I recently read a technology forum post where a system administrator described symptoms of post-traumatic stress disorder after their company was attacked by ransomware. The recent State of Data Security report from Rubrik Zero Labs even found that 96% of individuals suffered emotional or psychological impacts as a direct result of experiencing a cyberattack.
As I read through the replies, fellow practitioners expressed their support and shared their own experiences with ransomware - how their company recovered, how much data they lost, lessons learned, and how they prepared for future attacks. It was amazing to see the community rally around the author and offer their wisdom.
Remarkably, as the conversations turned technical they didn’t funnel down into a single vendor, product, or feature as the superior solution to ransomware. Instead, what surfaced was far more fundamental: multi-factor authentication, layered defenses, and always having reliable backups to turn to. No wild claims, product placement, or buzzword bingo. In short, the collective advice of the community formed a pragmatic approach to data security. One where breadth is more valued than depth, and being prepared to recover data is paramount.
In this blog post, we are going to take a page from fellow practitioners and discuss a few practical strategies to help safeguard your data, and hopefully, your sanity.
Take a two-sided approach to data security
As I continued reading through the stories in the forum post, it was clear that the human element was often the culprit behind a ransomware attack (see: initial access), whether it was an end-user clicking a malicious link or a misconfiguration by an administrator. Data gathered by Verizon confirms the anecdotal replies in the post, finding that 82% of breaches involve the human element. As one contributor summarized regarding human behavior and security mishaps: “It’s not an IF scenario, it is a WHEN scenario and all companies should plan for it”.
It’s easy to blame the success of ransomware on the failure of edge security devices, application security, or endpoint protection. But in many cases there is little these solutions can do once the human element is involved - a user or administrator has essentially built a bridge for the adversary to walk into the environment. So, are these security measures even required? Absolutely, yes. But a modern approach to data security must be two-sided: one side protects data from the outside in, at the edge or endpoint, and the other protects data from the inside out by applying layered protections closer to the data. Adopting a modern security strategy therefore means implementing measures that presume the environment is already breached.
To help provide clarity and ideas on post-access behaviors, The DFIR Report has curated a handful of tactics, techniques, and procedures used by adversaries during a campaign - all of which are helpful to illustrate the timeline and potential vulnerabilities once an environment is breached. What you will find is that there are some techniques that cannot be prevented, but only mitigated (e.g. Pass the Hash), which is a harsh dose of reality, and highlights the importance of a defense-in-depth strategy.
Inventory your systems and your data
Implementing and maintaining an inventory management system of your hardware and software assets is essential to good cybersecurity hygiene. It not only quantifies your assets for financial and budgetary needs, but it also builds a strong foundation for disaster recovery by scoping the assets needed during a ransomware recovery. A great implementation example is captured in the NIST Special Publication 1800-5c, which walks through a reference deployment that combines the use of inventory management with the integration of active and passive sensors for data collection and detection of potentially malicious events. Having an asset inventory in hand, and potentially detecting adversarial actions, is a must-have for any data security strategy.
But, if we dig into this DFIR Report profiling an intrusion, it becomes clear that there is a need to also inventory data. In the report, this particular adversary accessed multiple sensitive documents containing cyber insurance information, as well as documents containing environment passwords. Additionally, they also moved laterally to access the backup and recovery server console. Fortunately, the adversary was detected and evicted from the environment after additional enumeration attempts were made in the environment.
Given the level of access achieved by the adversary, the harm done by an attack on the environment would likely have been significant. The adversary could have exfiltrated sensitive data, encrypted data to debilitate the environment, and deleted or encrypted backup copies to remove the possibility of recovery, leaving the organization facing double extortion. Clearly, this highlights that maintaining an inventory of your data is as important as maintaining an inventory of your systems, so that sensitive data isn’t openly available to an adversary.
Additionally, it underscores that adversaries are continuing to seek out backups in an environment as part of their campaign. By taking away the ability to recover, attackers make it much more likely that they’ll get a payment. As such, it is critical to apply additional layers of protection to a backup solution such as multi-factor authentication, role-based access control, and possibly network segmentation to mitigate access to backup data. Ultimately, it circles back to the process of securing data by presuming a breach.
Apply the Pareto principle
Jumping back to the forum post, the most evident suggestion by the community is to closely manage, test, and protect your backup copies. In the majority of ransomware cases mentioned in the thread - other than the somewhat peculiar story of physically unplugging cables from a core switch during an attack - organizations had to turn to backups to restore copies of their data. Similar to the Pareto principle, the effort to protect your backup data is going to be a highly effective step toward being prepared to recover from ransomware. This recent blog post concisely outlines the measures to think about when revamping your data security strategy.
Although not frequently mentioned in the forum post, password hygiene is a high-priority/low-budget item to be addressed. The most easily addressed issue is weak passwords for both user and service accounts. Weak passwords are more susceptible to kerberoasting, since there is a higher likelihood that offline brute-force attempts against a service ticket will succeed. If your backup solution relies upon Active Directory to function, it is also advisable to create an isolated domain for it to operate under. Cumbersome? Yes, but it certainly could be a worthwhile effort to slow an adversary down.
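As an added example that is not part of the original post, the following PowerShell audit (run by an AD administrator with the RSAT ActiveDirectory module) lists the accounts kerberoasting targets, i.e. those with a service principal name, and flags the conditions that make an offline guess more likely to succeed: old or never-expiring passwords, tickets that still allow RC4, and privileged group membership. The 365-day password age threshold is an assumed policy value.

```powershell
# Added example: audit SPN-bearing accounts for kerberoasting exposure.
# Requires the ActiveDirectory RSAT module and read access to the domain.
Import-Module ActiveDirectory

$MaxPasswordAgeDays = 365   # assumed policy threshold; adjust to your standard
$Now = Get-Date

# Only accounts with an SPN can have service tickets requested for them.
$Accounts = Get-ADUser -Filter 'ServicePrincipalName -like "*"' `
    -Properties ServicePrincipalName, PasswordLastSet, PasswordNeverExpires,
                Enabled, 'msDS-SupportedEncryptionTypes', MemberOf

$Findings = foreach ($Acct in $Accounts) {
    $Issues = @()
    # A stale password has had years of exposure to offline cracking.
    if ($null -eq $Acct.PasswordLastSet) {
        $Issues += 'password never set/rotated'
    } elseif (($Now - $Acct.PasswordLastSet).Days -gt $MaxPasswordAgeDays) {
        $Issues += "password older than $MaxPasswordAgeDays days"
    }
    if ($Acct.PasswordNeverExpires) { $Issues += 'PasswordNeverExpires set' }

    # Bit 0x18 = AES128 (0x8) | AES256 (0x10). An unset value, or RC4 only,
    # lets a requester obtain a ticket with the weaker RC4-HMAC type.
    $EncTypes = $Acct.'msDS-SupportedEncryptionTypes'
    if (-not $EncTypes -or (($EncTypes -band 0x18) -eq 0)) {
        $Issues += 'RC4 tickets permitted (no AES-only setting)'
    }
    # A privileged service account is the worst case if its password is cracked.
    if ($Acct.MemberOf -match 'CN=Domain Admins,') {
        $Issues += 'member of Domain Admins'
    }

    if ($Issues.Count -gt 0 -and $Acct.Enabled) {
        [pscustomobject]@{
            Account = $Acct.SamAccountName
            SPNs    = ($Acct.ServicePrincipalName -join '; ')
            Issues  = ($Issues -join '; ')
        }
    }
}

$Findings | Sort-Object Account | Format-Table -AutoSize
# Remediation to consider per finding: rotate to a long random password,
# migrate the service to a group-managed service account (gMSA), and set
# msDS-SupportedEncryptionTypes to 0x18 so only AES tickets are issued.
```

Get-ADUser returns user objects only, so computer accounts (which rotate their own passwords) are not included in the report.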
In the short term, there is likely to be no shortage of work as you help your organization adjust to emerging cyber threats and ransomware attacks. As you start or continue on the journey toward building a data security strategy, let’s recap a few of the highlights in this post:
First, take a two-sided approach to data security - presume breach.
Second, inventory your systems AND your data - You can only protect what you know about.
Finally, apply the Pareto principle to data security and always prioritize your ability to recover.
If you are interested in getting hands-on with your ransomware response plan, check out our upcoming Save the Data workshops. In these live tabletop experiences, you’re put in the shoes of the key players and stakeholders in a ransomware attack scenario so you leave with a better understanding of all the elements that go into a ransomware recovery plan.