Introduction

Comsec Group recently created a ransomware readiness service, which maps the gaps, validates the readiness level of an organization against ransomware attacks and provides concrete recommendations for remediation and improvement.
The WannaCry ransomware that struck recently exploited a vulnerability found by the NSA, whose exploit was leaked by the TheShadowBrokers hacking group about two months ago. It is the biggest and most notable example of ransomware that includes the ability to spread without further user interaction, which significantly increases the ransomware threat and makes this service a lot more relevant.

So what is this service?

One approach to confronting the ransomware threat is simply to pray and hope it won't hit you, and if it does, to try to recover or just pay the ransom. However, recovery can take time and, more importantly, as was seen with WannaCry, there is no guarantee that you will get your files back even if you pay.
But there is another way: Organizations can actively test if their infrastructure is ready to counter the threat of ransomware, either by preventing the ransomware from executing, or preventing any real damage by allowing quick recovery from backups.
Our ransomware readiness service tests exactly that.
Incident Response

NIST defines a cybersecurity framework with five functions for managing a cyber incident:
- Identify – Develop the institutional understanding to manage cybersecurity risk.
- Protect – Develop and implement the appropriate safeguards, prioritized through the organization’s risk management process, to ensure delivery of critical infrastructure services.
- Detect – Develop and implement the appropriate activities to identify the occurrence of a cybersecurity event.
- Respond – Develop and implement the appropriate activities, prioritized through the organization’s risk management process (including effective planning), to take action regarding a detected cybersecurity event.
- Recover – Develop and implement the appropriate activities, prioritized through the organization’s risk management process, to restore the capabilities or critical infrastructure services that were impaired through a cybersecurity event.
Details of the Ransomware Readiness Service

The ransomware readiness service tests the organization's readiness level in each stage of the incident response process in order to understand the risk of ransomware, test the organization's protection and detection mechanisms, test the response procedures and verify the recovery process.
The service includes the following steps.
- Management awareness: Identify how aware management is of the threat of ransomware.
- Response procedures: Map the relevant response procedures for ransomware and general cyber attacks in the organization, highlight the gaps and recommend improvements to these procedures.
- Web protection: Ensure safe internet browsing by reviewing and adjusting the organization’s web browsing policy to reduce the risk of a malicious executable (or document) being downloaded.
- Mail protection: Ensure that an appropriate solution for inbound emails exists by reviewing and adjusting the organization’s anti-spam and malicious activity policy. This includes, amongst other things, the detection of malicious files, even if they are not detected as malicious based on anti-virus signatures.
- User permissions: Ensure that the user workstations are hardened. This includes ensuring that malware can’t be executed by accident (for example, due to an autorun script in a USB drive), and examining any endpoint protection solutions.
- Limit users' domain permissions: This includes reviewing servers and workstations in the domain in order to ensure that users do not have permissions to execute code remotely. In addition, this review includes restricting writable folders on the domain, to reduce the risk of malware spreading itself via network shares.
- Servers and endpoint configuration and patching: Ensuring that servers and workstations are updated with the latest security patches in a timely manner in order to reduce the risk of ransomware exploiting known vulnerabilities.
- Testing endpoint protection: Testing the configuration and update policy of the antivirus and EDR (Endpoint Detection and Response) in order to detect or even prevent the ransomware from executing in real-time.
- IRT (Incident Response Team): Comsec’s IRT is always available for future support in the event of a security incident caused by ransomware (or any other malware). Comsec investigates the ransomware in order to assess the "family" which it comes from and whether there is a known method of decrypting the files without paying the ransom. Comsec has a registered bitcoin wallet to pay the ransom if needed, as a last resort, following our assessment of the likelihood of the files being decrypted even after paying.
- User awareness training: Perform phishing exercises with scenarios such as fake websites, malicious links, malicious files etc., including a detailed report showing statistics of the extent to which the user was susceptible, e.g. opened email, opened link, downloaded file, ran file.
- Backups: Ensure that files are constantly backed up in order to minimize damage in the event of a ransomware attack and that regular restoration tests are carried out.
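The last two items of the list (limiting what a compromised user can write to, and verifying that backups actually restore) are the controls that decide whether an encryption event is a disaster or a nuisance. As an added example, not part of Comsec's service or any tooling it uses, the following script runs a small restoration drill: it backs up a directory into an archive with a SHA-256 manifest, simulates a ransomware run on the live copy, restores the archive into a scratch location and verifies every file against the manifest. The directory layout, file names and contents are constructed inline so it runs offline; in a real drill the source would be a production share and the manifest would be kept on storage the backup account cannot overwrite.

```python
"""Backup restoration drill (added example, not Comsec's code).

Creates a tar.gz backup plus a SHA-256 manifest, simulates ransomware
overwriting the live files, restores into a scratch directory and checks
that every file in the manifest came back intact.
"""
import hashlib
import json
import os
import tarfile
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large backups do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def manifest_path(archive: Path) -> Path:
    # Manifest sits beside the archive; in production keep it on write-once storage.
    return archive.with_name(archive.name + ".manifest.json")


def create_backup(source: Path, archive: Path) -> dict:
    """Archive every file under `source`; return and persist {relative path: sha256}."""
    manifest = {}
    with tarfile.open(archive, "w:gz") as tar:
        for p in sorted(source.rglob("*")):
            if p.is_file():
                rel = p.relative_to(source).as_posix()
                manifest[rel] = sha256_file(p)
                tar.add(p, arcname=rel)
    manifest_path(archive).write_text(json.dumps(manifest, indent=2))
    return manifest


def restore_and_verify(archive: Path, target: Path) -> dict:
    """Restore `archive` into `target` and compare each file with the manifest.

    Returns {"restored": n, "missing": [...], "corrupt": [...]} so a drill can
    fail loudly instead of silently restoring an incomplete or tampered set.
    """
    manifest = json.loads(manifest_path(archive).read_text())
    root = target.resolve()
    with tarfile.open(archive, "r:gz") as tar:
        for member in tar.getmembers():
            dest = (target / member.name).resolve()
            # Extract regular files only, and refuse entries that would escape `target`.
            if not member.isfile() or not str(dest).startswith(str(root) + os.sep):
                continue
            dest.parent.mkdir(parents=True, exist_ok=True)
            with tar.extractfile(member) as src, dest.open("wb") as dst:
                dst.write(src.read())

    result = {"restored": 0, "missing": [], "corrupt": []}
    for rel, digest in manifest.items():
        p = target / rel
        if not p.is_file():
            result["missing"].append(rel)
        elif sha256_file(p) != digest:
            result["corrupt"].append(rel)
        else:
            result["restored"] += 1
    return result


def run_restoration_test() -> dict:
    """End-to-end drill on constructed sample data: back up, 'encrypt' the live copy, restore, verify."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        live = root / "share"
        (live / "finance").mkdir(parents=True)
        (live / "finance" / "q1.csv").write_text("account,amount\n1001,250\n")  # constructed sample
        (live / "readme.txt").write_text("constructed sample data\n")            # constructed sample

        archive = root / "share-backup.tar.gz"
        manifest = create_backup(live, archive)

        # Simulate a ransomware run on the live share: contents replaced, extension appended.
        for p in list(live.rglob("*")):
            if p.is_file():
                p.write_bytes(os.urandom(64))
                p.rename(p.with_suffix(p.suffix + ".locked"))

        report = restore_and_verify(archive, root / "restore-test")
        report["files_in_manifest"] = len(manifest)
        report["live_intact"] = sum(1 for rel in manifest if (live / rel).is_file())
        return report


if __name__ == "__main__":
    print(json.dumps(run_restoration_test(), indent=2))
```

The drill passes only when `restored` equals `files_in_manifest` with nothing missing or corrupt, while `live_intact` shows that the working copy itself was lost; that pairing is the evidence a readiness review looks for, since a backup that has never been restored is an assumption rather than a control.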
In conclusion: In order to better mitigate the risk of ransomware and other modern cyber threats, you should test your readiness across the full chain of events and activities that can occur in such an incident, in order to prevent the threat from occurring and/or to limit the damage if it does occur.
For further details and for any questions please contact us: