The JRTF (the U.S. Joint Ransomware Task Force) published the #StopRansomware Guide, and we share a few of its best practices in this article. To read the full guide: #StopRansomware Guide
The use of ransomware is continuously rising, and attackers are adjusting their techniques to become more destructive. We have recently seen the use of the “double extortion” technique, where attackers encrypt their victim’s data and also exfiltrate it, so that a ransom can be demanded for both.
The impact of these ransomware attacks goes beyond the economic cost of the ransom itself and includes both:
- The organization’s inability to access necessary data to operate.
- Reputational damage to the organization.
The JRTF (The U.S. Joint Ransomware Task Force) issued a guide “#StopRansomware Guide” which includes two parts:
- Part 1: Best practices to avoid ransomware and data extortion.
- Part 2: Response checklist for ransomware and data extortion.
In this article we are going to cover a few key points of the guide, focusing on preparation, compromised credentials, MSPs, and general best practices.
> Conserve and store all your critical data backups offline, where it is encrypted and secure.
> Develop, sustain, and regularly test a cyber incident response plan (IRP) and all the associated procedures of communication and notification.
> Deploy a Zero Trust architecture relying on the least privilege. Make sure to be as granular as possible to limit uncertainty by maximizing control and visibility.
Prevent and mitigate
A. Compromised Credentials
> Multi-Factor Authentication: Make sure to implement multi-factor authentication (MFA) for all services and that all users are using it. If possible, deploy password-less MFA that substitutes passwords with other identity verification methods.
> Subscribe to credential monitoring services.
> Implement identity and access management (IAM) solutions: Control and monitor access rights for cloud and on-premises applications with an IAM solution.
> Implement zero trust access control: It is crucial to establish robust access policies that apply a Zero Trust approach, especially when managing resources in the cloud. It is achieved by restricting both user-to-resource and resource-to-resource access.
> Modify the default administrator usernames and passwords to improve security.
> Avoid using root access accounts for operational purposes: Follow a separation-of-responsibilities approach by creating distinct users, groups, and roles.
> Mitigate the risk of unauthorized access by storing passwords in a secured database and using strong hash functions.
> Deactivate the password saving feature in web browsers.
> Use a LAPS (Local Administrator Password Solution) for administrators, so that every host gets a unique, regularly rotated local administrator password.
> Offer all users training on password security.
> Use adequate remote access solutions with restricted Admin Mode.
> Administrator accounts must be used strictly for administrative functions. Privileged accounts should be created on request, granting access only to what the task requires and to no other hosts.
B. Third Parties and Managed Service Providers (MSPs)
Attackers abuse the trusted relationship between your organization and third parties/managed service providers (MSPs) to spread malware and ransomware. They leverage the MSPs’/third parties’ access to reach your organization’s network and sensitive data.
How can you secure your organization from external access risks?
> Ensure that third parties/MSPs maintain high cyber hygiene practices and have robust risk management. Many attacks have been caused by the compromise of third parties/MSPs.
> Enforce the principles of least privilege and separation of duties. Access permissions should be restricted to relevant roles and responsibilities.
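One way to act on this point is a periodic audit of third-party and MSP accounts against a role allow-list. The following is an added example written for this article, not a tool from the JRTF guide: each role is mapped to the permissions it legitimately needs, and the audit reports any account holding permissions outside its role, any third-party account that has been idle beyond a set limit, and any account with an unrecognized role. The account records, role policy and idle-day limit are constructed, illustrative data.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Set

# Constructed role policy: the only permissions each role should ever hold.
ROLE_POLICY: Dict[str, Set[str]] = {
    "helpdesk": {"reset-user-password", "read-tickets"},
    "msp-monitoring": {"read-metrics", "read-logs"},
    "domain-admin": {"manage-domain"},
}


@dataclass
class Account:
    name: str
    owner: str            # organization that owns the account
    third_party: bool     # True for vendor / MSP accounts
    role: str
    permissions: Set[str] = field(default_factory=set)
    idle_days: int = 0    # days since last successful login


@dataclass
class Finding:
    account: str
    issue: str            # "excess-permissions", "stale-third-party" or "unknown-role"
    detail: str


def excess_permissions(account: Account, policy: Dict[str, Set[str]]) -> Set[str]:
    """Permissions the account holds beyond what its role allows (empty if role unknown)."""
    allowed = policy.get(account.role)
    if allowed is None:
        return set()
    return account.permissions - allowed


def audit_accounts(accounts: List[Account], policy: Dict[str, Set[str]],
                   max_third_party_idle_days: int = 30) -> List[Finding]:
    """Run the least-privilege and separation-of-duties checks over all accounts."""
    findings: List[Finding] = []
    for acct in accounts:
        if acct.role not in policy:
            findings.append(Finding(acct.name, "unknown-role", acct.role))
            continue
        extra = excess_permissions(acct, policy)
        if extra:
            findings.append(Finding(acct.name, "excess-permissions", ",".join(sorted(extra))))
        # Third-party access that nobody uses is pure exposure: flag it for removal.
        if acct.third_party and acct.idle_days > max_third_party_idle_days:
            findings.append(Finding(acct.name, "stale-third-party", f"idle {acct.idle_days} days"))
    return findings


# Constructed sample inventory (not real accounts).
SAMPLE_ACCOUNTS = [
    Account("svc-msp-monitor", "AcmeMSP", True, "msp-monitoring",
            {"read-metrics", "read-logs", "manage-domain"}, idle_days=3),
    Account("helpdesk-bob", "internal", False, "helpdesk", {"reset-user-password"}, idle_days=1),
    Account("vendor-old", "OldVendor", True, "msp-monitoring", {"read-logs"}, idle_days=120),
    Account("contractor-x", "SomeVendor", True, "legacy-role", {"read-logs"}, idle_days=2),
]

if __name__ == "__main__":
    for f in audit_accounts(SAMPLE_ACCOUNTS, ROLE_POLICY):
        print(f"{f.account}: {f.issue} ({f.detail})")
```

Running the audit on a schedule, and diffing its output against the previous run, turns the guide’s advice into a repeatable control rather than a one-off review.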
General Best Practices
> Establish a comprehensive asset management by conducting a thorough inventory of all IT assets, identifying critical data and systems, securing asset documentation storage, and maintaining offline backups.
> Enforce the principle of least privilege across all systems and services by limiting access to what is needed for the specific task. Furthermore, conduct audits of remote access, admin accounts, and third-party access on a regular basis.
> Update all hypervisors and associated IT infrastructure.
> Leverage best practices such as ensuring regular data backups and enabling logs on all resources.
> Minimize the risk of remote access by conducting regular audits, monitoring logs, and deploying robust security software.
> Implement a Zero Trust architecture to establish proper network segmentation that separates IT administration from operational technology.
> Centralize log management of network devices, local hosts, and cloud services. Back up the logs and retain them for at least a defined minimum period, especially critical system logs.
> Configure network appliances to identify any suspicious behavior and lateral movement.
> Evaluate processes through regular assessments to ensure both security and usability. This way, users can easily follow the procedures that protect your organization.
To sum up, the #StopRansomware Guide covers a wide range of security aspects to ensure that organizations are both secure and prepared to respond to any ransomware incident. It is clear that today implementing a Zero Trust architecture based on the least privilege concept is crucial to secure your organization from internal and external access. This cannot be done by taking one or two actions; it is a continuous process that includes regular assessments and adapting security measures to cover all aspects of cybersecurity. Furthermore, it is important to consider the usability of the measures to make sure that they can be easily implemented by your users.
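The value of centralized logging and of configuring the network to spot lateral movement becomes concrete once a detection actually runs over the merged log. The following is an added example written for this article, not code from the JRTF guide: it parses a constructed central authentication log (the line format, hostnames and addresses are all made up for the example) and flags any source/user pair that reaches a threshold number of distinct destination hosts inside a short time window, the fan-out pattern that often accompanies an intruder moving between systems before deploying ransomware. Failed attempts are counted too, since an actor probing hosts fails on most of them.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Constructed sample of a centralized authentication log (not real data).
# One line is deliberately malformed to show that unparsable records are skipped, not fatal.
SAMPLE_LOG = """\
2024-05-01T10:00:05Z auth src=10.0.1.5 dst=fileserver01 user=jdoe result=success
2024-05-01T10:00:41Z auth src=10.0.2.7 dst=backup01 user=svc-backup result=success
2024-05-01T10:01:12Z auth src=10.0.1.5 dst=fileserver02 user=jdoe result=success
this line is not an auth record and must be skipped
2024-05-01T10:02:30Z auth src=10.0.1.5 dst=hr-db01 user=jdoe result=failure
2024-05-01T10:03:02Z auth src=10.0.1.5 dst=fileserver01 user=jdoe result=success
2024-05-01T10:04:48Z auth src=10.0.1.5 dst=dc01 user=jdoe result=success
2024-05-01T10:05:10Z auth src=10.0.2.7 dst=backup02 user=svc-backup result=success
2024-05-01T11:30:00Z auth src=10.0.1.5 dst=printserver user=jdoe result=success
"""

# Assumed line format for this example: "<ts> auth src=<ip> dst=<host> user=<name> result=<outcome>".
LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth src=(?P<src>\S+) dst=(?P<dst>\S+) user=(?P<user>\S+) result=(?P<result>\S+)$"
)

Event = Tuple[datetime, str, str, str, str]  # (timestamp, src, user, dst, result)


def parse_auth_log(text: str) -> List[Event]:
    """Parse the log into time-sorted events, skipping lines that do not match the format."""
    events: List[Event] = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m["src"], m["user"], m["dst"], m["result"]))
    events.sort(key=lambda e: e[0])
    return events


def find_fan_out(events: List[Event], window: timedelta = timedelta(minutes=10),
                 threshold: int = 3) -> List[Tuple[str, str, datetime, List[str]]]:
    """Flag each (src, user) that reaches >= threshold distinct hosts within one window.

    Returns (src, user, window_start, sorted destination hosts) for every flagged actor.
    """
    by_actor: Dict[Tuple[str, str], List[Tuple[datetime, str]]] = defaultdict(list)
    for ts, src, user, dst, _result in events:
        by_actor[(src, user)].append((ts, dst))

    alerts = []
    for (src, user), rows in by_actor.items():
        # Slide a window starting at each event and count distinct destinations inside it.
        for i, (t0, _) in enumerate(rows):
            seen = set()
            for t, dst in rows[i:]:
                if t - t0 > window:
                    break
                seen.add(dst)
            if len(seen) >= threshold:
                alerts.append((src, user, t0, sorted(seen)))
                break  # one alert per actor is enough for triage
    return alerts


if __name__ == "__main__":
    for src, user, start, hosts in find_fan_out(parse_auth_log(SAMPLE_LOG)):
        print(f"ALERT {src} as {user} reached {len(hosts)} hosts from {start:%H:%M:%S}: {', '.join(hosts)}")
```

The threshold and window are tuning knobs: service accounts that legitimately touch many hosts (backup, monitoring) belong on an allow-list so the rule stays actionable, and the per-actor "first window that trips" output keeps one noisy actor from flooding the queue.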