Why ransomware response is more important than protection

As the high-profile attacks on the Albuquerque Public School District, Kronos, CS Energy, Kaseya, JBS USA and Colonial Pipeline illustrated, ransomware is one of the most significant threats to businesses in the whole world. It can cause a lot of damage to a business beyond the financial cost of paying the ransom. Downtime, lost opportunities, and the expense of ransomware removal and recovery can quickly add up. According to the European Union Agency for Cybersecurity’s 2021 Threat Landscape report, the average cost of resolving a ransomware attack in 2021 was $1.85 million, nearly double what it was the previous year. And things aren’t going to get better anytime soon. This raises the question, “What can organizations do to minimize the impact of falling victim to a ransomware attack?”

A ransomware attack can cripple an organization in minutes, leaving it unable to access critical data and unable to conduct business. But that’s not all – more recently, threat actors have gone from simply infecting systems with ransomware to multi-faceted extortion, where they publicly name (and shame) victims, steal data and threaten to disclose it to the public or sell it. In response, organizations should consider the following steps to mitigate the risk of ransomware attacks:

Strategic preparation: covers everything from cyber risk assessment, tabletop exercises, security awareness training and secure data backups to penetration testing.

Prevention: includes the application of security measures such as patch management, application whitelisting, spam filters, least privilege, as well as the deployment of anti-malware and endpoint security software.

Incident response: organizations should invest in forensic services and tools to address:

Investigation of the ransomware attack, allowing them to determine how the incident occurred and obtain evidence to prepare for litigation;

Remediation, hardening the environment so that attackers no longer have access to it and to prevent further spread of the ransomware;

Eradication efforts aimed at eliminating the attacker from the environment, for example by disabling accounts, resetting passwords, (re)establishing multi-factor authentication and, ultimately, getting rid of the ransomware;

Recovery efforts focusing on restoring the enterprise, the main objective being to achieve this in a secure way without risking re-infecting the infrastructure.

In a recent webinar, Eric Hanselman, Principal Research Analyst at 451 Research, pointed out, “The reality is that while organizations are very concerned about recovery time from ransomware attacks, they often focus only on tools for prevention, without planning for the worst-case scenario: being the victim of an attack.” The numbers speak for themselves: in 2021, 54% of all ransomware attacks succeeded despite preventive measures in place.

The need to focus on preparedness and response

Consequently, it is important to increase an organization’s preparedness against ransomware and to ensure that the necessary tools for remediation, eradication and recovery are not only in place, but also functioning as expected. This is especially true for endpoint recovery, which is essential for remote workers to perform their assigned work tasks in today’s work-from-anywhere environment. While endpoint recovery efforts are still considered a secondary priority compared to restoring critical infrastructure (e.g. Active Directory, database servers, application servers, mail servers) and business applications, the shift to remote work places increased demands on already strained IT and security teams when it comes to recovering employee devices.

Additionally, ransomware attacks often put endpoints in a state where they are either vulnerable to reinfection or nearly impossible to reimage/recover because the necessary tools no longer work. Ultimately, this creates increased challenges for IT and security teams who, by the time they are tasked with recovering employee devices, have already exhausted their resources.

Increasing Resilience in Ransomware Response

In this context, more and more organizations are turning to ransomware response offerings that allow them to assess their ransomware readiness for endpoints, monitor their cyber hygiene across the entire fleet of devices and accelerate endpoint recovery by leveraging always-on connectivity and automated recovery capabilities for key security and management tools, as well as automated script commands.

These offerings provide the following capabilities:

Check mission-critical endpoint ransomware readiness by identifying the key controls (e.g., anti-virus/anti-malware, endpoint protection, or endpoint detection and response solutions) and device management tools needed to minimize exposure to ransomware and ensure accelerated recovery efforts.

Enable cyber hygiene against ransomware on endpoints by establishing application resilience policies to ensure that the identified critical security applications and device management tools are installed and functioning as intended.

Assess device security posture by continuously detecting and reporting on the anti-malware software, as well as the detection and response software, deployed on all devices in the fleet.

Discover sensitive endpoint data by scanning endpoints for financial information, social security numbers, personally identifiable information (PII), protected health information (PHI), and intellectual property to identify at-risk devices and back them up appropriately using existing tools.

Self-heal endpoint security and device management software by leveraging application resilience to keep critical tools installed, healthy, and effective, so that they are available for recovery.

Inform users in a timely and coordinated manner by displaying messages on users’ devices, avoiding unnecessary support calls and fragmented communications.

Speed up recovery tasks by collecting accurate information, running custom workflows, and automating device recovery commands by leveraging a library of custom scripts to facilitate tasks such as identifying machines that have been infected and encrypted, endpoint quarantine (e.g., disabling networking or locking specific device ports), or support for device reimaging.
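As an added illustration of the "identifying machines that have been infected and encrypted" task in the last item, the following Python script is example code written for this article; it is not Absolute Software's or any vendor's tooling. It samples the first chunk of each file under a directory, computes the Shannon entropy of the bytes, skips containers that are legitimately high-entropy (ZIP, gzip, PDF, JPEG, PNG, identified by their magic numbers), and flags a host whose scanned tree is made up mostly of high-entropy files. The entropy threshold, the magic-number list, the 50% ratio and the sample file tree are constructed assumptions for the demonstration, not values taken from the article.

```python
import math
import os
import tempfile
from collections import Counter
from pathlib import Path

# Assumed thresholds (not from the article): AES-encrypted output sits close to
# 8 bits/byte; ordinary documents, source code and logs sit well below 6.
ENTROPY_THRESHOLD = 7.5
# Magic numbers of common compressed/media containers. These are high entropy
# by design and would otherwise produce false positives.
KNOWN_HIGH_ENTROPY_MAGIC = (b"PK\x03\x04", b"\x1f\x8b", b"%PDF", b"\xff\xd8\xff", b"\x89PNG")
MIN_SAMPLE = 256          # files smaller than this are too short to judge
ENCRYPTED_RATIO = 0.5     # fraction of suspicious files that marks a host as hit


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for empty input, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def looks_encrypted(path: Path, sample_size: int = 64 * 1024) -> bool:
    """Heuristic: high entropy and not a known compressed/media container."""
    with path.open("rb") as f:
        head = f.read(sample_size)
    if len(head) < MIN_SAMPLE:
        return False
    if head.startswith(KNOWN_HIGH_ENTROPY_MAGIC):
        return False
    return shannon_entropy(head) >= ENTROPY_THRESHOLD


def scan_tree(root: Path) -> dict:
    """Walk a directory and summarise how much of it looks encrypted."""
    total = 0
    suspicious = []
    for p in root.rglob("*"):
        if p.is_file():
            total += 1
            if looks_encrypted(p):
                suspicious.append(str(p.relative_to(root)))
    ratio = len(suspicious) / total if total else 0.0
    return {
        "files": total,
        "suspicious": sorted(suspicious),
        "ratio": ratio,
        # Require a handful of files so one odd file does not trigger a verdict.
        "likely_encrypted": total >= 5 and ratio >= ENCRYPTED_RATIO,
    }


def build_sample_tree(root: Path) -> None:
    """Constructed sample data: 3 text files, 1 gzip-like file, 5 'encrypted' files."""
    sentence = b"Quarterly report: revenue, headcount and backlog by region.\n"
    for i in range(3):
        (root / f"report{i}.txt").write_bytes(sentence * 20)
    # gzip magic followed by random payload: high entropy but legitimately so
    (root / "archive.gz").write_bytes(b"\x1f\x8b" + os.urandom(1024))
    for i in range(5):
        # random bytes stand in for ciphertext; a renamed extension is a common symptom
        (root / f"report{i}.docx.locked").write_bytes(os.urandom(4096))


def run_demo() -> dict:
    """Build the constructed tree in a temp dir and return the scan verdict."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        build_sample_tree(root)
        return scan_tree(root)


if __name__ == "__main__":
    print(run_demo())
```

In practice this check would run from the endpoint recovery tooling against user document folders rather than a whole disk, and its output feeds the triage decision (quarantine, reimage, or restore from backup) rather than acting on its own; entropy alone cannot tell ciphertext from a compressed file it has no magic number for, which is why the container list and the ratio gate exist.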

Ultimately, organizations need to look beyond preventative measures when it comes to dealing with today’s ransomware threats and invest in ransomware response, which improves their ability to prepare for, and quickly recover endpoints from, ransomware attacks.

Torsten George is currently a Cybersecurity Evangelist at Absolute Software, which helps organizations establish resilient security controls on endpoints. He is also a member of the strategic advisory board of vulnerability risk management software vendor, NopSec. He is an internationally renowned computer security expert, author and speaker. Torsten has been part of the global IT security community for over 27 years and regularly provides commentary and publishes articles on data breaches, insider threats, compliance frameworks and best practices in IT security. He is also co-author of the book Zero Trust Privilege For Dummies. Torsten has held leadership roles at Centrify, RiskSense, RiskVision (acquired by Resolver, Inc.), ActivIdentity (acquired by HID® Global, an ASSA ABLOY™ Group brand), Digital Link and Everdream Corporation (acquired by Dell).
