Ransom(ware) Handbook 2021 – Part 2 – Practical Advice

Posted by Alex Holden

Today, a large part of the dark web black market is driven by ransom and ransomware crime. Yet, when helping companies prepare for or recover from these attacks, I have started to see light at the end of the tunnel. My practical advice is not to give up hope: keep following the basic best practices, and add the techniques below to strengthen your defenses.

Multi-Factor Authentication

Most ransom-driven attacks begin at a remote access point: a VPN, an exposed RDP or remote administration service, or a portal protected by nothing more than a username and password. The single most effective preventive measure is to require more than that password. Multi-factor authentication on every remote entry point, including administrative, vendor and service accounts, discourages most cybercriminals from entering your infrastructure through authenticated access, because the credentials they buy or phish stop being enough on their own. Check that no remote access path was left out: one forgotten VPN appliance or legacy portal without MFA is all the attackers need.

Anti-Virus and EDR Monitoring

Your defenses should work to protect you, but we often see cybercriminals gaining a foothold on the network and bypassing them. A single failure should not turn into a full-scale breach. Most ransomware groups are skilled at bypassing and turning off defenses such as anti-virus, so in addition to monitoring for viruses and malware, monitor the anti-virus and EDR agents themselves: an agent that stops reporting, is disabled, uninstalled or shut down should be treated as a critical event, not a help-desk ticket. And keep your exclusion lists short and very specific. Too often, overzealous administrators exclude entire drives, directory trees or file extensions, which leaves the defenses far less potent and gives an intruder a known place to stage tools.
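As an added example (not code from the original post), the following Python script shows what "treat agent tampering as a critical event" and "audit the exclusion list" look like as detection logic. It runs over constructed event records shaped like Windows Defender operational events, Service Control Manager stop events and Sysmon registry writes; the field names, the placeholder EDR service name "EDRAgent" and the sample exclusion paths are assumptions for illustration.

```python
"""Treat security-agent tampering as a critical event and audit AV exclusions.

Added example, not from the original post. The event records below are
constructed to resemble Windows Event Log entries (Microsoft Defender
operational events, Service Control Manager event 7036, and a registry
write as Sysmon event 13 reports it); field names are assumptions, and
"EDRAgent" stands in for whatever service name your EDR vendor uses.
"""
import re

# Defender operational-log event IDs that mean protection was switched off.
DEFENDER_DISABLE_IDS = {
    5001: "real-time protection disabled",
    5010: "malware scanning disabled",
    5012: "virus scanning disabled",
}
# Services whose stop should page someone (WinDefend/Sense are Defender; EDRAgent is assumed).
AGENT_SERVICES = {"WinDefend", "Sense", "EDRAgent"}
# Registry values that disable Defender when set to 1 (policy keys and the RTP key).
TAMPER_REGISTRY = re.compile(
    r"Windows Defender\\(?:Real-Time Protection\\)?"
    r"(?:DisableAntiSpyware|DisableRealtimeMonitoring|DisableBehaviorMonitoring)$",
    re.IGNORECASE,
)
# Exclusions that carve out a whole drive, an OS/program tree, a Temp folder, or an extension.
BROAD_EXCLUSION = re.compile(
    r"^(?:[A-Z]:\\?$"
    r"|[A-Z]:\\(?:Windows|Program Files|Program Files \(x86\)|Users|ProgramData)\\?$"
    r"|\*\.(?:exe|dll|ps1|bat|vbs|js)$"
    r"|.*\\Temp\\?$)",
    re.IGNORECASE,
)
RISKY_PROCESS_EXCLUSIONS = {
    "powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe", "rundll32.exe", "regsvr32.exe",
}


def detect_tampering(events):
    """Return one critical alert per event that disables or stops a security agent."""
    alerts = []
    for ev in events:
        provider, eid = ev["provider"], ev["event_id"]
        reason = None
        if provider == "Microsoft-Windows-Windows Defender" and eid in DEFENDER_DISABLE_IDS:
            reason = f"Defender event {eid}: {DEFENDER_DISABLE_IDS[eid]}"
        elif (provider == "Service Control Manager" and eid == 7036
              and ev.get("service") in AGENT_SERVICES and ev.get("state") == "stopped"):
            reason = f"security service {ev['service']} entered the stopped state"
        elif (provider == "Microsoft-Windows-Sysmon" and eid == 13
              and TAMPER_REGISTRY.search(ev.get("target", ""))
              and ev.get("details") == "DWORD (0x00000001)"):
            reason = f"registry tamper: {ev['target']} set to 1"
        if reason:
            alerts.append({"host": ev["host"], "severity": "critical", "reason": reason})
    return alerts


def audit_exclusions(path_exclusions, process_exclusions):
    """Return findings for exclusions broad enough to hide a ransomware toolkit."""
    findings = []
    for path in path_exclusions:
        if BROAD_EXCLUSION.match(path.strip()):
            findings.append(f"overly broad path or extension exclusion: {path}")
    for proc in process_exclusions:
        if proc.strip().lower() in RISKY_PROCESS_EXCLUSIONS:
            findings.append(f"script host or LOLBin excluded from scanning: {proc}")
    return findings


# Constructed sample data; not real telemetry.
SAMPLE_EVENTS = [
    {"host": "ws-042", "provider": "Microsoft-Windows-Windows Defender", "event_id": 1116},  # a detection, not tampering
    {"host": "ws-042", "provider": "Microsoft-Windows-Windows Defender", "event_id": 5001},
    {"host": "srv-file01", "provider": "Service Control Manager", "event_id": 7036,
     "service": "Spooler", "state": "stopped"},  # benign service stop
    {"host": "srv-file01", "provider": "Service Control Manager", "event_id": 7036,
     "service": "Sense", "state": "stopped"},
    {"host": "srv-bkp01", "provider": "Microsoft-Windows-Sysmon", "event_id": 13,
     "target": r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware",
     "details": "DWORD (0x00000001)"},
]
SAMPLE_PATH_EXCLUSIONS = [
    r"C:\Program Files\Contoso ERP\cache",     # narrow and specific: acceptable
    r"C:\Windows",                             # whole OS tree
    r"*.exe",                                  # every executable, everywhere
    r"C:\Users\svc_backup\AppData\Local\Temp", # classic staging directory
]
SAMPLE_PROCESS_EXCLUSIONS = ["contoso-erp.exe", "powershell.exe"]

if __name__ == "__main__":
    for alert in detect_tampering(SAMPLE_EVENTS):
        print("ALERT", alert)
    for finding in audit_exclusions(SAMPLE_PATH_EXCLUSIONS, SAMPLE_PROCESS_EXCLUSIONS):
        print("FINDING", finding)
```

In production the events come from your SIEM rather than a list, and the exclusion audit should be fed from the real configuration (for Microsoft Defender, the ExclusionPath, ExclusionProcess and ExclusionExtension values that Get-MpPreference returns) on a schedule, so a newly added broad exclusion is itself an alert rather than something found during the incident review.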

Defend Your Backups

Ransomware is not as scary if you have good backups. But the bad guys know that too. By now they are experts at finding backups and replicas, and they delete, disable or encrypt them before detonating the ransomware. Monitor your backup servers, procedures, coverage and encryption keys, and alert on any unauthorized modification: jobs removed or disabled, retention shortened, immutability turned off, repositories repointed, keys rotated. If you rely on your backups, make monitoring of the backup systems and their configuration a priority, and keep at least one copy that cannot be reached with the same credentials that run the backup jobs.
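One way to turn "alert on any unauthorized modification" into a concrete check, as an added example rather than code from the original post: diff an approved baseline of backup jobs against the current export and flag every change that weakens recovery. The job names, field names and values are constructed and tied to no particular backup product; the baseline is assumed to be stored somewhere the backup administrator credentials cannot rewrite it.

```python
"""Alert on changes to backup jobs of the kind made before a ransomware detonation.

Added example, not from the original post. It diffs an approved baseline
of backup jobs against the current export and flags what intruders do to
backups before encrypting: deleting or disabling jobs, shortening retention,
turning off immutability or the offline copy, rotating encryption keys,
repointing repositories, and dropping hosts from coverage. Job names,
field names and values are constructed and tied to no particular product.
"""
from copy import deepcopy

# Approved configuration, captured at the last review (constructed).
BASELINE = {
    "fileservers": {"enabled": True, "retention_days": 30, "immutable": True, "offline_copy": True,
                    "key_id": "kms-key-2021-03", "repository": "repo-primary",
                    "sources": ["srv-file01", "srv-file02"]},
    "sql": {"enabled": True, "retention_days": 14, "immutable": True, "offline_copy": False,
            "key_id": "kms-key-2021-03", "repository": "repo-primary", "sources": ["srv-sql01"]},
    "dc": {"enabled": True, "retention_days": 30, "immutable": False, "offline_copy": True,
           "key_id": "kms-key-2021-03", "repository": "repo-primary", "sources": ["dc01", "dc02"]},
}


def diff_backup_config(baseline, current):
    """Return (job, severity, message) for every change that weakens recovery."""
    alerts = []
    for name, base in baseline.items():
        cur = current.get(name)
        if cur is None:
            alerts.append((name, "critical", "job deleted"))
            continue
        if base["enabled"] and not cur["enabled"]:
            alerts.append((name, "critical", "job disabled"))
        if cur["retention_days"] < base["retention_days"]:
            alerts.append((name, "critical",
                           f"retention shortened {base['retention_days']} -> {cur['retention_days']} days"))
        if base["immutable"] and not cur["immutable"]:
            alerts.append((name, "critical", "immutability disabled"))
        if base["offline_copy"] and not cur["offline_copy"]:
            alerts.append((name, "critical", "offline copy removed"))
        if cur["key_id"] != base["key_id"]:
            alerts.append((name, "critical", f"encryption key changed to {cur['key_id']}"))
        if cur["repository"] != base["repository"]:
            alerts.append((name, "high", f"repository changed to {cur['repository']}"))
        dropped = sorted(set(base["sources"]) - set(cur["sources"]))
        if dropped:
            alerts.append((name, "high", f"coverage reduced, hosts dropped: {', '.join(dropped)}"))
    # Anything not in the approved baseline is at least worth a look.
    for name in current.keys() - baseline.keys():
        alerts.append((name, "medium", "job not in approved baseline"))
    return alerts


def constructed_current():
    """Today's export, constructed to show the tampering typically seen before an attack."""
    current = deepcopy(BASELINE)
    current["fileservers"]["retention_days"] = 3      # old restore points age out within days
    current["fileservers"]["immutable"] = False       # so the repository can be wiped
    del current["sql"]                                # database backups gone entirely
    current["dc"]["sources"] = ["dc01"]               # second domain controller silently dropped
    current["tmp-export"] = {"enabled": True, "retention_days": 1, "immutable": False,
                             "offline_copy": False, "key_id": "kms-key-2021-03",
                             "repository": "repo-scratch", "sources": ["srv-file01"]}
    return current


if __name__ == "__main__":
    for job, severity, message in diff_backup_config(BASELINE, constructed_current()):
        print(f"[{severity.upper():8}] {job}: {message}")
```

The comparison is only as trustworthy as the baseline: if it lives on the backup server, the same intruder who edits the jobs can edit the baseline to match. Keep it, and the script that runs this diff, on a system the backup service account has no write access to, and run it far more often than the backup cycle so a shortened retention is caught before the old restore points expire.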

Monitoring for Infiltration and Exfiltration

Since our defenses are not perfect, we need to keep improving our monitoring for intrusions. Reactive defenses may not stop the initial incident, but they make you aware of the situation with enough time to respond. Tune your security event monitoring and react quickly. The bad guys know when to strike, and most attacks are preventable if the right security events get proper attention while the intruders are still staging: new remote access, privilege escalation, disabled defenses, reconnaissance of the backups.

With ransom attacks, the central element is data exfiltration: the data is stolen first, and the threat to publish it is the leverage, whether or not anything is encrypted. Most companies lack the ability to detect data being siphoned out of the network, and we must get better at spotting these outbound data streams.
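As an added example of what detecting those outbound data streams can look like (this is not code from the original post), the Python below learns each host's normal daily egress to external addresses from a week of constructed flow records, then scores a new day on two signals: egress far above the host's own baseline, and a large transfer to an external destination the host has never contacted before. Hosts, addresses (drawn from documentation ranges), byte counts and the thresholds are all constructed or assumed and must be tuned per environment.

```python
"""Flag likely data exfiltration from outbound flow records.

Added example, not from the original post. It learns each host's normal
daily egress to external addresses from a week of constructed flow
records, then scores a new day on two signals: egress far above that host's
own baseline, and a large transfer to an external destination the host has
never contacted. Hosts, addresses (documentation ranges) and byte counts
are constructed; thresholds are assumptions to tune per environment.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network
from statistics import median

INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"), ip_network("192.168.0.0/16")]


def is_internal(ip):
    return any(ip_address(ip) in net for net in INTERNAL_NETS)


def egress_by_host_day(flows):
    """Sum bytes from internal sources to external destinations; record destinations per host."""
    totals = defaultdict(int)
    dests = defaultdict(set)
    for f in flows:
        if is_internal(f["src"]) and not is_internal(f["dst"]):
            totals[(f["src"], f["day"])] += f["bytes"]
            dests[f["src"]].add(f["dst"])
    return totals, dests


def build_baseline(history):
    """Per-host median daily egress, plus the external destinations each host already uses."""
    totals, dests = egress_by_host_day(history)
    per_host = defaultdict(list)
    for (host, _day), nbytes in totals.items():
        per_host[host].append(nbytes)
    return {host: median(v) for host, v in per_host.items()}, dests


def detect_exfil(baseline, known_dests, today, ratio=10, min_bytes=500_000_000, new_dest_bytes=100_000_000):
    """Alert on hosts whose egress breaks their own norm, or goes somewhere new in bulk."""
    alerts = []
    totals, _ = egress_by_host_day(today)
    for (host, _day), nbytes in totals.items():
        base = baseline.get(host)
        if base is None:  # a host with no history cannot be compared, so fall back to the absolute floor
            if nbytes >= min_bytes:
                alerts.append({"host": host, "signal": "no_baseline", "bytes": nbytes})
        elif nbytes >= max(min_bytes, ratio * base):
            alerts.append({"host": host, "signal": "volume", "bytes": nbytes,
                           "detail": f"{nbytes / base:.0f}x median daily egress"})
    per_dest = defaultdict(int)
    for f in today:
        if (is_internal(f["src"]) and not is_internal(f["dst"])
                and f["dst"] not in known_dests.get(f["src"], set())):
            per_dest[(f["src"], f["dst"])] += f["bytes"]
    for (host, dst), nbytes in per_dest.items():
        if nbytes >= new_dest_bytes:
            alerts.append({"host": host, "signal": "new_destination", "bytes": nbytes, "detail": dst})
    return alerts


def _flow(src, dst, nbytes, day):
    return {"src": src, "dst": dst, "bytes": nbytes, "day": day}


# A week of ordinary traffic (constructed): a file server syncing to a SaaS, two workstations browsing.
HISTORY = []
for d in range(1, 8):
    day = f"2021-05-{d:02d}"
    HISTORY += [
        _flow("10.0.1.10", "203.0.113.10", 50_000_000, day),   # file server -> SaaS sync
        _flow("10.0.2.42", "198.51.100.5", 20_000_000, day),   # workstation -> web
        _flow("10.0.2.17", "198.51.100.5", 5_000_000, day),    # workstation -> web
        _flow("10.0.2.17", "10.0.5.20", 800_000_000, day),     # internal-only, ignored
    ]

# The day the data walks out (constructed).
TODAY = [
    _flow("10.0.1.10", "203.0.113.10", 12_000_000_000, "2021-05-08"),  # 240x normal, to a known host
    _flow("10.0.2.42", "203.0.113.77", 2_000_000_000, "2021-05-08"),   # 100x normal, to a never-seen host
    _flow("10.0.2.17", "198.51.100.5", 6_000_000, "2021-05-08"),       # ordinary day
    _flow("10.0.2.17", "203.0.113.77", 50_000, "2021-05-08"),          # new host, but tiny: no alert
    _flow("10.0.2.17", "10.0.5.20", 900_000_000, "2021-05-08"),        # internal-only, ignored
]

if __name__ == "__main__":
    baseline, known = build_baseline(HISTORY)
    for alert in detect_exfil(baseline, known, TODAY):
        print(alert)
```

Two design points carry over to a real deployment: the baseline is per host, because a file server's normal day is a workstation's anomaly, and the "new destination" signal is kept separate from the volume signal, because a slow exfiltration to a fresh cloud bucket can stay under the volume threshold for days. Proxy and DNS logs give the same picture where flow records are not collected.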

Training and Awareness

Today, the most effective defense against ransom and ransomware is still the human factor, and we should approach this from several old and new angles.

  1. Employee Training – Train your employees to recognize phishing attacks, use better passwords and act as liaisons to the security group and IT department, helping to detect cyberattacks early.
  2. Build a Team – In dealing with ransom and ransomware, you need a larger team that is prepared for the worst. In addition to cybersecurity, privacy, compliance and IT, the team needs executive involvement in setting policy and procedure, and legal, PR, human resources, the business units and other stakeholders may all be involved. Don't forget your partners, including external IT, legal, security and ransomware negotiation advisors. A crisis is not the time to start planning the basics. Challenge your insurance companies to make sure that the best responders are covered by your policy.
  3. Test, Test, Test – You test your backups and you conduct your pen tests, but have you tested whether your company can detect and respond to a ransom or ransomware attack? Simple testing methodologies can expose your weaknesses faster and more efficiently than many other exercises. Test detection, test response, test decision-making under pressure. In properly tailored tabletop exercises around ransom and ransomware, you can work out technology issues and policy decisions for different scenarios, so that you respond to the real event with training and skills rather than improvisation.

There is much stress and confusion around the current state of ransom and ransomware attacks, and there is a long road ahead to cure this plague. Every time I help the victims of these attacks, there is a feeling that if the company were only a little bit more aware, a little bit more prepared, it wouldn’t have fallen victim. Hence, my goal is to share experience, tools and techniques so there are fewer victims and more safeguards against ransom and ransomware.

Click here to read part 1.

Alex Holden

CISO, Hold Security, LLC

Security Strategy & Architecture


Blogs posted to the RSAConference.com website are intended for educational purposes only and do not replace independent professional judgment. Statements of fact and opinions expressed are those of the blog author individually and, unless expressly stated to the contrary, are not the opinion or position of RSA Conference™, or any other co-sponsors. RSA Conference does not endorse or approve, and assumes no responsibility for, the content, accuracy or completeness of the information presented in this blog.
