Prepare for Ransomware

Recently technical guidance was released for CIOs and CISOs on how to prepare for a ransomware attack. This guide was a joint effort of multiple Federal agencies to address the growing concern of ransomware. In, “How to protect your Networks from Ransomware,” they provide some suggestions for prevention and response. We have created a checklist below to help you based on their recommendations. You can review your current polices, procedures and plans to see if you are covering the recommendations listed below.

In addition, I have incorporated into the checklist recommendations found in Tripwire’s recently released whitepaper. There is considerable overlap in the recommendations found in Tripwire’s whitepaper and the interagency guidance.

I would like to note that the controls found in NIST Cybersecurity Framework and NIST SP 800-53 cover these recommendations. As an auditor, I strongly recommend adopting either NIST’s Risk Management Framework or NIST’s Cybersecurity Framework as a mature response to cyber risk. If you are not there yet use this checklist to see where you are and address the specific risk of ransomware.

I have divided the recommendations into 3 categories of what you can do to prevent, detect, and respond to ransomware and malware in general.

Prevention

• Has senior management been briefed on the risks to operations (mission, functions, image, or reputation), assets, individuals, other organizations and the Nation?

• Do you have cybersecurity awareness and training program for all users?

• Do you have advanced threat protection for email?

• Do you have SPAM filtering?

• Do you have anti-phishing prevention?

• Do you have domain-based message authentication, reporting & conformance?

• Do you scan all email for executables and malware?

• Do you prevent email spoofing?

• Do you prevent or filter office files with macros?

• Is your firewall configured to block known malicious IP addresses?

• Do you filter DNS requests from known malicious domains?

• Do you have a centralized patch management process?

• Do you patch vulnerabilities within 30 days of release for all technologies (IT, IoT and OT)?

• Do you have anti-malware on all systems that support it?

• Do you update anti-malware as close to real time as possible?

• Have you set regular anti-malware scan to run automatically?

• Does your anti-malware support ransomware prevention and detection?

• Are all privileged accounts setup with the least privilege needed?

• Do you have access control in place to limit access only to those users that need access?

• Do you have application whitelisting and Software Restriction Policies in place?

• Do you have a data classification scheme setup?

• Consider disabling Remote Desktop Protocol (RDP).

• Do you have a formal documented Business Continuity Plan?

• Do you have regular backups? (How often depends on business and mission criticality)

• Do you verify and test backups to see if they can be recovered?

• Do you protect backups (physical and logical access to backups)?

• Do you store backups so that they are not permanently connected to the network (air gap)?

• Do you conduct annual penetration tests?

• Do you perform periodic vulnerability assessments?

• Do you perform internal and external vulnerability scans at least monthly?

• Do you address the vulnerabilities found in a timely manner?

• Do you have an accurate inventory of software, services, and hardware?

• Do the you have these controls extended into any cloud environment?

Detection

• Do you have a mature change management process?

• Do you have configuration baselines for all systems?

• Do you have configuration monitoring?

• Do you have file integrity monitoring?

Response

• Do you have a formal documented Incident Response Plan (IRP)?

• Does your IRP include steps to isolate the infected systems immediately?

• Does your IRP include steps to isolate and power off devices that not completely corrupted?

• Does your IRP include steps to secure backups by taken them offline?

• Does your IRP include steps to contact the FBI or US Secret Service immediately?

• Does your IRP include steps to collect evidence including partial portions of the encrypted data?

• Does your IRP included changing all online and network passwords?

• Does your IRP include complete eradication of the malware such as deleting corrupt register keys?

• Does your IRP include post-incident investigation to determine root cause and determine prevention controls?

• Has senior management discussed, in advance, the risks of paying the ransom?

Resources

1. How to Protect Your Networks from Ransomware https://www.justice.gov/criminal-ccips/file/872771/download

2. Verizon 2019 Data Breach Investigations Report https://enterprise.verizon.com/resources/reports/dbir/

3. Tripwire 2019 Version DBIR Response Checklist https://www.tripwire.com/it-resources/

4. Darktrace Discoveries 2018 https://www.darktrace.com/en/resources/#white-papers

5. CIS Critical Security Controls - Version 7.0 Https://www.sans.org/critical-security-controls/

6. NIST Cybersecurity Framework https://www.nist.gov/cyberframework

7. NIST Computer Security Resource Center https://csrc.nist.gov/

8. Computer Security Incident Handling Guide NIST SP 800-61 Rev. 2 https://csrc.nist.gov/publications/detail/sp/800-61/rev-2/final

#Guidelines #ConfigurationManagement #Vulnerability #ChangeControl #Ransomware #IncidentResponse #Business #BusinessContinuityPlan #NIST #Malware #Antimalware #ITControlEnvironment #Permissions #Threats #RiskManagement #PenetrationTest #FIM #IRP #BCP #Spam #Phishing #Cybersecurity #SecurityAwareness