Five essential actions to take for your cyber security in 2022

2022-05-09 Paliscope

Ransomware attacks are increasing rapidly, and many business operations are severely impacted by critical system downtime and the loss of sensitive data.

The attacker will always have the benefit of choosing time and attack vector. However, the battle is not lost. By learning from actual attacks, we can articulate the key actions your organization can take to detect before impact, investigate when it happens, and minimize consequences when it does.

1. Set up managed EDR from a skilled service provider

If we look back a few years, organizations’ primary security strategy was to establish perimeter protection with traditional IT-security measures such as firewalls and anti-virus. Nowadays, cyber-attackers are much more advanced, making their way into a company’s network in different ways.

Since your organization must assume it will be breached, it needs to get better at detecting attackers when they start to move around inside the company’s network.

Endpoint detection and response (EDR) is a system to gather and analyze security threat-related information from clients, servers, and other end-points to find security breaches as they happen and facilitate a quick response.

A common mistake is just buying a product, thinking that it will solve the problem. Unfortunately, we have met many customers who had a security breach, and the common factor is that they did not have a managed EDR with a skilled service provider.

Therefore, we recommend setting that up immediately since it’s crucial for your ability to defend against ransomware and other types of cyberattacks.

2. Have ransomware-secure backups for critical systems

Most companies have backups to ensure speedy restoration of critical systems if a server crashes. But there is an essential distinction between a standard backup and a ransomware-secure backup.

When a ransomware attack happens, the attackers usually target the organization’s critical systems, encrypt the environment, and destroy the backups, making restoration impossible.

When this happens, most people just pay the criminals to get their data back, which unfortunately increases the likelihood of being attacked again since the criminals know they will probably pay.

If you have ransomware-secure backups, it is much easier to say no when the attackers strike, knowing you can save your company.


3. Save adequate logs to be able to find patient zero and understand data loss

As we mentioned before, an attacker has many ways into the company, making it impossible to be entirely safe. That is why we talk about managed EDR and ransomware-secure backups.

Even if you stop them early, they have quite often already stolen a lot of your data. And if you don’t have adequate logs, you won’t be able to answer these critical questions:

  • Did they steal anything?
  • What did they steal?
  • When did they steal it?
  • And how much did they steal?

All systems can generate logs. You need somewhere to store the logs where the attackers can’t reach and destroy them. So when required, you should be able to look at your logs and recreate the chain of events to find patient zero and understand data loss.

The hardest part is knowing what logs to save and how long. The general recommendation for most organizations is to keep 12 months of AD, Firewall, and application logs for critical systems.

However, this can be expanded in more detail based on the specific requirements, threats, and business operations of the organization in scope.

4. Use multifactor authentication and protect your high privilege access users

A common way for a ransomware group to enter your company is to perform phishing. One way to help prevent damage from occurring is to have multifactor authentication.

Multifactor authentication should be used everywhere by everyone in your organization, although the most important thing is protecting your high privilege access users. These are the people who have access to all systems, who assign permissions to others, and who can go in and make changes to systems.

Even though the attacker usually comes in via a vulnerability or phishing mail through a regular employee, they will often look around until they find the person with the master key. And when they do, they can damage the whole company.

Most multifactor authentication is based on one of three types of additional information:

  • Things you know (knowledge), such as a PIN or password
  • Items you have (possession), such as a smartphone or a security key
  • Something you are (inherence), such as a biometric like fingerprints or face recognition

It could be a code sent to your phone, an app, or a security key. When you have multifactor authentication, you have to prove who you are, which makes a big difference because the attacker can’t recreate this kind of authentication.

Multifactor authentication is an easy step to take action on, making things harder for criminals looking to steal your data.

5. Establish vulnerability management

We recommend setting up a robust vulnerability management program. Today most cyberattacks are initiated by exploiting known vulnerabilities present in the organization’s IT estate or supply chain. The problem is not new, but it is complex. We highly recommend that our clients continuously inform themselves about which vulnerabilities are actively being exploited. These should be patched with urgency.

Overall, it is good practice to establish a robust vulnerability scanning service to understand your vulnerabilities. You should also include a simple prioritization model on which exposure to patch first and select and continuously follow metrics such as “mean time to patch critical vulnerabilities” or “percentage of servers with no critical vulnerability.”

This will allow you to identify potential process weaknesses in your IT operation and enable your team to work with better precision.
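As an added illustration (not from the original article or from Paliscope) of the prioritization model and the two metrics named above, the following Python script orders open findings from a constructed scan result (actively exploited first, then by severity, then oldest first) and computes “mean time to patch critical vulnerabilities” and “percentage of servers with no critical vulnerability”. Host names, vulnerability ids and dates are constructed placeholders.

```python
from dataclasses import dataclass
from datetime import date
from statistics import mean
from typing import Optional

# Constructed sample findings (not real scan data): one row per (host, vulnerability).
@dataclass
class Finding:
    host: str
    vuln_id: str          # placeholder ids, not real CVE numbers
    severity: str         # "critical" | "high" | "medium" | "low"
    exploited: bool       # known to be actively exploited in the wild
    found: date           # date the scanner first reported it
    patched: Optional[date] = None   # None = still open

FINDINGS = [
    Finding("dc01",  "VULN-0001", "critical", True,  date(2022, 3, 1),  date(2022, 3, 3)),
    Finding("web01", "VULN-0002", "critical", False, date(2022, 3, 1),  date(2022, 3, 15)),
    Finding("web01", "VULN-0003", "high",     True,  date(2022, 3, 5),  None),
    Finding("app01", "VULN-0004", "critical", False, date(2022, 3, 10), None),
    Finding("fs01",  "VULN-0005", "medium",   False, date(2022, 3, 12), date(2022, 3, 30)),
    Finding("fs01",  "VULN-0006", "low",      False, date(2022, 3, 12), None),
]
SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3}

def prioritize(findings):
    """Simple prioritization model: actively exploited first, then by severity,
    then oldest first. Returns only open findings, in the order to patch them."""
    open_findings = [f for f in findings if f.patched is None]
    return sorted(open_findings, key=lambda f: (not f.exploited, SEVERITY_RANK[f.severity], f.found))

def mean_time_to_patch_critical(findings):
    """Mean days from detection to patch, over critical findings that have been patched."""
    days = [(f.patched - f.found).days for f in findings
            if f.severity == "critical" and f.patched is not None]
    return mean(days) if days else None

def pct_hosts_without_open_critical(findings):
    """Percentage of hosts with no open critical finding."""
    hosts = {f.host for f in findings}
    with_open_critical = {f.host for f in findings if f.severity == "critical" and f.patched is None}
    return 100.0 * (len(hosts) - len(with_open_critical)) / len(hosts)

if __name__ == "__main__":
    for f in prioritize(FINDINGS):
        print(f.host, f.vuln_id, f.severity, "exploited" if f.exploited else "")
    print("Mean time to patch critical (days):", mean_time_to_patch_critical(FINDINGS))
    print("Hosts with no open critical (%):", pct_hosts_without_open_critical(FINDINGS))
```

Tracking these two numbers over successive scans is what exposes the process weaknesses the paragraph above refers to, for example a rising mean time to patch on one team’s hosts.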

We hope that you, with this article, have gained some more knowledge about how to protect your company against cyber attackers. Since the cyber threat landscape is constantly changing, we might have to update this list in the near or far future.

If you need help finding the right technology or need cyber security advice for your company, you are welcome to contact us.

Now it’s time to take action!
