The current ransomware landscape:
As most companies are now aware, ransomware has become one of the top threats to an organisation's infrastructure and security. Ransomware is malicious code that renders the files and/or operating environment of an endpoint unavailable, typically by encrypting them, until a payment is made to the cyber criminal.
According to Gartner, the rapid evolution and sophistication of cyber attacks and the migration of assets to the hybrid multi-cloud create a perfect storm. IT leaders must integrate security tools into a cooperative, consolidated ecosystem using a composable and scalable cyber security mesh architecture (CSMA) approach. 1
Every organisation has multiple opportunities to stop a ransomware attack before it steals any data and encrypts computers and files. The more sophisticated ransomware becomes, the more stages there are within an attack. In the ideal world, the objective is to prevent an attacker from gaining the foothold from which the attack begins. Prevention is the key phrase here, and it is a step some organisations forget about. If an attacker does get in, the next line of defence is equipping the organisation to detect, identify and respond to the early stages of an attack: network discovery, command and control communications, lateral movement, data collection and staging, exfiltration and, finally, encryption. Catching any one of these stages early is critical.
By 2024 Gartner envisions that organisations adopting a CSMA to integrate security tools to work as a collaborative ecosystem will reduce the financial impact of individual security incidents by an average of 90%.1 Backing this with well-trained, -skilled, and -practiced employees, staff, and service providers helps organisations greatly reduce their risk of ransomware.2
Key steps in reducing ransomware risk:
We have seen a huge move in digital organisations to enable work-from-anywhere and utilise cloud services. While we all know the benefits of this model, it can also open up a greater range of possible entry points for ransomware campaigns.
According to our partners Fortinet, the entirety of the attack surface must be identified and security controls distributed across it, including office and home workspaces, corporate and public networks, hybrid and cloud applications, workloads, user and IoT devices, and more.3
Isolation: According to network security experts, the first step is to isolate the infected device so the ransomware cannot spread to other devices over their network connections. Disconnect the infected system from the network (unplug the cable, disable Wi-Fi, or quarantine the host through your endpoint protection tooling) so the malware cannot use that connection to reach other machines. Power the system off only if you cannot disconnect it: a shutdown also destroys volatile evidence in memory that the response team may need to identify the strain and recover keys.
As ransomware becomes more sophisticated and organisations become more susceptible to multistage ransomware campaigns designed to evade traditional technologies, organisations need to complement strong threat prevention with ongoing inspection for attacks that may have slipped through.
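One form that "ongoing inspection" takes in practice is a detection that watches for the encryption stage itself: a single process renaming many files to a new extension in a short window. The block below is an added example, not code from this page, Ward Solutions or Fortinet. The log format, the host and process names and the ".locked" extension are constructed for illustration and are not indicators of any real ransomware strain; the window and threshold values are assumptions to be tuned against your own file-activity telemetry.

```python
"""Sliding-window detector for bulk, extension-changing file renames.

Added example (not code from the page, Ward Solutions or Fortinet): a
heuristic for catching the encryption stage of a ransomware attack in
file-activity logs. The log format, host and process names and the
".locked" extension are constructed and are not indicators of any real
strain.
"""
from collections import Counter, defaultdict, deque
from datetime import datetime
from pathlib import PureWindowsPath

WINDOW_SECONDS = 10     # look-back window per process (assumed value)
RENAME_THRESHOLD = 10   # extension-changing renames inside the window that raise an alert

# Constructed sample log, one event per line, in chronological order:
# timestamp|host|pid|process|action|source_path|destination_path
SAMPLE_LOG = r"""2024-03-01T10:00:00|WS-017|2216|EXCEL.EXE|RENAME|C:\Users\ann\Docs\~tmp8F3.tmp|C:\Users\ann\Docs\budget.xlsx
2024-03-01T10:00:00|WS-017|900|archiver.exe|RENAME|C:\Logs\app.log|C:\Logs\app.log.gz
2024-03-01T10:00:01|WS-017|4412|svc_update.exe|RENAME|C:\Users\ann\Docs\q1.docx|C:\Users\ann\Docs\q1.docx.locked
2024-03-01T10:00:01|WS-017|4412|svc_update.exe|RENAME|C:\Users\ann\Docs\q2.docx|C:\Users\ann\Docs\q2.docx.locked
2024-03-01T10:00:02|WS-017|4412|svc_update.exe|RENAME|C:\Users\ann\Docs\payroll.xlsx|C:\Users\ann\Docs\payroll.xlsx.locked
2024-03-01T10:00:02|WS-017|4412|svc_update.exe|RENAME|C:\Users\ann\Docs\plan.pptx|C:\Users\ann\Docs\plan.pptx.locked
2024-03-01T10:00:03|WS-017|4412|svc_update.exe|RENAME|C:\Users\ann\Docs\notes.txt|C:\Users\ann\Docs\notes.txt.locked
2024-03-01T10:00:03|WS-017|4412|svc_update.exe|RENAME|C:\Users\ann\Docs\invoice.pdf|C:\Users\ann\Docs\invoice.pdf.locked
2024-03-01T10:00:04|WS-017|4412|svc_update.exe|RENAME|C:\Users\ann\Docs\photo.jpg|C:\Users\ann\Docs\photo.jpg.locked
2024-03-01T10:00:04|WS-017|4412|svc_update.exe|RENAME|C:\Users\ann\Docs\contract.docx|C:\Users\ann\Docs\contract.docx.locked
2024-03-01T10:00:05|WS-017|4412|svc_update.exe|RENAME|C:\Users\ann\Docs\ledger.xlsx|C:\Users\ann\Docs\ledger.xlsx.locked
2024-03-01T10:00:05|WS-017|4412|svc_update.exe|RENAME|C:\Users\ann\Docs\memo.txt|C:\Users\ann\Docs\memo.txt.locked
2024-03-01T10:00:06|WS-017|4412|svc_update.exe|RENAME|C:\Users\ann\Docs\deck.pptx|C:\Users\ann\Docs\deck.pptx.locked
2024-03-01T10:00:06|WS-017|4412|svc_update.exe|RENAME|C:\Users\ann\Docs\scan.pdf|C:\Users\ann\Docs\scan.pdf.locked
2024-03-01T10:00:07|WS-017|2216|EXCEL.EXE|WRITE|C:\Users\ann\Docs\budget.xlsx|
2024-03-01T10:00:30|WS-017|900|archiver.exe|RENAME|C:\Logs\web.log|C:\Logs\web.log.gz
2024-03-01T10:01:00|WS-017|900|archiver.exe|RENAME|C:\Logs\db.log|C:\Logs\db.log.gz
"""


def parse_event(line):
    """Split one log line into a dict; the timestamp is parsed to a datetime."""
    ts, host, pid, proc, action, src, dst = line.rstrip("\n").split("|")
    return {"ts": datetime.fromisoformat(ts), "host": host, "pid": int(pid),
            "proc": proc, "action": action, "src": src, "dst": dst}


def new_extension(src, dst):
    """Return the destination extension if the rename changed it, else None."""
    before = PureWindowsPath(src).suffix.lower()
    after = PureWindowsPath(dst).suffix.lower()
    return after if after != before else None


def detect_bulk_renames(lines, window=WINDOW_SECONDS, threshold=RENAME_THRESHOLD):
    """Raise one alert per (host, pid) that renames at least `threshold` files
    to a different extension within `window` seconds. Input must be chronological."""
    recent = defaultdict(deque)   # (host, pid) -> deque of (timestamp, new_ext)
    alerted = set()
    alerts = []
    for line in lines:
        if not line.strip():
            continue
        ev = parse_event(line)
        if ev["action"] != "RENAME":
            continue
        ext = new_extension(ev["src"], ev["dst"])
        if ext is None:            # same extension: ordinary rename, ignore
            continue
        key = (ev["host"], ev["pid"])
        q = recent[key]
        q.append((ev["ts"], ext))
        # Drop events that have fallen out of the look-back window; the
        # current event (age 0) always stays, so the deque is never empty.
        while (ev["ts"] - q[0][0]).total_seconds() > window:
            q.popleft()
        if len(q) >= threshold and key not in alerted:
            alerted.add(key)
            alerts.append({
                "host": ev["host"], "pid": ev["pid"], "proc": ev["proc"],
                "first_seen": q[0][0].isoformat(), "last_seen": ev["ts"].isoformat(),
                "renames": len(q),
                "dominant_ext": Counter(e for _, e in q).most_common(1)[0][0],
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_bulk_renames(SAMPLE_LOG.splitlines()):
        print(alert)
```

On the sample log the detector raises a single alert for pid 4412 after its tenth rename at 10:00:05; EXCEL.EXE's one temp-file rename and archiver.exe's three log rotations spread over a minute stay under the threshold. Lowering the threshold without widening the window still leaves archiver.exe quiet, which is the point of keying on rate rather than on a raw count. In production the same logic would consume Sysmon file-create, EDR or audit-log events, and an alert would feed the isolation step above rather than just printing.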
Identify: The next step is to identify the type of malware used in the attack, that is, the specific strain of ransomware that infected your system. Knowing the strain helps an incident response team choose a course of action. Ward Solutions keeps up with the latest strains, and when a new one appears we make sure our team is educated on it as soon as possible. It is important for your team to have the same level of familiarity where possible.
Our partners Fortinet say, “The decryption keys of some ransomware attacks are already known, and knowing the type of malware used can help the response team figure out if the decryption key is already available. If it is, they can use it to unlock your computer, circumventing the attacker’s objective.” 4
In practice the strain is identified from the ransom note, the extension appended to encrypted files and the hash of the sample; public resources such as the No More Ransom project (nomoreransom.org) publish decryptors for strains whose keys have been recovered. Once the malware has been identified, your IT team or a Ward Solutions security consultant can determine the other ways of dealing with the attack.
“To understand your remediation options, your IT team or outside consultant will need to know what kind of malware they are dealing with, making early identification a critical step.” 5
Integration: Another key component in protecting your network from ransomware attacks is to close the gaps between departments and break down silos. Doing this removes the ambiguity in identifying the individual components of a ransomware attack or cyber campaign. The quality of individual controls will always remain an important factor in network security, but it is just as vital that what each control observes is shared seamlessly across the company.
Ensure scalability: As ransomware attacks and threat volumes increase, and are currently at their highest recorded levels, team and network design must allow for high scalability.
“Utilise artificial intelligence (AI) and other advanced analytics to supplement human security experts. But don’t overlook the human element—augment teams with outsourced expertise for after-hours coverage or specialised security skill sets and continue to raise security awareness among employees.” 6
We at Ward Solutions understand the difficulties of building an in-house model that scales. Your SOC and NOC teams are more than likely already at maximum capacity when it comes to dealing with ransomware attacks. Our experts provide a 24x7 model on an OPEX basis, so teams within the organisation can rest assured that our team is there to help.
Ward Solutions is a full service, full security lifecycle provider. If you don't have the right manpower, tools and expertise, consider partnering with a security consultancy and managed cloud security service provider with the knowledge and skills to supply or augment your CISO, security engineering and security operations resources. Talk to us today to see how we can help.