
Federal Agencies Publish New Version Of The #StopRansomware Guide




On May 23, 2023, the Cybersecurity and Infrastructure Security
Agency (CISA) published a second edition of the #StopRansomware Guide (the Guide). The Guide,
first published in September 2020, aims to help organizations
reduce the risk of ransomware attacks, and it provides best
practices to prevent, detect, respond to and recover from such
incidents. The 2023 version contains updated guidance and best
practices in the areas of initial infection vectors, cloud backups,
zero trust architecture and ransomware response.

The Guide draws on operational insight from CISA, the Federal
Bureau of Investigation (FBI), the National Security Agency, and
the Multi-State Information Sharing and Analysis Center (MS-ISAC),
in coordination with the Joint Ransomware Task Force. The Guide
aims to assist information technology professionals and others in
developing effective cyber incident prevention and response
policies.

Since the initial version of the Guide, ransomware concerns have
only intensified. Ransomware attacks have increased in both number
and impact in recent years across all sectors. Federal agencies
have observed ransomware incidents in at least 14 of 16 critical infrastructure sectors,
including attacks against organizations in the healthcare sector, energy sector and financial services sector. The new version of
the Guide responds to the increased sophistication and frequency of
ransomware attacks since the publication of the original 2020 version.

Updates in the 2023 Guide

The #StopRansomware Guide provides cyber incident detection and
response information in two parts. Part 1 is dedicated to
ransomware and data extortion preparation, prevention and
mitigation best practices. Part 2 provides a step-by-step
ransomware and data extortion response checklist for organizations
responding to a ransomware attack. The Guide provides additional
recommendations for preventing common initial infection vectors,
updates recommendations to address cloud backups and zero trust
architecture, and expands the ransomware response checklist with
threat-hunting tips. More detail on each of these updates is
included below.

  • Common Initial Infection Vectors. The
    updated Guide provides new recommendations related to compromised
    credentials. The Guide recommends, among other things, improving
    password security training, implementing phishing-resistant
    multifactor authentication, and subscribing to credential
    monitoring services that watch the dark web for exposed credentials
    so they can be reset before they are used against the organization.

  • Cloud Backups. The Guide suggests
    that companies consider using a multicloud solution for backing up
    critical data, to avoid vendor lock-in for cloud-to-cloud backups in
    case all accounts under the same vendor are affected by an attack. It
    also suggests considering immutable storage offerings, which can
    protect stored data without the need for a separate environment, but
    with caution: such solutions do not always meet compliance criteria
    under certain regulations, and misconfiguring them can be costly.

  • Zero Trust Architecture. The Guide
    also recommends implementing zero trust architecture, a framework for
    securing data and infrastructure where devices and users are not
    trusted by default.

  • Threat-Hunting Tips. The Guide also
    expands the ransomware and data extortion response checklist with
    threat hunting tips for detection and analysis of ransomware. This
    expansion provides a list of specific threats or suspicious
    circumstances to search for during a ransomware response, including
    newly created accounts, anomalous VPN device logins or other
    suspicious logins, and signs of endpoint modifications, remote
    usage, or unexpected software among other system changes.
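As an added illustration of the hunting checks listed above (example code, not part of the Guide or of this article), the following Python script triages a constructed, simplified event feed for the same indicators: newly created accounts and privilege grants, VPN logins from an unusual country, remote logons by a brand-new account, and unexpected remote-access software. The field names, the organizational baseline and the sample records are all assumptions; a real hunt would read the same signals from Windows Security logs (event IDs 4720, 4732, 4624, 4688) and the VPN concentrator.

```python
"""Threat-hunting triage over a simplified, constructed event feed.

Added example: the one-JSON-object-per-line format and its field names are
assumed, not a real SIEM export. Windows Security event IDs are real:
4720 = user account created, 4732 = member added to a local group,
4624 = successful logon (logon_type 10 = RemoteInteractive/RDP),
4688 = new process created.
"""
import json
from datetime import datetime

# Constructed sample events (assumed schema). Paths use JSON-escaped backslashes.
SAMPLE_LOG = r"""
{"ts":"2023-05-20T02:11:09Z","src":"winsec","event_id":4720,"host":"DC01","target_user":"svc_backup2","subject_user":"jdoe"}
{"ts":"2023-05-20T02:12:40Z","src":"winsec","event_id":4732,"host":"DC01","target_user":"svc_backup2","group":"Administrators","subject_user":"jdoe"}
{"ts":"2023-05-20T02:15:00Z","src":"vpn","event_id":0,"user":"jdoe","remote_ip":"203.0.113.7","country":"RO"}
{"ts":"2023-05-20T02:20:31Z","src":"winsec","event_id":4624,"host":"FS01","target_user":"svc_backup2","logon_type":10,"remote_ip":"10.0.5.44"}
{"ts":"2023-05-20T02:25:12Z","src":"winsec","event_id":4688,"host":"FS01","target_user":"svc_backup2","process":"C:\\Users\\Public\\AnyDesk.exe"}
{"ts":"2023-05-19T09:03:00Z","src":"vpn","event_id":0,"user":"asmith","remote_ip":"198.51.100.20","country":"US"}
{"ts":"2023-05-19T09:10:00Z","src":"winsec","event_id":4688,"host":"WS22","target_user":"asmith","process":"C:\\Windows\\System32\\notepad.exe"}
"""

# Assumed organizational baseline (constructed): what "normal" looks like.
BASELINE = {
    "approved_account_admins": {"it_admin"},          # who may create/elevate accounts
    "usual_vpn_countries": {"jdoe": {"US"}, "asmith": {"US"}},
    "approved_remote_tools": {"mstsc.exe", "msra.exe"},  # sanctioned remote-access binaries
    "business_hours_utc": range(12, 23),              # 12:00-22:59 UTC
}

# Common remote-access / lateral-movement tools worth flagging if unsanctioned.
REMOTE_ACCESS_TOOLS = {
    "anydesk.exe", "teamviewer.exe", "screenconnect.exe", "atera.exe", "psexec.exe",
}


def hunt(log_text, baseline=BASELINE):
    """Return a chronological list of (indicator, detail) findings."""
    events = [json.loads(line) for line in log_text.strip().splitlines()]
    events.sort(key=lambda e: e["ts"])  # ISO-8601 UTC strings sort lexicographically
    findings = []
    new_accounts = set()  # accounts created inside the window under review

    for e in events:
        hour = datetime.fromisoformat(e["ts"].replace("Z", "+00:00")).hour
        off_hours = hour not in baseline["business_hours_utc"]
        src, eid = e["src"], e["event_id"]

        if src == "winsec" and eid == 4720:
            new_accounts.add(e["target_user"])
            if e["subject_user"] not in baseline["approved_account_admins"] or off_hours:
                findings.append(("new_account",
                                 f'{e["target_user"]} created by {e["subject_user"]} '
                                 f'on {e["host"]} at {e["ts"]}'))
        elif src == "winsec" and eid == 4732:
            if e["target_user"] in new_accounts or e["group"] == "Administrators":
                findings.append(("privilege_grant",
                                 f'{e["target_user"]} added to {e["group"]} by '
                                 f'{e["subject_user"]} on {e["host"]}'))
        elif src == "vpn":
            usual = baseline["usual_vpn_countries"].get(e["user"], set())
            if e["country"] not in usual:
                findings.append(("anomalous_vpn_login",
                                 f'{e["user"]} from {e["remote_ip"]} ({e["country"]}) at {e["ts"]}'))
        elif src == "winsec" and eid == 4624:
            if e.get("logon_type") == 10 and e["target_user"] in new_accounts:
                findings.append(("remote_logon_new_account",
                                 f'{e["target_user"]} RDP logon to {e["host"]} from {e["remote_ip"]}'))
        elif src == "winsec" and eid == 4688:
            exe = e["process"].rsplit("\\", 1)[-1].lower()
            if exe in REMOTE_ACCESS_TOOLS and exe not in baseline["approved_remote_tools"]:
                findings.append(("unexpected_remote_tool",
                                 f'{exe} launched by {e["target_user"]} on {e["host"]}'))
    return findings


def accounts_to_review(findings):
    """Distinct user names that appear in any finding, for the interview/reset list."""
    names = set()
    for _, detail in findings:
        names.add(detail.split()[0])
    return sorted(names)


if __name__ == "__main__":
    results = hunt(SAMPLE_LOG)
    for indicator, detail in results:
        print(f"[{indicator}] {detail}")
    print("review:", ", ".join(accounts_to_review(results)))
```

Run as written, the script flags the five suspicious events in the constructed feed and ignores the two benign ones; the off-hours account creation by a non-approved user, its immediate elevation, and the RDP logon and AnyDesk launch under the new account form the kind of chain the checklist asks responders to look for.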

Other Useful Insights

In addition to making key cybersecurity recommendations, the
Guide outlines the nature of law enforcement’s interest in a
company’s investigation information. The Guide’s checklist
includes a list of items (e.g., malware samples, PowerShell scripts
executed on the network, bitcoin wallets used to pay the ransom)
that CISA, MS-ISAC or other law enforcement agencies may request as
part of a victim company’s cooperation during the incident. In
our experience, the provided list is a helpful and representative
outline of potential requests victim companies may receive from law
enforcement agencies, such as the FBI or the U.S. Secret Service,
as part of their investigations.

One thing to keep in mind for companies that are closely
cooperating with law enforcement: the sensitivity or breadth of a
law enforcement investigation may make it so that an agency is
unable to immediately share information with a victim company in
return. While this is not a reason to be uncooperative—there
are many good reasons to cooperate with law enforcement, including
if a company is planning to make a ransomware
payment—expectations should be appropriately set for company
leaders.

On the topic of ransom payment, the Guide reinforces the current
position of US government agencies on whether an organization
should pay ransom: the Guide-authoring organizations “do not
recommend paying ransom” and provide a number of arguments
against making a payment (including the potential for sanctions
risk), implicitly acknowledging that organizations may have
compelling arguments in favor of payment. This statement in the
Guide highlights what it does not provide: a framework for how to
decide whether to make a payment.

The pay/no-pay decision is complex, and cyber incident response
plans should at least contemplate who will be responsible
for making this decision, the requisite authority to approve a
payment, and the involvement of in-house legal and outside counsel
in the various stages of payment, including evaluating the legality
of a payment. Many organizations go further, outlining specific
questions or key decision points that inform whether a payment will
be made and how. Even if an organization does not believe it will
ever make a ransom payment, planning for the mechanism of payment
(e.g., considering who will facilitate negotiations, how certain
currencies will be obtained and transferred) is important advance
planning if a company ultimately decides to pay.

Key Takeaways

Organizations looking to better protect against ransomware
attacks should keep the following considerations in mind:

  • Ransomware attacks have increased in number and effect in
    recent years, and all sectors have felt the impact of these
    attacks.

  • The #StopRansomware Guide provides a reasonable starting point
    for best practices and a step-by-step checklist for responding in
    case of an attack.

  • The 2023 update provides expanded best practices responsive to
    developments in the field, including new common initial infection
    vectors, cloud backups and zero trust architecture recommendations,
    and threat-hunting tips.

The agencies behind the #StopRansomware Guide also publish
timely cybersecurity alerts and advisories (CISA, FBI) on an ongoing basis to keep stakeholders
updated on burgeoning threats.

The content of this article is intended to provide a general
guide to the subject matter. Specialist advice should be sought
about your specific circumstances.
