Every organization—from local governments, healthcare providers and financial institutions, down to small- and medium-sized enterprises, energy plants and healthcare providers—is struggling with the growing threat of ransomware attacks.
Headline grabbing criminal operations have impacted Fortune 500s, hospitals, and critical infrastructure, and it feels like just a matter of time before your business becomes the next victim of LockerGoga or SamSam.
General consensus on the best way to prepare for the eventuality of a ransomware hit seems to be having regular, up-to-date, secure onsite, and cloud backups. These should be able to bring a business operation back and online with minimal disruption, thus reducing the cost of downtime and avoiding large payouts that would motivate criminals to continue pursuing these operations.
Even with update backups, however, the cost of a compromise can be substantial, and the process of reinstating operations time consuming. Both the time needed to recover, and the price tag of a successful attack seem to be increasing over time, as a recent research has discovered.
In Q4 2018 it took organizations an average of 6.2 days to get back up and running, as compared to 7.3 days in Q1 2019. This downtime costs businesses an average of more than $60k, but in certain cases the cost of the downtime can itself exceed the cost of the ransom, making it more cost effective for organizations to pay criminals to have their data back.
If paying the ransom is not an option, or malware removal, and executing a recovery plan would cause too much downtime for your organization to be able to afford it, how can you effectively recover from a ransomware attack hitting your business?
The only real answer is to prevent the attack altogether by having the right security measures in place. This may sound impossible, but by taking certain steps companies can dramatically strengthen their security posture, thus reducing the probability of falling victim of a ransomware attack.
Understand How Ransomware Attacks Unfold
Rule #1 of an effective security strategy: Know Your Enemy
Ransomware is nothing but a package of malware attacks that aim to get around internet security suites, most commonly deployed with a phishing or spear phishing campaign aimed at tricking users into clicking on a malicious link or downloading a compromised attachment.
Often, these emails are designed to look like they are coming from someone in the high ranks of an organization, which increases the likelihood that an employee will open the message and execute whichever action it prescribes.
Once they have infected an end user’s machine, these malwares start looking for privileged credentials. These credentials give criminals access to the most sensitive areas of the network, allowing them to obtain valuable data and, ultimately, critical control over the entire IT infrastructure, and with it the ability to lock files and halt business processes.
At this point, cybercriminals simply need to wait for companies to pay the ransom, conscious that every second of downtime translates in revenue loss.
Protect Your Assets with Privileged Access Management
Although the destructive nature of ransomware attacks has been widely documented by the news coverage of some of the worst, high profile cases, it is important to remember that these malicious software are only capable to compromise the portion of the network and data that they can gain access to.
To put it simply, if privileged credentials are well protected and inaccessible from an end users’ machine, a ransomware infection will remain limited to that single machine, unable to spread to the critical processes that cause operational collapse if halted through good network monitoring and management.
By implementing solid privileges access management (PAM) procedures, companies can protect their crown jewels from ever being compromised, even in the eventuality of an intruder gaining access to the network.
Key Concepts of PAM
The key components of a successful PAM strategy are:
Leverage a password vault. Password vaults generate privileged access credentials that are valid for a single session. This means that there are no sensitive credential sitting around for an intruder to find, but that each access is performed with a password that becomes obsolete as soon as the session is terminated.
Monitor and record privileged sessions. Whenever a user accesses a privileged area of the network, the session should be monitored and recorded. This allows security teams to be alerted if suspicious behavior is detected, and the monitoring tool can remotely end the session if the risk is deemed over a certain threshold.
Use behavioral biometrics. Through machine learning, behavioral biometrics tools are able to collect behavioral markers of each privileged user, including keyboard strokes and mouse movements. These markers are then computed into a continuously updated behavioral profile, which serves as the blueprint of what normal activity should look like. In this way, suspicious activity can be spotted immediately, and actions can be taken to terminate the session.
Follow the principle of least privilege. Users should be given access to the smallest portion of the network they need to do their job, and not more. This includes restricting which users are allowed to download and run which software and applications on their systems.
As ransomware attacks continue to increase in popularity, organizations need to become proactive in their security efforts. Every ransom paid is a further incentive for cybercriminals to continue with their operations, which is why the effort to counteract this type of attack should be a collective one.
By understanding how ransomware works and by implementing the appropriate PAM procedures—including password vaults, behavioral biometrics, privileged session management, and least privilege—companies can all contribute to make these business-crippling attacks obsolete.