Ben's Book of the Month: Review of "Ransomware Protection Playbook"

Posted on by Ben Rothke

In the history of information security, there are countless stories of highly sophisticated attacks, and perhaps the most famous is Stuxnet. The full story is detailed in Kim Zetter’s masterpiece, Countdown to Zero Day: Stuxnet and the Launch of the World’s First Digital Weapon. It included hacking of a digital certificate authority, penetration of the Natanz enrichment facility, and more.


Also, there are many lowly sophisticated attacks in the history of information security, with ransomware being numbered there. Ransomware is a severe threat to any organization, and it is launching havoc and causing significant damage to organizations across every industry. The danger and threat of ransomware are such that every organization needs to have plans to deal with the prevention, mitigation, and, if required, recovery from ransomware.


As 2021 is coming to a close, one is hard-pressed to go a week this year without reading of major organizations suffering from a ransomware attack. While Colonial Pipeline and Travelex made headline news, countless other attacks affected hospitals, manufacturing, and more that caused devastating losses. Ransomware is a threat such that if a firm does not have a plan to deal with it, it is somewhat remiss derelict in its duties to its customers and stockholders.


Early phishing attacks were easy to identify, including blatant spelling and grammatical errors, given the obvious mistakes. But like phishing, ransomware authors have learned from their early mistakes and are using techniques that are becoming more sophisticated. One thing that is lost on many organizations is that even if they have ransomware insurance to pay for the ransom, the cost of the recovery operation from ransomware can be 10 to 15 times more than the ransom, according to Gartner.


In Ransomware Protection Playbook (Wiley), author Roger Grimes has written a highly tactical and practical guide to help organizations deal with the ransomware threat. Light on theory and heavy on tactical details, this book is a go-to guide on how to deal with the scourge known as ransomware.


Many organizations think they can be protected against ransomware via their firewalls, web security gateways, or endpoint antivirus. But Grimes writes that out of all the ransomware he has tested over the past two years, an antivirus program detected only a single specimen as malicious.


The only way to effectively deal with the issue is by having a ransomware response plan, which the book shows how to do. As a subpart of an incident response plan, the ransomware response plan will work most effectively if tested in advance. In the heat of an active ransomware attack, responders must know what they are tasked to do and have the experience garnered via previous drills.


A large part of the need for a program to deal with ransomware is that even if a firm does everything right in trying to prevent it, there is nothing it can do to guarantee it won’t be a victim. By having a plan to deal with it in the event of an attack, they will be enormously more prepared.


For those that are victims, the response comes down to the choice of paying the ransom or not. And there are numerous factors, which the book details, that must be considered when deciding to pay or not. The decision to pay or not will end up creating a distinctly different set of actions moving forward.


When it comes to ransomware, Gartner recommends that security and risk management leaders responsible for endpoint and network security must get ready for ransomware attacks by constructing a pre-incident preparation strategy that includes backup, asset management, and the restriction of user privileges and by determining whether the organization is ultimately prepared to pay a ransom or not. Build post-incident response procedures by training staff and scheduling regular drills. While Gartner does not mention the Ransomware Protection Playbook by name, this is an excellent guide to put its advice into action.


In the NFL, a team’s playbook is something that is to be guarded and not shared. When it comes to ransomware, this is a playbook that you want every member of your information security team to have, know, and share.

Ben Rothke

Senior Information Security Manager, Tapad

Analytics Intelligence & Response

incident response ransomware

Blogs posted to the website are intended for educational purposes only and do not replace independent professional judgment.  Statements of fact and opinions expressed are those of the blog author individually and, unless expressly stated to the contrary, are not the opinion or position of RSA® Conference, RSA Security LLC or any other co-sponsors. RSA Conference does not endorse or approve, and assumes no responsibility for, the content, accuracy or completeness of the information presented in this blog.

Share With Your Community