On May 11, 2021, the Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) released a joint advisory (the Advisory) that urges owners and operators of critical infrastructure (CI) assets (e.g., communications, energy, defense, and transportation companies, among others) to “adopt a heightened state of awareness” in light of the recent DarkSide ransomware attack against a U.S. pipeline operator. The Advisory recommends a number of actions that CI entities should consider implementing to prevent and mitigate the effects of ransomware attacks. The warning comes days after the ransomware attack that caused a U.S. pipeline operator to shut down its operations.
This OnPoint summarizes CISA and FBI mitigation recommendations and provides practical tips for companies to prepare and defend against ransomware attacks.
CISA and FBI mitigation recommendations
Preventing an attack: The Advisory includes several recommendations for companies to mitigate the risk of ransomware attacks. These include: requiring multifactor authentication (MFA) for remote access to enterprise networks; enabling strong spam filters to block phishing emails; conducting user training on phishing attacks; regularly updating software and applying security patches; filtering network traffic to block known malicious IP addresses; limiting access to resources over networks, including restricting and/or securing remote access features; using antivirus and antimalware programs to regularly scan IT network assets; and preventing unauthorized execution through steps such as disabling macro scripts in emailed files, implementing application allowlisting, monitoring/blocking incoming connections from anonymization services, and deploying signatures to detect and/or block incoming connections from post-exploitation tools such as Cobalt Strike servers.[1]
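Two of the network-level recommendations above, blocking traffic from known malicious IP addresses and monitoring incoming connections from anonymization services, can be reduced to a small matching routine run over firewall logs. The following Python script is an added example, not code from the Advisory or from CISA; the block lists, the log format, and the addresses in the sample lines are all constructed placeholders (RFC 5737 documentation ranges, not real threat intelligence), and a real deployment would load the lists from a vetted feed.

```python
import ipaddress
import re

# Constructed block lists (documentation address ranges, NOT real indicators).
# In practice these come from a maintained threat-intelligence feed.
KNOWN_MALICIOUS = ["203.0.113.0/24", "198.51.100.7"]
ANONYMIZATION_EXITS = ["192.0.2.0/28"]

# Constructed firewall log lines in a simple key=value format (placeholder data).
SAMPLE_LOG = """\
2021-05-11T10:00:01Z src=203.0.113.45 dst=10.0.0.5 dport=443 action=ACCEPT
2021-05-11T10:00:02Z src=10.0.0.9 dst=10.0.0.5 dport=445 action=ACCEPT
2021-05-11T10:00:03Z src=192.0.2.3 dst=10.0.0.8 dport=3389 action=ACCEPT
2021-05-11T10:00:04Z src=198.51.100.7 dst=10.0.0.5 dport=22 action=ACCEPT
2021-05-11T10:00:05Z src=172.16.5.5 dst=10.0.0.5 dport=53 action=ACCEPT
"""

LINE_RE = re.compile(r"src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)")


def compile_networks(entries):
    """Turn a list of single IPs or CIDR blocks into ip_network objects.

    strict=False tolerates feed entries that have host bits set (e.g. 10.1.2.3/24).
    """
    return [ipaddress.ip_network(e, strict=False) for e in entries]


def classify(src_ip, malicious_nets, anon_nets):
    """Return the verdict for one source address: block, alert, or allow."""
    ip = ipaddress.ip_address(src_ip)
    if any(ip in net for net in malicious_nets):
        return "block:known-malicious"
    if any(ip in net for net in anon_nets):
        return "alert:anonymization-service"
    return "allow"


def scan_log(text, malicious=KNOWN_MALICIOUS, anon=ANONYMIZATION_EXITS):
    """Scan log text and return (src, dport, verdict) for every non-allowed line."""
    malicious_nets = compile_networks(malicious)
    anon_nets = compile_networks(anon)
    findings = []
    for line in text.splitlines():
        match = LINE_RE.search(line)
        if not match:
            continue  # skip lines that do not carry a connection record
        verdict = classify(match["src"], malicious_nets, anon_nets)
        if verdict != "allow":
            findings.append((match["src"], int(match["dport"]), verdict))
    return findings


if __name__ == "__main__":
    for src, dport, verdict in scan_log(SAMPLE_LOG):
        print(f"{verdict:30} src={src} dport={dport}")
```

The two lists are kept separate on purpose: a known-malicious hit is an outright block, while a connection from an anonymization exit is raised as an alert for review, which matches the Advisory's wording of "monitor/block" for that category.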
Reducing the impact of an attack: The Advisory also contains mitigation recommendations for CI entities to reduce the risk of serious disruption in the event of a successful ransomware attack. These recommendations include: implementing and ensuring robust network segmentation between IT and operational technology (OT) networks; organizing OT assets into logical zones; identifying the interdependencies between OT and IT networks and developing manual workarounds or controls; regularly testing those manual controls; implementing regular data backup procedures; and ensuring that user and process accounts have limited access rights.
During an attack: Finally, the Advisory also recommends that in the event of a ransomware attack, companies isolate affected systems, shut down other equipment and devices, and protect backups.
The Advisory also states that CISA and the FBI “do not encourage paying a ransom to criminal actors,” and notes that “paying a ransom may embolden adversaries to target additional organizations, encourage other criminal actors to engage in the distribution of ransomware, and/or fund illicit activities.” The decision whether to pay a ransom demand is specific to the facts and circumstances and must take into account legal considerations, such as whether the threat actor appears on the sanctions lists of the Office of Foreign Assets Control (OFAC) of the U.S. Department of the Treasury.
Practical tips for companies
With the shift to remote work last year, cyberattacks of all kinds increased sharply in 2020 and 2021, but the headline for 2020 was ransomware. Ransomware attacks increased by 150% in 2020. In 2021 this activity has only increased, with high-profile ransomware attacks against critical infrastructure, private companies and municipalities taking hold. The amounts demanded in these attacks have also risen dramatically in 2021, with demands reaching tens of millions of dollars. Along with the increase in sophistication and frequency, the methods used by threat actors have also changed. In addition to encrypting enterprise systems with ransomware, threat actors also gain access to servers and exfiltrate sensitive and proprietary files (sometimes up to a terabyte of data) and then contact the company with an extortion demand, that is, a cryptocurrency payment in exchange for keeping the data private.
How can companies reduce risk?
In addition to the technical recommendations in the Advisory, there are a number of measures that companies should consider now to reduce the risk of a ransomware attack and, if one occurs, to reduce the risk of harm. These include:
- Back up company data periodically (daily where possible) in an environment segregated from other company systems, and test the backups regularly;
- Review the company’s incident response plan to make sure that, in the event of an attack, it is clear who is responsible for what actions and that legal personnel are notified immediately;
- Review the company’s cyber insurance and make sure a ransom payment is covered and that the level of coverage reflects the current reality of ransom demands;
- Make sure MFA is enabled on all company accounts and that there are strong spam filters;
- Establish a secure communication channel in a secure text messaging application so that senior management can communicate in the event of a cyberattack;
- Educate and train the company’s employee base on phishing emails (impersonation) and on the methods threat actors use to induce users to click on links;
- Assess the need for a prophylactic threat hunt by a reputable forensic firm retained through counsel; and
- Evaluate the cybersecurity protocols and programs of key vendors and suppliers.
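The first tip above, backing up data and testing the backups regularly, is only useful if a restore can be shown to be complete and intact, since ransomware that also corrupts or encrypts backup copies defeats the purpose. The following Python script is an added example, not code from the OnPoint or from any vendor: it records a SHA-256 manifest of a data set at backup time, then verifies a restored copy against that manifest and reports missing or altered files. The sample files and directory names are constructed inside a temporary directory; the `demo()` function is hypothetical and exists only to exercise the check end to end.

```python
import hashlib
import json
import os
import shutil
import tempfile


def sha256_file(path):
    """Stream a file through SHA-256 so large backups do not need to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root):
    """Map each file's path relative to root (always '/'-separated) to its hash.

    The manifest should be stored apart from the backup itself, in line with the
    page's advice to keep backups in a segregated environment, so that an attacker
    who alters the backup cannot also silently update the record of what it held.
    """
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = sha256_file(full)
    return manifest


def verify_restore(manifest, restored_root):
    """Return a sorted list of (relative_path, problem) for a restored tree.

    An empty list means every file in the manifest is present with the expected hash.
    """
    problems = []
    for rel, expected in manifest.items():
        path = os.path.join(restored_root, *rel.split("/"))
        if not os.path.exists(path):
            problems.append((rel, "missing"))
        elif sha256_file(path) != expected:
            problems.append((rel, "hash-mismatch"))
    return sorted(problems)


def demo():
    """Hypothetical end-to-end run on constructed data: clean restore, then a damaged one."""
    with tempfile.TemporaryDirectory() as tmp:
        src = os.path.join(tmp, "data")
        os.makedirs(os.path.join(src, "docs"))
        # Constructed sample files standing in for company data.
        with open(os.path.join(src, "ledger.csv"), "w") as fh:
            fh.write("id,amount\n1,100\n")
        with open(os.path.join(src, "docs", "policy.txt"), "w") as fh:
            fh.write("retain 7 years\n")

        # Manifest taken at backup time; JSON round-trip mimics storing it off-system.
        manifest = json.loads(json.dumps(build_manifest(src)))

        # Simulate a restore from backup, then verify it.
        restored = os.path.join(tmp, "restored")
        shutil.copytree(src, restored)
        clean_result = verify_restore(manifest, restored)

        # Simulate a damaged backup: one file altered, one file lost.
        with open(os.path.join(restored, "ledger.csv"), "a") as fh:
            fh.write("2,999\n")
        os.remove(os.path.join(restored, "docs", "policy.txt"))
        damaged_result = verify_restore(manifest, restored)

        return clean_result, damaged_result


if __name__ == "__main__":
    clean, damaged = demo()
    print("clean restore problems:", clean)
    print("damaged restore problems:", damaged)
```

Run as a scheduled job against a test restore, a non-empty result is the signal that the backup cannot be relied on and that the incident response plan's backup assumptions need revisiting before an attack, not during one.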
[1] The Advisory notes that DarkSide threat actors were observed using Cobalt Strike.