Amid all the seemingly unending stories about successful ransomware attacks – even my hometown of Middletown, N.J. is among the most recent to fall victim – there are reasons to feel optimistic.
Just in the past several weeks, the internet community united to compile a list of vulnerabilities most commonly used by ransomware attackers to gain initial access. The U.S. Department of Justice indicted two alleged members of the notorious REvil ransomware gang, on the heels of a White House-led summit of more than 30 countries to address the threat, while the BlackMatter ring said it was closing up shop following pressure from law enforcement.
When security operations teams aren’t relying on Twitter or authorities to rein in the bad guys, they should still be taking steps to keep their adversaries at bay. A ransomware strategy, among other things, should include the proactive identification of critical network shares – so that you can isolate and reduce the impact if an incident occurs – and the use of threat intelligence to inform and enrich investigations.
And arguably the most frequently implemented part of a ransomware response plan is ensuring backups are in place. However, backups are not in and of themselves a silver bullet, and they require appropriate oversight. Here are three things your SecOps team should be doing in regard to your backups:
Ensure that the disaster recovery/business continuity team understands and documents what files, folders, snapshots and configurations are backed up, and where to. While a single copy might suffice for certain localized IT faults, it likely will not for malicious targeting by ransomware. You must maintain a secondary copy offline.
Before you restore your systems from backup and get up and running, you will want to have previously modeled the maximum amount of time between the ransomware event and the recovery (RTO), as well as the maximum amount of data you stand to lose due to how often backups are created (RPO).
Determine what dependencies exist between your recovery strategy and the tactical implementation of restoring from backups. For example, be sure you know the scale and scope of the backups; the bandwidth between the recovery site and the backups; and what applications, credentials, keys and directory authentication are necessary for a full restoration in the presence of malicious actors running untrammeled through your network.
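The three points above can be turned into a repeatable check that a SecOps team runs against its backup inventory: does every critical share have an offline copy, is that copy fresh enough for the RPO, and can it be pulled back over the available bandwidth inside the RTO. The script below is an added example written for this post, not code from Siemplify or the original article; the share names, sizes, timestamps, bandwidth and RTO/RPO targets are constructed values for illustration.

```python
"""Backup readiness check against RTO/RPO targets (added example, constructed data)."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass
class Backup:
    share: str            # critical network share this copy protects
    taken_at: datetime    # when the copy/snapshot completed
    size_gb: float        # data that must be pulled back on a full restore
    offline: bool         # True if the copy is offline/immutable (unreachable from the network)


# Constructed "current time" so the example is deterministic offline.
NOW = datetime(2021, 11, 15, 12, 0, tzinfo=timezone.utc)

# Constructed inventory: "finance" and "hr" have online and offline copies,
# "engineering" has only an online copy reachable from the production network.
INVENTORY = [
    Backup("finance", NOW - timedelta(hours=6), 400.0, offline=False),
    Backup("finance", NOW - timedelta(hours=30), 400.0, offline=True),
    Backup("hr", NOW - timedelta(hours=2), 120.0, offline=False),
    Backup("hr", NOW - timedelta(hours=20), 120.0, offline=True),
    Backup("engineering", NOW - timedelta(hours=1), 2000.0, offline=False),
]


def restore_hours(size_gb: float, bandwidth_mbps: float) -> float:
    """Hours needed to move size_gb over a bandwidth_mbps link (1 GB = 8000 Mb)."""
    return size_gb * 8000 / bandwidth_mbps / 3600


def assess(inventory, rpo_hours, rto_hours, bandwidth_mbps, now=NOW):
    """Return {share: [findings]}; an empty list means the share meets the plan.

    Only offline copies count for ransomware, since an online copy reachable
    from the compromised network may be encrypted or deleted along with the data.
    """
    findings = {}
    for share in sorted({b.share for b in inventory}):
        issues = []
        offline = [b for b in inventory if b.share == share and b.offline]
        if not offline:
            issues.append("no offline copy")
        else:
            newest = max(offline, key=lambda b: b.taken_at)
            age = (now - newest.taken_at).total_seconds() / 3600
            if age > rpo_hours:
                issues.append(f"offline copy is {age:.0f}h old, RPO is {rpo_hours}h")
            hours = restore_hours(newest.size_gb, bandwidth_mbps)
            if hours > rto_hours:
                issues.append(f"restore needs {hours:.1f}h at {bandwidth_mbps} Mbps, RTO is {rto_hours}h")
        findings[share] = issues
    return findings


def total_restore_hours(inventory, bandwidth_mbps):
    """Serial restore time for the newest offline copy of every share over one shared link."""
    newest = {}
    for b in inventory:
        if b.offline and (b.share not in newest or b.taken_at > newest[b.share].taken_at):
            newest[b.share] = b
    return sum(restore_hours(b.size_gb, bandwidth_mbps) for b in newest.values())


if __name__ == "__main__":
    # Hypothetical targets: 24h RPO, 4h RTO, 1 Gbps link from the recovery site to the backups.
    for share, issues in assess(INVENTORY, rpo_hours=24, rto_hours=4, bandwidth_mbps=1000).items():
        print(f"{share}: {'OK' if not issues else '; '.join(issues)}")
    print(f"serial restore of all offline copies: {total_restore_hours(INVENTORY, 1000):.1f}h")
```

The per-share checks catch the gaps the post describes (a share with no offline copy, an offline copy older than the RPO), while `total_restore_hours` is the figure to compare with the RTO when every share has to come back over the same link, which is the usual case after a network-wide incident.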
For a complete guide to ransomware response, created by security operations professionals for security operations professionals, download this new free Siemplify e-book.
Dan Kaplan is director of content at Siemplify.