With critical infrastructures and healthcare providers in the crosshairs, government agencies have urged organizations to implement tougher security measures that could reduce the scope and severity of ransomware assaults.
The message is clear: improve your defenses, or join forces with someone who can (like a MDR provider, for example).
This raises two questions. First, what do these preventative measures look like? Second, for companies that may lack the time, knowledge or resources to implement these measures personally, how might a MDR provider be able to help?
Top ransomware controls
From CISA to NIST and CIS to SANS, there’s really no shortage of resources available for companies who wish to study up on effective anti-ransomware protections. Below, we’ve compiled a shortlist of the most essential measures organizations can implement to counteract the ransomware menace.
#1: Maintain offline, encrypted backups and store them separately. Ransomware works by depriving organizations access to their own systems and data. Organizations can mitigate the sting of such attacks by regularly backing up their data on offline hard drives.
#2: Develop and maintain a living cyber incident response plan. An incident response plan is a document that informs what an organization’s stakeholders should do before, during, and after a suspected security incident. This makes sure that everyone is on the same page and understands each of their responsibilities in the event of a ransomware attack.
#3: Regularly patch software, hardware, and operating systems to the latest versions. Patching IT assets on a regular basis is the most effective way to keep adversaries from exploiting discovered vulnerabilities.
#4: Properly configure devices and applications, and enable security features. Many security products are configured with default permissions or settings right out of the box, but there’s no guarantee these settings offer the best security. It’s incumbent on organizations to review their applications and activate dormant security features where possible.
#5: Enable multifactor authentication. MFA requires a user to submit multiple forms of verification to prove their identity. In addition to a password, MFA might require a user to input a code sent to their smartphone, or to answer a personal question that only they would know. By adding multiple checks, MFA significantly reduces an attacker’s chances of impersonating someone they’re not.
#6: Use segmentation to separate business units or IT resources. Identity segmentation and network segmentation can reduce the likelihood of ransomware moving laterally through a network. By restricting access and operations based on identity or network behavior, organizations can limit the spread of infection and better contain the threat.
#7: Provide cybersecurity awareness training. Study after study confirms that people are often the weakest link in an organization’s cybersecurity operation. Ransomware attacks exploit human trust and error by persuading victims to let down their guard. Ransomware awareness training can help employees better spot suspicious activity and report to the appropriate channels.
Where MDR fits in
Organizations may be able to implement at least a few of these measures on their own, but ‘a few’ isn’t good enough. As expressed by one respondent in CyberRisk Alliance’s recent ransomware study, “all the threat actors know that they just need to find one door ajar, one vulnerability to pivot in.” Indeed, organizations that neglect to implement the majority of these measures will make themselves attractive targets for opportunistic bad actors.
By enlisting the services of a managed detection and response (MDR) vendor, however, organizations need not be sitting ducks. In fact, the nature of a MDR partnership means that many of these core requirements — like device configuration, patching, vulnerability scanning, or asset management — will naturally be fulfilled in the course of doing business.
Here’s just a handful of ways that MDR can help fortify ransomware defenses.
#1: There’s a plan for that. Recall the need for a cyber incident response plan? MDR can make sense of alerts, prioritize the most critical vulnerabilities, and take action on a client’s behalf to eliminate the threat.
#2: Improved analytics and threat assessments. MDR allows organizations to make sense of the security alert maelstrom bombarding their SOC daily. Drawing from their pool of expertise, providers can give customers insights about their attack surface and routine updates on the latest vulnerability data collected by its teams of experts stationed around the world. Over time, the steady stream of insights can help organizations identify persisting weak points as well as actions that can eliminate these weaknesses.
#3: Vulnerability scanning. With the aid of a MDR provider, organizations may discover IT assets and potential entry points they didn’t even know they had. MDR teams pull no punches when it comes to surveying every inch of the threat environment. Threat hunters are trained to scour the network and identity suspicious behavior, and frequently employ advanced technologies (like AI or XDR) to assist their hunts.
#4: Configuring devices and applications. Ransomware attacks commonly use misconfigurations in devices and applications to gain a foothold into the network. An MDR service can help organizations track and identify potential misconfigurations, and suggest corrective measures for the client to take.
#5: MDR can assist with cyber hygiene and awareness. As part of the relationship, some MDR providers work closely with the customer to help them develop in-house SOC capabilities and skills over time. MDR units may also send the customer regular reporting and intelligence concerning the latest vulnerabilities so the customer can take appropriate measures to plug these vulnerabilities.