The Executive’s Guide To Mitigating The Ransomware Threat
This post, produced with inputs from real world cybersecurity practitioners Matt Devost, Bob Flores, Junaid Islam and Bob Gourley, provides information for Corporate Board of Directors and the CEO. In our experience, the guidance provided here can mitigate the existential risks of a ransomware infection to a low level.
This is the second part of our special series on Ransomware. The first provided an update on the nature of the threat, including an anatomy of a modern attack.
The cybersecurity community has an extensive body of knowledge of lessons learned and best practices that can be applied directly to any organization that wants to leverage these insights. This defensive ecosystem, when used appropriately, can mitigate the risks by the most active criminal ecosystem.
This point leads to the single most important action a CEO can take to mitigate the threat of ransomware: Decide that your organization will leverage the power of the cybersecurity community and its extensive lessons learned in mitigating cyber risks like ransomware.
Do not think you are in this fight alone.
It takes both policy and technical controls to mitigate this threat. Our list of the most critical lessons in both is presented below.
Corporate Policy and Process
Every business is different. So community lessons learned have to be contextualized before implementing. That said, there are policy and process lessons so significant they are almost totally universal.
- Governance: Every organization large or small should have a cybersecurity governance program in place, including use of a comprehensive cybersecurity framework. Our favorite is the NIST cybersecurity framework. It is designed to be comprehensive and understandable and tailorable to any level of the organization. This critical step will provide a foundation of security that makes it much harder on adversaries.
- Senior Executive Awareness: This is critical to a continuously improving program. Can be improved by a focused threat intelligence capability and periodic, scenario-based tabletop style exercises.
- Out Of Band/Encrypted Communications: Executives, the IT team and security team need a communications plan in place that will allow for coordination before, during and after incidents. This is called Out of Band because it should not be in the same system that adversaries may compromise (we recommend Wickr). Remember the adversary is watching to see what you know and what your next move is.
- Incident Response: Ensure the entire team knows what to do when ransomware is first spotted, including who should get notified, and ensure your tech team knows the right guidance. The ransomware response plan should be well thought out and build on lessons of others, which includes steps like isolating infected computers and networks, and not turning off computers unless they cannot be isolated. All organizations should have a plan for communication with adversaries (we recommend via expert negotiators).
- Testing, Scanning, Penetration Testing and Red Teaming: The most important metrics are whether an organization can keep an adversary from planting malware like ransomware. Testing will help evaluate that and will help the security team continually improve.
- Stay Informed and Engaged: Adversaries change their tools, tactics and techniques. Defensive measures need to change as well. Staying informed on the threat and staying engaged with the cybersecurity community will help ensure future ransomware threats are mitigated.
- Third Parties: Adversaries exploit trusted relationships with third parties. Be sure third parties have security policies that meet the standards of the NIST cybersecurity framework.
Technical Controls and Configurations
This list that follows is built for the technical executive: the CIO, CTO, CISO or enterprise network expert. It is certainly good for CEOs to review this guidance since ultimate responsibility for thwarting ransomware rests in that position, but in most cases the CEO should review these with the right technical leaders who will really implement these actions.
- Patching: It is really shocking how many key enterprise systems are not patched in the average modern enterprise. Managers should sit down with IT professionals and review with them the patch level of key systems that run business applications and control user accounts. And settings for automated patching and scanning for updates should be reviewed. No leader should have to wait for a ransomware attack to learn that a poor patch management process is in place.
- Backups: Large enterprises have many types of data located in many different places. Cloud transition and modernization efforts are generally positive for getting data architectures under control, but those take long times to implement. Guidance should be given to all program managers and IT staff to ensure all data is backed up now, securely, offline. Critical applications should have a special backup of the operating system and application code called a “Gold Disk” to ensure it is recoverable fast. Tests of recovery of backups should be done. This is hard, but important. It will save you.
- Network Segmentation: Network segmentation slows malware spreading. Networks should be designed into logical segments (business units or departmental resources or geographies). This will help contain the impact of any intrusion affecting the organization and prevent or limit lateral movement of bad actors and malware both. Note: Network segmentation can be rendered ineffective if it is breached through user error or non adherence to organizational policies, like connecting removable storage media or other devices to segments. It is also a best practice to disable protocols not needed in the network since malware uses these to communicate internally (ask the network team about the Server Message Block (SMB) protocol since this is frequently used to move malware).
- External DNS Lookups: Every organization should use a professionally managed DNS (Domain Name System) that blocks malicious code from communicating (such as Quad9). Some next generation firewall/web gateways may also have services like this, but to be effective they must use updated intelligence feeds, so check to ensure true DNS firewall using threat intelligence is in place.
- Filter malicious attachments and content: Using professionally managed email services (AWS, Google, Microsoft) enables high end filters that look for malicious code in incoming email and files. Enterprise email gateways and web application gateways can also be configured to slow the spread of malicious code and block connection to malicious command and control.
