One of the best strategies for ransomware defence consists of layers that work to protect the organisation on multiple fronts. Read about each of the 10 layers we consider to be essential.
1. Asset management
Knowing your environment and understanding the dependencies within it are critical to your ransomware defence strategy. Remember that forgotten machines are ideal attack vectors. Old operating systems and apps should be firewalled.
2. Security training
Phishing is becoming more sophisticated, and attacks through social media are increasingly pervasive. General security training is critical so that staff also feel prepared when they are offsite (which is becoming increasingly common). It is therefore vital to give them a clear route to security team members when they have questions or require support.
3. Update and configuration
Apply security updates diligently. In short, this means all systems — no exceptions.
Also, take stock of what is in active use and what you no longer use. Specifically, you should remove unused software, close unused ports and stop services not in active use.
4. Email scanning
Email is a primary attack vector for ransomware. For this reason, one of the best ransomware defences is anti-phishing software. This is available as a managed service. It is most effective when offered alongside end-user training.
5. Endpoint protection
Endpoints present the ideal entry point. Endpoint protection (EP) software protects the internal network. Therefore, deny network access where EP software is:
- Not present
- Turned off
- Out of date
6. Segment network
Keeping disparate systems on separate networks is a highly effective defence. So, you’ll want to control borders between:
- Backup server and storage
- Manufacturing equipment
- Individual departments
- Office floors
- Primary/DR sites, etc.
7. Backup isolation
Isolating backups is critical, as these are often the primary attack target. Further measures to protect backups include granting access only to the backup team, and protecting that access with two-factor authentication (2FA) or privileged access management (PAM).
External Backup as a Service can offer ideal support here, because:
- It can store data offsite and off network
- It can prevent domain admins from obtaining access
- If the BaaS provider is isolated, then destructive requests will be questioned
8. Access control
Attackers want domain admin credentials. To make these harder for bad actors to obtain, give each admin user two separate IDs: an admin ID and a user ID. The admin ID should only be usable with 2FA or PAM. Furthermore, this ID should not be allowed to manage backups or networks.
9. Attack visibility
Visibility of an attack is absolutely essential. So, make sure to enable alarms for:
- Endpoint breaches
- Network segment failures
- Unexpected backup access
- Unusual user access
SIEM and UEBA are also recommended to make this possible.
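As an added example (not Proact's code, and not from the original article), the following script turns the access-control and visibility points above into concrete alarm logic: backup hosts reachable only by the backup team, admin IDs only with 2FA, and "unusual user access" judged against a per-account baseline of usual source subnet and working hours. The host names, account names, naming convention (`adm.` prefix), baseline values and log lines are all constructed for the example; a real SIEM or UEBA deployment would derive the baseline from historical data rather than a hard-coded table.

```python
"""Added example: evaluate constructed access events against the controls
described above. All hosts, accounts, baselines and log lines are made up."""
from dataclasses import dataclass
from datetime import datetime
from ipaddress import ip_address, ip_network

# --- Policy (constructed for this example) ---
BACKUP_HOSTS = {"bkp-srv-01", "bkp-stor-01"}      # backup server and storage
BACKUP_TEAM = {"adm.backup1", "adm.backup2"}      # the only IDs allowed on them
ADMIN_PREFIX = "adm."                             # assumed naming convention for admin IDs

# Per-account baseline of usual source subnet and working hours (constructed).
BASELINE = {
    "j.smith":     {"subnet": "10.20.0.0/16", "hours": (7, 19)},
    "adm.jsmith":  {"subnet": "10.99.0.0/24", "hours": (7, 19)},
    "adm.backup1": {"subnet": "10.99.0.0/24", "hours": (0, 24)},
}


@dataclass
class Event:
    ts: datetime
    user: str
    host: str
    src_ip: str
    mfa: bool


def parse_line(line: str) -> Event:
    """Parse one constructed 'ts|user|host|src_ip|mfa=yes/no' log line."""
    ts, user, host, src_ip, mfa = line.strip().split("|")
    return Event(datetime.fromisoformat(ts), user, host, src_ip, mfa == "mfa=yes")


def check_event(ev: Event) -> list[str]:
    """Return the alarm names this event should raise (empty list = normal)."""
    alarms = []
    # Backup isolation: only the backup team may touch backup hosts.
    if ev.host in BACKUP_HOSTS and ev.user not in BACKUP_TEAM:
        alarms.append("unexpected_backup_access")
    # Access control: admin IDs are only usable with 2FA.
    if ev.user.startswith(ADMIN_PREFIX) and not ev.mfa:
        alarms.append("admin_id_without_2fa")
    # Unusual user access: unknown account, unusual source, or unusual time.
    base = BASELINE.get(ev.user)
    if base is None:
        alarms.append("unknown_account")
        return alarms
    if ip_address(ev.src_ip) not in ip_network(base["subnet"]):
        alarms.append("unusual_source")
    start, end = base["hours"]
    if not start <= ev.ts.hour < end:
        alarms.append("unusual_time")
    return alarms


def triage(lines) -> list[tuple[str, str, list[str]]]:
    """Run every line through the checks; keep only events that raised alarms."""
    findings = []
    for line in lines:
        ev = parse_line(line)
        alarms = check_event(ev)
        if alarms:
            findings.append((ev.user, ev.host, alarms))
    return findings


# Constructed sample log: one normal user login, one normal backup-team login,
# one admin ID hitting backup storage at night without 2FA, one unknown account.
SAMPLE_LOG = [
    "2024-03-04T09:12:00|j.smith|fileserver-01|10.20.4.17|mfa=no",
    "2024-03-04T09:30:00|adm.backup1|bkp-srv-01|10.99.0.5|mfa=yes",
    "2024-03-04T02:47:00|adm.jsmith|bkp-stor-01|10.20.4.17|mfa=no",
    "2024-03-04T11:05:00|svc.unknown|fileserver-01|172.16.8.9|mfa=no",
]

if __name__ == "__main__":
    for user, host, alarms in triage(SAMPLE_LOG):
        print(f"{user} -> {host}: {', '.join(alarms)}")
```

Running the script reports two of the four events: the `adm.jsmith` access to `bkp-stor-01` raises all four alarms at once (which is exactly the pattern the backup-isolation and admin-ID rules are meant to surface), and the unknown service account is flagged for follow-up. The two routine logins produce nothing, which is the point of a baseline: alarms stay actionable only if normal activity is quiet.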
10. Response time
Understand attack alerts and plan response actions. For example, come up with plans for the following situations:
- Attack on backup solution
- Laptop infected and on VPN
- Attack on key business service
Give the response team the authority to act straight away. Also, don’t make their actions dependent on one person’s decisions (i.e. the managing director, CEO, etc.).
Proact is your partner in protection, and we have years of experience helping organisations to develop their ransomware defence plans. Find out more about how we work to protect and secure your data here, or get in touch with us at firstname.lastname@example.org.