2021 was a breakout year for ransomware, with approximately 37% of global organisations reporting they were the victim of some form of ransomware attack. In 2022, the attacks have become more sophisticated and expensive for organisations, with a greater proportion of these attacks now targeted at Small-to-Medium Sized Enterprises (SMEs).
In this article, Mike Groves and Olly Burnand from S-RM’s Cyber Advisory practice, discuss the questions that all organisations should consider when seeking to determine their level of resilience to ransomware.
Organisations must be proactive and ready to deploy, tune, and integrate a broad range of controls to mitigate the risk of compromise. This means getting the right people, processes, technology, and policies in place and ensuring that they all work seamlessly together.
But even the most secure networks are not immune to compromise. At S-RM we recommend adopting a ‘defence in depth’ approach to ransomware, which means assuming that an attacker will successfully bypass the preventative controls that your organisation has in place, and continuously preparing for a worst-case scenario attack.
"WITH SOME CAREFUL PLANNING AND JUDICIOUS ALLOCATION OF CYBER SECURITY RESOURCES, IT IS POSSIBLE TO SIGNIFICANTLY INCREASE THE MATURITY OF YOUR RANSOMWARE DEFENCES, AND IN DOING SO GREATLY REDUCE YOUR RISK OF COMPROMISE"
Beginning a programme to move your organisation towards a state of ransomware resilience can be a daunting task. But with some careful planning and judicious allocation of cyber security resources, it is possible to significantly increase the maturity of your ransomware defences, and in doing so greatly reduce your risk of compromise.
Here are four questions that we believe every organisation should consider when seeking to answer the question: How resilient are we to ransomware?
1. What does our network look like from the perspective of a ransomware attacker?
During the reconnaissance phase of a ransomware attack, an attacker will seek to identify a way to gain access to your network, and reach a position from which they can deploy ransomware across the entire IT estate. Typical activities during this phase include:
- Scanning your externally-facing IT infrastructure for exploitable vulnerabilities and open ports.
- Searching the web and dark web for leaked credentials permitting access to the IT systems of your organisation.
- Looking for planned or previous attacks on your organisation that are being discussed on notorious dark web communications channels.
- Creating domains that are similar to those of your organisation, so that customers or employees unwittingly navigate to these sites and enter credentials into malicious servers.
It is vital to understand what your network looks like from the perspective of an attacker, or more specifically, to see what information could be gathered about your organisation with no prior knowledge of your network, systems, or security.
S-RM's vulnerability scanning and dark web sweep services provide organisations with a complete picture of what an attacker can see before they launch an attack. These services address the four activities listed above, and include a report summarising what was found and what you can do to mitigate the risks identified.
2. Do we have a plan for responding to a ransomware attack, and have we tested it?
Creating a genuinely useful incident response plan is challenging, and many organisations report not using their plans at all when responding to ransomware attacks. In our experience this is because many organisations see the incident response plan as a compliance 'tick-box', rather than a practical document providing thought-out, concise guidance to help response teams navigate through high-pressure situations with confidence.
Establishing clear roles and responsibilities, formalising simple escalation pathways, and equipping the team with documented guidance are all essential factors of a successful response - so how can we create an incident response plan that is practical?
Here are some key areas to consider:
- The process of creating a response plan is as valuable as having a completed response plan. Creating an incident response plan is a group activity, and not something that should be delegated to an individual or simply outsourced to a consulting practice. Sitting as a group and walking through your organisation’s response to various hypothetical crises will help your employees to understand what would be expected of them in an incident, and to develop the ‘muscle memory’ required for them to think and act decisively when it matters most.
- Exercise at all levels of the business first (Executive, Management, Operational), then document the plan, and then test again. Every level of seniority at the business has its own unique concerns during a ransomware attack.
- Operations must understand how to limit the spread of ransomware quickly, and to escalate incidents to the right decision makers as soon as they become serious.
- Management must be able to make important decisions, such as when to authorise switching critical systems off, or isolating network segments, but they must also know when it is appropriate to escalate to the Executive Committee.
- The Executive Committee are responsible for managing the reputation of the company and external parties’ interests, if the incident becomes public knowledge. This means the media, customers, regulatory authorities, shareholders, and third parties.
