3 Keys to Securing AWS Environments Against Ransomware Fallout

essidsolutions

No cyber attack prevention strategy can be 100% effective 100% of the time — this is a reality that’s well-acknowledged. Organizations worldwide are already seeing a spike in ransomware attacks, leaving many CISOs wondering if their company is next. Hence, having a mitigation strategy to accompany the prevention plan is a must. Here, Derek Brost, Director, Professional Services — Security & Compliance at InterVision, discusses how continued cyber hygiene can mitigate ransomware attacks.

As the threat of ransomware becomes a growing risk to companies, it can be difficult to know how best to evolve to meet the challenges of data protection and fast response. As cybercriminals become more sophisticated, threats of ransomware will continue to evolve and grow.  

Since many organizations utilize the cloud in one way or another, AWS being the most popular, it’s imperative that IT departments prepare for how to mitigate a ransomware attack in this type of environment. 

Here are three steps companies can take to secure their AWS environments against potential fallout from a ransomware attack on business endpoints. 

1. Segment, Segment, Segment

Highly segmented virtual network access for legacy systems, untrusted devices, and each class of user helps IT teams contain the spread of ransomware when it’s detected. Ransomware may spread by way of rapid network endpoint and gateway connection attempts, spraying out for a foothold and data. Thankfully, in modern, highly programmable software-defined cloud networking this segmentation can be equally fast to define, deploy, roll back, redirect, mirror, or block. With these core networking API capabilities, it’s important to invest in pervasive detective, responsive, and automated preventive security controls with sufficient logical barriers for timely containment and eradication in an incident response situation.

For example, it’s good practice that administrators, users, contractors, VIPs, and similar groups have segmented access, and potentially even highly isolated access. In conventional on-premises networks this may be readily accomplished by Network Access Control (NAC) solutions. NAC still applies in an AWS environment for posture management, but it may not be the readily achievable first step there; AWS’ codified technical policies, solid Identity and Access Management (IAM) integration, and virtual network segmentation are. Following demarcation of access, establishing a role-based access approach at the next layer to systems, applications and storage buckets will help to drive further logical access segmentation while still using the same policy constructs.

A role-based access approach is relatively straightforward, but segmentation beyond that may challenge organizations that struggle to determine and record the ports, protocols, and services needed among systems across network segments. This level of segmentation helps with containing ransomware exploitation and limiting lateral movement. The foundational information required is relatively easy to access in the form of AWS VPC Flow Logs, but be aware that analytical tools are highly valuable in accelerating time-to-implementation for protective measures and are almost always required to make sense of environments, even of modest size or scale. There are numerous commercial tools that can build further on standard flow logs, some of which capture considerably more detail for critical system, service, and user mapping.
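The two uses of VPC Flow Logs described in this section, recording which ports and protocols actually pass between segments so that allow-lists can be written, and spotting the rapid connection "spraying" that ransomware produces, can be done with a short script. The following is an added example, not code from the article or from InterVision; the segment CIDRs, the account and interface ids, and the log lines are constructed for illustration, and the records use the default version-2 flow log field order.

```python
"""
Added example (not from the article): summarise AWS VPC Flow Log records into a
per-segment port/protocol matrix and flag sources whose connection pattern looks
like ransomware spraying. Segment names, CIDRs and log lines are constructed.
"""
import ipaddress
from collections import defaultdict

# Default (version 2) VPC Flow Log field order.
FIELDS = ("version account_id interface_id srcaddr dstaddr srcport dstport "
          "protocol packets bytes start end action log_status").split()

PROTO_NAMES = {6: "tcp", 17: "udp", 1: "icmp"}

# Constructed segment map; in practice this is derived from your VPC/subnet CIDRs.
SEGMENTS = {
    "users":  ipaddress.ip_network("10.10.0.0/16"),
    "app":    ipaddress.ip_network("10.20.0.0/16"),
    "backup": ipaddress.ip_network("10.30.0.0/16"),
}

# Constructed sample: normal user->app and app->backup traffic, one blocked SMB
# attempt from a user host to the backup segment, one host (10.10.1.99) probing
# SMB/RDP on many neighbours, and a NODATA record with no flow fields.
SAMPLE_LOG = [
    "2 123456789012 eni-0a1b2c3d 10.10.1.5 10.20.1.10 49152 443 6 10 8000 1600000000 1600000060 ACCEPT OK",
    "2 123456789012 eni-0a1b2c3d 10.20.1.10 10.30.1.7 40000 443 6 20 16000 1600000000 1600000060 ACCEPT OK",
    "2 123456789012 eni-0a1b2c3d 10.10.1.5 10.30.1.7 50000 445 6 1 60 1600000000 1600000060 REJECT OK",
    "2 123456789012 eni-0a1b2c3d 10.10.1.99 10.10.1.20 51000 445 6 1 60 1600000000 1600000060 REJECT OK",
    "2 123456789012 eni-0a1b2c3d 10.10.1.99 10.10.1.21 51001 445 6 1 60 1600000000 1600000060 REJECT OK",
    "2 123456789012 eni-0a1b2c3d 10.10.1.99 10.10.1.22 51002 445 6 1 60 1600000000 1600000060 REJECT OK",
    "2 123456789012 eni-0a1b2c3d 10.10.1.99 10.10.1.23 51003 3389 6 1 60 1600000000 1600000060 REJECT OK",
    "2 123456789012 eni-0a1b2c3d 10.10.1.99 10.20.1.10 51004 445 6 1 60 1600000000 1600000060 REJECT OK",
    "2 123456789012 eni-0a1b2c3d - - - - - - - 1600000000 1600000060 - NODATA",
]


def segment_of(addr):
    """Name the segment an address belongs to, or 'external' if none matches."""
    ip = ipaddress.ip_address(addr)
    for name, net in SEGMENTS.items():
        if ip in net:
            return name
    return "external"


def parse_record(line):
    """Split one flow log line into typed fields; None for unusable records."""
    parts = line.split()
    if len(parts) != len(FIELDS):
        return None
    rec = dict(zip(FIELDS, parts))
    if rec["log_status"] != "OK":
        return None  # NODATA / SKIPDATA records carry no flow fields
    for key in ("srcport", "dstport", "protocol", "packets", "bytes", "start", "end"):
        rec[key] = int(rec[key])
    return rec


def segment_matrix(lines):
    """Map (src_segment, dst_segment) -> sorted 'proto/dstport' values seen ACCEPTed.
    Only accepted flows are candidates for a security group or NACL allow-list."""
    matrix = defaultdict(set)
    for line in lines:
        rec = parse_record(line)
        if rec is None or rec["action"] != "ACCEPT":
            continue
        proto = PROTO_NAMES.get(rec["protocol"], str(rec["protocol"]))
        key = (segment_of(rec["srcaddr"]), segment_of(rec["dstaddr"]))
        matrix[key].add(f"{proto}/{rec['dstport']}")
    return {key: sorted(ports) for key, ports in matrix.items()}


def spraying_sources(lines, min_targets=5):
    """Return source addresses that touched at least min_targets distinct
    (dstaddr, dstport) pairs. REJECTed flows are included on purpose: a host
    hammering closed ports across a segment is the signal worth alerting on."""
    targets = defaultdict(set)
    for line in lines:
        rec = parse_record(line)
        if rec is None:
            continue
        targets[rec["srcaddr"]].add((rec["dstaddr"], rec["dstport"]))
    return sorted(src for src, seen in targets.items() if len(seen) >= min_targets)


if __name__ == "__main__":
    for (src, dst), ports in segment_matrix(SAMPLE_LOG).items():
        print(f"{src} -> {dst}: {', '.join(ports)}")
    print("possible spraying from:", spraying_sources(SAMPLE_LOG))
```

The matrix is what you feed into the allow-list for each segment boundary; anything observed but not in it should be rejected. The spraying check is deliberately crude (distinct targets per source, no time window), which is fine for a first pass over a single capture; a production detector would bucket by the `start` timestamp and baseline per host.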


2. Enable Application Use from a Higher Access Layer

With a distributed workforce as the new norm, many IT groups are grappling with how best to both enable ongoing operations while protecting sensitive data that might live on company devices and laptops. While Bring Your Own Device (BYOD) and Mobile Device Management (MDM) policies, practices, and tools continue to be highly important and more relevant than ever in remote workforces, it is important to always update your view and approach on how better to provide services to an increasingly distributed workforce. AWS’ end-user computing solutions allow you to leverage significant security capabilities very quickly and inexpensively compared to acquiring and standing the necessary infrastructure up yourself.

When it comes to ransomware risk mitigation, it may be good to utilize AWS AppStream 2.0 for remote workers and administrators – it is browser-based application hosting on the AWS cloud that elevates data storage and computing to a higher access layer. Important assets are kept off the device and there’s no need for a VPN, just a connection to the Internet. An interesting use case to consider is moving traditional bastion hosts and administrative access terminals to this access layer and complementing it with the standard AWS services for Multi-Factor Authentication (MFA), VPC, Data Loss Prevention (DLP), encryption, intrusion detection, and many more.

This is especially advantageous for contract workers, vendor technology companies with privileged access, and similar temporarily trusted access. In a ransomware incident, typically only the employee device would be compromised, and even in the event of an advanced threat the risk can be greatly controlled. If the device is corporate-owned, IT would wipe and recover it, and with browser-based hosting there are no corrupted organizational files on that device to worry about. If it is third-party owned, it’s not your problem anymore, and you can easily block access until appropriate risk and compliance assurances are given.


3. Leverage the Power of a Good Recovery Plan

Perhaps the best-known way to mitigate the fallout of ransomware is having a good backup & recovery plan. Indeed, having good data protection allows your IT team to retrieve clean copies and restore the business to normal without having to pay the cybercriminal a hostage fee. Not to mention, paying the cybercriminal doesn’t always guarantee you’ll get your data back – I’ve seen an increase in attacks that never give the data back or end up disclosing it regardless of payment. 

End users should have a cloud repository to back up all files on their devices, to prevent the loss of too much IP after a ransomware attack. The immutability of backups is essential, meaning datasets cannot be changed or moved after copying, and they are commonly encrypted both in transit and at rest. The good news is that technology advancements in recent years have added rocket fuel to creating a strong offsite and/or offline backup & recovery strategy, as the speed and effectiveness of recovery can be achieved using Disaster Recovery as a Service (DRaaS) paired with a Backup as a Service (BaaS) solution. It’s been especially painful to watch when organizations have localized on-network, Windows-based backup solutions also get compromised in ransomware attacks and the realization hits that all the data is compromised; do not let your organization fall prey to this dire situation.

Here, DRaaS and BaaS can be targeted to a segmented AWS landing zone, which allows both quick retrievals of non-corrupted information and high-speed recovery of those assets after a ransomware breach has occurred. Not all DRaaS providers (only one can, to my knowledge) can do this targeting of DRaaS to AWS though, so be sure to dig into the proper research.
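The immutability and encryption properties called for above map directly onto S3 controls on the backup landing zone: Object Lock in compliance mode (a locked object version cannot be deleted or shortened by any principal, including root, until retention expires), default server-side encryption with KMS, and a bucket policy that refuses non-TLS requests. The following is an added example, not code from the article or from any DRaaS/BaaS vendor; the boto3 calls are the real S3 APIs, while the bucket name and KMS key ARN are placeholders, and the function takes the S3 client as a parameter so the same code can be exercised against the recording stub included here without AWS credentials.

```python
"""
Added example (not from the article): harden an S3 bucket as an immutable,
encrypted backup target. Bucket name and KMS key are placeholders; the S3 client
is injected so the logic can run offline against RecordingS3.
"""
import json


def harden_backup_bucket(s3, bucket, kms_key_arn, retention_days=30, region="us-east-1"):
    """Create the bucket with Object Lock, set compliance-mode default retention,
    default SSE-KMS, and a TLS-only bucket policy. Returns a summary dict."""
    # Object Lock can only be enabled at creation; it also turns on versioning.
    create_kwargs = {"Bucket": bucket, "ObjectLockEnabledForBucket": True}
    if region != "us-east-1":  # S3 requires LocationConstraint outside us-east-1
        create_kwargs["CreateBucketConfiguration"] = {"LocationConstraint": region}
    s3.create_bucket(**create_kwargs)

    # COMPLIANCE mode: nobody, including the account root, can delete a locked
    # version or shorten its retention. GOVERNANCE mode would let principals with
    # s3:BypassGovernanceRetention override it, which defeats the purpose here.
    lock_config = {
        "ObjectLockEnabled": "Enabled",
        "Rule": {"DefaultRetention": {"Mode": "COMPLIANCE", "Days": retention_days}},
    }
    s3.put_object_lock_configuration(Bucket=bucket, ObjectLockConfiguration=lock_config)

    # Encryption at rest: every PutObject without explicit SSE headers gets SSE-KMS.
    s3.put_bucket_encryption(
        Bucket=bucket,
        ServerSideEncryptionConfiguration={"Rules": [{
            "ApplyServerSideEncryptionByDefault": {
                "SSEAlgorithm": "aws:kms",
                "KMSMasterKeyID": kms_key_arn,
            },
            "BucketKeyEnabled": True,
        }]},
    )

    # Encryption in transit: deny every request that did not arrive over TLS.
    policy = {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "DenyInsecureTransport",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:*",
            "Resource": [f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"],
            "Condition": {"Bool": {"aws:SecureTransport": "false"}},
        }],
    }
    s3.put_bucket_policy(Bucket=bucket, Policy=json.dumps(policy))

    return {
        "bucket": bucket,
        "lock_mode": lock_config["Rule"]["DefaultRetention"]["Mode"],
        "retention_days": retention_days,
        "sse_algorithm": "aws:kms",
        "policy": policy,
    }


class RecordingS3:
    """Offline stand-in for a boto3 S3 client: records each call's name and kwargs.
    Replace with boto3.client("s3") to apply the configuration for real."""

    def __init__(self):
        self.calls = []

    def __getattr__(self, name):
        def call(**kwargs):
            self.calls.append((name, kwargs))
            return {}
        return call


def called_apis(s3):
    """Names of the S3 APIs a RecordingS3 saw, in order."""
    return [name for name, _ in s3.calls]


if __name__ == "__main__":
    stub = RecordingS3()
    summary = harden_backup_bucket(
        stub, "example-backup-landing-zone",              # placeholder bucket name
        "arn:aws:kms:us-east-1:123456789012:key/PLACEHOLDER",  # placeholder key
        retention_days=90,
    )
    print(called_apis(stub))
    print(json.dumps(summary, indent=2))
```

Two operational caveats follow from the design: a compliance-mode retention period cannot be reduced once set, so size `retention_days` to your recovery-point policy rather than guessing high, and the IAM principal used by the backup agent should hold only `s3:PutObject` (plus the KMS `Encrypt`/`GenerateDataKey` grants it needs), never `s3:DeleteObjectVersion`, so that a compromised backup credential cannot be turned against the copies.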


Summing Up

Ransomware grows as a widespread threat when companies pay the ransom fees, so having a better mitigation plan is key not only in the moment but for the long term as well. Strategizing among your IT team and business leadership is the first step toward protecting your most critical assets, and educating your workforce is key to preventing cyberattacks. As more companies leverage the AWS cloud to run business operations, the protection of assets in those environments is substantially important – but you’re not alone in doing this. Leveraging a third-party provider can help offload some of the burdensome management aspects so your IT department can focus on business agility.
