Ransomware Armor: From Recovery to Implementation
Cyber attackers are constantly looking for a way into your critical IT infrastructure. Whether via an email phishing attack or a mistaken download of malware, it takes merely seconds to open the doors to a breach. Data is then compromised and may be exfiltrated, encrypted, held hostage, or corrupted, leading to demands made by the attacker.
An attack brings many debilitating factors and after-effects. The work required to put a solid protection and recovery plan in place, although complex and involved, carries far less impact and repercussion than a reactive approach.
Resilience vs. Security
Organizational resilience can be broken down into three parts.
- First, resilience requires prior preparation to understand priorities, risks, and strategies.
- Second, resilience takes into account agility and monitoring, allowing an organization to avoid or respond to risks as they become apparent.
- Third, resilience means being strong and empowered, with the ability to recover quickly from negative impacts and adverse effects commonly called “disasters.”
Professional resilience keeps business processes moving forward per pre-established priorities, which include maintaining operational awareness and executing strategies, while also assuring that capabilities are in place to bounce back when adversity strikes. Resilience involves a set of methodologies and practices for preparing, protecting, and recovering.
To be secure is to be fixed, in place, safe, or free from danger. Because business information and processes are critical, detailed, and confidential, it is vital to keep assets and methodologies as secure as possible. The moment information defenses show weakness, your business data is at risk of being shared, without warning, with people who will use it to their own benefit.
You want your company, along with its structure, employees, processes, and end results to run smoothly and be successful. It is the combination of these two practices, security and resilience, that gives businesses the ability to prepare for and defend against cyberattacks.
Data is Power
Data acts like corporate currency, and protecting it has become the focus of today’s Cyber and Operational Resilience programs. Traditional Business Continuity and Disaster Recovery plans don’t provide the capabilities required to recover from a cyber-attack. The fundamentals for recovery exist in those plans; however, they must account for the more encompassing business disruptions caused by a ransomware event.
A ransomware recovery plan must focus on end-to-end business services (the value chain), rather than on the critical ‘business process’ focus found in the traditional BC/DR approach.
Weak Points Allow for Attack
Ransomware resilience begins with the identification of potential attack points (causes) within the environment. Maintaining security patch levels and application versions for desktops and servers, and storage and backup systems, is critical in preventing attacks. The complex ecosystems and sophisticated infrastructure of businesses today require both detection and prevention applications, such as SlashNext, to add additional protection.
Today’s employees are experiencing cybersecurity burnout. Daily reminder messages received both at work and at home create desensitization and laxity in safe practices. Security personnel need creative means to maintain attentiveness and awareness within the organization. Phishing campaigns aren’t enough anymore.
A Safe Place is Key
Once an attack occurs, communication is pivotal to recovery and minimization of impact. Employees, customers, vendors, shareholders, media, government agencies, and law enforcement must be informed with succinct communications regarding the suspected attack source, its impacts, and the actions being taken to both minimize damage and execute recovery.
Recovery depends on knowing the critical business services, their data dependencies, and the order in which services and associated data must be restored. Identifying and isolating the impacted systems prevents the spread of the attack. Having a ‘safe’ area for recovery is one of the most important keys to success. Restoring systems and data from a known and trusted backup (point-in-time) into the safe area, and being able to clean out any remnants of the attacker’s malicious code, is the foundation and starting point for recovering critical business services.
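The two planning steps this paragraph describes, ordering the restore by data dependencies and choosing a trusted point-in-time, can be made concrete. The following is an added example written for this article, not code from the article or from Cayuse. All service names, snapshot ids, timestamps and contents are constructed, and it assumes that each backup’s SHA-256 was recorded in an offline or write-once ledger at backup time, so that a snapshot altered afterwards can be recognised and skipped.

```python
"""Restoration-order planning for ransomware recovery (added example).

Constructed example, not from the original article. It shows two steps the
text describes: ordering the restore of critical services by their data
dependencies, and picking the most recent backup whose content hash still
matches the hash recorded at backup time (a trusted point-in-time).
All service names, snapshot ids, timestamps and hashes are constructed.
"""
import hashlib
from collections import deque
from dataclasses import dataclass

# Constructed dependency map: service -> services that must be restored first.
SERVICE_DEPENDENCIES = {
    "order-api": {"order-db", "identity"},
    "order-db": {"storage-backend"},
    "identity": {"directory", "storage-backend"},
    "directory": set(),
    "storage-backend": set(),
    "reporting": {"order-db"},
}


def restoration_order(deps):
    """Kahn's algorithm: return services in an order where every dependency
    is restored before the service that needs it. Raises ValueError if the
    map contains a cycle, which would make an unattended restore impossible."""
    nodes = set(deps) | {d for ds in deps.values() for d in ds}
    indegree = {n: 0 for n in nodes}
    dependents = {n: set() for n in nodes}
    for svc, needs in deps.items():
        for need in needs:
            indegree[svc] += 1
            dependents[need].add(svc)
    # sorted() gives deterministic output among independent services
    ready = deque(sorted(n for n in nodes if indegree[n] == 0))
    order = []
    while ready:
        n = ready.popleft()
        order.append(n)
        for dep in sorted(dependents[n]):
            indegree[dep] -= 1
            if indegree[dep] == 0:
                ready.append(dep)
    if len(order) != len(nodes):
        raise ValueError("dependency cycle: " + ", ".join(sorted(nodes - set(order))))
    return order


@dataclass
class Snapshot:
    snapshot_id: str
    taken_at: str            # ISO timestamp (constructed)
    content: bytes           # stored backup payload (constructed stand-in)
    recorded_sha256: str     # hash written to an offline/WORM ledger at backup time


def _sha256(data):
    return hashlib.sha256(data).hexdigest()


def trusted_point_in_time(snapshots):
    """Return the newest snapshot whose current content hash matches the
    hash recorded when it was taken. A mismatch means the stored backup
    changed after it was written, which is how a tampered or encrypted
    backup presents; such snapshots are skipped. Returns None if none match."""
    for snap in sorted(snapshots, key=lambda s: s.taken_at, reverse=True):
        if _sha256(snap.content) == snap.recorded_sha256:
            return snap
    return None


# Constructed backup catalog for one service. The newest snapshot's ledger
# entry was recorded for "orders v3", but the stored bytes changed afterwards.
ORDER_DB_SNAPSHOTS = [
    Snapshot("snap-001", "2000-01-10T02:00:00Z", b"orders v1", _sha256(b"orders v1")),
    Snapshot("snap-002", "2000-01-11T02:00:00Z", b"orders v2", _sha256(b"orders v2")),
    Snapshot("snap-003", "2000-01-12T02:00:00Z", b"ENCRYPTED", _sha256(b"orders v3")),
]


if __name__ == "__main__":
    for step, service in enumerate(restoration_order(SERVICE_DEPENDENCIES), 1):
        print(f"{step}. restore {service}")
    chosen = trusted_point_in_time(ORDER_DB_SNAPSHOTS)
    print("trusted point-in-time for order-db:", chosen.snapshot_id if chosen else "none")
```

The order printed here restores `directory` and `storage-backend` before `identity` and `order-db`, and `order-api` and `reporting` last; for the constructed catalog the newest snapshot is rejected and `snap-002` is chosen, which is the gap between the recovered point-in-time and the incident that the executive questions below have to weigh.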
Executive decisions come into play when recovery to a safe point-in-time is completed. Key questions must be addressed, such as:
- Can we restart operations at the recovered point-in-time?
- What is the impact to the business and our loss if restarting now?
- Can we manually recover lost transactions between the point-in-time recovery and when the adversity struck?
- What communications are required and what is to be communicated to our various audiences?
- How quickly can we bring our environments back to a production ready state?
Augmenting a traditional Business Continuity/Disaster Recovery Plan to account for ransomware attacks provides beneficial data that helps answer these questions. Ultimately, there isn’t an absolute solution guaranteeing 100% recovery from a ransomware attack; however, the impact can be minimized, both avoiding the costly payment to the attacker and limiting damage to market share and business reputation.
Dealing with cyberattacks needs to be a preventative approach rather than a reactive measure. It involves every aspect of your business. Your IT staff may be aware and diligent; however, if your employees and vendors are unaware of the ways an attack can occur, the precautionary efforts of others are jeopardized. There are several tactics your business can employ to assure protection against, or preparedness for, an attack.
- Active threat hunting and monitoring
- Interactive training for employee awareness of cyberattack sources
- Zero trust and interface reviews with vendor systems
- Auditing of data backup software and appliances for current patch and release levels
- Data encryption and ‘write once read many’ practices
- Good, better, and best account control, management, and password practices
- Maintaining data backup policies to assure alignment with critical business services
- Cyberattack detection through:
  - Endpoint detection and monitoring
  - Network monitoring for abnormal traffic
  - Regular penetration testing
For many businesses, engaging in a partnership with a cyber-resource may prove to be the best preventative measure. Having eyes and ears on the core of your IT infrastructure and the peace of mind knowing that it is being monitored 24/7/365 allows you to focus on the areas requiring your expertise.
Cayuse has the resources that enable our clients to implement proactive initiatives for prevention of and recovery from ransomware. Our team has over 75 years of combined experience with:
- Assessing business and technology risks
- Developing strategies for event monitoring and recovery to minimize impact and loss
- Creating and implementing recovery plans
- Training and testing for personnel response and plan viability
Practice Makes Perfect
It takes just one situation, one negative event to completely challenge, threaten, or change your business. Knowledge is power and preparedness is comfort. Utilize the resources you have available to both educate your staff and protect your business. Having a solid ransomware resilience plan in place requires less energy, effort, and expense than discovering and subsequently recovering from an attack.
The combination of security and resilience is vital in the business world. Employing good practices in the work environment is your biggest and most important measure in protecting against a ransomware attack. There are also partners in the world of cybersecurity and resiliency that can help assure your team is managing its efforts and heading in the right direction.