- Use Standards to Stop Email Spoofing: Lower the chance of having anyone fall for spoofed or modified emails from valid domains by implementing globally-accepted domain-based message authentication, reporting, and conformance (DMARC). This reduces the chance that spam or phishing emails will trick employees.
- Use Multi-Factor Authentication (MFA): Implementing multi-factor authentication, something organizations should already be embarking on, goes a long way to slowing the spread of malware. Besides implementing MFA on internal accounts, make sure it is implemented on VPNs, webmail and any other account that needs a log in, including third party vendor accounts and SaaS accounts. Use of password managers is also a positive step.
- Harden Account Management and LAN Control: Enterprises use a tool called a Domain Controller (DC) to set policies on who is authorized to use the network and which computers they can access. Hardening the DC using industry guidance can mitigate many avenues adversaries use to get an initial foothold and then spread throughout an organization. The most widely used DC ships as part of Windows Active Directory, but there are also Linux versions frequently in use. Ensure DNS on DC is configured using best practices to make it harder for any unauthorized client to update their records in DNS zones (Depending on the enterprise configuration, this may be where to configure DNS to leverage a managed DNS firewall for external lookups).
- Account and Access: Apply the principle of least privilege to all systems and services and restrict user permissions to install and run software applications. Limit the ability of a local administrator account to log in from a local interactive session (e.g., “Deny access to this computer from the network.”) and prevent access via remote sessions (RDP session). Remove unnecessary accounts and groups and restrict root access. Control and limit local administration. Make use of the Protected Users security group in Active Directory (on Windows domains) to further secure privileged user accounts against pass-the-hash attacks. Audit user accounts regularly, particularly remote monitoring and management accounts. This includes audits of third-party access given to MSPs or other service providers.
- AntiVirus: Ensure use of antivirus and anti-malware software on all servers and end user devices. Many ransomware issues come after other malware opens a path for the ransomware.
- Allowlisting: Execute application directory allow listing through Microsoft Software Restriction Policy or AppLocker.
- Restrict usage of PowerShell (the cross-platform command-line shell and scripting language that is a component of Windows). Threat actors use PowerShell to deploy ransomware. Good people use it to manage the infrastructure. Updating PowerShell to version 5.0 or later and uninstalling all earlier PowerShell versions will help lock this down by enabling better control of who uses it and enabling logging.
- Cloud Configuration: Ensure cloud environments like Microsoft 365 are configured using best practices and security settings. Microsoft, Google and Amazon all provide configuration guides that walk through the details here.
Every organization should leverage the power of the cybersecurity community and its extensive lessons learned in mitigating cyber risks like ransomware. We know of no other approach that will work in mitigating this threat.
Cybersecurity Sensemaking: Strategic intelligence to inform your decisionmaking
The OODA leadership and analysts have decades of experience in understanding and mitigating cybersecurity threats and apply this real world practitioner knowledge in our research and reporting. This page on the site is a repository of the best of our actionable research as well as a news stream of our daily reporting on cybersecurity threats and mitigation measures. See: OODA Cybersecurity Sensemaking
From Solar Sunrise to Solar Winds: The Questionable Value of Two Decades of Cybersecurity Advice
While the Ware Report of 1970 codified the foundations of the computer security discipline, it was the President’s Commission on Critical Infrastructure Protection report of 1997 that expanded those requirements into recommendations for both discrete entities as well as the nascent communities that were growing in and around the Internet. Subsequent events that were the result of ignoring that advice in turn led to the creation of more reports, assessments, and studies that reiterate what was said before. If everyone agrees on what we should do, why do we seem incapable of doing it? Alternately, if we are doing what we have been told to do, and have not reduced the risks we face, are we asking people to do the wrong things? See: From Solar Sunrise to Solar Winds: The Questionable Value of Two Decades of Cybersecurity Advice
If SolarWinds Is a Wake-Up Call, Who’s Really Listening?
As the U.S. government parses through the Solar Winds software supply chain breach, many questions still remain as to the motive, the entities targeted, and length of time suspected nation state attackers remained intrenched unseen by the victims. The attack stands at the apex of similar breaches in not only the breadth of organizations compromised (~18,000), but how the attack was executed. See: If SolarWinds Is a Wake-Up Call, Who’s Really Listening?
Executive Level Action In Response to Ongoing Massive Attacks Leveraging Microsoft Vulnerabilities
This post provides executive level context and some recommendations regarding a large attack exploiting Microsoft Exchange, a system many enterprises use for mail, contact management, calendar/scheduling and some basic identity management functions. This attack is so large and damaging it is almost pushing the recent Solar Winds attacks off the headlines. Keep in mind that till this point, the Solar Winds attack was being called the biggest hack in history. So this is a signal that the damage from this one will also be huge. See: Executive Level Action In Response to Ongoing Massive Attacks Leveraging Microsoft Vulnerabilities