Initial access is relatively consistent across all ransomware variants.
Organizations should maintain user awareness and training for email security, and should consider ways to identify and remediate malicious email as soon as it enters an employee's mailbox. They should also conduct proper patch management and review which services are exposed to the internet. Remote desktop services should be correctly configured and secured, applying the principle of least privilege wherever possible, with monitoring in place to detect the patterns associated with brute-force attacks: many failed logons against one account from a single source, or a few failures each against many accounts from the same source (password spraying).
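The detection the previous paragraph asks for can be expressed as a small sliding-window rule over failed-logon events. The following is an added example, not code from the original article or from Telefónica Tech: it runs over a constructed, simplified export of Windows Security Event ID 4625 records (failed logon) in the form `timestamp|account|source IP|logon type`, and flags both the classic brute force (many failures against one account from one source) and a password spray (one source touching many accounts). The five-minute window, the thresholds and the log format are assumptions to be tuned for a real environment.

```python
"""Brute-force and password-spray detection over failed-logon events.

Added example, not from the original article. Input is a constructed,
simplified export of Windows Security Event ID 4625 (failed logon) records in
the form "<timestamp>|<account>|<source IP>|<logon type>". Logon type 10 is
RemoteInteractive (RDP); type 3 is Network, which RDP with NLA also produces.
Window and thresholds are assumed values to be tuned per environment.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log (placeholder addresses from documentation ranges).
SAMPLE_EVENTS = """\
2024-03-01T09:00:01|jsmith|203.0.113.7|10
2024-03-01T09:00:02|jsmith|-|2
2024-03-01T09:00:04|jsmith|203.0.113.7|10
2024-03-01T09:00:07|jsmith|203.0.113.7|10
2024-03-01T09:00:10|jsmith|203.0.113.7|10
2024-03-01T09:00:12|jsmith|203.0.113.7|10
2024-03-01T09:00:15|jsmith|203.0.113.7|10
2024-03-01T09:05:00|Administrator|198.51.100.9|3
2024-03-01T09:05:20|jsmith|198.51.100.9|3
2024-03-01T09:05:40|mgarcia|198.51.100.9|3
2024-03-01T09:06:00|backup|198.51.100.9|3
2024-03-01T09:30:00|mgarcia|192.0.2.25|10
2024-03-01T09:30:30|mgarcia|192.0.2.25|10
2024-03-01T09:37:00|mgarcia|192.0.2.25|10
2024-03-01T09:37:30|mgarcia|192.0.2.25|10
2024-03-01T09:44:00|mgarcia|192.0.2.25|10
"""

WINDOW = timedelta(minutes=5)   # assumed sliding window
BRUTE_THRESHOLD = 5             # failures against one account from one source
SPRAY_THRESHOLD = 4             # distinct accounts targeted from one source
REMOTE_LOGON_TYPES = {"10", "3"}


def parse_events(text):
    """Return (timestamp, account, source) tuples for remote logon failures, in time order."""
    events = []
    for line in text.strip().splitlines():
        ts, account, src, logon_type = line.split("|")
        # Local console failures (source "-", type 2) are not remote brute force; skip them.
        if logon_type in REMOTE_LOGON_TYPES and src != "-":
            events.append((datetime.fromisoformat(ts), account.lower(), src))
    events.sort()
    return events


def detect(text):
    """Return alerts as (kind, source, target, iso_timestamp) tuples."""
    alerts = []
    recent = defaultdict(deque)   # source IP -> recent (timestamp, account) failures
    fired = set()                 # suppress duplicate alerts per (source, key)
    for ts, account, src in parse_events(text):
        window = recent[src]
        window.append((ts, account))
        # Evict failures older than the sliding window.
        while window and window[0][0] < ts - WINDOW:
            window.popleft()
        per_account = defaultdict(int)
        for _, acct in window:
            per_account[acct] += 1
        # Many failures against one account from one source: classic brute force.
        if per_account[account] >= BRUTE_THRESHOLD and (src, account) not in fired:
            fired.add((src, account))
            alerts.append(("brute_force", src, account, ts.isoformat()))
        # Few failures each against many accounts from one source: password spray.
        if len(per_account) >= SPRAY_THRESHOLD and (src, "*") not in fired:
            fired.add((src, "*"))
            alerts.append(("password_spray", src, ",".join(sorted(per_account)), ts.isoformat()))
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

In the sample, 203.0.113.7 trips the brute-force rule on its fifth failure against jsmith, 198.51.100.9 trips the spray rule after touching four different accounts, and the slow trickle of failures from 192.0.2.25 never has five inside one window, so it is treated as a user mistyping a password rather than an attack. The eviction step is what keeps that last case quiet; a naive per-source counter with no window would alert on it too.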
In this article we bring you 12 practical recommendations:
There are a number of private and public threat intelligence sources, which vary significantly in cost. Organizations should use this information to understand how new threats affect their existing defenses and how to detect whether they have already been affected. Some of the most common sources of threat intelligence include:
→ Telefónica Tech as part of the CTA (Cyber Threat Alliance)
→ unit42.paloaltonetworks.com
→ infragard.org
→ cisa.gov/ais
→ isc.sans.edu
Keep systems patched and up to date. This includes patching VPN servers and retiring Server Message Block version 1 (SMBv1) in favour of newer SMB versions, to limit adversaries' ability to abuse the file-sharing protocol to move laterally within the network.
Keep backups isolated from the production network, so that threat actors who gain a foothold cannot reach them to disable or delete the backups and prevent recovery.
Recovery processes should be implemented and rehearsed frequently on the most critical systems and data, in order to minimize downtime and cost to the organization in the event of a successful ransomware attack.
This is one of the main reasons it is important to detect any intrusion into the corporate network and remediate it as soon as possible. Once cybercriminals reach and destroy the backup copies, the company has no other way of recovering its information.
Train employees on standard and advanced phishing and social engineering techniques. Implement hygiene measures such as not sharing credentials with co-workers, reporting any suspicious email, and avoiding the use of company devices for personal activities. Tailor the training to your organization and to employee roles.
Protect all remote access, internet-accessible and business email accounts. Adopt account administration best practices across the organization, including requiring unique and complex passwords of at least 15 characters so they cannot be easily brute-forced.
Ensure all external remote administration is conducted through an enterprise-grade VPN that requires MFA.
Do not reuse local administrator account passwords across systems, so that a single compromised credential cannot be used for initial access, privilege escalation and lateral movement across the network. Also disable any administration tools that are not strictly required, to reduce the attack surface available to an intruder.
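The lateral movement that shared local administrator passwords enable is easy to measure once the hashes have been collected. The following is an added example, not code from the original article or from Telefónica Tech: given a constructed mapping of hostname to the NT hash of the local Administrator account (placeholder values, not real hashes), it groups hosts that share a password, shows how far an attacker holding one host's hash can reach with pass-the-hash, and computes what fraction of the fleet is affected. The hostnames, the hash values and the input format are assumptions.

```python
"""Find local administrator passwords shared across hosts.

Added example, not from the original article. The input is a constructed
mapping of hostname to the NT hash of the local Administrator account, as a
credential audit might collect it; the hash values are placeholders, not real
hashes. Hosts sharing a hash are reachable from each other by pass-the-hash
once any one of them is compromised, which is the lateral movement the
recommendation is about.
"""
from collections import defaultdict

# Constructed sample: 32-hex-character placeholders standing in for NT hashes.
LOCAL_ADMIN_HASHES = {
    "ws-001": "0f0f0f0f0f0f0f0f0f0f0f0f0f0f0f0f",
    "ws-002": "0f0f0f0f0f0f0f0f0f0f0f0f0f0f0f0f",
    "ws-003": "0F0F0F0F0F0F0F0F0F0F0F0F0F0F0F0F",   # same hash, different case
    "ws-004": "1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a",
    "srv-db-01": "2b2b2b2b2b2b2b2b2b2b2b2b2b2b2b2b",
    "srv-db-02": "2b2b2b2b2b2b2b2b2b2b2b2b2b2b2b2b",
    "srv-file-01": "3c3c3c3c3c3c3c3c3c3c3c3c3c3c3c3c",
}


def shared_hash_groups(hash_by_host):
    """Return {hash: sorted hosts} for every hash used by more than one host."""
    hosts_by_hash = defaultdict(set)
    for host, nt_hash in hash_by_host.items():
        # Normalise case so the same hash exported by different tools compares equal.
        hosts_by_hash[nt_hash.lower()].add(host)
    return {h: sorted(hosts) for h, hosts in hosts_by_hash.items() if len(hosts) > 1}


def lateral_reach(hash_by_host, compromised_host):
    """Hosts reachable with pass-the-hash after taking one host's local admin hash."""
    stolen = hash_by_host[compromised_host].lower()
    return sorted(h for h, v in hash_by_host.items()
                  if v.lower() == stolen and h != compromised_host)


def reuse_ratio(hash_by_host):
    """Fraction of hosts whose local admin password is shared with at least one other host."""
    groups = shared_hash_groups(hash_by_host)
    affected = sum(len(hosts) for hosts in groups.values())
    return affected / len(hash_by_host)


if __name__ == "__main__":
    for nt_hash, hosts in shared_hash_groups(LOCAL_ADMIN_HASHES).items():
        print(f"{nt_hash}: {', '.join(hosts)}")
    print("reach from ws-001:", lateral_reach(LOCAL_ADMIN_HASHES, "ws-001"))
    print(f"reuse ratio: {reuse_ratio(LOCAL_ADMIN_HASHES):.0%}")
```

The point of the `reuse_ratio` figure is to turn the recommendation into something a rollout of unique per-host passwords (for example via a LAPS-style tool) can be tracked against: the number should trend to zero, and any cluster that remains is the set of hosts one compromise still buys an attacker.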
Annual inventories are no longer sufficient. Organizations must use attack surface management tools that automate and continuously update these inventories, so that exposed servers that are no longer in use can be identified and decommissioned.
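An up-to-date inventory earns its keep when it is reconciled against what the internet can actually see. The following is an added example, not code from the original article or from Telefónica Tech: it compares a constructed inventory export (a stand-in for a CMDB) with a constructed list of open ports from an external scan, and reports hosts the inventory does not know about, hosts marked decommissioned that are still answering, and administrative services such as RDP that are reachable from outside. The field names, sample addresses and the list of risky ports are assumptions.

```python
"""Reconcile an asset inventory against an external exposure scan.

Added example, not from the original article. Both inputs are constructed:
INVENTORY stands in for a CMDB export and SCAN for the open ports an external
scanner reported. Field names and the set of risky ports are assumptions.
"""

# Constructed inventory export (placeholder addresses from a documentation range).
INVENTORY = [
    {"host": "web-01", "ip": "198.51.100.10", "status": "active", "owner": "web team"},
    {"host": "web-02", "ip": "198.51.100.11", "status": "decommissioned", "owner": "web team"},
    {"host": "vpn-01", "ip": "198.51.100.20", "status": "active", "owner": "network team"},
]

# Constructed scan result: (ip, port, service banner).
SCAN = [
    ("198.51.100.10", 443, "https"),
    ("198.51.100.11", 443, "https"),           # decommissioned on paper, still answering
    ("198.51.100.11", 3389, "ms-wbt-server"),
    ("198.51.100.20", 443, "https"),
    ("198.51.100.31", 3389, "ms-wbt-server"),  # not in the inventory at all
]

# Administrative services that should not be reachable from the internet.
RISKY_PORTS = {22: "SSH", 23: "Telnet", 445: "SMB", 3389: "RDP", 5985: "WinRM", 5986: "WinRM"}


def reconcile(inventory, scan):
    """Return findings grouped by category: unknown hosts, decommissioned-but-live hosts,
    and exposed administrative services."""
    by_ip = {row["ip"]: row for row in inventory}
    findings = {"unknown_host": [], "decommissioned_but_live": [], "admin_service_exposed": []}
    seen_zombie = set()
    for ip, port, service in scan:
        row = by_ip.get(ip)
        if row is None:
            # Answering on the internet but nobody owns it: a forgotten or rogue server.
            findings["unknown_host"].append((ip, port, service))
        elif row["status"] != "active" and row["host"] not in seen_zombie:
            # Listed as retired, yet still reachable: report once per host.
            seen_zombie.add(row["host"])
            findings["decommissioned_but_live"].append((row["host"], ip))
        if port in RISKY_PORTS:
            findings["admin_service_exposed"].append((ip, RISKY_PORTS[port]))
    return findings


def inventory_coverage(inventory, scan):
    """Fraction of externally visible IPs that the inventory accounts for."""
    known = {row["ip"] for row in inventory}
    scanned = {ip for ip, _, _ in scan}
    return len(scanned & known) / len(scanned)


if __name__ == "__main__":
    for category, items in reconcile(INVENTORY, SCAN).items():
        print(category, items)
    print(f"inventory coverage: {inventory_coverage(INVENTORY, SCAN):.0%}")
```

Running this on a schedule, with the scan and the inventory pulled automatically, is the practical form of "keep the inventory up to date": the `unknown_host` and `decommissioned_but_live` lists are exactly the exposed, unowned servers the recommendation wants removed, and `inventory_coverage` below 100% is the signal that the inventory itself has drifted.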