There are two people in a wood, and they run into a bear. The first person gets down on his knees to pray; the second person starts lacing up his boots. The first person asks the second person, “My dear friend, what are you doing? You can’t outrun a bear.” To which the second person responds, “I don’t have to. I only have to outrun you.” — “The Imitation Game”
ICYMI, a ransomware attack hit a major US pipeline last weekend, leading to a shutdown in operations that has lasted several days. Colonial Pipeline will remain shut down for an unknown amount of time, as the organization is “developing a ‘system restart’ plan” in real time. Critical infrastructure and pieces of the supply chain (which were already fragile due to the pandemic) continue to be taken down by ransomware attacks, either advertently or inadvertently. This has a number of downstream effects on the supply chain, causing recovery times to grow even bigger as the many companies that these suppliers rely on also attempt to recover.
Ransomware Is Ultimately About Business Disruption
This attack comes on the heels of a crippling year of ransomware attacks across the globe, especially those targeting healthcare organizations. The name of the game: business disruption. Critical infrastructure providers are being targeted by ransomware actors because, when hit with ransomware, they need to choose between indefinite suspension of critical business processes or paying the ransom. Shutting down a crucial resource for an indeterminate amount of time is simply not a sustainable option for a business, and it backs affected providers into a corner, where their only option is to pay up.
What Can You Do About It Right Now?
As the opening quote and the title of this blog suggests, cyber-criminals follow Occam’s razor; they are looking for the easiest way to make money. Even the attackers in this specific incident stated publicly, “our goal is to make money.”
So, as a security professional, what do you need to do right now to lower your risk in the face of future ransomware attacks? You need to outrun the guy next to you.
Here are eight quick wins you can implement right now to limit the impact of a ransomware attack:
- Enforce strong passwords. No password12345 has any business in your organization. Build a password policy that enforces strong passwords by default.
- Check your backups. Make sure you have working backups of data that your organization could not live without. Test whether your backups include what you care about, and test whether they restore successfully. Backups are your last line of defense and are critical.
- Implement multifactor authentication (MFA) that’s easy to use and is ubiquitous. This should front the entry points into your infrastructure, whether that’s a combination of your identity provider (Azure AD, ADFS, Okta, Ping, etc.) and your VPN (Pulse Secure, Cisco AnyConnect, etc.) or otherwise. This avoids the issue of stolen log-ins/credentials being easily used to siphon data and infect your organization.
- Secure privileged accounts immediately. In most of these attacks, we continue to see that domain administrator accounts or other types of privileged accounts are on almost every endpoint or have permission to access critical applications, giving the attackers an easy way to move laterally. Take inventory of those types of accounts, and remove them where possible. Only give employees local administrative rights when necessary — it should never be by default.
- Update and test your incident response plan. Your response plan needs to include what happens when you inevitably get infected with ransomware and what that subsequent planning is — that should include both your technology and business departments. It also needs to include who you will contact for help when you’re inevitably hit, which could be your MSSP or another incident response organization that you have on retainer.
- Be switched on! Ensure that your endpoint protection and security policies on your endpoints are up to date and enforced and that the protection is turned on and working. We can’t tell you how many times we’ve seen organizations that have things like real-time protection disabled, or the last time they updated their antivirus definitions was weeks ago, or they have cloud protection turned on but it doesn’t work because it can’t get out to the internet. Talk to your endpoint protection vendor and ask them about the appropriate health checks to make sure these products are installed, turned on, and working as expected.
- Make sure that your devices are being patched regularly. Prioritize critical assets like externally facing devices such as VPN concentrators or servers sitting on a DMZ. Ultimately, your organization should be reducing the time that it takes to patch software and operating systems, as monthly patch cycles don’t address how quickly attackers are moving and the remote nature of work.
- Block uncommon attachment types at your email gateways. Your employees shouldn’t be receiving attachments ending in .exe, .scr, .ps1, .vbs, etc. Microsoft actually blocks a number of these by default in Outlook, but you should take a look at your email security solution and ensure that they’re only allowed by exception.
Longer term, we know that the way security systems have evolved isn’t working for the sophisticated nature of the attacks we’ve seen. A closing piece of advice is to focus on moving from a perimeter-based security architecture to one based on Zero Trust to effectively limit lateral movement and contain the blast radius of a multitude of types of attacks, including phishing, malware, supply chain, and so on.