Sustaining IT resiliency in the face of a ransomware attack

April 19, 2021
Determining whether your network is free from residual ransomware post-attack is extremely difficult

Ransomware has been challenging enterprise IT teams for years. Today's remote working world, and its reliance on online services, has set the stage for a new evolution of ransomware attacks that are both more harmful and more common. Preventing ransomware from ever happening is an impossible task; the real challenge is balancing business agility and sustained resilience against increasingly strict controls. It is the difference between trying to prevent a plane crash from ever happening and trying to make plane crashes more survivable: the first is impossible, the second is today's reality.

Below I’ve listed a few practices that can help your business sustain resiliency in the face of a ransomware attack:

Automate and Segment Backups Offline

Resiliency in the face of a ransomware attack can mean many things: augmenting internal teams with Managed Detection and Response, improving network segmentation, automating Disaster Recovery testing and validation, deploying deception technology, and isolating data domains, for example. However, one of the first steps to surviving a ransomware attack is ensuring that your backups are safe to restore and that your network has been deemed free of residual ransomware. Keep backed-up data offline as much as possible: finding your backups ransomed is entirely preventable and does not require a nightmarish technical solution. The question of whether the network is free of ransomware is a harder one.

Determining whether your network is free from residual ransomware post-attack is extremely difficult, so it is better to start now on segmentation and on automation for restoration. I'm frequently surprised at how many IT shops lack even the most basic automation for these situations. The fastest way to ensure an impacted machine is clear of residuals is to wipe it and rebuild from scratch, and that is only practical at scale if the rebuild is automated.
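One concrete way to make "are these backups safe to restore?" an automated check rather than a judgment call is to record a hash manifest of the backup set and keep a MAC over that manifest with a key that lives only on the offline side. The following is an added Python example written for this page, not the author's or Gigamon's code. It assumes the manifest key is held in the offline vault and never on the backup server, so an attacker who encrypts the backup files and rewrites the manifest still cannot produce a valid MAC. The sample backup contents, the ransom note name and the "wrong key" forgery are constructed for the demonstration.

```python
import hashlib
import hmac
import json
import os
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(backup_dir: Path, key: bytes) -> dict:
    """Hash every file in the backup set and MAC the listing with the offline key."""
    files = {}
    for p in sorted(backup_dir.rglob("*")):
        if p.is_file():
            files[p.relative_to(backup_dir).as_posix()] = sha256_file(p)
    body = json.dumps(files, sort_keys=True).encode()
    return {"files": files, "mac": hmac.new(key, body, "sha256").hexdigest()}


def verify_backup(backup_dir: Path, manifest: dict, key: bytes) -> dict:
    """Check the manifest MAC first; only then compare the files against it."""
    body = json.dumps(manifest["files"], sort_keys=True).encode()
    expected = hmac.new(key, body, "sha256").hexdigest()
    result = {"manifest_ok": hmac.compare_digest(expected, manifest["mac"]),
              "modified": [], "missing": [], "unexpected": []}
    if not result["manifest_ok"]:
        return result  # the manifest itself was tampered with; its hashes are worthless
    present = {p.relative_to(backup_dir).as_posix()
               for p in backup_dir.rglob("*") if p.is_file()}
    for rel, digest in manifest["files"].items():
        if rel not in present:
            result["missing"].append(rel)        # deleted or renamed (e.g. to .locked)
        elif sha256_file(backup_dir / rel) != digest:
            result["modified"].append(rel)       # overwritten, typically with ciphertext
    result["unexpected"] = sorted(present - set(manifest["files"]))  # e.g. ransom notes
    return result


def safe_to_restore(result: dict) -> bool:
    return result["manifest_ok"] and not (
        result["modified"] or result["missing"] or result["unexpected"])


def demo():
    """Constructed scenario: clean backup, then a ransomware event, then a forged manifest."""
    key = os.urandom(32)  # assumption: held only in the offline vault
    with tempfile.TemporaryDirectory() as tmp:
        backup = Path(tmp) / "backup"
        (backup / "db").mkdir(parents=True)
        (backup / "db" / "customers.sql").write_text("INSERT INTO customers VALUES (1, 'alice');\n")
        (backup / "config.yaml").write_text("retention_days: 30\n")
        manifest = build_manifest(backup, key)
        clean = verify_backup(backup, manifest, key)

        # Simulated ransomware on the backup host: encrypt one file, drop a note.
        (backup / "db" / "customers.sql").write_bytes(os.urandom(512))
        (backup / "README_DECRYPT.txt").write_text("pay us\n")
        tampered = verify_backup(backup, manifest, key)

        # Attacker rebuilds the manifest to match the encrypted files, but lacks the key.
        forged = build_manifest(backup, b"not-the-real-key")
        forged_result = verify_backup(backup, forged, key)
        return clean, tampered, forged_result


if __name__ == "__main__":
    for label, r in zip(("clean", "tampered", "forged"), demo()):
        print(label, "safe_to_restore =", safe_to_restore(r), r)
```

Run the verification from the restore side, reading the manifest from the offline copy, before any file is copied back. The three outcomes to act on are distinct: a failed MAC means the manifest is untrustworthy, modified or missing files mean the backup set was ransomed, and unexpected files are usually ransom notes or renamed ciphertext.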

Adapt to Work-From-Home Risk Model and Help Employees Stay Alert

It is sometimes suggested that work-from-home employees are somehow capable of newer, more severe damage. I don't think this is true, but the work-from-home environment does expand the overall attack surface and adds unknowns that need to be factored into the overall risk model.

There is a blurring of work rigor and home relaxation in remote working environments to be aware of. Even as I write this, I'm cognizant of the fact that I'm wearing a monogrammed button-up shirt with gray sweatpants. There is reason to believe that this comfort can translate to carelessness relatively easily, which in turn might increase the success rate of a cyber-attack. At the same time, fewer machines are sitting on the corporate network over VPN, so in some cases a largely remote workforce may actually slow the lateral movement of ransomware.

Whether you're working from home or in the office, employees will always find a way to bring exciting new disasters. While COVID-19 caught a lot of companies off guard, the general concepts of zero trust are more important now than ever. From the standpoint of good security practice, it shouldn't matter where our employees are. We should adapt to the risk posed by each user, lowering or raising the trust we extend based on observed behavior: an unmanaged device, a missing MFA step or a login from an impossible location should reduce what a session is allowed to do, while a long record of clean behavior can earn some of it back.
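The "downtrust or uptrust based on behavior" idea is easiest to see as a small policy evaluator. The following is an added Python example written for this page, not code from the author or Gigamon, and the signals, weights and thresholds in it are illustrative assumptions rather than any product's policy. It scores a request from device posture, MFA, recent failed logins and an impossible-travel check against the user's last login, grants a capped reduction for sustained clean behavior, and applies hard floors for the most sensitive resources that no earned trust can override. The users, coordinates and timestamps are constructed.

```python
import math
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional


@dataclass
class AccessRequest:
    user: str
    resource_sensitivity: int  # 1 = low ... 3 = high (backup console, domain admin)
    device_managed: bool       # corporate device with EDR and current patches
    mfa_passed: bool
    lat: float
    lon: float
    ts: datetime


@dataclass
class UserHistory:
    last_lat: Optional[float] = None
    last_lon: Optional[float] = None
    last_ts: Optional[datetime] = None
    failed_logins_24h: int = 0
    clean_days: int = 0  # consecutive days without a risk event; this earns "uptrust"


def haversine_km(lat1, lon1, lat2, lon2) -> float:
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi, dlam = math.radians(lat2 - lat1), math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(a))


def risk_score(req: AccessRequest, hist: UserHistory) -> int:
    score = 0
    if not req.device_managed:
        score += 40
    if not req.mfa_passed:
        score += 30
    score += min(hist.failed_logins_24h * 5, 25)
    if hist.last_ts is not None:
        hours = (req.ts - hist.last_ts).total_seconds() / 3600
        km = haversine_km(hist.last_lat, hist.last_lon, req.lat, req.lon)
        if hours > 0 and km / hours > 900:  # faster than an airliner: impossible travel
            score += 50
    score -= min(hist.clean_days, 30)       # uptrust for clean behaviour, capped
    return max(score, 0)


def decide(req: AccessRequest, hist: UserHistory) -> str:
    # Hard floors for the most sensitive resources; earned trust never overrides these.
    if req.resource_sensitivity == 3 and not req.mfa_passed:
        return "step-up"
    if req.resource_sensitivity == 3 and not req.device_managed:
        return "deny"
    score = risk_score(req, hist)
    limit = {1: 40, 2: 30, 3: 20}[req.resource_sensitivity]  # stricter as sensitivity rises
    if score < limit:
        return "allow"
    if score < 70:
        return "step-up"
    return "deny"


def demo() -> dict:
    """Constructed scenarios; returns {scenario: decision}."""
    now = datetime(2021, 4, 19, 9, 0, tzinfo=timezone.utc)
    london, new_york = (51.5074, -0.1278), (40.7128, -74.0060)
    cases = {
        "office_regular": (AccessRequest("alice", 2, True, True, *london, now),
                           UserHistory(*london, now - timedelta(days=1), clean_days=20)),
        "unmanaged_first_day": (AccessRequest("bob", 1, False, True, *london, now),
                                UserHistory()),
        "unmanaged_30_clean_days": (AccessRequest("bob", 1, False, True, *london, now),
                                    UserHistory(clean_days=30)),
        "impossible_travel": (AccessRequest("alice", 2, True, True, *new_york, now),
                              UserHistory(*london, now - timedelta(hours=1), failed_logins_24h=5)),
        "backup_console_no_mfa": (AccessRequest("alice", 3, True, False, *london, now),
                                  UserHistory(*london, now - timedelta(days=1), clean_days=30)),
    }
    return {name: decide(req, hist) for name, (req, hist) in cases.items()}


if __name__ == "__main__":
    for name, decision in demo().items():
        print(f"{name:28s} -> {decision}")
```

The two things worth copying from this are the hard floors and the cap on uptrust: a user's clean history should be able to smooth friction for low-sensitivity resources, but it must never be the thing that lets an unmanaged device or an MFA-less session reach the backup console.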

Build Employee Skill Set Through Awareness-Based Training

Most security training problems stem from mismatched expectations of employees. When people board a plane, the flight crew tells them where the emergency exits are, how to put on the life vest and how to find the nearest exit. Nobody expects them to land the plane. Yet in typical awareness training we are constantly trying to teach people to spot highly sophisticated attack scenarios and comply with complex policy frameworks. Awareness is really a win when it develops a dialogue, generates security champions in the business or provides practical skills.

Phishing simulation is a great example of the skills-based style, and companies that run it correctly see click-through rates fall substantially. For developing dialogue and building champions, teams should run frequent, tailored internal training and use the same time to review any suspicious emails employees have reported. Although this is more time-consuming, it is a great way to get people thinking about security and to build trust with the business.

Maintain Strong Visibility Across IoT Devices

IoT complicates ransomware response because responders are under intense pressure to understand the environment, and working across thousands of IoT devices muddies the water in really difficult ways. Visibility therefore remains a key requirement for understanding the security of your network, even though establishing asset counts and baseline behavior can rapidly become a herculean task. These devices also make hiding easier, introduce new vulnerabilities into the network and give attackers new ways to live off the land.

Full traffic visibility, especially of DNS, is an absolute mandate if you are going to allow IoT devices on your network. Without seeing all the bits, north-south and east-west, you are a sitting duck. Remember that exposure to a threat is a function of how long it takes to detect it and how long it takes to respond to it. If you can't see the threat, you will never detect it, and the time to detect becomes unbounded. Infinity is the enemy of security.
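DNS is the cheapest place to put the IoT baseline the section calls for, because a camera or badge reader resolves a tiny, stable set of names and almost any compromise changes that set. The following is an added Python example written for this page, not the author's or Gigamon's detection logic. It assumes a simple one-query-per-line log of the form "<ISO-8601 timestamp> <source IP> <queried name>", builds a per-device set of registered domains from a known-good period, and then flags three deviations in a later window: a domain the device has never resolved, a long high-entropy label of the kind domain-generation algorithms produce, and a per-minute query burst. The device addresses, domain names (all under .example) and thresholds are constructed for the demonstration; the entropy and burst thresholds are assumptions to tune, not published values.

```python
import math
import re
from collections import Counter, defaultdict
from datetime import datetime

# Assumed log format, one query per line: "<ISO-8601 timestamp> <source IP> <queried name>".
LOG_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)$")


def parse(lines):
    records = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        ts, src, qname = m.groups()
        ts = datetime.fromisoformat(ts.replace("Z", "+00:00"))
        records.append((ts, src, qname.rstrip(".").lower()))
    return records


def registered_domain(qname: str) -> str:
    # Crude: last two labels. A real deployment would consult the public suffix list.
    return ".".join(qname.split(".")[-2:])


def shannon_entropy(s: str) -> float:
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def build_baseline(records):
    """Per-device set of registered domains seen during a known-good period."""
    baseline = defaultdict(set)
    for _, src, qname in records:
        baseline[src].add(registered_domain(qname))
    return dict(baseline)


def detect(records, baseline, entropy_threshold=3.8, min_label_len=12, burst_per_minute=20):
    alerts, seen = [], set()
    per_minute = Counter()
    for ts, src, qname in records:
        dom = registered_domain(qname)
        if dom not in baseline.get(src, set()) and (src, "new_domain", dom) not in seen:
            seen.add((src, "new_domain", dom))
            alerts.append((src, "new_domain", qname))
        label = qname.split(".")[0]
        if (len(label) >= min_label_len and shannon_entropy(label) >= entropy_threshold
                and (src, "high_entropy_label", qname) not in seen):
            seen.add((src, "high_entropy_label", qname))
            alerts.append((src, "high_entropy_label", qname))
        per_minute[(src, ts.replace(second=0, microsecond=0))] += 1
    for (src, minute), n in per_minute.items():
        if n > burst_per_minute:
            alerts.append((src, "query_burst",
                           f"{n} queries in the minute starting {minute.isoformat()}"))
    return alerts


# Constructed known-good traffic from two cameras (abbreviated; a real baseline spans days).
BASELINE_LOG = [
    "2021-04-12T03:00:01Z 10.20.0.15 api.cam-vendor.example",
    "2021-04-12T03:00:02Z 10.20.0.15 time.ntp.example",
    "2021-04-13T03:00:01Z 10.20.0.15 fw.cam-vendor.example",
    "2021-04-12T03:10:00Z 10.20.0.16 api.cam-vendor.example",
    "2021-04-12T03:10:01Z 10.20.0.16 time.ntp.example",
]


def constructed_window():
    """Constructed detection window: one healthy camera, one that has been compromised."""
    lines = [
        "2021-04-19T02:00:00Z 10.20.0.15 api.cam-vendor.example",   # normal
        "2021-04-19T02:00:05Z 10.20.0.16 dc01.corp.example",        # camera looking for a DC
        "2021-04-19T02:00:06Z 10.20.0.16 xk7p2q9zl3mw4tb.example",  # DGA-looking name
    ]
    # Beaconing: 30 lookups of one generated name inside a single minute.
    lines += [f"2021-04-19T02:01:{i:02d}Z 10.20.0.16 j8hq3vz5nr1yc0d.example" for i in range(30)]
    return lines


def run_demo():
    baseline = build_baseline(parse(BASELINE_LOG))
    return detect(parse(constructed_window()), baseline)


if __name__ == "__main__":
    for src, kind, detail in run_demo():
        print(f"{src} {kind:20s} {detail}")
```

The point of the per-device baseline is that it needs no threat intelligence: a camera resolving a domain controller is suspicious regardless of whether the name is "known bad". East-west lookups like that one are exactly what a north-south-only DNS feed would miss.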

Leverage Technology to Detect and Respond Quickly

Tools such as deception technology can be used to lure ransomware attacks away from valid targets. Organizations that are still building the foundation of their cybersecurity programs, however, would be better off spending the time on solidifying Disaster Recovery practices, engaging a Managed Detection and Response service to speed up response, or hardening their Active Directory. For those that already have a solid program, deception is a good option to look at. Looking forward, it will be interesting to see how deception technology fares in the work-from-home world, since much of it is designed for the corporate network. Decoys may still pay off against automated attacks, but a hands-on-keyboard attacker could well spot more decoys than real machines and recognize the deception. Other approaches combine deception with tarpits or cloned environments. Again, the aim is to slow attackers down rather than go for full blocking.
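The simplest deception that pays off against ransomware specifically is a canary file: a decoy document on a share that no legitimate process should ever write to, checked on a short timer so that the first encryption of a decoy triggers isolation of the host. The following is an added Python example written for this page, not the author's or any vendor's code. It assumes the decoy names are chosen to sort first and last in a directory listing (most ransomware walks directories in order), that the caller supplies the isolation hook (an EDR API call or a switch-port disable in practice), and the simulated encrypt-and-rename is constructed for the demonstration.

```python
import hashlib
import os
import tempfile
from pathlib import Path

# Decoy names chosen to sort first and last in a listing so an encryptor reaches
# them early. Assumption for this example; pick names that fit the share's real content.
CANARY_NAMES = ["00_Finance_Q1_budget.xlsx", "zz_old_passwords.docx"]


def _digest(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()


def plant_canaries(share_root: Path) -> dict:
    """Write decoy files nobody should touch; return {path: sha256} as the baseline."""
    baseline = {}
    for name in CANARY_NAMES:
        p = share_root / name
        # Plausible filler so the file is not obviously a decoy on inspection.
        p.write_bytes(b"Confidential - do not distribute\n" * 64)
        baseline[str(p)] = _digest(p)
    return baseline


def check_canaries(baseline: dict) -> list:
    """Return [(path, reason)] for every decoy that has changed since planting."""
    tampered = []
    for path, expected in baseline.items():
        p = Path(path)
        if not p.exists():
            tampered.append((path, "missing"))    # deleted or renamed (e.g. to .locked)
        elif _digest(p) != expected:
            tampered.append((path, "modified"))   # overwritten in place with ciphertext
    return tampered


def respond(tampered: list, isolate_host, host: str) -> list:
    """On any canary hit, call the caller-supplied isolation hook exactly once."""
    actions = []
    if tampered:
        isolate_host(host)
        actions.append(f"isolated {host} after {len(tampered)} canary hit(s)")
    return actions


def demo():
    """Constructed scenario: plant decoys, confirm clean, simulate ransomware, respond."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        baseline = plant_canaries(root)
        clean = check_canaries(baseline)

        # Simulated encryptor: overwrite the first decoy in place, rename the second.
        first, second = (root / n for n in CANARY_NAMES)
        first.write_bytes(os.urandom(4096))
        second.rename(str(second) + ".locked")

        tampered = check_canaries(baseline)
        isolated = []                      # stands in for an EDR "isolate host" call
        actions = respond(tampered, isolated.append, host="fileserver01")
        return clean, tampered, actions, isolated


if __name__ == "__main__":
    clean, tampered, actions, isolated = demo()
    print("clean check:", clean)
    print("tampered:", tampered)
    print("actions:", actions)
```

Run the check every few seconds from a process that is not itself on the share, or from a file-change notification, and treat a single hit as a confirmed event: unlike a signature, a canary that changes has no benign explanation, which is what makes it safe to wire directly to an automated, reversible response such as host isolation.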

Among the many lessons learned from this pandemic, a resilience-based framework at the foundation of IT strategy has been deemed a necessity across all industries. The real challenge is putting it into practice and determining what teams tactically need to feel fully equipped. Ransomware will likely never cease to exist, but the more education and awareness we build as a community, the more we can reduce our vulnerability to even the most sophisticated attacks.

About the author: Jack Hamm is the CISO and VP of Infrastructure at Gigamon. Jack manages the Gigamon internal security team — responsible for security operations, security architecture and incident response. He is a hands-on, seasoned operations manager with a focus on quality and process improvement.