Ransomware Preparedness Checklist (GP)

Issue link:

Contents of this Issue


Page 1 of 2

2 Deploy a security monitoring tool or utilize a managed Security Operations Center Deploying a security incident event monitoring (SIEM) tool is one of the most important components to detecting and proactively responding to malware attacks. This allow you to correlate signs of an attack early in the reconnaissance stage. Ensure that file integrity is monitored; unexpected or unauthorized file integrity changes are important indications of a potential ransomware attack. If you don't have the staff or tools to run your own SIEM, look to Managed Security Providers (MSP) who can provide SOC-as-a-Service offerings to build and implement managed detection and response services for you. Train your users Educating your users will help mitigate security risks. Having a security awareness plan to educate your first line of defense, your users, is probably as important as any security tool. Users must be able to recognize phishing emails, understand the threat they pose, and know what to do, and not to do, when they receive these types of emails. Hire a security service provider to develop, social engineer, and email Phishing campaigns in order to test your users' abilities to recognize potential threats. Employees are often the first to encounter ransomware; they may be the cause of it. Educate employees about the various types of threats they may encounter and what they should do. Endpoint Detection and Response (EDR) The bad guys are also finding ways around antivirus detection software. This causes AV software to be silent, even when under attack. This is where Endpoint Detection and Response (EDR) can help. The goal of EDR is to look for bad behavior and alert the end-user and administrators. Earlier warning of infection speeds response time to stop the spread of the infection. Please ensure that all devices are protected using EDR. This includes all network connected assets to include medical devices and IoT where capable. Endpoint Detection and Response operates via two key principles: • Continuous monitoring / anomaly detection for new and changing files • Immediate response to a detected threat Have a post-COVID-19 Runbook and a Playbook that clearly addresses ransomware. COVID-19 changed the way hospitals use systems, networks and information technology. It also changed care delivery and in many cases workflow and even billing rules. Most organizations in the throes of either crisis or planning for one, did not have time to update these critical documents, let alone test them. Now is the time to update Runbooks (systems and networks) and Playbooks (for the broader business). Figuring out your ransomware response in the middle of an attack is the worst possible time. Increase situational awareness There is evidence that malicious actors were present within networks weeks before the launch of the ransomware. All organizations should increase awareness on the entire security stack to investigate and ensure you can detect or prevent the event before the attack is executed. The tactics and techniques of the attack are straight forward. • Someone within the organization falls suspect to phishing email • Bad actors infiltrate the network, discover, and steal credentials • Once high value targets are compromised, i.e. domain controllers, file shares, etc., the attack is executed. 6 7 8 9 10

Articles in this issue

view archives of Checklists - Ransomware Preparedness Checklist (GP)