From the desk of
Trey Stokes
THE ULTIMATE GUIDE TO SURVIVING THE
RANSOMWARE APOCALYPSE
What is your favorite post-apocalyptic TV show or movie? Maybe it’s Zombieland, The Last of Us, or I am Legend. How are our heroes able to prevail? Jessie Eisenberg’s character in Zombieland, Columbus, had a handy guide. Look at Pedro Pascal’s character from The Last of Us, Joel. In addition to being incredibly handsome, Joel was a carpenter from Texas. Working as a carpenter, he kept fit, had good dexterity, and was a problem solver. Growing up in Texas, he likely would have hunted with his brother, so he knew how to handle a gun. Will Smith’s character, Dr. Robert Neville, in I Am Legend, is a scientist. He is one of the few people in New York capable of building a lab to create a vaccine and save humanity. Were these characters successful because they were good-looking, had a handbook, or easy-going Bob Marley tunes? No, it was because they were prepared and effective when disaster struck. Let’s look at how you can prep and protect yourself from Ransomware, the zombie apocalypse equivalent of cyber-attacks.
Rule #1: Cardio Assess
In last week’s post, I laid out quick definitions for ransomware and its impact. In short, cybercrime, specifically ransomware, is a multibillion-dollar industry. In this attack method, hackers infiltrate your systems, often through a social engineering scheme, and then they download malicious software and encrypt your data so that you cannot access it. These attacks are not reserved for nation-states; they often target small and medium businesses. Cybercriminals are betting that they can be more effective running a volume-based attack rather than being a big game hunter. It is much easier to compromise 1000 small businesses with ineffective controls and low barriers to entry rather than put many months or years of work into infiltrating a single high-value target. This brings virtually every business into the crosshairs of ransomware groups, so we all need to pay attention. When you think about your cyber prep, I would recommend starting with an assessment. Whether you believe it or not, you already have some capabilities, but it’s unlikely you have everything. You probably have a gun but no bullets, or maybe they are the wrong caliber, so assessing your information assets, what you want to protect, the threats, your vulnerabilities, your staff, their capabilities, what you have outsourced, and your gaps are all things that you will want to know. You can find excellent guidance on assessing your risk by visiting the National Institute of Standards and Technology (NIST) website. You can also look at this guide on cyber risk assessments from another government agency, CISA.
Rule #2: Double Tap Plan & Patch
Once you have a baseline, it is imperative to define how your organization would like to approach risk management. This requires drafting an Information Security Policy. You can find great security policy templates by visiting SANS. These must be customized to fit your organization’s needs and risk management philosophy. For a small organization, this may be just a few pages or paragraphs. For a complex organization, these could be hundreds of pages with a high level of specificity. Once you create the appropriate policies, you need to define plans and procedures for how these policies will be carried out. Most people will be familiar with an Incident Response Plan (IRP). This is the plan you will follow when the fit hits the shan. You can find an example from the California Department of Technology here.
Having your ransomware “go bag” (IRP) is not enough. You’ll need some additional standards for other domains of risk management. One I’d like to focus on is vulnerability management.
Microsoft defines vulnerability management as: “a continuous, proactive, and often automated process that keeps your computer systems, networks, and enterprise applications safe from cyberattacks and data breaches”. A few things that I would like to stress here. First, 70% of cyber-attacks exploit patchable vulnerabilities. That effectively means that vulnerability management teams are not doing their job. That is because this is a full-time job, and it is too much for a small team with competing responsibilities to handle. If we can’t do it ourselves, then we need to outsource, right? Well, that can be complicated too. From personal experience, half of the Managed Service Providers who ensure small businesses that they are handling patching are not doing it effectively. That is why it is important to make sure you have service-level agreements with your provider to hold them to a patching schedule. You should also perform periodic 3rd party penetration test to make sure that they are sticking to these agreements. This will test the effectiveness of your patch management program and other technical controls in your network. In short, it’s like the apocalypse: trust no-one.
Rule #3: Beware of Bathrooms Still Beware of Bathrooms but also Train
Finally, to prevent ransomware, I would recommend cybersecurity training for all employees. Remember when Joel teaches Ellie how to shoot? Training is becoming more important than ever because, as Forbes points out, hackers are leveraging AI to craft well-worded and persuasive social engineering campaigns. Gone are the days when these attempts would be rife with misspellings. Criminals can now use regional dialects or ask a Chat GPT to generate a more persuasive message to increase their effectiveness.
As they say, an ounce of prevention is worth a pound of cure, or maybe it’s worth a few bitcoin? Either way, prevention is the first step, so doomsday preppers unite. In addition to your bunker, you’ll need tools and experts to detect, respond, and recover. Put all this together, you might be the last man or woman standing against ransomware. If you have further questions, you can find me on LinkedIn. I’ll continue to explore ransomware, its impact, who is behind it, and how you can prevent, detect, respond, and recover from threats. Until next time, stay safe and think twice before you click.