No Tears for WannaCry: Five Steps Every CISO Should Consider for Protecting Your Organization from Ransomware
Over the past few days WannaCry malicious malware variants affected hundreds of organizations across the world. This cyberattack spread primarily by exploiting a vulnerability whose manufacturer had issued a critical security update over two months ago.
While there are certainly reasons why it may take an organization some time to patch vulnerable systems, including the risk of updating live systems, two months should be plenty of time for any organization to take appropriate steps to secure their environment.
With the recent malware fresh in our memories, this is a good time for CISOs and cybersecurity teams to review their strategies and operational posture. Here is a list of five critical security things that every organization should have in place:
Ask yourself the fundamental question: ‘What would I do differently if I knew I was going to be compromised?’ With that frame of mind, the first two things you should do are:
1. Establish an incident response team
Far too often, internal confusion about how to respond to an active threat delays an adequate response. That’s why it is essential that an incident response team is designated, with clearly defined roles and responsibilities assigned to team members. Lines of communication also need to be established, along with a chain of command and a decision making tree. To be effective, this team needs to be intimately familiar with business and communications processes and priorities, which systems can be safely shut down, and how to determine if a live threat will affect components of your organization’s infrastructure. A variety of threat scenarios need to be considered, and where possible, drills need to be run to identify gaps in procedures and tools to ensure that a response is immediate and effective. And, the incident response team needs to have a means of communicating that does not rely on the availability or integrity of the organization’s IT.
2. Limit bad consequences by using Consequence-based engineering
An effective security strategy requires more than deploying security technology into your infrastructure. Security planning needs to start with an analysis of your architecture with an eye toward engineering-out the bad Consequences that can happen should an attack or a breach occur. The counter-ransomware example would include ensuring that your key information assets are backed up and stored offline. More generally, Consequence-based engineering involves understanding your key assets, determining what sorts of threats your organization is most vulnerable to – such as remote access denial, corrupted applications or data, or rendering key IT or operational assets unavailable– and engineering as much of that risk out by design, to eliminate or minimize the potential of such consequences if a threat is realized.
The next three steps are more operational-oriented. Alone, each is insufficient. Together, they represent ‘defense in depth’.
3. Prevent compromise by practicing good hygiene
Establish and maintain a formal patching and updating protocol. Ideally, this would be automated and measured. In addition, a process needs to be implemented to identify and either replace or take offline those systems that can’t be patched. For the past fifteen years, our FortiGuard threat research and response team has been monitoring, documenting, and responding to threats on a global scale. In our experience, the vast majority of compromises could have been prevented if organizations had simply taken the time to update or replace vulnerable systems. In addition, regularly make a good copy of your key assets, scan them for malware, and then physically store them offline in case ransomware or a similar disabling cyberattack does indeed hit you.
4. Protect your network by creating and using signatures
While new attacks are a real risk, most breaches are actually caused by attacks that have been around for weeks, months, or sometimes even years. Signature-based detection tools allow you to quickly look for and block an attempted infiltration’s execution.
5. Detect and respond to yet-to-be-seen threats by using behavior-based analysis
Not all threats have a recognizable signature. Behavior-based security tools can look for covert command & control systems, identify inappropriate or unexpected traffic or device behavior, disable things like zero-day variants via detonation chambers/sandboxing, and correlate data to identify and respond to advanced threats.
And just on the horizon, is the need to use modeling and automation to predict risks, and shorten the time between detection and response, and implement and integrate new approaches suited to your organization’s unique profile.
For example, ”auto-resiliency” to a combined worm / ransomware attack like the one we just witnessed could include automated measures to detect the threat in cyber-relevant time, automatically isolate key assets, the automatic creation of new, pristine network capacity or infrastructure, either locally or in the cloud, and the automatic redeployment of critical tools and assets from secure storage to get your organization back online as fast as possible.
The Fortinet Security Fabric has been designed to provide a security framework that utilizes advanced threat intelligence sharing and an open architecture so you tie your security and networking components into a single, automated, and proactive defense and response system. It also enables you to seamlessly integrate new technologies as they are developed so your network can quickly implement the latest security strategies and solutions. And perhaps most promising, it represents a strategy for ‘future proofing’, i.e., the ability to seamlessly add advanced techniques and technologies as they emerge, without throwing out your existing enterprise.
The disruption that ransomware can cause is not insignificant – WannaCry will, indeed, be a painful experience. Though no solution is foolproof, the above steps can go a long way in minimizing future tears.