[Post 29 – 30 in 30]

Introduction
The Cybersecurity and Infrastructure Security Agency (CISA) updated its “#StopRansomware Guide” in May 2023. This guide is a treasure trove of strategies to combat ransomware attacks. But what does it contain, and how can you use it to protect your digital assets? Let’s dive in and find out!
Click here to access the full version of the guide from CISA.
The Evolution of Cyber Threats and the Importance of Staying Ahead
Before we delve into the specifics of the guide, it’s important to understand the context in which it was created. Cyber threats have evolved significantly over the years, with attackers constantly finding new ways to exploit vulnerabilities in systems and networks. Ransomware, in particular, has emerged as a major threat, with attackers encrypting data and demanding a ransom in exchange for the decryption key.
The #StopRansomware Guide is a response to this evolving threat landscape. It provides a comprehensive set of guidelines to help organizations mitigate the risk of ransomware attacks. The guide is marked TLP:CLEAR, which means the information can be freely distributed, reflecting CISA’s commitment to promoting cybersecurity awareness and preparedness.
Unpacking the Guide: Key Insights
The Importance of Regularly Reviewing File Types
One of the key insights from the guide is the importance of regularly reviewing file types in your filter list. This might seem like a minor detail, but it’s a crucial aspect of cybersecurity. Cybercriminals are constantly innovating, and they often use seemingly harmless file types as attack vectors. For example, the guide mentions that OneNote attachments have been used in phishing campaigns to deliver malware.
To stay ahead of these evolving threats, the guide recommends conducting a semi-annual review of file types in your filter list and updating it accordingly. This proactive approach can help you identify and block potential attack vectors before they can be exploited (Page 10).
The Power of DMARC Policy
Emails are often the gateway for ransomware attacks. Attackers can spoof or modify emails from valid domains to trick recipients into clicking on malicious links or opening infected attachments. To fortify this entry point, the guide suggests implementing the Domain-based Message Authentication, Reporting and Conformance (DMARC) policy.
DMARC is an email authentication protocol that uses Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM) to detect and prevent email spoofing. By implementing DMARC, you can significantly reduce the risk of spoofed or modified emails from valid domains, adding an extra layer of security to your email communications (Page 10).
Why Disabling Macro Scripts Matters
Macro scripts in Microsoft Office files transmitted via email can be a delivery mechanism for ransomware. These scripts, which are designed to automate tasks in Office applications, can be exploited by attackers to deliver malicious code.
The guide advises disabling these scripts to prevent such attacks. It’s worth noting that recent versions of Office are configured by default to block files containing Visual Basic for Applications (VBA) macros, displaying a warning that macros are present and have been disabled. This is a clear indication of the potential risks associated with macro scripts and the importance of taking proactive measures to mitigate these risks (Page 10).
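The file-type review and the macro advice above are two halves of the same mail-gateway control, so here is one added Python example (not from the guide or this post) covering both: an attachment screen that rejects extensions on a block list, catches double-extension names, and opens Office OOXML containers to see whether a VBA project is embedded. The block list, the filenames and the minimal OOXML containers are all constructed for the demonstration; a real list would be maintained and reviewed on the schedule the guide recommends.

```python
"""Screen e-mail attachments by file type and for embedded VBA (added example)."""
import io
import zipfile

# Constructed starting block list; the guide's point is that it must be reviewed
# regularly. ".one" is included because OneNote attachments are named in the guide.
BLOCKED_EXTENSIONS = {
    ".one", ".js", ".vbs", ".hta", ".iso", ".img", ".lnk", ".docm", ".xlsm", ".pptm",
}
# OOXML formats are ZIP containers; a VBA project inside appears as vbaProject.bin.
OOXML_EXTENSIONS = {".docx", ".docm", ".xlsx", ".xlsm", ".pptx", ".pptm", ".dotm", ".xltm"}


def blocked_by_extension(filename: str) -> bool:
    """True if any trailing extension is on the block list ('invoice.pdf.js' counts)."""
    parts = filename.lower().strip().split(".")
    suffixes = {"." + p for p in parts[1:]}
    return bool(suffixes & BLOCKED_EXTENSIONS)


def contains_vba(data: bytes) -> bool:
    """True if the bytes are a ZIP container holding a vbaProject.bin entry."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(name.lower().endswith("vbaproject.bin") for name in zf.namelist())
    except zipfile.BadZipFile:
        return False


def screen_attachment(filename: str, data: bytes) -> str:
    """Return 'block' (extension), 'block-macro' (VBA inside an OOXML file) or 'allow'."""
    if blocked_by_extension(filename):
        return "block"
    ext = ("." + filename.lower().rsplit(".", 1)[-1]) if "." in filename else ""
    if ext in OOXML_EXTENSIONS and contains_vba(data):
        return "block-macro"
    return "allow"


def make_ooxml(with_macro: bool) -> bytes:
    """Construct a minimal ZIP that mimics an OOXML file (demo input only)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<document/>")
        if with_macro:
            zf.writestr("word/vbaProject.bin", b"\x00constructed-placeholder")
    return buf.getvalue()


if __name__ == "__main__":
    samples = [
        ("meeting-notes.one", b""),
        ("invoice.pdf.js", b""),
        ("report.docx", make_ooxml(with_macro=False)),
        ("report.docx", make_ooxml(with_macro=True)),
    ]
    for name, blob in samples:
        print(f"{name:20} -> {screen_attachment(name, blob)}")
```

Inspecting the container rather than trusting the extension is deliberate: a macro-enabled file renamed to `.docx` still carries its `vbaProject.bin`, and treating that as suspicious is the conservative choice for a gateway even though Word itself will not run macros from a `.docx` content type.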
Mitigating the Risk of Remote Access
Remote access and remote monitoring and management (RMM) software can be a double-edged sword. While they offer convenience and efficiency, they can also be exploited by cybercriminals. If not properly secured, these tools can provide attackers with a gateway into your network, allowing them to install malware, steal sensitive data, or carry out other malicious activities.
The guide provides several strategies to mitigate this risk. One of these is auditing remote access tools on your network. This involves identifying all the remote access tools in use, assessing their security configurations, and ensuring that they are up to date. The guide also recommends detecting abnormal use of RMM software, which could be an indication of a cyber attack.
Another strategy is to block both inbound and outbound connections on common RMM ports and protocols at the network perimeter. This can prevent unauthorized remote access to your network, adding an extra layer of security. However, it’s important to balance this with the operational needs of your organization, as some legitimate services may also use these ports and protocols (Page 15).
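The two RMM recommendations above (audit and detect abnormal use; block common RMM ports at the perimeter) can be turned into a simple detection. The following added Python example, not taken from the guide or this post, runs over constructed perimeter connection-log lines and flags every flow on a known remote-access port, rating it high when the host is not on an allow list of expected RMM users. The log format and the allow list are assumptions; RDP and VNC ports are standard, while the TeamViewer and AnyDesk ports are the vendor defaults as I understand them and should be confirmed against current vendor documentation.

```python
"""Flag remote-access and RMM traffic in perimeter connection logs (added example)."""
from collections import Counter

# Default ports of common remote access tools. RDP and VNC are standard; the
# TeamViewer and AnyDesk entries are assumed vendor defaults (verify before use).
RMM_PORTS = {
    (3389, "tcp"): "RDP",
    (5900, "tcp"): "VNC",
    (5938, "tcp"): "TeamViewer",
    (7070, "tcp"): "AnyDesk",
}

# Constructed sample log: timestamp direction host remote_ip dst_port proto.
# IP addresses are from the documentation ranges (TEST-NET-2 / TEST-NET-3).
SAMPLE_LOG = """\
2024-05-01T10:00:00Z outbound ws-017 203.0.113.5 443 tcp
2024-05-01T10:00:05Z outbound ws-017 203.0.113.9 5938 tcp
2024-05-01T10:01:10Z inbound  srv-db01 198.51.100.23 3389 tcp
2024-05-01T10:02:00Z outbound it-admin-02 203.0.113.9 5938 tcp
2024-05-01T10:03:30Z outbound ws-044 198.51.100.77 7070 tcp
""".splitlines()

# Constructed allow list: hosts whose use of a given tool is expected.
APPROVED_RMM = {"it-admin-02": {"TeamViewer"}}


def parse_line(line: str) -> dict:
    """Parse one whitespace-separated log line into a dict."""
    ts, direction, host, remote, port, proto = line.split()
    return {
        "ts": ts,
        "direction": direction.lower(),
        "host": host,
        "remote": remote,
        "port": int(port),
        "proto": proto.lower(),
    }


def detect_rmm(lines, approved) -> list:
    """Return one finding per flow on an RMM port.

    Every such flow crossing the perimeter is reportable (the guide says to
    block these ports there); flows from hosts not approved for that tool are
    rated 'high' as abnormal use, approved ones 'info'.
    """
    findings = []
    for line in lines:
        ev = parse_line(line)
        tool = RMM_PORTS.get((ev["port"], ev["proto"]))
        if tool is None:
            continue
        expected = tool in approved.get(ev["host"], set())
        findings.append({**ev, "tool": tool, "severity": "info" if expected else "high"})
    return findings


def summarize(findings) -> Counter:
    """Count findings per (tool, severity) for a quick audit view."""
    return Counter((f["tool"], f["severity"]) for f in findings)


if __name__ == "__main__":
    results = detect_rmm(SAMPLE_LOG, APPROVED_RMM)
    for f in results:
        print(f"{f['severity']:4} {f['ts']} {f['host']:12} {f['direction']:8} {f['tool']} -> {f['remote']}")
    print(dict(summarize(results)))
```

The allow list is what makes this an "abnormal use" detector rather than a port counter: once the audit the guide recommends has produced the inventory of who legitimately uses which tool, everything outside that inventory is the signal worth investigating.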
The Role of Network Segmentation
Network segmentation is a crucial strategy to contain the impact of any intrusion affecting your organization and prevent or limit lateral movement on the part of malicious actors. This involves dividing your network into smaller, isolated segments, each with its own set of controls and security policies.
The guide emphasizes the importance of implementing Zero Trust Architecture (ZTA) in this context. ZTA is a security model that assumes no trust by default, requiring verification for every user, device, and network flow. By implementing ZTA, you can ensure that even if an attacker manages to infiltrate one segment of your network, they won’t be able to move laterally to other segments.
The guide also highlights the importance of maintaining separation between IT and operational technology. This can prevent a cyber attack from spreading from your IT systems to your operational systems, which could have serious consequences for your organization’s operations (Page 15).
The Value of Comprehensive Network Diagrams
The guide advises developing and regularly updating comprehensive network diagrams that describe systems and data flows within your organization’s network. These diagrams can provide a visual representation of your network, making it easier to understand its structure and identify potential vulnerabilities.
Network diagrams can also be a valuable tool for incident responders. In the event of a cyber incident, they can help responders understand where to focus their efforts, identify the scope of the incident, and determine the best course of action. The guide recommends updating these diagrams regularly to ensure that they accurately reflect the current state of your network (Page 15).
Best Practices for Ransomware and Data Extortion Prevention
The guide also provides a list of best practices for ransomware and data extortion prevention. These practices are designed to help you proactively protect your organization from ransomware attacks and minimize the potential damage if an attack does occur.
- Maintain offline, encrypted backups of critical data: Regularly back up your data and store the backups offline, where they can’t be accessed by ransomware. Test the availability and integrity of these backups regularly to ensure that you can restore your data if needed.
- Regularly update “golden images” of critical systems: Maintain up-to-date images of your critical systems, which can be used to quickly restore these systems in the event of a ransomware attack.
- Conduct regular vulnerability scanning: Regularly scan your systems and networks for vulnerabilities, and patch these vulnerabilities as soon as possible. This can help you prevent attackers from exploiting these vulnerabilities to infiltrate your network.
- Ensure all on-premises, cloud services, mobile, and personal devices are properly configured: Make sure that all your devices and services are configured with security in mind. Disable unnecessary ports and protocols, enable security features, and regularly update your software and firmware.
- Limit the use of RDP and other remote desktop services: If you need to use remote desktop services, make sure they are properly secured. Use strong, unique passwords, enable two-factor authentication, and restrict access to these services to only those who need it.
- Triage impacted systems for restoration and recovery: In the event of a ransomware attack, quickly identify and prioritize the systems that need to be restored. This should be based on a predefined critical asset list that includes information systems critical for health and safety, revenue generation, or other critical services, as well as systems they depend on.
- Examine existing organizational detection or prevention systems: Regularly review your detection and prevention systems to ensure they are effective. Look for evidence of precursor “dropper” malware, such as Bumblebee, Dridex, Emotet, QakBot, or Anchor. A ransomware event may be evidence of a previous, unresolved network compromise.
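The first item in that list asks you to test the integrity of offline backups regularly. As an added Python example (not from the guide or this post), the block below builds a SHA-256 manifest for a backup set and later verifies the set against it, reporting files that were modified, went missing, or appeared unexpectedly. The backup directory, file names and the simulated corruption are constructed inside a temporary directory so the example runs stand-alone.

```python
"""Build and verify a SHA-256 manifest for an offline backup set (added example)."""
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Hash a file in 1 MiB chunks so large backup archives do not load into memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(backup_dir: Path) -> dict:
    """Map each file's relative POSIX path to its SHA-256 digest."""
    return {
        p.relative_to(backup_dir).as_posix(): sha256_file(p)
        for p in sorted(backup_dir.rglob("*"))
        if p.is_file()
    }


def verify_backup(backup_dir: Path, manifest: dict) -> dict:
    """Compare the directory with a stored manifest.

    Returns {'ok', 'modified', 'missing', 'unexpected'} lists of relative paths.
    """
    current = build_manifest(backup_dir)
    result = {"ok": [], "modified": [], "missing": [], "unexpected": []}
    for name, digest in manifest.items():
        if name not in current:
            result["missing"].append(name)
        elif current[name] != digest:
            result["modified"].append(name)
        else:
            result["ok"].append(name)
    result["unexpected"] = sorted(set(current) - set(manifest))
    return result


def demo() -> dict:
    """Create a constructed backup set, record its manifest, damage it, and verify."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "db").mkdir()
        (root / "db" / "customers.sql").write_bytes(b"constructed sample dump")
        (root / "config.tar").write_bytes(b"constructed archive")
        manifest = build_manifest(root)
        # Simulate silent corruption, a lost file and an unexpected addition.
        (root / "db" / "customers.sql").write_bytes(b"corrupted")
        (root / "config.tar").unlink()
        (root / "extra.bin").write_bytes(b"constructed stray file")
        return verify_backup(root, manifest)


if __name__ == "__main__":
    for category, names in demo().items():
        print(f"{category:10} {names}")
```

The manifest should be kept with the offline copy and, ideally, a second copy kept elsewhere, because a backup whose manifest has been tampered with along with its contents will verify clean; a signed manifest closes that gap. The point of running `verify_backup` on a schedule is that the "availability" half of the guide's advice is only proven when the media can actually be mounted and read.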
Your Ransomware and Data Extortion Response Checklist
Finally, the guide provides a checklist for responding to ransomware and data extortion incidents. This checklist can serve as a roadmap, guiding you through the steps you need to take to respond effectively to an incident.
- Initial Detection and Analysis: The first step in responding to a ransomware attack is to identify the type of ransomware affecting your systems. This can be done by looking at the ransom message, the file extension, or the ransom note left by the attackers.
- Containment: Once you’ve identified the ransomware, the next step is to contain the incident. This involves isolating affected systems from the network to prevent the ransomware from spreading to other systems.
- Eradication: After containing the incident, you need to eradicate the ransomware from your systems. This could involve restoring the system to its pre-infection state, reinstalling the operating system, or replacing the system.
- Recovery: The recovery phase involves restoring systems and data from clean backups. It’s important to ensure that these backups are free from any infections before you use them to restore your systems.
- Post-Incident Activity: After the incident has been resolved, it’s important to conduct a post-incident review to identify lessons learned and improvements to be made to your incident response plan. This can help you prevent similar incidents in the future and improve your overall cybersecurity posture.
- Reporting and Notification: Finally, it’s important to report the incident to relevant internal and external stakeholders. This could include your IT department, managed security service providers, cyber insurance company, and departmental or elected leaders. Also, report the incident to, and consider requesting assistance from, the appropriate authorities: in Canada, your local police, the RCMP NC3, or the CCCS; in the US, CISA, your local FBI field office, the FBI Internet Crime Complaint Center (IC3), or your local U.S. Secret Service field office.
Conclusion
In conclusion, the “#StopRansomware Guide” by CISA is a comprehensive resource that provides valuable insights and practical strategies to mitigate the risk of ransomware attacks. By implementing these guidelines, we can collectively build a safer digital space. Remember, the best defence against ransomware is prevention and preparedness.
Your Next Steps
Now that you’re armed with this knowledge, it’s time to take action. Review the full guide, implement the best practices, and share this information with your colleagues.
Disclaimer: This blog post is a summary of the “#StopRansomware Guide” by CISA. For a complete understanding, please refer to the full guide.
Thanks for reading this far.
My aim with this campaign is to provide readers with valuable content, insights, and inspiration that can help in their personal and professional lives. Whether you’re looking to improve your productivity, enhance your creative strategies, or simply stay up-to-date with the latest news and ideas in cybersecurity, I’ve got something for you.
But this campaign isn’t just about sharing our knowledge and expertise with you. It’s also about building a community of like-minded IT and security focused individuals who are passionate about learning, growing, and collaborating. By subscribing to the blog and reading every day, you’ll have the opportunity to engage with other readers, share your own insights and experiences, and connect with people in the industry.
So why should you read every day and subscribe? Well, for starters, you’ll be getting access to some great content that you won’t find anywhere else. From practical tips and strategies to thought-provoking insights and analysis, the blog has something for everyone that wants to get current and topical cybersecurity information. Plus, by subscribing, you’ll never miss a post, so you can stay on top of the latest trends and ideas in the field.
But perhaps the biggest reason to join the 30-in-30 campaign is that it’s a chance to be part of something bigger than yourself. By engaging with the community, sharing your thoughts and ideas, and learning from others, you’ll be able to grow both personally and professionally. So what are you waiting for? Subscribe, and for the next 30 days and beyond, let’s learn, grow, and achieve our goals together!