Ransomware


Ransomware attacks have increased not only in frequency but in the dollar amounts demanded to release data. Things are getting worse out there, not better. Attackers are not necessarily targeting you specifically, but you need to be prepared nevertheless. So, what do we do?

BlueKatana recommends that you never pay the ransom. Paying funds the ransomware business and encourages more shady operators to join in, and it does not guarantee that you receive working decryption keys or that stolen data is actually deleted. In our opinion, your best bet is to be prepared for whatever could happen; preparation minimizes your exposure. You should also be able to react quickly, which reduces your downtime and improves your odds of maintaining business continuity. Combined, these steps minimize the impact of what would otherwise be a catastrophic event.

BlueKatana is a big proponent of prevention, detection, and response. Attackers will not only encrypt your data to extort money from your enterprise; they will also steal it first and threaten to sell or publish it on the dark web to maximize their leverage. So your plan needs to include both a way to recover your data and measures that keep these scenarios from happening in the first place. Keep in mind that backups address the encryption half of the problem only; nothing restores data that has already been copied out of your network, which is why prevention and detection matter as much as recovery.

Prepare a Plan

Planning is one of the most important steps in preparedness. It sounds obvious written down here… but it needs to be highlighted: make a plan, and then follow the plan. You will need to identify all your data assets and classify each one as critical or not. If an asset is critical to your business, you need to safeguard it and prevent its loss. You will also need to determine how often each data asset changes; this sets how often you need to take a fresh copy of it, which in practice is a decision about how much recent data you can afford to lose between backups.

You will need to establish protocols for preventing outside access to your data assets and decide how you will safeguard (back up) those assets. Backups come in many formats and on many media; find out which is most convenient for you. Most enterprise backup systems are hybrid, using a mix of physical media and cloud storage, while others are purely physical or purely cloud. Whatever you choose, keep at least one copy where malware running with your production credentials cannot reach it: offline, or on storage that is immutable or write-once for a retention period. Ransomware operators routinely look for backups and delete or encrypt them before they trigger encryption of the live data, and a backup that shares credentials with production is not a backup against them.

Backups play a critical role in your business continuity plan. In the event of a catastrophe, you will rely on them to restore your data and keep the business running.

At any time, you can rest assured that BlueKatana is here to help you plan or execute these steps. We can mentor your team or run the process end-to-end for you. Please contact us for more information.

Back up Critical Data

Once you have planned what needs to be backed up and how often, set up an automated backup. Some tools back up your data during a low-usage window, others continuously. Start running backups as soon as possible. The first backup set can take a long time because nothing has been copied yet; subsequent backups are faster because backup tools copy only what changed since the previous run, minimizing how much is sent to storage.

Backup tools have ways to confirm, verify, and validate that your backups did not fail. Use this functionality, but don't rely blindly on it: a "succeeded" status means the job finished, not that the data it wrote can be restored.

Restore Data Periodically

Backups that are going to fail usually fail at restore time, which is the worst possible moment to find out.

Trust, but verify: follow this principle in everything you do regarding your livelihood. You trust the backup system because its validations and checks say the data was backed up successfully. But verify that your backups will restore without error by actually restoring them periodically. This lets you assess the quality of your backups AND measure the time it takes to reach a fully restored state. Knowing how long a restore takes sets realistic expectations for how long the business will be down while recovering from a disaster.

Run these restore tests at regular intervals. You don't need to restore every backup at once, but you do need to be confident that your backups won't fail on the day you have actually lost your data assets. Restore systems together where it makes sense; for example, an application and its database must be restored together, to a consistent point in time, even if they run on different devices.
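To make the "trust, but verify" step concrete, here is an added example in Python (not BlueKatana's code and not part of the original post). It writes a SHA-256 manifest alongside a backup copy, then performs a test restore into a scratch directory, re-hashes every restored file against the manifest, and times the restore so you can estimate time-to-full-restore. The directory layout, file names, and the plain file-copy "backup" are constructed for the demonstration; a real backup product would replace the copy step, but the manifest-and-rehash check applies to any of them.

```python
"""Added example, not BlueKatana's code: back up a directory tree with a
SHA-256 manifest, then prove the backup restores cleanly by copying it back
into a scratch directory, re-hashing every file and timing the restore.
Paths, file names and the copy-based 'backup' are constructed for the demo."""
import hashlib
import json
import shutil
import tempfile
import time
from pathlib import Path

MANIFEST = "MANIFEST.json"


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def backup(source: Path, dest: Path) -> dict:
    """Copy every file under source into dest and record relpath -> sha256.
    The manifest is what a later restore test compares against."""
    dest.mkdir(parents=True, exist_ok=True)
    manifest = {}
    for p in sorted(source.rglob("*")):
        if p.is_file():
            rel = p.relative_to(source)
            target = dest / rel
            target.parent.mkdir(parents=True, exist_ok=True)
            shutil.copy2(p, target)
            manifest[rel.as_posix()] = sha256_file(p)
    (dest / MANIFEST).write_text(json.dumps(manifest, indent=2, sort_keys=True))
    return manifest


def restore_and_verify(backup_dir: Path, restore_to: Path) -> dict:
    """Restore every file named in the manifest, hash the restored copy and
    report what was missing or corrupt, plus elapsed seconds for the RTO estimate."""
    manifest = json.loads((backup_dir / MANIFEST).read_text())
    start = time.perf_counter()
    missing, corrupt = [], []
    for rel, expected in manifest.items():
        src = backup_dir / rel
        if not src.is_file():
            missing.append(rel)
            continue
        dst = restore_to / rel
        dst.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(src, dst)
        if sha256_file(dst) != expected:  # hash what actually landed on disk
            corrupt.append(rel)
    return {
        "files": len(manifest),
        "missing": missing,
        "corrupt": corrupt,
        "ok": not missing and not corrupt,
        "seconds": round(time.perf_counter() - start, 3),
    }


def demo() -> dict:
    """Constructed scenario: a clean backup restores fine; then one backed-up
    file is altered and another deleted (as bit rot, a partial job or tampering
    would do) and the restore test catches both, even though the original
    backup job itself reported success."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        src, bk, rst = root / "data", root / "backup", root / "restore"
        (src / "db").mkdir(parents=True)
        (src / "db" / "customers.sql").write_text("INSERT INTO customers VALUES (1, 'acme');\n")
        (src / "app.conf").write_text("listen=127.0.0.1:8080\n")
        backup(src, bk)
        clean = restore_and_verify(bk, rst / "first")
        (bk / "app.conf").write_text("listen=0.0.0.0:8080\n")  # silently changed in the backup set
        (bk / "db" / "customers.sql").unlink()                  # silently lost from the backup set
        damaged = restore_and_verify(bk, rst / "second")
        return {"clean": clean, "damaged": damaged}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Keep a copy of the manifest somewhere the backup media cannot modify (signed, or on write-once storage). A manifest that lives only beside the backup can be rewritten together with the data by anyone who is able to alter the backup, which defeats the check.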

Hardware Plan

Evaluate whether you need a minimum number of hardware devices available on standby. You may need several servers, virtual machines, desktops, laptops, etc. This is where keeping older devices after they are decommissioned pays off: they serve as makeshift replacements when your production devices are temporarily unusable or must be held untouched for forensic analysis.

Remember that these standby devices need to run the same versions of all the software you will be restoring from your backups, and they need to be kept patched: a stale standby brought online in a hurry can be re-infected through the same weakness the attackers used the first time. Keeping them current saves time and effort at the critical moment of restoring.

Cloud Plan

Understand how much time it takes to spin up a new instance, and keep a list of all the instances you need. Whenever you update the software on a production instance, update your cloud plan as well so you don't attempt a restore onto an incomplete or mismatched instance.

Some cloud vendors offer the ability to "clone" an instance from a snapshot. This is very helpful because it can potentially let you skip your backup process altogether. Keep in mind that you need access to a "last-known-good" snapshot to clone from: a copy of your device from before it was encrypted and taken for ransom. Two caveats apply. First, attackers often sit inside a network for days or weeks before they trigger encryption, so the most recent unencrypted snapshot may already contain their tooling, accounts, or backdoors; check a clone before it goes back into production rather than assuming "not encrypted" means "not compromised". Second, snapshots that live in the same cloud account as your production systems can be deleted by an attacker who holds your administrator credentials, so copy them to a separate account or enable your provider's deletion protection.

Train Your Staff

So far, we have reviewed what needs to be planned. While planning, and on an ongoing basis, you need to make sure everyone in your enterprise is prepared, aware, and trained against cyberthreats. You can send periodic test-phishing emails to your team to measure their preparedness.

Harden Your Infrastructure

You can keep some threats out of your network by running periodic network penetration tests (pen tests) and configuring your network appliances (firewalls and other network devices) to deny by default, allowing only the authenticated, encrypted sessions you have explicitly authorized. In particular, remote-management services such as RDP should not be reachable directly from the internet; exposed remote access is one of the most common entry points for ransomware operators.

Monitor Your Network

Part of hardening your network is having indicators of compromise to watch for. No protection is 100% effective, so it is critical to have these indicators defined and to check them regularly. Watch for unusual traffic (especially large outbound transfers, which can be data being stolen before the encryption starts), bursts of failed log-in attempts, privilege escalations, mass file renames or modifications, disabled security tools, and deleted backups or shadow copies; any of these can indicate an intrusion in progress. Adding threat intelligence and a 24/7 team of security analysts to review alerts and validate threats means you are far more likely to spot and stop an attack before it's too late.
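As an added example (not part of the original post and not BlueKatana's tooling), the following Python runs two of the indicator checks named above over a handful of constructed syslog-style sshd and sudo lines: a burst of failed log-ins from one source address, a successful log-in from that same address right afterwards, and a sudo-to-root shortly after that log-in. The log format, host name, addresses, and the thresholds (five failures within 60 seconds, escalation within ten minutes) are assumptions for the demonstration; adapt the regular expressions to whatever your log source actually emits.

```python
"""Added example, not BlueKatana's code: indicator-of-compromise checks over
constructed auth-log lines. Log format, thresholds and values are assumptions."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines (syslog-like; not from any real system). 203.0.113.7
# fails five times, then logs in and escalates to root; 192.0.2.15 is normal noise.
# Lines are assumed to be in chronological order, as a log file would be.
SAMPLE_LOG = """\
2024-03-04T02:10:01 fileserver sshd[4411]: Failed password for admin from 203.0.113.7 port 51022 ssh2
2024-03-04T02:10:03 fileserver sshd[4411]: Failed password for admin from 203.0.113.7 port 51023 ssh2
2024-03-04T02:10:04 fileserver sshd[4411]: Failed password for root from 203.0.113.7 port 51024 ssh2
2024-03-04T02:10:06 fileserver sshd[4411]: Failed password for invalid user backup from 203.0.113.7 port 51025 ssh2
2024-03-04T02:10:09 fileserver sshd[4411]: Failed password for admin from 203.0.113.7 port 51026 ssh2
2024-03-04T02:10:12 fileserver sshd[4412]: Accepted password for admin from 203.0.113.7 port 51027 ssh2
2024-03-04T02:11:40 fileserver sudo:    admin : TTY=pts/0 ; PWD=/home/admin ; USER=root ; COMMAND=/usr/sbin/useradd -o -u 0 -g 0 svc_maint
2024-03-04T08:15:22 fileserver sshd[5120]: Failed password for jsmith from 192.0.2.15 port 40001 ssh2
2024-03-04T08:15:30 fileserver sshd[5121]: Accepted password for jsmith from 192.0.2.15 port 40002 ssh2
"""

# Assumed OpenSSH / sudo message shapes; tune these to your own log source.
FAILED = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: Failed \S+ for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)")
ACCEPTED = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: Accepted \S+ for (?P<user>\S+) from (?P<ip>\S+)")
SUDO = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) sudo: +(?P<user>\S+) : .*USER=(?P<target>\S+) ; COMMAND=(?P<cmd>.*)$")


def parse(lines):
    """Turn raw lines into event dicts with a 'kind' and a datetime 'ts'; unknown lines are skipped."""
    events = []
    for line in lines:
        for kind, rx in (("failed", FAILED), ("accepted", ACCEPTED), ("sudo", SUDO)):
            m = rx.match(line)
            if m:
                ev = m.groupdict()
                ev["kind"] = kind
                ev["ts"] = datetime.fromisoformat(ev["ts"])
                events.append(ev)
                break
    return events


def detect(log_text, fail_threshold=5, window=timedelta(seconds=60),
           escalation_window=timedelta(minutes=10)):
    """Return alerts for: a failed-login burst from one address, a successful
    login from an address that was just flagged, and a sudo-to-root from a
    session that originated at a flagged address."""
    alerts = []
    failures = defaultdict(list)  # (host, ip) -> timestamps of recent failures
    flagged = set()               # (host, ip) pairs already alerted on
    last_login = {}               # (host, user) -> (ip, ts) of latest successful login
    for ev in parse(log_text.splitlines()):
        host, ts = ev["host"], ev["ts"]
        if ev["kind"] == "failed":
            key = (host, ev["ip"])
            recent = failures[key]
            recent.append(ts)
            while ts - recent[0] > window:  # slide the window forward
                recent.pop(0)
            if len(recent) >= fail_threshold and key not in flagged:
                flagged.add(key)
                alerts.append({"rule": "brute_force", "host": host, "ip": ev["ip"], "count": len(recent)})
        elif ev["kind"] == "accepted":
            last_login[(host, ev["user"])] = (ev["ip"], ts)
            if (host, ev["ip"]) in flagged:
                alerts.append({"rule": "success_after_brute_force", "host": host,
                               "ip": ev["ip"], "user": ev["user"]})
        elif ev["kind"] == "sudo" and ev["target"] == "root":
            origin = last_login.get((host, ev["user"]))
            if origin and (host, origin[0]) in flagged and ts - origin[1] <= escalation_window:
                alerts.append({"rule": "root_escalation_from_suspicious_session", "host": host,
                               "user": ev["user"], "ip": origin[0], "command": ev["cmd"]})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

The value of chaining the checks is in the third alert: a single failed-login burst is routine internet noise, but a burst followed by a success and then a root escalation on the same host is the kind of sequence an analyst should be paged for. In production this logic would consume a log stream (or sit in your SIEM as correlation rules) rather than a string constant.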

Know What To Do and Avoid

Test your teams on reporting suspicious files, behavior, and so on. Your staff should know how to report any detected malware to your technical team, so that the right steps are taken to contain the issue as far as possible. Your escalation list should also include your Managed Service Provider or Managed Security Service Provider, your cyber insurer, law enforcement, and your corporate attorney if you believe data was exposed. Make sure staff know what to avoid as well: isolate an affected machine from the network rather than wiping or rebuilding it before it has been imaged, since the evidence on it matters for the investigation, and do not contact or negotiate with the attackers on your own.

Having a breach response program in place ahead of time gives you immediate access to the guidance and expertise you need at this critical moment.