CISA's Ransomware Guide Takeaways

Ransomware has become more common in the past year with the hackers constantly changing tactics, such as moving from infecting backups to deleting them altogether and evolving ransomware variants. Also, the monetary value of ransoms has increased, sometimes in excess of $1 million.

This raises the bar on traditional breaches from mostly reputational risk with moderate financial impact to layer on operational disruptions and extended recovery times. This makes for a really, really bad week, month, or quarter depending on the degree of preparation in place.

To help combat these threats, on September 30, a ransomware guide was released by CISA (Cybersecurity & Infrastructure Security Agency) and MS-ISAC (Multi-State Information Sharing & Analysis Center).

Here are 5 takeaways from this guide on how to protect your systems from ransomware.

1. Manage backups, images and software: Maintain offline backups that are encrypted and regularly test your backups by restoring files. The offline backups are important because many ransomware variants search for any accessible backups.

Also, have images on hand of any key systems, such as critical servers (operating systems and files) and applications in case they need to be rebuilt. If rebuilding the system is not an option, have backup hardware that is as close as possible to the current versions. Any newer or older systems may be incompatible with your current images and cause additional headaches onto that really bad day.

2. Configurations: Misconfigurations have recently become a primary contributor to breaches per the 2020 Verizon Data Breach Investigations Report. This is a favorite delivery method of the hackers. Here’s your checklist:

• Scan and regularly remediate When we are talking remediation, we are looking at critical vulns remediated ASAP/ fewer than 30 days from detection, highs within 30 days, so on and so forth. A scan with an identified vuln does not mitigate any risk whatsoever.
• Patch and update software, including operating systems to the latest available versions. Yes, those with Windows 7 still hanging around…those gotta go. Either upgrade or make a plan and layer on the extended support from Microsoft. We know you can’t eat the entire elephant in one sitting, so prioritize and get that momentum built. Start with those web facing and work your way in.
• Work with your team on appropriately configuring Remote Desktop Protocol (RDP) – Transmission Control Protocol (TCP) Port 3389. These remote connections are a way for hackers to get a foot in the door and use that access to distribute ransomware. Close any unused RDP ports, enforce account lockouts and apply multi-factor authentication. (Here’s a guide from CISA: https://us-cert.cisa.gov/ncas/alerts/aa20-073a.)
• Work with your team to update required versions of Server Message Block (SMB) or disable it where it is not needed. If SMB is required, Upgrade to the most current version, such as SMBv3 along with SMB signing. If it is not required, disable it. Consider blocking all versions of SMB from being externally accessible as well. Consult the guide and your IT expert on how best to do so. 

3. Keep your Antivirus (AV)/anti-malware up to date. As straightforward as it sounds, it’s important to monitor your AV status and respond to any alerts. Ensure it is installed on all devices and configured to automatically update. Also, make sure your network monitoring is set to alert and block any ransomware deployment.

4. Third Party Risk Management is key. Many institutions rely heavily on third parties to manage their IT environment. The hackers use these relationships as a way to get their foot in the door, so review their internal practices, policies and procedures. Keep in mind, the ownership is ultimately on the institution to make sure their own practices, policies and procedures are implemented appropriately even if it is the responsibility of the third party to execute.

5. Best Practices and Hardening Guidance. Research and put in place, to the extent possible, the hardening and best practices for your systems. These include MFA for all services possible, granting access to the minimum necessary permissions and using strong passwords. (Here is the guidance from CISA on passwords: https://us-cert.cisa.gov/ncas/tips/ST04-002.)

If you need help determining how to manage these risks, driving progress to remediate your systems, or have any questions, please contact us as support@bedelsecurity.com.

Additional Resources:

The Virtual CISO Whitepaper
https://www.bedelsecurity.com/the-virtual-ciso-whitepaper

5 Key Ransomware Controls
https://www.bedelsecurity.com/blog/5-key-ransomware-controls