Learnings from CISA Ransomware Guide

CISA released Ransomware Guide last year. I found it to be very informative and hence thought of sharing the gist of learnings from the CISA Ransomware Guide. Before I dive into the learnings from the guide, I want to highlight CISA tag line:

Defend Today, Secure Tomorrow

This makes perfect sense with focus on “proactive cybersecurity for protection” or “defend to secure“.

CISA Ransomware Guide is organized into 2 parts as below:

1. Ransomware Prevention Best Practices – This maps to the defend or protect part and it covers multiple aspects/dimensions as we will see a little later in this article.
2. Ransomware Response Checklist – The response part is essentially the reactive part wherein organizations need to detect and contain the attack.

Let us dive right in.

Ransomware Prevention Best Practices

This focuses on different Infection Vectors from Ransomware perspective, as below:

Internet-facing vulnerabilities and misconfigurations

Major part of this maps to identifying vulnerabilities and periodic patching. Most vulnerability scanning solutions are scheduled and hence do not offer continuous protection. Organizations need to leverage proactive vulnerability scanning solutions which offer continuous protection.

Identifying and plugging in misconfigurations is equally important. For example disable ports, protocols and services that are not being used for business purpose. For example – Remote Desktop Protocol (RDP) or disabling outdated versions of Server Message Block (SMB) protocol.

Phishing

CISA Ransomware Guide mentions that the organization needs to start with cybersecurity user awareness and training program along with conducting organization-wide phishing tests or campaigns to gauge level of awareness achieved.

Organizations should implement filters at email gateway to filter out emails with known malicious indicators. Also, organizations should ensure that their web firewalls block known bad URLs, IPs, etc. A good Threat Intelligence Platform (TIP) solution needs to be utilized here.

Precursor Malware Infection

Organizations need to ensure that antivirus and anti-malware signatures are up to date and better option is to turn on “automatic updates” for both solutions. Enable application directory allowlisting to only allow authorized software to run. Deploy an Intrusion Detection System (IDS) to detect command and control activity and other potentially malicious network activity that occurs prior to ransomware deployment.

Third Parties and Managed Service Providers

Organizations needs to take into consideration risk management and cyber security of their third parties or managed service providers, especially given that the chain is as strong as its weakest link. MSPs have been an attractive target for attackers for ransomware impacting client organizations.

Ransomware Response Checklist

This focuses on three areas as below:

Detection and Analysis

This involves the following:

1. Determining which systems were impacted and immediately isolate them.
2. If you are unable to disconnect systems from the network, then power them down.
3. Triage impacted systems for restoration and recovery.
4. Perform initial analysis and document the same.
5. Share analysis information with relevant stake holders and authorities.

Containment and Eradication

This includes:

1. Preserve evidence (system images, logs, etc.)
2. Consult authorities (Federal Law Enforcement) for possible decryptors available.
3. Research trusted guidance for particular ransomware.
4. Identify systems and accounts in the initial breach.
5. Identify any dormant malware (persistent).
6. Rebuild critical systems based on pre-configured images.
7. After environment is rebuilt, issue password resets for all affected systems and address any gaps in security identified.

Recovery and Post-Incident Activity

This mainly involves:

1. Reconnect systems and restore data.
2. Document lessons learnt from the incident.

The document also provides General Best Practices and Hardening Guidance as below:

• Employ Multi-Factor Authentication (MFA).
• Apply principle of Least Privilege.
• Leverage best practices and enable security settings in association with cloud environments.
• Develop and keep updated a comprehensive network diagram.
• Employ logical or physical network segmentation.
• Ensure your organization has a comprehensive asset management approach. 
• Restrict usage of PowerShell using Group Policy to specific users on a case by case basis.
• Secure your Domain Controllers (DCs)
• Retain and secure logs from both network devices and local hosts.
• Baseline and analyze network activity over a period of months to determine and establish normal behavioral patterns.

ThreatWatch is a Proactive Cybersecurity Solution which can help identify organizational assets which are vulnerable to Ransomware and malware attacks. This intelligence can help security teams plug in these gaps and prevent a ransomware attack. To learn more about how ThreatWatch can help secure your organization, write to us at info@threatwatch.io