
Ransomware has been top of mind for many of us in the cybersecurity industry as we have seen an increasing number of attacks impacting hospital networks, local governments and the broader supply chain. A ransomware attack on a company typically results in lost access to data and systems for some period of time and comes with a financial impact through lost revenue and money spent on recovery efforts. When a ransomware attack is directed at a company that is part of the supply chain, it can have a much wider impact as just one service provider can have a direct effect on hundreds or thousands of companies.
Understanding your organization’s readiness for the threat of ransomware is imperative, and knowing how the vendors in your supply chain factor into that readiness is a critical piece of your overall strategy.
It can be overwhelming trying to ensure all your defenses are covered and that you have done everything you can to prevent or lessen the impact of a ransomware attack. A strong strategy is far-reaching and multi-layered — encompassing architecture, endpoints, users and so much more.
So where should you start? A structured, logical approach can help bring some order to understanding your organization’s ransomware readiness. To help do this, let’s look at three primary categories: prevention, containment and recovery.
Prevention
Our primary objective is to keep ransomware out of our environment, preventing it from ever getting in from the start. From this defensive posture, we need to look at your infrastructure from the perimeter controls all the way to the end users. While we could cover this topic at length, we will focus our attention on the gaps where ransomware is most commonly being introduced.
- Remote desktop protocol (RDP). While not a new technology or a new attack vector, RDP has been a regular target due to vulnerabilities, misconfiguration or susceptibility to brute-force attacks. With the recent rise in the remote workforce and the corresponding rise in RDP usage, attackers are having a field day with the new targets. Prevention activities here include limiting the number of open ports, strong authentication controls (including multi-factor authentication) and a solid vulnerability management program.
- Phishing. Phishing emails can be especially dangerous as they can bypass many of your security controls allowing malicious content to be delivered directly to what is most often your weakest security link — the end user. Phishing emails typically try to gain user credentials or contain malicious attachments or links, ultimately providing attackers a direct path into your environment. Prevention activities here include the use of an email security solution, security and awareness training for end users, and endpoint detection and response solutions.
Ultimately, the recommended prevention techniques are not new. They are the same key principles the information security community has been discussing for some time — restricting what’s accessible from the internet, vulnerability scanning, patching and strong authentication controls.
Containment
So in spite of your best efforts, ransomware gets into your environment. How can you stop the spread? Consider a fire in a building: the containment strategy is in place before the fire ever starts, through the use of firewalls, flame-retardant materials, etc. It’s the same for attacks like ransomware. Here are two key containment strategies:
- Privileged account use. Attackers love to target privileged accounts as they provide high levels of access to systems and data as well as the necessary permissions to execute malicious code. Password reuse, service account passwords stored in clear text, easily guessed passwords, etc. are all common issues contributing to account compromise.
A holistic approach to privileged account management is the key here. This includes understanding what privileged accounts you have and what they have access to; how they are used (e.g. domain admin vs. service account); and how those accounts are accessed and managed (e.g. the use of a privileged account management solution).
- Network segmentation. Flat networks are a dream scenario for an attacker. Once credentials are obtained, they can move freely across an organization’s entire network and have unfettered access to systems and data. At a minimum, you should use segmentation to restrict lateral movement as much as possible so that an attacker would have a much more difficult time traversing your network and gaining access to additional systems and data.
Recovery
Aside from an incident response plan, the most critical plan to aid in your recovery efforts is a business resiliency plan. How will the business continue to function? A strong resiliency plan will help to restore functionality of your core business systems.
Common attack vectors for organizations include third-party vendors in the supply chain. So how can we identify and reduce the risks our vendors present? First, answer these critical questions:
- Who are your vendors?
- What service does each vendor provide to your organization?
Actually identifying who your vendors are is no simple task. Is it possible you have vendors that have access to your network or data and you don’t know about it? Absolutely. The reality is that anyone in the business can go directly to a cloud-based solution and, with nothing more than a credit card and a few mouse clicks, you now have a vendor with access to your data. If you don’t know who they are, it’s impossible to assess their risk to your organization. As for what they do, the vendors in your supply chain can perform all sorts of services. Some inherently present a higher risk to your company based on the data or internal systems they have access to.
Answering these questions is a great starting point for performing adequate assessment activities against those vendors. The goal is to gain sufficient comfort that the vendors have the appropriate controls in place to protect your systems or data, based on the services they are providing for you. There are many assessment strategies to leverage, including the review of certifications such as SOC or ISO, assessment questionnaires like the SIG, penetration test results, etc. Regardless of how you approach it, validating that your vendors have these controls in place can reduce the risk of your organization being impacted in the event of an attack.
As systems become more connected and complex, attackers may still find some way through your defenses. But being prepared for a ransomware attack can significantly reduce the impact and outage to your organization. With a defense-in-depth strategy, along with appropriate containment and resiliency plans, your organization’s cyber strength can only rise.
Gary Brickhouse is chief information security officer of GuidePoint Security.