Ransomware – Hindsight is 20/20


Three things many companies wished they had actioned before a ransomware attack.

There are few things worse than discovering that your business has been compromised. Be it a phish, ransomware, hack or malicious attack, it’s going to leave a long legacy of damage and complexity behind it. According to Martin Potgieter, Co-Founder and Technical Director at Nclose,

“There are three things that most breach victims wished they had checked, or done differently, after they’ve been hit with a ransomware attack.”

“The first is to ensure that the company firewall is filtering outbound traffic as aggressively as it is filtering inbound traffic.  Once an attacker gets a foothold within a network if there is unrestricted outbound access, they have the freedom they need to download malicious payloads and exfiltrate data and download tools for their attack,” says Potgieter. The common firewall problem is simple – the rules get old and dated and companies don’t audit them often enough. Many firewalls that went into the pandemic were not customised to handle the complexities that it introduced in the shape of remote working. Gaps and vulnerabilities appeared, and most companies didn’t even realise they were there, until it was too late. This draws a thick black line under the importance of consistent firewall audits and regular assessment of all firewall rules.

“Often people realise that just one rule change could have slowed down or prevented the attack,” says Potgieter. “This isn’t a great realisation when you’ve just had your entire system locked down or have to pay hefty fines for being in breach of regulations. There are specific technical controls that can be implemented and updated that will help companies to resolve this issue and ensure that their firewalls are configured for minimum required access and best practice in terms of network segregation.”

The second mistake that companies make is not to protect their backups. One of the first things that an organisation does when it has been compromised is to go to the backup system and restore the data, especially if they’ve fallen victim to ransomware. They access their backups to avoid paying the ransom, only to discover all the backups have been deleted. “When these attacks happen, the attackers often go in and delete the backups,” says Potgieter. “The problem is that most companies look at backups as a business continuity or operational process that’s in place to restore the system if a server goes down, not as the last stand for the organisation. The attackers think differently. It’s a very common thing for companies hit by ransomware to go straight to their backups and, when they discover these are empty, it’s devastating.”

To manage this particularly unpleasant side-effect, companies need to test their backup systems to ensure they can restore them from multiple points and put controls in place to prevent anyone from being able to delete the backup at all. Many backup systems have moved from offline tape backups to online backups, and although online systems are more convenient, they are not as safe from malicious deletion of backups.

 

“The third factor is the lack of a tested incident response playbook,” says Potgieter. “Some mature organisations have incident response playbooks, so they know what needs to be done in the event of an attack, and how to respond to different types of attack. This will never completely resolve the issue, but it can help the business significantly as the attack plays out. The problem is that many companies have a playbook they’ve not tested, or they don’t have one at all.” It’s essential that the business has a clear plan in place to ensure that everyone does the right thing, at the right time, to mitigate data loss and the impact of the attack. If nobody knows what the plan is, or what needs to be done, then it can have serious repercussions, particularly in the event of a data breach that requires the company share the insights with the clients, regulatory bodies, and the media.

 

“It’s a complex situation – on one hand the company is investigating the cause of the attack and may want to wait until it has more information before going to the media and customers, but on the other hand they can’t be seen as withholding information,” concludes Potgieter. “This is where an incident response plan comes in handy. It needs to outline how PR, technical and legal people respond to the attack, and ensures that information is disseminated within a clear timeframe so that the company’s reputation isn’t put at risk.”

Organisations face a tedious task in addressing their cybersecurity short falls, as Gartner points out, this has become a board-level issue that requires companies revise how they approach their security systems and frameworks.  This is not the time to regret an old firewall rule or lack of incident response processes but rather the time to revise and revisit systems and processes to ensure that there is continuous improvement in these particular facets as an organisation moves into a complex and challenging 2022.

Staff writer