nDiscovery-Logo-Header.png
Ë
By Becky Metivier • April 19, 2018

Ransomware Defense Tips - Incident Response Preparation

As Ransomware attacks continue to escalate in scale and scope, it is more important than ever to be able to defend your organisation against this type of cyberattack. Especially when it comes to preparing your incident response protocols. Preparation and practice are the secrets to success. So, if you are comprised, you can recover quickly with little or no damage… and without having to pay a ransom. 

Here’s how you can ensure that your organisation is ready to confidently respond to, and survive, a ransomware attack.

Step #1: Design Preparation

  • Design an “air-gap” backup strategy. One important defense mechanism against ransomware is to ensure that current backups of all your important data are “air-gapped.” This means there is a separation from your network / production environment and your back-up environment. Careful planning is required, and there are many options available. Whichever strategy you determine is right for your organisation, be sure that you test the restore process frequently.   
  • Designate off-site and off-network locations for backup media and recovery materials.
  • Confirm that your insurance policy covers a Ransomware attack and include their protocols in your plan. Many times, in order for a claim to be paid, you must engage with the insurance company exactly as they require. Be sure you know what their protocols state.
  • Create (and practice) an Incident Response testing plan. Practice is a good way to build organisational intelligence and memory around how you respond. Results will be much better once everyone has some practice responding to different types of events and incidents.

Step #2 – Operational Preparation

  • Document data flows and external endpoints.
  • Ensure your Business Impact Analysis (BIA) and recovery procedures are up-to-date.
  • Be prepared to do business off-line.
  • Engage a forensics partner or train current staff on forensics procedures. This can help you succeed on the backside of an incident. Make sure you have a resource who can do a post-mortem forensics investigation – so you can hopefully figure out what happened, how it happened, why it happened, how to keep it from happening again, and even possibly track down the perpetrators. 
  • Ensure your internal and external communications plans are up-to-date and available.
  • Ensure that necessary documents are available off-line to team members. These include all business continuity plans, directory of contacts, and communication scripts.

Step #3 – Technical Preparation

  • Ensure that all your system restoration tools are available off-line. These include back-up software and license keys.  Be sure to refresh your back-up tools every quarter.
  • Execute your “air-gap” backup strategy. Be sure to test restoration from off-site media every quarter, and be prepared to restore your systems from scratch.
  • Ensure monitoring and alerting tools are working as designed. Also make sure that you are logging the right events on your perimeter devices, as well as all the servers in your organisation’s network. That way as the event is unfolding, you will have the logs available for forensics and incident response to do an effective job.  
  • Conduct external penetration tests.
  • Perform backup recovery on a regularly scheduled basis.
  • Know your internet connectivity points. Be sure you are prepared to disconnect your internal network from the Internet.