up-to-date
Keep your security solutions up-to-date with the latest detections, definitions, and fixes as well. If you can't patch, you need to at least be able to detect attacks when they happen and remediate as necessary. Be aware that security software is still software and can have vulnerabilities too!
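To make the prioritization above concrete, here is an added example (mine, not code from the original post or from any vendor tool) that triages a set of vendor advisories the way the list describes: drop what isn't in use, put Internet-facing software first, order the rest by CVSS score, and push anything that can't be patched right now into a change-control queue that records its interim mitigation, or the lack of one. The advisories, the vendor names other than Adobe and Microsoft, and the CVSS scores are constructed for the example; in practice they come from your own bulletin feed.

```python
"""Added example: patch triage in the order the post recommends.
Not from the original post; advisory data below is constructed."""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Advisory:
    vendor: str
    product: str
    cvss: float                       # CVSS v3 base score from the bulletin
    in_use: bool                      # product actually deployed in our environment
    internet_facing: bool             # talks to the Internet or opens Internet-sourced files
    patchable_now: bool = True        # False on air-gapped / regulated / frozen systems
    mitigation: Optional[str] = None  # workaround applied while the patch waits on change control


def severity_band(cvss: float) -> str:
    """CVSS v3 qualitative rating bands (None/Low/Medium/High/Critical)."""
    if cvss == 0.0:
        return "None"
    if cvss < 4.0:
        return "Low"
    if cvss < 7.0:
        return "Medium"
    if cvss < 9.0:
        return "High"
    return "Critical"


def triage(advisories: List[Advisory]) -> Tuple[List[Advisory], List[Advisory], List[Advisory]]:
    """Return (patch_now, cannot_patch_yet, not_applicable).

    Both applicable lists are ordered Internet-facing first, then by CVSS descending,
    which is the priority rule from the list above."""
    applicable = [a for a in advisories if a.in_use]
    not_applicable = [a for a in advisories if not a.in_use]
    applicable.sort(key=lambda a: (not a.internet_facing, -a.cvss))
    patch_now = [a for a in applicable if a.patchable_now]
    cannot_patch = [a for a in applicable if not a.patchable_now]
    return patch_now, cannot_patch, not_applicable


def change_control_queue(cannot_patch: List[Advisory]) -> List[str]:
    """One change-request line per unpatchable item, in severity order, noting the
    interim mitigation. Items with none are flagged so they get detection coverage."""
    queue = []
    for a in cannot_patch:
        interim = a.mitigation or "NO MITIGATION - detection/monitoring only until patched"
        queue.append(f"[{severity_band(a.cvss)} {a.cvss}] {a.vendor} {a.product}: interim={interim}")
    return queue


# Constructed sample feed (scores and the Acme/Example/SomeDB vendors are hypothetical).
SAMPLE_ADVISORIES = [
    Advisory("Adobe", "Flash Player", 9.8, True, True),
    Advisory("Microsoft", "Office", 7.8, True, True),
    Advisory("Acme Controls", "PLC firmware", 8.6, True, False, patchable_now=False,
             mitigation="restrict access to the PLC VLAN at the segment firewall"),
    Advisory("Acme Controls", "HMI workstation", 6.5, True, False, patchable_now=False),
    Advisory("Example AV", "Endpoint agent", 7.5, True, False),
    Advisory("SomeDB", "Database server", 5.3, False, False),
]


if __name__ == "__main__":
    patch_now, cannot_patch, skipped = triage(SAMPLE_ADVISORIES)
    print("Patch now (in order):")
    for a in patch_now:
        print(f"  [{severity_band(a.cvss)} {a.cvss}] {a.vendor} {a.product}")
    print("Change control queue:")
    for line in change_control_queue(cannot_patch):
        print("  " + line)
    print("Not applicable:", [a.product for a in skipped])
```

Note that the security agent itself ends up in the patch-now list: it is treated like any other piece of software, which is the point made above about security solutions being software too.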
Proper Backups, Backup Management, and Disaster Recovery
Backups are the one thing you must have in place for a ransomware infection. With good backups, an infection means a few days of downtime, some overtime, and some very tired admins and SOC staff. Without them, it means all of that plus paying the ransom, and nobody wants that.
It's one thing to have a backup scheme in place; it's another to actually restore from the backups and confirm they work. Where feasible, offline backups (magnetic tape, external hard drives, etc.), ideally stored off-site, are your best defense against ransomware. Attackers can't reach backup tapes or drives that sit in a closet on-site or at an off-site storage facility such as Iron Mountain. Backing up to and restoring from online storage (e.g. a NAS or SAN) is faster, but those systems carry the risk of the backups being encrypted as part of the attack, and a dedicated adversary may get into the online backup system and delete the backups before deploying the ransomware. If you are going to use online storage, ensure proper network segmentation and strict access controls on both the backup files and the backup system itself; in particular, the accounts that can write to or delete from the backup store should not be the everyday domain accounts an attacker picks up on a compromised workstation.
Some may be led to believe that the whole fiasco of tape management and online-versus-offline storage can be sidestepped by simply using a cloud backup service (e.g. Amazon Glacier). Commodity ransomware may not be able to easily reach cloud backups, but a dedicated attacker can simply steal the credentials and delete them, not unlike the scenario described for local online backups above. Typically, once a file is deleted from a cloud service it is gone for good, unless the provider's retention features (versioning, MFA-protected delete, or write-once/immutable storage such as Amazon's Glacier Vault Lock) were turned on beforehand, so check whether your provider offers them and enable them. If you use cloud backup services, ensure that only the barest minimum of staff have access to the service, that two-factor authentication is enabled wherever it is available, and that strict access controls are applied.
If you have a disaster recovery environment, or a DR service such as Sungard, you should already be performing disaster recovery exercises to ensure that failover to the DR system succeeds and that mission-critical systems remain functional. Apply strict access controls to the DR environment if it is a hot or warm site; otherwise you run the same risks as with an online backup system: a dedicated attacker can simply attack the DR site and deny you the ability to fail over when you need it most.
As part of the disaster recovery process, visit NoMoreRansom (nomoreransom.org) before resorting to backups or paying the ransom. NoMoreRansom is a collaborative effort between a variety of information security organizations, and its goal is to educate users and organizations on their options for dealing with ransomware infections. The site can attempt to identify which ransomware variant locked your files with a tool called Crypto Sheriff, and if a free decryption tool exists for that variant you can download it from there to try to get your files back.
TL;DR (Please remember -- and actually do -- these things)
Run a backup rotation and scheme
Determine what is best for your environment, run a backup rotation and scheme, and periodically test your backups.
Utilize offline (key word: "offline") backups
When possible, use offline backups, even if "offline backup" means an external hard drive bought from Wal-Mart. It beats nothing. Once a backup is done and testing confirms it is good, make sure it is stored offline! Adversaries can't delete or encrypt what they can't reach over the network.
Ensure secure access control/management
If backing up to a NAS, SAN, or cloud backup solution (i.e. online backups), apply the most secure access control and access management you can to the systems responsible for your backups. Only those responsible for backups should have access, passwords should be stored securely, and two-factor authentication should be used wherever possible.
Run DR (disaster recovery) exercises
If you have the good fortune of having a DR hot or warm site, run DR exercises and ensure failover actually works. Just as with your online backup solutions, ensure that strict access control and access management practices are followed.
Visit NoMoreRansom.org for available decrypter tools
As a last-ditch effort, prior to restoring from backup or paying the demanded ransom, visit NoMoreRansom to see whether a decryptor is available for the ransomware you were hit with.
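Returning to the backup points above ("periodically test your backups" and "online backups can be encrypted or deleted as part of the attack"), here is an added example, not code from the original post, of a restore check: write a SHA-256 manifest when the backup is taken, keep the manifest with the offline copy rather than inside the backup set, and verify the restored set against it. A hash mismatch or a missing file is the authoritative signal; the entropy check is only a hint that a mismatch looks like encryption rather than a legitimate change, and it will also fire on compressed archives, so read it with that in mind. The directory layout, file contents, and ransom note in the demo are constructed.

```python
"""Added example: manifest-based backup verification with a simulated ransomware hit.
Not from the original post; the backup set built in demo() is constructed."""
import hashlib
import json
import math
import os
import tempfile
from pathlib import Path

CHUNK = 1 << 16  # read size for hashing and for the entropy sample


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large backup images do not need to fit in RAM."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def shannon_entropy(data: bytes) -> float:
    """Bits per byte, 0.0 .. 8.0. Encrypted (or compressed) data sits near 8.0."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def write_manifest(backup_dir: Path, manifest_path: Path) -> dict:
    """Record relative path, size and SHA-256 of every file in the backup set.
    The manifest must live outside backup_dir (with the offline copy), so an
    attacker who can rewrite the backups cannot rewrite the manifest too."""
    entries = {}
    for p in sorted(backup_dir.rglob("*")):
        if p.is_file():
            rel = p.relative_to(backup_dir).as_posix()
            entries[rel] = {"sha256": sha256_file(p), "size": p.stat().st_size}
    manifest_path.write_text(json.dumps(entries, indent=2))
    return entries


def verify_backup(backup_dir: Path, manifest_path: Path, entropy_threshold: float = 7.5) -> dict:
    """Compare a (restored) backup set against its manifest.

    missing      - in the manifest, gone from disk (deleted by an attacker?)
    modified     - present but hash differs
    high_entropy - modified AND the content looks random (encrypted?)
    unexpected   - on disk but not in the manifest (ransom notes, dropped tools)"""
    expected = json.loads(manifest_path.read_text())
    report = {"ok": True, "missing": [], "modified": [], "high_entropy": [], "unexpected": []}
    present = {p.relative_to(backup_dir).as_posix() for p in backup_dir.rglob("*") if p.is_file()}
    for rel, meta in expected.items():
        if rel not in present:
            report["missing"].append(rel)
            continue
        path = backup_dir / rel
        if sha256_file(path) != meta["sha256"]:
            report["modified"].append(rel)
            # Hash mismatch plus near-random content is what an encrypted file looks like.
            if shannon_entropy(path.read_bytes()[:CHUNK]) >= entropy_threshold:
                report["high_entropy"].append(rel)
    report["unexpected"] = sorted(present - set(expected))
    report["ok"] = not (report["missing"] or report["modified"] or report["unexpected"])
    return report


def demo() -> tuple:
    """Constructed scenario: take a backup, verify it clean, then simulate ransomware
    encrypting one file, deleting another and dropping a note, and verify again."""
    root = Path(tempfile.mkdtemp())
    backup = root / "backup"
    (backup / "finance").mkdir(parents=True)
    (backup / "finance" / "q1.csv").write_text("date,amount\n2016-01-01,100\n" * 200)
    (backup / "readme.txt").write_text("restore with restore.sh\n")
    manifest = root / "manifest.json"  # kept beside, not inside, the backup set
    write_manifest(backup, manifest)
    clean = verify_backup(backup, manifest)
    # Simulated attack: random bytes stand in for ciphertext, plus a deletion and a note.
    (backup / "finance" / "q1.csv").write_bytes(os.urandom(8192))
    (backup / "readme.txt").unlink()
    (backup / "READ_ME_TO_DECRYPT.txt").write_text("pay 2 BTC\n")
    tampered = verify_backup(backup, manifest)
    return clean, tampered


if __name__ == "__main__":
    before, after = demo()
    print("clean set:", before)
    print("after attack:", after)
```

Run the verification against the copy you actually restored, not against the live backup store: a restore that fails the manifest check tells you the backup was already compromised before you needed it, which is exactly the situation the offline-copy advice above is meant to prevent.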