Incident Response Learnings: How to Avoid a Cyberattack Including Ransomware

 

I would like to share some insights from our incident response experience to help other organizations avoid falling victim to cybercriminals. Breaches are damaging: ransomware, for example, often halts operations for one to two weeks while essential systems are encrypted, rebuilt and restored. In many cases the affected governments and businesses had taken prudent steps to protect themselves; however, there are some common threads where I think many organizations need to be re-educated.

 

Here are some crucial steps in protecting your business from cybercriminals:

  • Replace antivirus with Endpoint Detection and Response. Traditional antivirus does not offer the protection it did five years ago. It works primarily on file signatures, so it is routinely bypassed by new or repackaged payloads and by attackers who spread using legitimate tools and stolen credentials, and it often does not stop ransomware from spreading across the network. It needs to be replaced with an Endpoint Detection and Response (EDR) tool that records process, file and network activity on each endpoint and uses behavioural analytics (frequently backed by machine learning) to identify the behaviour of the threat, such as credential dumping, deletion of shadow copies or mass file encryption, and isolate the host. In all our incident response engagements, the clients thought their antivirus had them covered against ransomware, and it failed them. I cannot stress this one enough.

 

  • Ensure someone is reviewing the security alerts of the security tools in place. During forensics, we have seen situations where the security tools were alerting on the activities of the cybercriminals and showed that systems had been compromised several months before the ransomware was deployed. No one was checking the alerts and, unfortunately, no one saw them. Had they been reviewed, steps could have been taken to shut the attackers out before much damage was done. A tool that nobody watches provides evidence for the post-mortem, not protection.

 

  • Keep devices, operating systems, and applications current. In several situations, servers and laptops were not kept up to date with supported operating systems and the latest security patches. This left more vulnerabilities and more opportunities for cybercriminals to gain access to the environment, move laterally, and establish command and control.

 

  • Protect the email channel and appropriately train staff. Several breaches we have responded to started via email; some through malicious file downloads and others through credential compromise, where staff unwittingly entered their login details into a phishing page that they mistook for a legitimate Microsoft password-renewal notice. The right email protection (spam and malware filtering, attachment scanning and link protection) will stop a substantial proportion of threats from ever getting into the business, and good security awareness training will help staff recognise and not engage with those that get through.

 

  • Set up good access controls including password management. Passwords should be long and unique, ideally kept in a password manager, and every account, especially remote access and administrative accounts, should require MFA. Apply least privilege: whenever feasible, avoid granting access to systems that a staff member does not need for their role, and keep administrative rights to a minimum. So often these simple steps would have thwarted the cybercriminal.

 

  • Ensure backups are diversified and some are offline. In several situations, the backups could not be used to get the organization back up and running because they were reachable from the compromised network and had been encrypted by the ransomware along with everything else. Keep copies on more than one medium, with at least one copy offline or otherwise unreachable from the production network. Depending on when the ransomware is identified and shut down, the organization will want to restore from the most recent clean backup, so keep several generations and test the restore process regularly, so you know it will work before it is called upon.
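The second point above, that alerts nobody reviews are worthless, is easy to quantify from an alert export. The script below is an added example written for this article, not a tool from Simply Secure Group or any vendor: it reads constructed alert records (the field names `host`, `severity`, `rule`, `ts` and `status` are assumptions, not a real product schema), ignores closed and low-severity alerts, and reports every host whose oldest open, actionable alert has been waiting longer than a threshold. Run against a real SIEM or EDR export, the "oldest open alert" column is a direct measure of attacker dwell time that the tools saw and nobody acted on.

```python
"""Added example: find security alerts that nobody has reviewed.

The alert records below are constructed to look like a SIEM/EDR export;
the field names are assumptions, not any vendor's schema.
"""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample export: two hosts with months-old open alerts, one
# alert that was triaged and closed, one low-severity noise alert.
SAMPLE_ALERTS = [
    {"id": "a1", "host": "FS01", "severity": "high",
     "rule": "Credential dumping (LSASS access)",
     "ts": "2023-01-14T02:11:00Z", "status": "new"},
    {"id": "a2", "host": "FS01", "severity": "medium",
     "rule": "Scheduled task created by non-admin",
     "ts": "2023-01-20T23:40:00Z", "status": "new"},
    {"id": "a3", "host": "WS-ACCT07", "severity": "high",
     "rule": "Macro-enabled document spawned PowerShell",
     "ts": "2023-03-02T09:05:00Z", "status": "closed"},
    {"id": "a4", "host": "DC01", "severity": "critical",
     "rule": "Volume shadow copies deleted",
     "ts": "2023-04-10T01:30:00Z", "status": "new"},
    {"id": "a5", "host": "WS-HR02", "severity": "low",
     "rule": "Unsigned binary executed from %TEMP%",
     "ts": "2023-04-11T14:00:00Z", "status": "new"},
]

# Severities that must be looked at by a human; "low" is left to tuning.
ACTIONABLE = {"critical", "high", "medium"}


def parse_ts(s):
    """Parse the ISO-8601 UTC timestamps used in the sample export."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def unreviewed_report(alerts, now, max_age=timedelta(days=1)):
    """Group open, actionable alerts per host and measure how long the oldest has waited.

    Returns {host: {"oldest_age_days", "open", "rules"}} for hosts whose
    oldest open alert is at least max_age old, ordered oldest first.
    """
    per_host = defaultdict(list)
    for a in alerts:
        if a["status"] != "new" or a["severity"] not in ACTIONABLE:
            continue
        per_host[a["host"]].append(a)

    report = {}
    for host, open_alerts in per_host.items():
        oldest = min(parse_ts(a["ts"]) for a in open_alerts)
        age = now - oldest
        if age < max_age:
            continue
        report[host] = {
            "oldest_age_days": age.days,
            "open": len(open_alerts),
            "rules": sorted(a["rule"] for a in open_alerts),
        }
    # Longest-waiting host first: that is where the attacker has been longest.
    return dict(sorted(report.items(), key=lambda kv: -kv[1]["oldest_age_days"]))


def run_sample():
    """Evaluate the constructed export as of a fixed 'now' (assumed date)."""
    return unreviewed_report(SAMPLE_ALERTS, parse_ts("2023-04-12T00:00:00Z"))


if __name__ == "__main__":
    for host, info in run_sample().items():
        print(f"{host}: oldest open alert {info['oldest_age_days']} days old, "
              f"{info['open']} open: {', '.join(info['rules'])}")
```

In the constructed data, FS01 has had a credential-dumping alert open for 87 days and a domain controller has had a shadow-copy deletion alert open for a day: the first is the months-long foothold described above, the second is the last warning before encryption starts.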

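The last point, that backups must be tested and verifiable before they are needed, can be turned into a routine. The script below is an added example written for this article and is not code from Simply Secure Group: it takes a backup of a constructed sample directory into a tar archive, records a SHA-256 manifest (which in practice would be stored with the offline copy, out of the attacker's reach), restores the archive into a fresh directory and compares every file against the manifest. It then simulates what we saw in the field, the online backup store being overwritten by ransomware, and shows that the same restore test flags the backup as unusable. All paths are temporary directories created by the script itself.

```python
"""Added example: take a backup with a hash manifest, then prove it restores.

Everything runs in a throwaway temp directory; the sample files are
constructed here and the layout is an assumption for the demonstration.
"""
import hashlib
import os
import tarfile
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Hash a file in chunks so large backups do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def take_backup(src: Path, archive: Path) -> dict:
    """Archive src into a tar.gz and return {relative path: sha256} taken at backup time."""
    manifest = {}
    with tarfile.open(archive, "w:gz") as tar:
        for p in sorted(src.rglob("*")):
            if p.is_file():
                rel = p.relative_to(src).as_posix()
                manifest[rel] = sha256_file(p)
                tar.add(p, arcname=rel)
    return manifest


def verify_restore(archive: Path, manifest: dict, restore_dir: Path) -> list:
    """Restore the archive and compare against the manifest; return a list of problems."""
    problems = []
    restore_dir.mkdir(parents=True, exist_ok=True)
    try:
        with tarfile.open(archive, "r:gz") as tar:
            # Refuse members that could write outside restore_dir before extracting.
            for m in tar.getmembers():
                if m.name.startswith("/") or ".." in Path(m.name).parts or not m.isfile():
                    problems.append(f"unsafe or unexpected member: {m.name!r}")
            if problems:
                return problems
            tar.extractall(restore_dir)
    except (tarfile.TarError, OSError, EOFError) as e:
        # A store that ransomware has encrypted is no longer a valid archive.
        return [f"archive unreadable: {e}"]

    for rel, expected in manifest.items():
        p = restore_dir / rel
        if not p.is_file():
            problems.append(f"missing after restore: {rel}")
        elif sha256_file(p) != expected:
            problems.append(f"hash mismatch (modified or encrypted?): {rel}")
    return problems


def run_demo():
    """Good backup passes; the same backup after the store is overwritten fails."""
    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp)
        src = tmp / "data"
        (src / "finance").mkdir(parents=True)
        (src / "finance" / "ledger.csv").write_text("date,amount\n2023-04-01,120.50\n")
        (src / "notes.txt").write_text("constructed sample file\n")

        archive = tmp / "backup.tar.gz"
        manifest = take_backup(src, archive)
        good = verify_restore(archive, manifest, tmp / "restore1")

        # Simulate ransomware reaching the backup store: the archive is replaced
        # by ciphertext-like random bytes of the same length.
        archive.write_bytes(os.urandom(archive.stat().st_size))
        bad = verify_restore(archive, manifest, tmp / "restore2")
        return manifest, good, bad


if __name__ == "__main__":
    manifest, good, bad = run_demo()
    print("files backed up:", sorted(manifest))
    print("clean restore problems:", good or "none")
    print("after encryption of the store:", bad)
```

Scheduling `verify_restore` against each backup generation, with the manifest kept on the offline copy, is what turns "we have backups" into "we know we can restore", and the problem list is what to look at when a restore must be done under pressure.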
In conclusion, modernizing your cybersecurity approach is essential to safeguarding your organization against an evolving threat landscape. Replacing signature-based antivirus with behaviour-based Endpoint Detection and Response (EDR) is crucial for catching an attack in progress. Actively reviewing the alerts those tools raise matters just as much, because early detection of cybercriminal activity significantly limits the damage. Keeping all devices and systems up to date reduces the vulnerabilities and the avenues for unauthorized access. Robust email protection combined with staff training is the main defence against breaches that begin with phishing and malicious attachments, and strong access controls, including good password management, MFA and least privilege, stop many attacks outright. Finally, diversified, tested and partly offline backups ensure that, in the event of a ransomware incident, the organization can recover and resume operations. By adopting these practices, organizations can strengthen their security posture and better protect themselves against emerging threats.

 

Article Written by Rob Mayo-Smith,

COO of Simply Secure Group