12 Tips for Prevention and Protection Against Ransomware Attacks

Read our article on practical recommendations to prevent ransomware attacks.

Initial access is relatively consistent across all ransomware variants.

Organizations should maintain user awareness and training for email security as well as consider ways to identify and remediate malicious email as soon as it enters an employee’s mailbox. Organizations should also ensure they conduct proper patch management and review which services may be exposed to the internet. Remote desktop services should be correctly configured and secured, using the principle of least privilege wherever possible, with a policy in place to detect patterns associated with brute-force attacks.
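As an added example (not part of the original article), a defender-side check for the brute-force pattern mentioned above: it counts failed RDP logons per source address inside a sliding time window over constructed Windows Security log lines. Event ID 4625 is Windows' failed-logon event and logon type 10 is RemoteInteractive (RDP); the flat key=value line layout and the sample addresses are assumptions made for this example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines (not real logs). The key=value layout is an assumption;
# the field meanings are Windows': EventID 4625 = failed logon, LogonType 10 = RDP.
SAMPLE_LOG = """\
2024-03-01T08:00:01Z EventID=4625 LogonType=10 Src=203.0.113.5 User=alice
2024-03-01T08:00:03Z EventID=4625 LogonType=10 Src=203.0.113.5 User=bob
2024-03-01T08:00:06Z EventID=4625 LogonType=10 Src=203.0.113.5 User=carol
2024-03-01T08:00:09Z EventID=4625 LogonType=10 Src=203.0.113.5 User=alice
2024-03-01T08:00:12Z EventID=4625 LogonType=10 Src=203.0.113.5 User=dave
2024-03-01T08:00:15Z EventID=4625 LogonType=10 Src=203.0.113.5 User=bob
2024-03-01T08:01:00Z EventID=4624 LogonType=10 Src=198.51.100.7 User=jdoe
2024-03-01T08:02:00Z EventID=4625 LogonType=10 Src=198.51.100.7 User=jdoe
2024-03-01T08:03:00Z EventID=4625 LogonType=3 Src=192.0.2.9 User=guest
2024-03-01T09:02:00Z EventID=4625 LogonType=10 Src=198.51.100.7 User=jdoe
"""

LINE_RE = re.compile(r"^(\S+) EventID=(\d+) LogonType=(\d+) Src=(\S+) User=(\S+)$")

def parse(lines):
    """Yield (timestamp, event_id, logon_type, source, user); skip malformed lines."""
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            ts = datetime.fromisoformat(m[1].replace("Z", "+00:00"))
            yield ts, int(m[2]), int(m[3]), m[4], m[5]

def detect_rdp_bruteforce(lines, threshold=5, window=timedelta(minutes=5)):
    """Flag sources with >= threshold failed RDP logons inside a sliding window.
    Returns {source: (failures_in_window, distinct_target_users)}; many distinct
    users from one source points at password spraying rather than one account."""
    recent = defaultdict(deque)  # per-source queue of (timestamp, user)
    alerts = {}
    for ts, event_id, logon_type, src, user in parse(lines):
        if event_id != 4625 or logon_type != 10:
            continue  # only failed RemoteInteractive (RDP) logons matter here
        q = recent[src]
        q.append((ts, user))
        while q and ts - q[0][0] > window:
            q.popleft()  # drop failures that have fallen out of the window
        if len(q) >= threshold:
            alerts[src] = (len(q), len({u for _, u in q}))
    return alerts

if __name__ == "__main__":
    print(detect_rdp_bruteforce(SAMPLE_LOG.splitlines()))
```

On the sample, only 203.0.113.5 is flagged (six failures against four accounts within 15 seconds); the two failures from 198.51.100.7 an hour apart never share a window.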

In this article we bring you 12 practical recommendations:

1. Subscribe to sources of threat intelligence information:

There are a number of private and public threat intelligence sources, which vary significantly in cost. Organizations should use this information to understand how new threats can affect their existing defenses and how to detect those threats if they have been affected. Some of the most common sources of threat intelligence include:

→ Telefónica Tech, as part of the CTA (Cyber Threat Alliance)

→ unit42.paloaltonetworks.com

→ infraguard.org

→ cisa.gov/ais

→ isc.sans.edu

2. Keep your software up to date with the latest version as updates often patch security vulnerabilities.

This includes patching VPN servers and upgrading from Server Message Block version 1 (SMBv1), so that adversaries cannot abuse the file-sharing protocol to move laterally between systems.

3. Maintain regular backups of your files and systems and ensure the backups are stored off-network.

This way, threat actors cannot reach the backups to disable or delete them and so prevent recovery.

Recovery processes should be implemented and rehearsed frequently with the most critical systems and information in order to minimize downtime and cost to the organization in the event of a successful ransomware attack.

This is one of the main reasons why it is important to be alert to any intrusion in the corporate network and to remedy it as soon as possible. Once cybercriminals gain control of the backup copies, the company has no other way of recovering its information.

4. Conduct comprehensive, rigorous end-user training

Training should cover standard and advanced phishing and social engineering techniques. Implement hygiene measures, such as not sharing credentials with co-workers, reporting any suspicious emails, and avoiding the use of company devices for personal activities. It is important to tailor the education to your organization and to employee roles.

5. Leverage log aggregation systems to increase log retention, integrity, and availability.

6. Understand where sensitive data lives and implement strong access controls to protect that data. Monitor and audit access regularly.

7. Invest in a trusted endpoint detection and response platform to help with ransomware detection, and use firewalls to block malicious traffic.

8. Implement strict policies surrounding the use of employee-owned devices for work-related activities and limit user privileges whenever possible.

9. Enforce stronger passwords and integrate multi-factor authentication (MFA)

Apply this to all remote access, internet-accessible and business email accounts. Adopt account administration best practices across the organization, including requiring unique and complex passwords of at least 15 characters so they cannot be easily brute-forced.

10. Disable any direct external RDP access

Ensure all external remote administration is conducted through an enterprise-grade VPN protected with MFA.

11. Limit the use of privileged accounts

Do not reuse local administrator account passwords; this helps prevent initial access by attackers, privilege escalation, and lateral movement across the network. Also disable all administration tools that are not strictly required, in order to minimize the attack surface.

12. Create and maintain an asset inventory.

Annual inventories are no longer sufficient. Organizations must use management tools across their attack surface that automate and keep these inventories up to date, in order to identify and decommission exposed servers that are no longer in use.

Explore our Intelligent Managed Security Services to protect your business's digital assets.
