On May 23, 2023, the Cybersecurity and Infrastructure Security
Agency (CISA) published a second edition of the #StopRansomware Guide (the Guide). The Guide,
first published in September 2020, aims to help organizations
reduce the risk of ransomware attacks, and it provides best
practices to prevent, detect, respond to and recover from such
incidents. The 2023 version contains updated guidance and best
practices in the areas of initial infection vectors, cloud backups,
zero trust architecture and ransomware response.
The Guide draws on operational insight from CISA, the Federal
Bureau of Investigation (FBI), the National Security Agency, and
the Multi-State Information Sharing and Analysis Center (MS-ISAC),
in coordination with the Joint Ransomware Task Force. The Guide
aims to assist information technology professionals and others in
developing effective cyber incident prevention and response
policies.
Since the initial version of the Guide, ransomware concerns have
only intensified. Ransomware attacks have increased in both number
and impact in recent years across all sectors. Federal agencies
have observed ransomware incidents in at least 14 of 16 critical infrastructure sectors,
including attacks against organizations in the healthcare sector, energy sector and financial services sector. The new version of
the Guide responds to the increased sophistication and frequency of
ransomware attacks since the publication of the original 2020 version.
Updates in the 2023 Guide
The #StopRansomware Guide provides cyber incident detection and
response information in two parts. Part 1 is dedicated to
ransomware and data extortion preparation, prevention and
mitigation best practices. Part 2 provides a step-by-step
ransomware and data extortion response checklist for organizations
responding to a ransomware attack. The Guide provides additional
recommendations for preventing common initial infection vectors,
updates recommendations to address cloud backups and zero trust
architecture, and expands the ransomware response checklist with
threat-hunting tips. More detail on each of these updates is
included below.
- Common Initial Infection Vectors. The updated Guide provides new recommendations related to compromised credentials. The Guide recommends, among other things, improving password security training, implementing phishing-resistant multifactor authentication, and subscribing to dark web credential monitoring services to identify potentially compromised credentials.
- Cloud Backups. The Guide suggests that companies consider using a multicloud solution for backing up critical data, to avoid vendor lock-in for cloud-to-cloud backups and the risk that all accounts under the same vendor are affected by a single attack. The Guide cautions against relying on immutable storage solutions, which can protect stored data without the need for a separate environment, because these solutions do not always meet compliance criteria under certain regulations.
- Zero Trust Architecture. The Guide also recommends implementing zero trust architecture, a framework for securing data and infrastructure in which devices and users are not trusted by default.
- Threat-Hunting Tips. The Guide also expands the ransomware and data extortion response checklist with threat-hunting tips for the detection and analysis of ransomware. This expansion provides a list of specific threats or suspicious circumstances to search for during a ransomware response, including newly created accounts, anomalous VPN device logins or other suspicious logins, and signs of endpoint modifications, remote access usage, or unexpected software, among other system changes.
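A minimal hunt over constructed log lines for three of the indicators the checklist names (new accounts, anomalous VPN logins, unexpected software). This is an added example, not code from the Guide or the article; the log format, the baselines, the business-hours window and the approved-software list are assumptions.

```python
"""Threat-hunt pass over constructed log lines for indicators the Guide's
checklist names: new accounts, anomalous VPN logins, unexpected software."""
from datetime import datetime

# Constructed sample events (not from the Guide or any real incident).
# 4720 / 4732 are the Windows Security event IDs for "user account created"
# and "member added to security-enabled local group".
LOGS = [
    "2023-06-01T02:14:07 host=DC01 event=4720 subject=admin target=svc_backup2",
    "2023-06-01T02:15:10 host=DC01 event=4732 subject=admin member=svc_backup2 group=Administrators",
    "2023-06-01T02:20:31 host=VPN01 event=vpn_login user=jsmith src_ip=203.0.113.45 geo=RU",
    "2023-06-01T09:00:05 host=VPN01 event=vpn_login user=jsmith src_ip=198.51.100.7 geo=US",
    "2023-06-01T02:25:44 host=WS17 event=software_install user=svc_backup2 product=AnyDesk",
    "2023-06-01T10:12:00 host=WS09 event=software_install user=mlee product=7-Zip",
]

# Hypothetical baselines a responder would load from the environment.
BASELINE_GEOS = {"US"}
APPROVED_SOFTWARE = {"7-Zip", "Microsoft Office"}
BUSINESS_HOURS = range(7, 19)  # 07:00-18:59 local time

def parse(line):
    """Turn 'ts k=v k=v ...' into a dict; the first token is the timestamp."""
    ts, *pairs = line.split()
    rec = dict(p.split("=", 1) for p in pairs)
    rec["ts"] = datetime.fromisoformat(ts)
    return rec

def hunt(lines):
    """Return (indicator, detail) findings in log order."""
    findings, new_accounts = [], set()
    for rec in map(parse, lines):
        ev = rec["event"]
        if ev == "4720":  # account created during the response window
            new_accounts.add(rec["target"])
            findings.append(("new_account", rec["target"]))
        elif ev == "4732" and rec["member"] in new_accounts:  # new account made privileged
            findings.append(("new_account_privileged", f"{rec['member']}->{rec['group']}"))
        elif ev == "vpn_login":
            off_hours = rec["ts"].hour not in BUSINESS_HOURS
            if rec["geo"] not in BASELINE_GEOS or off_hours:
                findings.append(("anomalous_vpn_login", f"{rec['user']}@{rec['src_ip']}"))
        elif ev == "software_install" and rec["product"] not in APPROVED_SOFTWARE:
            findings.append(("unexpected_software", f"{rec['product']} on {rec['host']}"))
    return findings

if __name__ == "__main__":
    for indicator, detail in hunt(LOGS):
        print(f"{indicator:24} {detail}")
```

On the sample above the pass flags the new account, its addition to Administrators, the off-hours VPN login from an unfamiliar country, and the unapproved remote-access tool, while the daytime US login and the approved archiver pass silently.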
Other Useful Insights
In addition to making key cybersecurity recommendations, the
Guide outlines the nature of law enforcement’s interest in a
company’s investigation information. The Guide’s checklist
includes a list of items (e.g., malware samples, PowerShell scripts
executed on the network, bitcoin wallets used to pay the ransom)
that CISA, MS-ISAC or other law enforcement agencies may request as
part of a victim company’s cooperation during the incident. In
our experience, the provided list is a helpful and representative
outline of potential requests victim companies may receive from law
enforcement agencies, such as the FBI or the U.S. Secret Service,
as part of their investigations.
One thing to keep in mind for companies that are closely
cooperating with law enforcement: the sensitivity or breadth of a
law enforcement investigation may make it so that an agency is
unable to immediately share information with a victim company in
return. While this is not a reason to be uncooperative—there
are many good reasons to cooperate with law enforcement, including
if a company is planning to make a ransomware
payment—expectations should be appropriately set for company
leaders.
On the topic of ransom payment, the Guide reinforces the current
position of US government agencies on whether an organization
should pay ransom: the Guide-authoring organizations “do not
recommend paying ransom” and provide a number of arguments
against making a payment (including the potential for sanctions
risk), implicitly acknowledging that organizations may have
compelling arguments in favor of payment. This statement in the
Guide highlights what it does not provide: a framework for how to
decide whether to make a payment.
The pay/no-pay decision is complex, and cyber incident response
plans should at least contemplate who will be responsible
for making this decision, the requisite authority to approve a
payment, and the involvement of in-house legal and outside counsel
in the various stages of payment, including evaluating the legality
of a payment. Many organizations go further, outlining specific
questions or key decision points that inform whether a payment will
be made and how. Even if an organization does not believe it will
ever make a ransom payment, planning for the mechanism of payment
(e.g., considering who will facilitate negotiations, how certain
currencies will be obtained and transferred) is important advance
planning if a company ultimately decides to pay.
Key Takeaways
Organizations looking to better protect against ransomware
attacks should keep the following considerations in mind:
- Ransomware attacks have increased in number and effect in recent years, and all sectors have felt the impact of these attacks.
- The #StopRansomware Guide provides a reasonable starting point for best practices and a step-by-step checklist for responding in case of an attack.
- The 2023 update provides expanded best practices responsive to developments in the field, including new common initial infection vectors, cloud backups and zero trust architecture recommendations, and threat-hunting tips.
The agencies behind the #StopRansomware Guide also publish
timely cybersecurity alerts and advisories (CISA, FBI) on an ongoing basis to keep stakeholders
updated on burgeoning threats.