How To Prepare for a Ransomware Attack

March 21, 2024 By Ben Finke, OnDefend Co-Founder/CTO

Originally written for Forbes: How To Prepare For A Ransomware Attack.

Let’s start by working our way back. To set the scene: You and your team successfully repelled a ransomware attack. You stopped it before it spread, disrupted your work or stole your data. You avoided the dreaded “I” word (incident).

Sure, there were a few malicious email attachments, and some credentials were compromised. However, your team quickly identified and contained the compromised endpoints, effectively executing a well-practiced plan. It’s truly magnificent!

So, how did you succeed where so many others have failed?

A Plan Of Action

First, you had a plan that your team not only knew about but also practiced and could execute competently. That leads me to my first recommendation: Have a plan and be able to execute it, with a hard emphasis on the “execute” part. So many organizations have a plan, and it could be a great one, but if you don’t execute the plan well, then what’s the point?

Second, your team had the necessary visibility to detect malicious activity before the ransomware could cause significant damage. This was achieved by identifying the right data (telemetry), collecting it someplace where your team can hunt through it, and building analytics on it that highlight possible problems (detections). Proper data collection, effective detection capabilities and training are crucial for success.

You might expect me to mention vulnerability scanning, but it’s not the ultimate solution to your ransomware problem. Ransomware attacks often start with access methods that don’t require exploitation, such as phishing emails. Not to mention the constant parade of zero-day vulnerabilities: unless your vulnerability management program lets you identify and patch them in less than 24 hours, exploitable vulnerabilities will always be a challenge. This leads you back to identifying and responding once an adversary gains access.

Just to note—I’m certainly not suggesting you abandon your vulnerability management program. Just be realistic about the total effectiveness of preventing these kinds of attacks.

In short, here’s the plan that has led to our success.

1. Have a plan.

2. Ensure your team can execute the plan effectively.

3. Collect the right data (telemetry).

4. Apply effective analytics (detections) to the collected data.

5. Train your team to effectively utilize security tools and gather telemetry for reliable detections.

You may be looking at this list and thinking, “Yep, check on all of those! I’m set.”

However, how are you grading the maturity of each? How do you discover the gaps?

When you were in school, how did teachers score your level of retention of material throughout the year? Testing.

Testing, Testing, Testing

In this case, test your plan by executing adversary activity within your environment.

Frequently, this takes the form of a network penetration test, but I would argue a single pentest will not fully express the success or failure of a program. Pentests generally tell you how effective an attack path may be in a given scenario, but often, those actions reflect the individual pentester’s capabilities rather than a true adversarial attack.

Instead, consider unit and functional testing, then a full dress rehearsal. Unit testing evaluates specific security tool performance, while functional testing combines telemetry and detection. Full dress rehearsals, such as tabletop exercises or red team exercises, simulate real adversary attacks.

In unit testing, ask specific questions like “Does our EDR prevent regsvr32.exe from loading an unknown DLL?” This allows you to establish a baseline, an understanding of the current state. Then, you can continuously test and monitor changes to ensure the security tool remains effective. You’ll also get a chance to see what telemetry the unit test action generates and whether any detections built for it are correctly tuned.

As a quick aside, I have seen a lot of situations where a security tool blocks something, such as the example above, and the SOC team closes the alert without investigation. Cue my brain exploding.

I get it; most teams are frequently drowning in a sea of alerts, and there is just not enough time in the day, but my goodness, something just happened where your tools had to explicitly block an issue! Wouldn’t you want to know what happened? What if there happened to be other activity that didn’t get blocked?

One way to help reduce these vast volumes of alerts is to write more effective detections in the first place.

Here is where functional testing can come into play: the execution of a chain of events to see if we can leverage our telemetry to put together multiple detections into a single incident. Functional testing also lets us test tuning out the normal activity in the environment. This gives us fewer, but better, alerts that our team can now investigate. The findings feed back into detections and/or telemetry, which in turn strengthens your team’s plan and their ability to execute it.
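To make the regsvr32 unit test question above and the functional-testing chain concrete, here is an added example in Python (not OnDefend’s code or any product’s): two detections run over constructed process-start telemetry, a baseline of trusted DLL directories that tunes out normal activity, and per-host correlation of hits into a single incident. Hostnames, paths, timestamps and the event format are all constructed for the example.

```python
# Added example: detections over constructed telemetry, baseline tuned out, hits correlated per host.
from datetime import datetime, timedelta

# Constructed process-start events (not real logs); "action" is what the EDR did with the process.
TELEMETRY = [
    {"ts": "2024-03-21T09:00:12", "host": "WS01", "image": "regsvr32.exe",
     "cmd": "regsvr32.exe /s C:\\Users\\alice\\AppData\\Local\\Temp\\inv.dll", "action": "blocked"},
    {"ts": "2024-03-21T09:00:40", "host": "WS01", "image": "regsvr32.exe",
     "cmd": "regsvr32.exe /s C:\\Users\\alice\\AppData\\Local\\Temp\\inv2.dll", "action": "allowed"},
    {"ts": "2024-03-21T09:30:00", "host": "SRV02", "image": "regsvr32.exe",
     "cmd": "regsvr32.exe /s C:\\Windows\\System32\\vendor.dll", "action": "allowed"},
]

# Baseline learned from functional testing: DLLs registered from these directories are normal here.
TRUSTED_DLL_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\", "c:\\program files\\")

def dll_path(cmd):
    """First command-line token ending in .dll (simplification: unquoted paths only)."""
    return next((t for t in cmd.split() if t.lower().endswith(".dll")), None)

def rule_regsvr32_unknown_dll(ev):
    """regsvr32.exe registering a DLL from outside the trusted directories."""
    if ev["image"].lower() != "regsvr32.exe":
        return False
    path = dll_path(ev["cmd"])
    return path is not None and not path.lower().startswith(TRUSTED_DLL_DIRS)

def rule_tool_blocked(ev):
    """A block is evidence of activity worth investigating, never an auto-close."""
    return ev["action"] == "blocked"

RULES = {"regsvr32_unknown_dll": rule_regsvr32_unknown_dll, "security_tool_block": rule_tool_blocked}

def run_detections(events):
    """One hit per (event, rule) match, carrying host and time so hits can be correlated."""
    return [{"rule": n, "host": e["host"], "ts": datetime.fromisoformat(e["ts"]), "cmd": e["cmd"]}
            for e in events for n, rule in RULES.items() if rule(e)]

def correlate(hits, window=timedelta(minutes=10)):
    """Chain a host's hits that land within `window` of the previous hit into one incident."""
    incidents, last = [], {}
    for h in sorted(hits, key=lambda h: (h["host"], h["ts"])):
        if h["host"] in last and h["ts"] - last[h["host"]]["last"] <= window:
            last[h["host"]]["detections"].append(h)
        else:
            last[h["host"]] = {"host": h["host"], "detections": [h]}
            incidents.append(last[h["host"]])
        last[h["host"]]["last"] = h["ts"]
    return incidents
```

On the sample data, the allowed SRV02 event is tuned out by the baseline, while WS01 yields one incident that bundles the blocked DLL load with the second, unblocked one that a closed-without-investigation alert would have hidden.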

The reality is that so many security teams spend their days just closing false positive alerts that they don’t spend much time preparing to identify and expel an intrusion. It’s imperative to prioritize practicing the execution of an incident response plan.

Once all of that has been done, you’re ready for a full dress rehearsal—which means simulating the exact tactics and techniques of these adversaries to ensure you understand the timing of everything: detection, response and containment times.

Each of these preparation processes will continually influence the others. As your detection and mitigation capabilities improve, so will your plan. As the team exercises the plan more often, they will find the need for increased capabilities in the security tools or in their ability to use them. But testing at each stage will give you real metrics and data to understand the maturity of your preparation and where your next improvement should be.

That way, when opening night comes (and I promise it will), you will have already performed these tests enough times to know you’re ready.

Learn more about how OnDefend is protecting organizations from ransomware through Ransomware Defense Validation.
Take the next steps in exploring how your organization’s defense in depth will hold up against a ransomware attack.
