DTS Solution
DTS Solution

Ransomware Incident Response Plan – Part 1

Ransomware Incident Response Plan - Part 1
Ransomware was and still is one of the most dangerous attacks that can cause catastrophic consequences to the endpoint system if not responded properly. The following article is specially created for preparing incident response teams against this particular attack, but it is generally excellent guidance for everyone who would like to have clear and step-by-step approach on how to prepare, identify, contain, remediate and recover from the dangerous attacks of ransomware.
The following is part one of the overall incident response plan where we are going to discuss in our opinion the most critical phases of the incident response plan, which are the preparation and identification phases, because our goal is to prevent the compromise rather than allow it to be executed and completed, hence we will concentrate more on the phases mentioned above, but as well as we will cover other phases in part two and part three which are important as well.
Before jumping into the phases and steps we would like to give brief introduction about ransomware, to explain what it is and how does it work.
Ransomware is a type of malware from crypto virology that threatens to publish the victim’s data or perpetually block access to it unless a ransom is paid. While some simple ransomware may lock the system in a way which is not difficult for an expert to reverse, more advanced malware uses a technique called crypto viral extortion, in which it encrypts the victim’s files, making them inaccessible, and demands a ransom payment to decrypt them.

In a properly implemented crypto viral extortion attack, recovering the files without the decryption key is an intractable problem and difficult to trace digital currencies such as Ukash or Bitcoin and other cryptocurrency are used for the ransoms, making tracing and prosecuting the perpetrators difficult. As was already said we will divide the incident response plan into 5 phases and first phase is preparation from we shall start.

Ransomware Incident Response Plan-Part 1

Ransomware was and still is one of the most dangerous attacks that can cause catastrophic consequences to the endpoint system if not responded properly. The following article is specially created for preparing incident response teams against this particular attack, but it is generally excellent guidance for everyone who would like to have clear and step-by-step approach on how to prepare, identify, contain, remediate and recover from the dangerous attacks of ransomware.
The following is part one of the overall incident response plan where we are going to discuss in our opinion the most critical phases of the incident response plan, which are the preparation and identification phases, because our goal is to prevent the compromise rather than allow it to be executed and completed, hence we will concentrate more on the phases mentioned above, but as well as we will cover other phases in part two and part three which are important as well.
Before jumping into the phases and steps we would like to give brief introduction about ransomware, to explain what it is and how does it work.
Ransomware is a type of malware from crypto virology that threatens to publish the victim’s data or perpetually block access to it unless a ransom is paid. While some simple ransomware may lock the system in a way which is not difficult for an expert to reverse, more advanced malware uses a technique called crypto viral extortion, in which it encrypts the victim’s files, making them inaccessible, and demands a ransom payment to decrypt them.

In a properly implemented crypto viral extortion attack, recovering the files without the decryption key is an intractable problem and difficult to trace digital currencies such as Ukash or Bitcoin and other cryptocurrency are used for the ransoms, making tracing and prosecuting the perpetrators difficult. As was already said we will divide the incident response plan into 5 phases and first phase is preparation from we shall start.

1. Preparation Overview
On the preparation phase the company or the incident response team must realize that malicious actors often use phishing to infect a system with ransomware, hence it is very important to have a phishing policy. The chance of being compromised by ransomware can be decreased by conducting routine phishing tests, so employees will be able to detect a phishing email before clicking on any dangerous links or attachments.
To be ready for potential attacks such as ransomware the systems must be updated including the software with the latest security patches. This critical preventative step will make it harder for malicious actors to compromise your system. As ransomware became one of the most used and dangerous attack in a manner of data loss and system corruption, the company or the incident response team must prioritize the data that is most critical to the organization and back it up.

The recommended practice for backup is to periodically test the backups and verify the validity and reliability of the backups. For being ready and prepared there is yet another crucial step to cover to stay on the safest side and that is to deploy preventive cybersecurity resources. This can range from an anti-malware solution that includes endpoint or heuristic monitoring to advanced EDR (Endpoint Detection & Response) solution. Compared to the traditional anti-virus solutions which only detects malware at a signature level which can be ineffective in case of a new-born ransomware. Hence, we must implement advanced threat detection systems for cyber security resilience. The company or the incident response team should develop an incident response (IR) plan that is created specifically for a ransomware attack. It is crucial to prepare for targeted attacks that can affect broad swaths of your company.

1. Preparation Overview

On the preparation phase the company or the incident response team must realize that malicious actors often use phishing to infect a system with ransomware, hence it is very important to have a phishing policy. The chance of being compromised by ransomware can be decreased by conducting routine phishing tests, so employees will be able to detect a phishing email before clicking on any dangerous links or attachments.
To be ready for potential attacks such as ransomware the systems must be updated including the software with the latest security patches. This critical preventative step will make it harder for malicious actors to compromise your system. As ransomware became one of the most used and dangerous attack in a manner of data loss and system corruption, the company or the incident response team must prioritize the data that is most critical to the organization and back it up.

The recommended practice for backup is to periodically test the backups and verify the validity and reliability of the backups. For being ready and prepared there is yet another crucial step to cover to stay on the safest side and that is to deploy preventive cybersecurity resources. This can range from an anti-malware solution that includes endpoint or heuristic monitoring to advanced EDR (Endpoint Detection & Response) solution. Compared to the traditional anti-virus solutions which only detects malware at a signature level which can be ineffective in case of a new-born ransomware. Hence, we must implement advanced threat detection systems for cyber security resilience. The company or the incident response team should develop an incident response (IR) plan that is created specifically for a ransomware attack. It is crucial to prepare for targeted attacks that can affect broad swaths of your company.