- Shorter is better. In the heat of a ransomware incident, nobody has the time or patience to scan through multiple pages to find useful information. If somebody has picked up an incident response plan or playbook, they know what the document is for, so forget the preamble and get straight into the response steps and communications pathways. Keep it concise, and use diagrams to illustrate the steps to take. Have clear escalation criteria to help people understand when it is the right time to escalate an incident to the level of seniority above them. Refer to supporting documents, for example the backup restoration process, and ensure they are easy to find.
S-RM has delivered cyber incident response exercises to a variety of audiences, from FTSE 100 Executive Committees to Security Operations teams in SMEs. We understand how to make exercises credible and engaging, and how to facilitate useful discussion to ensure that lessons are learnt by all participants. Our post-exercise reports are specifically structured to enable you to build genuinely useful response plans and playbooks, and include the option for us to help develop these with you too. We specialise in helping clients develop the muscle memory they need to respond confidently to even the worst case ransomware scenarios, and providing clear guidance to ensure that no key response actions are omitted.
3. Are there gaps in the people, processes, and technology that we have in place to mitigate the risk of ransomware attacks?
The set of controls to prevent, detect, analyse, contain, eradicate, and recover from ransomware attacks can be broadly categorised into six domains:
- Controls to prevent ransomware delivery (Email Security, USB Control, Web Filtering, Intrusion Detection/Prevention, Firewalls)
- Controls to prevent ransomware execution (Endpoint Detection and Response/Anti Virus, Vulnerability Management)
- Controls to prevent ransomware spreading (Network Segmentation, Security Information and Events Management)
- Backups and service resilience (Data backups, backup restoration, IT System redundancy/service failover)
- Incident response capability (Exercising, plans, playbooks, forensics, third party support)
- Training and awareness (Information Security, Phishing campaigns, Incident escalation/reporting).
Gaps in the controls in any one of these domains could become the root cause of a ransomware incident. S-RM's Ransomware Readiness Assessment provides clients with a report that enables them to view the maturity of their controls across all of these domains in one place. The report also provides recommendations for improvement, and organises them into a 12 month costed roadmap. This enables organisations to allocate their budgets and resources effectively and reach their target state of ransomware resilience.
4. Where should we focus our attention to raise our resilience?
When beginning a programme to move towards ransomware resilience, there are many places at which you could start. Cyber security teams are notoriously under-funded and overstretched, and the NIST 800-53 Cyber Security and ISO27001 frameworks both contain over 110 mitigating controls each. So how do you know which to address first? The prioritisation of cyber security controls is not easy. It requires accepting that not everything can be achieved overnight, and also that true progress takes a lot longer than you might expect. It then takes experience and careful analysis to identify those controls that provide the greatest cost-benefit returns in reducing risk.
"THE PRIORITISATION OF CYBER SECURITY CONTROLS IS NOT EASY. IT REQUIRES ACCEPTING THAT NOT EVERYTHING CAN BE ACHIEVED OVERNIGHT, AND ALSO THAT TRUE PROGRESS TAKES A LOT LONGER THAN YOU MIGHT EXPECT"
To help you get started, the first step should always be to define your minimum viable company (MVC). That is, the bare minimum of data and services that you require as an organisation to appear functional to the outside world. To identify your minimum viable company, think through answers to the following questions:
- Which of our applications have the lowest acceptable downtime? That is, if all of your applications stopped functioning, which would have the greatest impact on your business first?
- Which of our data requires the strongest protection? That is, if all of your data was rendered unavailable, which assets would you need to recover first to continue operating as a business?
- What are the IT systems hosting these applications and data (that's endpoints, servers, and network devices)?
Once you have a clear picture of the IT systems which keep your MVC functioning, you can enforce robust controls to protect them from compromise, and prepare measures to enable their recovery even during the worst case scenario incidents. In the final analysis, if you are able to weather a ransomware storm without suffering significant impact to critical operations, then how much damage can attackers really inflict?
5. One final test
Having answered the other four questions in this article, you can now see if a penetration tester, thinking like a real ransomware attacker, is able to find any gaps in your security. Taken together, these steps will then provide you with an evidence-backed answer to the question: how resilient are we to ransomware?
If you are interested in discussing any of S-RM’s ransomware resilience services outlined in this article, please contact our Cyber Advisory team.