Detecting & Mitigating Ransomware Events
Ransomware is often dismissed as the “pest” of cyberattacks: disruptive but not terribly harmful. The attacker's primary motivation is a quick, low-risk profit. Malicious software is deployed to encrypt, or otherwise make unavailable, key information, and a ransom is demanded for its return.
At the same time, recently documented attacks have shown ransomware can be a mere “smoke screen” to divert attention while the attacker siphons, or exfiltrates, highly valuable data—such as personally identifiable information, protected health information, trade secrets and internal communications—out of the organization.
Exfiltration can have disastrous effects on the organization, from loss of public confidence to lost business and lawsuits. Given the stakes involved, it’s essential for an organization to conduct a forensic investigation of a ransomware incident to determine if exfiltration occurred.
Forensic Investigation Functions
- Forensically preserve affected systems
- Collect relevant logs & activity
- Maintain chain of custody of evidence
- Reconstruct event timeline
- Identify threat actor tactics
- Determine if data exfiltration occurred
- Quantify extent of data exfiltration
Suspected data exfiltration requires a robust and proactive investigative response and mitigation. For instance, when data exfiltration is suspected, insurance companies often require a forensic investigation as part of the settlement process, and insurers are increasingly reluctant to pay without one.
Forensic investigations also can uncover deficiencies and weaknesses in an organization’s cybersecurity planning and execution and form the basis for a robust post-breach cybersecurity assessment. A formal post-breach cybersecurity assessment has three phases.
Phase 1: Systems/Architecture Review
During this phase, the primary objective is to review current documentation, e.g., data flows and network diagrams, systems inventory and configurations, security policies and procedures, to gain a full understanding of the cybersecurity environment. Missing documentation is noted. A full network and systems architecture review may be conducted—along with network and system security testing—to identify vulnerabilities and document inconsistencies.
Phase 2: Cybersecurity Process & Control Review
A formal review of cybersecurity processes and controls should be performed using a robust, risk-based and generally accepted framework, e.g., the National Institute of Standards and Technology Cybersecurity Framework (NIST CSF), ISO/IEC 27002 (formerly ISO 17799) or the CIS Critical Security Controls (formerly the SANS 20).
A framework can help determine whether appropriate cybersecurity processes and controls are in place and functioning as intended. The NIST CSF consists of five core functions, i.e., identify, protect, detect, respond and recover (CSF 2.0 adds a sixth, govern), each broken down into categories and subcategories, e.g., asset management, governance, risk management and security continuous monitoring. Taken together, they represent the processes and controls that must be in place to identify risk, protect key information assets, detect and respond to a cybersecurity threat and, should a breach occur, recover from it. In addition, a framework can drive efficiency within the assessment process by establishing an inventory of relevant control activities and related risks.
Perhaps most beneficial is that the NIST CSF lets a company describe a current profile and a target profile for each area, with implementation tiers (partial, risk-informed, repeatable, adaptive) indicating how rigorously each area is practiced. The framework recognizes that not all process areas are at the same level of maturity and lets the company identify the extent to which policies and procedures have been defined, are implemented and up to date, have been communicated to employees, etc. Companies can set target tiers for each process area and prioritize the gaps, enabling the company to work toward continuous improvement.
Discussions of gap prioritization involve management determining the company’s “cybersecurity risk tolerance” to make financial and workforce allocation decisions. These discussions are critical for the assessment/gap analysis to succeed, as they help demonstrate the broad acceptance of and ownership for the assessment results among management. Through this process, management identifies the organization’s acceptable risk level and finalizes the prioritization of remediation efforts.
Phase 3: Remediation Road Map
Based on the finalized gap analysis, management should develop action plans that address the prioritized remediation efforts. The action plans will include:
- Remediation activities to complete, e.g., updating policies and procedures
- Type of investment, e.g., people, process and/or technology
- High-level estimate of effort to complete remediation
Remediation initiatives may include drafting policies, employing processes to implement user access provisioning, performing network vulnerability or penetration testing, etc. The resulting road map helps senior leadership, the board of directors and stakeholders have confidence that the organization’s cybersecurity program can respond to current and future risks.
A common recommendation from post-breach cybersecurity assessments is improved detection of potential breaches. Endpoint protection and endpoint detection and response (EDR) tools will often detect and isolate the malware used in ransomware attacks. However, we’ve seen many cases where alerts are ignored, misunderstood or disabled altogether, eliminating a front-line tool for mitigating ransomware attacks.
An essential tool for identifying ransomware, and the exfiltration that may precede it, is proactive, real-time monitoring of firewall and other system activity. Firewall logs record which internal hosts connected to which external addresses, when and how much data moved, so they can establish what happened and when, and they are frequently how a breach is first found. Real-time analysis of that activity can stop many attacks before encryption or exfiltration completes, yet it is rarely implemented. Some of the better “behavior-based” systems use machine-learning algorithms to model “normal” organizational behavior and quickly identify “abnormal” behavior, such as a workstation suddenly sending gigabytes to an address it has never contacted, that could indicate ransomware or another threat.
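The following is an added example, not code from the original article or from any product it mentions, of the baseline-and-deviation check described above applied to the two investigation functions listed earlier (determine whether exfiltration occurred, quantify its extent). It assumes a hypothetical space-separated firewall log format (timestamp, source, destination, destination port, bytes out); the hosts, addresses and byte counts are constructed for the example. A per-host baseline of hourly outbound volume and known destinations is built from a known-clean period, then the incident window is scored against it.

```python
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed firewall logs in a hypothetical space-separated format:
#   timestamp src_ip dst_ip dst_port bytes_out
# Neither the hosts nor the volumes come from a real incident.
BASELINE_LOG = """\
2024-03-01T09:00:00 10.0.1.20 52.1.1.1 443 120000
2024-03-01T10:00:00 10.0.1.20 52.1.1.1 443 95000
2024-03-01T11:00:00 10.0.1.20 40.2.2.2 443 140000
2024-03-01T12:00:00 10.0.1.20 52.1.1.1 443 110000
2024-03-01T13:00:00 10.0.1.20 52.1.1.1 443 105000
2024-03-01T09:00:00 10.0.1.21 52.1.1.1 443 50000
2024-03-01T10:00:00 10.0.1.21 52.1.1.1 443 42000
2024-03-01T11:00:00 10.0.1.21 52.1.1.1 443 61000
2024-03-01T12:00:00 10.0.1.21 40.2.2.2 443 55000
2024-03-01T13:00:00 10.0.1.21 52.1.1.1 443 47000
"""

# The window under investigation: one host pushes about 3.2 GB to an address
# it has never contacted, in the middle of the night, then behaves normally.
INCIDENT_LOG = """\
2024-03-02T02:00:00 10.0.1.20 203.0.113.50 443 1500000000
2024-03-02T03:00:00 10.0.1.20 203.0.113.50 443 1700000000
2024-03-02T09:00:00 10.0.1.20 52.1.1.1 443 115000
2024-03-02T09:00:00 10.0.1.21 52.1.1.1 443 49000
"""


def parse(log: str) -> list[dict]:
    """Parse log text into event dicts; blank lines are skipped."""
    events = []
    for line in log.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport, nbytes = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "src": src,
                       "dst": dst, "dport": int(dport), "bytes": int(nbytes)})
    return events


def _hour(ts: datetime) -> datetime:
    return ts.replace(minute=0, second=0, microsecond=0)


def hourly_totals(events: list[dict]) -> dict:
    """Outbound bytes per (source host, hour)."""
    totals = defaultdict(int)
    for e in events:
        totals[(e["src"], _hour(e["ts"]))] += e["bytes"]
    return dict(totals)


def build_baseline(events: list[dict]) -> dict:
    """Per host: mean and stdev of hourly outbound bytes, plus destinations seen."""
    samples = defaultdict(list)
    for (src, _), total in hourly_totals(events).items():
        samples[src].append(total)
    dests = defaultdict(set)
    for e in events:
        dests[e["src"]].add(e["dst"])
    baseline = {}
    for src, vals in samples.items():
        baseline[src] = {
            "mean": statistics.fmean(vals),
            "stdev": statistics.pstdev(vals) if len(vals) > 1 else 0.0,
            "dests": dests[src],
        }
    return baseline


def detect(events: list[dict], baseline: dict, z_threshold: float = 3.0) -> list[dict]:
    """Flag (host, hour) buckets whose volume is far above baseline or that
    reach destinations the host never contacted during the baseline period."""
    findings = []
    for (src, hour), total in sorted(hourly_totals(events).items()):
        b = baseline.get(src)
        if b is None:
            # A host with no history cannot be scored; surface it rather than skip it.
            findings.append({"src": src, "hour": hour.isoformat(), "bytes": total,
                             "z": None, "new_dests": set(), "reason": "no baseline"})
            continue
        # A near-constant history makes stdev tiny and z explode on harmless noise,
        # so never let the denominator fall below 10% of the mean (or 1 byte).
        spread = max(b["stdev"], 0.1 * b["mean"], 1.0)
        z = (total - b["mean"]) / spread
        new_dests = {e["dst"] for e in events
                     if e["src"] == src and _hour(e["ts"]) == hour} - b["dests"]
        if z >= z_threshold or new_dests:
            findings.append({"src": src, "hour": hour.isoformat(), "bytes": total,
                             "z": round(z, 1), "new_dests": new_dests,
                             "reason": "volume" if z >= z_threshold else "new destination"})
    return findings


def quantify_exfil(findings: list[dict]) -> dict:
    """Sum the bytes in flagged buckets per host: a working estimate of how much
    left, to be refined against proxy, NetFlow or DLP records."""
    totals = defaultdict(int)
    for f in findings:
        totals[f["src"]] += f["bytes"]
    return dict(totals)


if __name__ == "__main__":
    base = build_baseline(parse(BASELINE_LOG))
    hits = detect(parse(INCIDENT_LOG), base)
    for h in hits:
        print(h)
    print(quantify_exfil(hits))
```

On the constructed input, the two night-time buckets from 10.0.1.20 are flagged (new destination and a volume z-score far above 3) and the per-host total comes to 3.2 GB; the host's normal daytime traffic and the second host produce nothing. Two caveats a practitioner should carry into a real investigation: the baseline must come from a period you are confident was clean, since an attacker who staged data over weeks will have trained the "normal" you measure against; and firewall byte counts on port 443 show only that data moved, not what it was, so the figure is an upper bound to be narrowed with proxy, NetFlow or DLP evidence. Low-and-slow exfiltration that stays under the threshold and within known destinations will not trip this check, which is the gap the behavior-based tools mentioned above try to close.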