2. Identification
For initial identification and detection, a good approach is to get signatures and IOCs into your IDS. It is highly recommended as a best practice to use a threat intelligence sources to block and alert on the presence of anomalies that have a chance of being associated with ransomware in your network traffic. There are numerous signatures for most of the popular ransomwares out there such WannaCry and NotPetya traffic. These practice alone will not protect you from a ransomware because ransomwares can be modified and changed hence, we want to have more defense than just the detection. However, these signatures can be a useful source for the most widely distributed tools that enterprises tend to use.
Perform continuous anti-virus and overall endpoint security scans, to detect and discover unusual registry keys, malicious files, encrypted data, unusual directories, unusual amounts of internet traffic flow, unexplained system crashes, unauthorized and unexplained installation of software. Check the anti-virus notifications, scans, and Windows Event Logs for more details about the malicious activity. Request system updates and patches. In case of phishing emails that may contain or lead users to the ransomware, the company or the incident response team must use tools that detect malicious attachments or perform attachment scanning to look for malicious attachments. This technique is your best automated defense against ransomware emails.
The recommended practice for backup is to periodically test the backups and verify the validity and reliability of the backups. For being ready and prepared there is yet another crucial step to cover to stay on the safest side and that is to deploy preventive cybersecurity resources. This can range from an anti-malware solution that includes endpoint or heuristic monitoring to advanced EDR (Endpoint Detection & Response) solution. Compared to the traditional anti-virus solutions which only detects malware at a signature level which can be ineffective in case of a new-born ransomware. Hence, we must implement advanced threat detection systems for cyber security resilience. The company or the incident response team should develop an incident response (IR) plan that is created specifically for a ransomware attack. It is crucial to prepare for targeted attacks that can affect broad swaths of your company.
Click here to read our step-by-step hands-on approach on how to prepare and identify ransomware attacks

2. Identification

For initial identification and detection, a good approach is to get signatures and IOCs into your IDS. It is highly recommended as a best practice to use a threat intelligence sources to block and alert on the presence of anomalies that have a chance of being associated with ransomware in your network traffic. There are numerous signatures for most of the popular ransomwares out there such WannaCry and NotPetya traffic. These practice alone will not protect you from a ransomware because ransomwares can be modified and changed hence, we want to have more defense than just the detection. However, these signatures can be a useful source for the most widely distributed tools that enterprises tend to use.

Perform continuous anti-virus and overall endpoint security scans, to detect and discover unusual registry keys, malicious files, encrypted data, unusual directories, unusual amounts of internet traffic flow, unexplained system crashes, unauthorized and unexplained installation of software. Check the anti-virus notifications, scans, and Windows Event Logs for more details about the malicious activity. Request system updates and patches. In case of phishing emails that may contain or lead users to the ransomware, the company or the incident response team must use tools that detect malicious attachments or perform attachment scanning to look for malicious attachments. This technique is your best automated defense against ransomware emails.
Click here to read our step-by-step hands-on approach on how to prepare and identify ransomware attacks

See also:

Azure Security 101

December 20, 2020

Cyber Threat Intelligence and OSINT

August 19, 2020

DIFC Data Protection Law- How to Achieve Compliance?

September 20, 2020

Linkedin X-twitter Facebook Youtube

© Copyrights 2024.
All rights reserved by DTS Solution 
– Cyber Security Redefined

Solutions

Network and Infrastructure Security
Zero Trust and Private Access
Endpoint and Server Protection
Vulnerability and Patch Management
Data Protection
Application Security
Secure Software and DevSecOps
Cloud Security
Identity Access Governance
Governance, Risk and Compliance
Security Intelligence Operations
Incident Response

Industry

Critical Infrastructure
Education
Energy and Utilities
Enterprise and Service Providers
Financial Services and FinTech
Government
Healthcare and BioTech
Legal
Manufacturing
Media and Entertainment
Retail and Ecommerce
Technology and Digital

Services
Cyber Strategy
Cyber Secure
Cyber Operations
Cyber Response
Cyber Resilience
Products

COMPLYAN
FYNSEC
HAWKEYE CSOC WIKI
Firewall Policy Builder

Other

About Us
Awards
Board of Directors
Leadership
Careers
Support
Contact
Vendors
Resources
Press Center
Privacy Policy

  Dubai

Office 4, Oasis Center
Sheikh Zayed Road
PO Box 128698
Dubai, UAE

+971 4 3383365
[email protected]
   Abu Dhabi

Office 7, Floor 14
Makeen Tower, Al Mawkib St.
Al Zahiya Area
Abu Dhabi, UAE

+971 2 6573566
[email protected]

   Kuwait

Mezzanine Floor, Tower 3
Mohammad Thunayyan Al-Ghanem Street, Jibla
Kuwait City, Kuwait


+971 4 3383365
[email protected]

   London

160 Kemp House, City Road
London, EC1V 2NX
United Kingdom
Company Number: 10276574

+44 20 3287 3942
[email protected]

The website is our proprietary property and all source code, databases, functionality, software, website designs, audio, video, text, photographs, icons and graphics on the website (collectively, the “Content”) are owned or controlled by us or licensed to us, and are protected by copyright laws and various other intellectual property rights. The content and graphics may not be copied, in part or full, without the express permission of DTS Solution LLC (owner) who reserves all rights.

DTS Solution, DTS-Solution.com, the DTS Solution logo, HAWKEYE, FYNSEC, COMPLYAN, FRONTAL, HAWKEYE CSOC WIKI and Firewall Policy Builder are registered trademarks of DTS Solution, LLC.