In the race to detect and contain ransomware on their networks, many organizations fail before they are out of the gate. The reason has very little to do with technology, and more so a great deal to do with process.
“But we bought all the good tools!”, such organizations protest. Good security technologies implemented and optimized properly are certainly one piece of the puzzle, however organizations, with large or small budgets, can use good processes and procedures to narrow their attack surfaces.
As discussed in a blog written by Sean Mason of Cisco Security, organizations can be rated on their overall Threat Management Maturity by what level of capabilities they have in the categories of People, Process and Technology. Without documented processes and procedures, IT departments frequently rely on tribal knowledge and react to incidents in an ad-hoc fashion. Time to remediation is longer due to lack of assigned roles and responsibilities, and little or no pre-written and rehearsed action plans. In the case of ransomware, the time to remediation for some organizations can be the difference between being in business and going under.
The question then is, how best to prepare for ransomware infections that are becoming a daily occurrence for a majority of organizations? The answer is a Runbook, which is focused specifically on detecting, containing and remediating ransomware. At its simplest, a runbook is a series of steps to undertake when a specific incident occurs. This is considerably less complicated than developing a full Incident Response Plan (which doesn’t necessarily tackle the heart of the incident) and there are a number of good resources on the Internet to assist with the development of one.
To be effective, a ransomware runbook should address the following:
The ways in which a ransomware incursion could be identified on a network. For less mature organizations, this is usually an end-user notifying the helpdesk or local IT support person. It may also include IT team members recognizing an abnormal condition on a system they are responsible for. As organizations mature, this may also include alerts produced via security technologies, or via centralized monitoring platforms (e.g.: SIEM).
Ransomware comes in a wide variety of types these days. To effectively contain a ransomware threat, it is imperative that it be identified properly. Actions in this section of the runbook would address the attributes of the suspected infection (e.g.: file extension, infection vector, files created, file owner). While time is of the essence during a hunt for patient zero in a ransomware investigation, improper identification can lead to incorrect containment steps.
This is commonly referred to as “stopping the bleeding” and involves making sure the active infection is contained or terminated so damage to network systems is halted. In the case of ransomware, ensuring the executable responsible for encrypting files is no longer able to run or communicate out are common containment steps. The runbook should consider both host-based and network containment steps.
Analysis & Remediation
The inclusion and level of analysis in a runbook will largely depend on the level of capability an organization has. While full forensic analysis on a host is possible for some organizations, many do not have the skill set or time to engage in this level of investigation. Once containment has been validated, analysis may be as simple as running additional anti-virus or anti-malware scans on a host. Indeed, analysis may not even occur and the remediation step may simply be a re-image of the affected host. A runbook should also include host and network remediation steps that address the initial infection vector, as well as how the malware was able to run on the host in the first place.
A ransomware runbook, like any other runbook written to address a specific and known threat, should be written with the organization’s actual capabilities in mind. It should also be reviewed frequently and updated based on new tactics, techniques and procedures that attacker may use as ransomware continues to evolve. A runbook will not stop all ransomware attacks, however it will enhance an organization’s ability to respond and remediate faster and more efficiently.
The following is a list of prevention, mitigation and safeguards that organizations can take to reduce their impact to Ransomware based threats and incorporate into existing process, procedures and architecture.
Ransomware Prevention, Mitigation and Safeguards
- LAYERED HOST AND NETWORK-BASED SECURITY DEFENSES – Each system should be protected with DNS layer protections to prevent devices from connecting to sites hosting ransomware and endpoint protection for detecting and preventing the latest ransomware variants. At an organizational level, strong email and web threat protections in addition to network security (Intrusion Prevention Systems and Next-Generation Firewalls) should be utilized in also detecting and preventing the latest ransomware variants.
- PATCHING LIFE CYCLE– A patching level cycle should be utilize to deploy updates to all systems for known Common Vulnerabilities and Exposures (CVE) in commonly used software such as but not limited to: Adobe Flash, Adobe Acrobat, Microsoft Silverlight, Oracle Java, Microsoft Internet Explorer, and Microsoft Office; where exploits can take advantage of programmatic errors and unsecure code.
- REMEDIATION/UPGRADE PLAN FOR UNSUPPORTED OS (Operating Systems)- Develop a remediation/upgrade plan for unsupported and unpatched OS, such as: Windows XP, Windows 2000 and 2003 systems or consider the use of application white listing.
- BACKUPS/CONTINGENCY PLANNING- A backup policy/contingency plan, procedure, and technology for systems should be developed and utilized in the event that the loss of data on a system occurs
This blog post was originally written for the Cisco Security Blog and was co-authored by Aaron Varrone.