Ransomware attacks keep increasing in volume and impact largely due to organizations’ weak security controls. Mid-market companies are targeted as they possess a significant amount of valuable data but lack the level of protective controls and staffing of larger organizations.
According to a recent RSM survey, 62% of mid-market companies believe they are at risk of ransomware in the next 12 months. Cybersecurity leaders’ sentiment is somewhere on the spectrum between “top-of-mind” to “this gives me serious migraines.”
As ransomware is still the preferred way for actors to monetize their access, there’s a dire need to understand organizational levels of preparedness, and to identify and remediate gaps before an attacker can exploit them.
Lean cybersecurity teams can quickly gauge their ransomware readiness by walking through the NIST Cybersecurity Framework (CSF) and asking, “Do we have something like this in place?” for each of its core functions: “Identify,” “Protect,” “Detect,” “Respond,” and “Recover”:
Identify
Asset management means knowing what your organization’s critical assets are, where they are located, who owns them, and who has access to them. Data needs to be classified so that access can be governed and its integrity assured. Classification also tells you which data actually needs its confidentiality protected, since only some of it does; integrity and availability, by contrast, matter for nearly all of it, and availability is precisely what ransomware takes away. Controls that ensure the utility and authenticity of data bring an organization real value.
Protect
Identity is the data that defines the relationship between a person and an organization. It is verified through credentials (classically a username and password), and when those credentials are compromised a security event becomes an incident: leaked credentials are a common way for threat actors to obtain the access they need to deploy ransomware on your systems. According to the Microsoft Digital Defense Report 2022, basic security hygiene, meaning multi-factor authentication (MFA), zero-trust principles, keeping software updated, and using extended detection and response (XDR) and anti-malware tooling, still protects against 98% of attacks.
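To make concrete why MFA is the hygiene control that matters most against leaked credentials, here is an added example (not code from the original article or from Cynet) of a login check that requires a salted password hash and a TOTP second factor (RFC 6238) to both succeed. The demo account, salt, password and TOTP secret are constructed for the example (the secret is the RFC 6238 test-vector key, so the codes match the RFC appendix); a real deployment keeps these in an identity store and prefers a memory-hard hash such as Argon2id.

```python
import hashlib
import hmac
import os
import struct
import time
from typing import Optional

# Constructed demo account (not real data). The TOTP secret is the RFC 6238
# test-vector key so the generated codes can be checked against the RFC appendix.
DEMO_SECRET = b"12345678901234567890"
DEMO_SALT = bytes.fromhex("00112233445566778899aabbccddeeff")
DEMO_PASSWORD = "correct horse battery staple"


def hash_password(password: str, salt: bytes, iterations: int = 200_000) -> bytes:
    """Salted PBKDF2-HMAC-SHA256 (Argon2id or scrypt is preferable where available)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations, dklen=32)


def totp(secret: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1, 30-second step) for Unix time `at`."""
    counter = struct.pack(">Q", at // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def make_user(password: str, secret: bytes, salt: Optional[bytes] = None) -> dict:
    """Build the stored record: the password never sits in the store, only its hash."""
    salt = salt or os.urandom(16)
    return {"salt": salt, "pw_hash": hash_password(password, salt), "totp_secret": secret}


def verify_login(user: dict, password: str, code: str, now: Optional[int] = None) -> bool:
    """Both factors are always evaluated; a leaked password on its own is not enough."""
    now = int(time.time()) if now is None else now
    password_ok = hmac.compare_digest(hash_password(password, user["salt"]), user["pw_hash"])
    # Accept the current 30 s step and one step either side to tolerate clock drift.
    code_ok = any(hmac.compare_digest(totp(user["totp_secret"], now + d * 30), code)
                  for d in (-1, 0, 1))
    return password_ok and code_ok


DEMO_USER = make_user(DEMO_PASSWORD, DEMO_SECRET, DEMO_SALT)

if __name__ == "__main__":
    t = 59  # RFC 6238 test-vector time; the valid code here is 287082
    print("password + valid TOTP :", verify_login(DEMO_USER, DEMO_PASSWORD, totp(DEMO_SECRET, t), now=t))
    print("leaked password alone :", verify_login(DEMO_USER, DEMO_PASSWORD, "000000", now=t))
```

The point of the ordering inside `verify_login` is that the password hash and the TOTP code are both computed before the result is returned, so an attacker holding a leaked password learns nothing from timing about whether it was correct, and still cannot log in without the second factor.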
Another key aspect of protecting identities is awareness training: helping employees recognize a malicious attachment or link. When running phishing simulations, reward the employees who spotted or reported the lure rather than penalizing those who clicked. Carried out incorrectly, simulations can severely damage employees’ trust in the organization, and with it their willingness to report the real phishing email when it arrives.
Good data security protects your data from ransomware and lets you recover from an attack. This means having access management, encryption, and backups in place. Although this sounds basic, many organizations fall short on at least one of them. Other controls that fall under the “Protect” function of NIST CSF are vulnerability management, URL filtering, email filtering, and restricting the use of elevated privileges.
Restricting what software can run is essential. Note, though, that ransomware rarely needs an installer: it typically runs as an ordinary user-level executable or script, so the control that actually helps is application allow-listing that blocks execution of anything not explicitly approved, not merely a block on installers. Even that is not absolute. Some ransomware exploits existing vulnerabilities to elevate privileges, or abuses tools that are already on the allow list, and so gets around the restriction.
Which brings us to the next control under the “Protect” function of NIST CSF: policy enforcement. Policy enforcement software reduces the number of staff needed to implement controls such as restricting execution and installation to authorized software, or restricting the use of elevated privileges.
Detect
Technologies that address the requirements for controls under this function can really make a difference, but only if accompanied by a human element. A lot of acronyms here: User and Entity Behavior Analytics (UEBA), Centralized Log Management (CLM), Threat Intelligence (TI), and EDR/XDR/MDR.
Ransomware is readily detected by good UEBA because it behaves in ways that legitimate software does not: it modifies and renames files at machine speed, deletes volume shadow copies, and touches far more data than any one user normally would. On its own, UEBA only detects; it cannot prevent or stop the attack. Prevention requires other tooling, such as phishing protection, continuous security monitoring, and EDR/XDR/MDR. According to IBM’s Cost of a Data Breach 2022 report, organizations with XDR technologies identified and contained a breach 29 days faster than those without XDR. Organizations with XDR also saw a 9.2% lower cost per breach, which might sound like a small improvement, but with an average breach cost of USD 4.35 million it represents roughly USD 400,000 in savings.
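As an added example of the behavioural signal that UEBA-style detection keys on (this is not code from the original article or from any Cynet product), the Python below runs two simple rules over constructed endpoint file-activity log lines: a sliding-window count of renames that change a file’s extension, which is what mass encryption looks like from the file system, and execution of a shadow-copy deletion command, which ransomware runs to inhibit recovery. The log format, process names, paths and thresholds are all assumptions for the demo; real telemetry comes from an EDR or Sysmon-style sensor, and thresholds need tuning per environment.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timezone
from pathlib import PureWindowsPath

# Constructed endpoint file-activity telemetry (not real logs): a normal editing
# session, then a process mass-renaming documents to ".locked" and wiping shadow copies.
BENIGN_EVENTS = [
    r"2024-05-02T10:14:03Z host=ws-17 user=alice pid=4120 proc=EXCEL.EXE op=WRITE path=C:\Users\alice\Docs\q1.xlsx",
    r"2024-05-02T10:14:09Z host=ws-17 user=alice pid=4120 proc=EXCEL.EXE op=RENAME path=C:\Users\alice\Docs\~tmp1.xlsx new=C:\Users\alice\Docs\q1.xlsx",
    r"2024-05-02T10:15:30Z host=ws-17 user=alice pid=5002 proc=WINWORD.EXE op=RENAME path=C:\Users\alice\Docs\old.doc new=C:\Users\alice\Docs\old.docx",
]
RANSOMWARE_EVENTS = [
    rf"2024-05-02T10:20:{i:02d}Z host=ws-17 user=alice pid=7788 proc=svchost_.exe op=RENAME "
    rf"path=C:\Users\alice\Docs\f{i}.docx new=C:\Users\alice\Docs\f{i}.docx.locked"
    for i in range(25)  # 25 renames in 25 seconds, generated for brevity
] + [r'2024-05-02T10:20:41Z host=ws-17 user=alice pid=7788 proc=svchost_.exe op=EXEC cmd="vssadmin delete shadows /all /quiet"']
SAMPLE_LOG = BENIGN_EVENTS + RANSOMWARE_EVENTS

KV = re.compile(r'(\w+)=("[^"]*"|\S+)')
SHADOW_COPY_DELETE = re.compile(r"vssadmin\s+delete\s+shadows|wmic\s+shadowcopy\s+delete", re.I)
WINDOW_SECONDS = 60    # sliding window for the rename-burst rule (assumed tuning value)
BURST_THRESHOLD = 20   # extension-changing renames to one new extension inside the window


def parse_event(line: str) -> dict:
    """Split '<timestamp> key=value ...' into a dict; quoted values may contain spaces."""
    ts, rest = line.split(" ", 1)
    event = {k: v.strip('"') for k, v in KV.findall(rest)}
    event["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return event


def extension(path: str) -> str:
    return PureWindowsPath(path).suffix.lower()


def detect(lines) -> list:
    """Run both rules over the events in order; emit one alert per (host, pid, rule)."""
    alerts, fired = [], set()
    bursts = defaultdict(deque)  # (host, pid, new_ext) -> timestamps of extension-changing renames

    def fire(rule, ev, **extra):
        key = (ev["host"], ev.get("pid"), rule)
        if key not in fired:
            fired.add(key)
            alerts.append({"rule": rule, "host": ev["host"], "pid": ev.get("pid"),
                           "proc": ev.get("proc"), "ts": ev["ts"].isoformat(), **extra})

    for line in lines:
        if not line.strip():
            continue
        ev = parse_event(line)
        op = ev.get("op")
        # Rule 1: inhibiting recovery by deleting Volume Shadow Copies.
        if op == "EXEC" and SHADOW_COPY_DELETE.search(ev.get("cmd", "")):
            fire("shadow_copy_deletion", ev, cmd=ev["cmd"])
        # Rule 2: burst of renames that change the extension (the mass-encryption pattern);
        # same-extension renames such as an editor's temp-file swap are ignored.
        elif op == "RENAME" and extension(ev["path"]) != extension(ev["new"]):
            new_ext = extension(ev["new"])
            window = bursts[(ev["host"], ev.get("pid"), new_ext)]
            window.append(ev["ts"])
            while (ev["ts"] - window[0]).total_seconds() > WINDOW_SECONDS:
                window.popleft()
            if len(window) >= BURST_THRESHOLD:
                fire("rename_burst", ev, new_extension=new_ext, count=len(window))
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

Run against the constructed sample, the benign session produces no alerts, while the malicious process trips the rename-burst rule on its twentieth `.docx` to `.locked` rename and the shadow-copy rule on the `vssadmin` command. The threshold is deliberately simple; production rules also weigh the entropy of written content, canary files, and the number of distinct directories touched, and they feed the alert into an EDR/XDR that can isolate the host, which the detection logic here cannot do.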
Respond
Regardless of how good the organization’s controls and tools may be, there will always be something that requires a human response. Having an incident response plan and testing it dramatically reduces the cost of a breach: by USD 2.66 million on average, per the same IBM report.
Additional controls can maximize your ransomware readiness: communication templates (so the team knows what to say, how, and to whom during an incident), mandatory post-event analysis, and Security Orchestration, Automation, and Response (SOAR) technology, either as a separate product or as a native part of an XDR solution.
Recover
Having a recovery plan, immutable cloud backups, and an incident communications plan are the three key controls to maximize your organization’s ransomware readiness.
A recovery plan for ransomware must include the means to recover encrypted data, reestablish operational systems, and restore customer trust in the event of a breach.
Ransomware works by denying you access to your data, usually by encrypting it (and, increasingly, by also exfiltrating it to extort you over disclosure). If the data can be restored from a backup the ransomware could not reach or alter (an immutable backup: one that cannot be modified or deleted during its retention period, even by an administrator account the attacker has compromised), the path to recovery is swift and relatively inexpensive. Per the Microsoft Digital Defense Report 2022, 44% of organizations impacted by ransomware did not have immutable backups.
An incident communication plan improves the organization’s ability to respond and minimize reputational damage by providing mechanisms for quickly alerting and coordinating internal and external stakeholders while monitoring customer sentiment.
To help cybersecurity leaders build ransomware resilience, Cynet is providing a quick, NIST-based ransomware readiness assessment along with a deeper dive into the core functions.