Preventing Cybersecurity Attacks: CISA Issues New Ransomware Prevention Guidelines
October 16, 2020 by Alessandro Mascellino
The Cybersecurity and Infrastructure Security Agency (CISA) and the Multi-State Information Sharing and Analysis Center (MS-ISAC) recently released a joint Ransomware Guide.
Published on September 30, the document contains various resources to inform best practices and ways to prevent, protect, and respond to a ransomware attack. The new Ransomware Guide is divided into two separate parts, the first one about Ransomware Prevention, the second about Ransomware Response.
The Cybersecurity and Infrastructure Security Agency (CISA) is the Nation’s risk advisor. The agency works with various governmental and private partners to defend the country from malicious actors and build more secure and resilient infrastructures.
A graphic from the Cybersecurity and Infrastructure Security Agency (CISA). Image courtesy of CISA.
The Center for Internet Security (CIS) is one of CISA’s partners, funded by the Agency. CIS is a non-profit community united under the vision of creating best practices guidelines for securing IT systems and data.
It is also home to the Multi-State Information Sharing and Analysis Center (MS-ISAC), a resource for cyber threat prevention, protection, response, and recovery for the U.S. State, local, tribal, and territorial government entities. The new Ransomware Guide is the fruit of the collaboration between CISA and MS-ISAC.
The organizations are now distributing the document to inform and enhance network defense and reduce exposure to a ransomware attack.
Ransomware Infection Vectors
According to the new Ransomware Guide, there are three main ransomware infection vectors that companies should be prepared to fend off. Phishing is the first of them, with malicious emails being one of the leading causes of ransomware infections in the automation industry.
For example, earlier this year, COVID-19-related phishing emails were used as bait in malware attacks on several industrial companies. The second category of infection vectors the Ransomware Guide mentions is precursor malware infections.
The cover of the Ransomware Guide. Image courtesy of CISA.
In other words, a ransomware infection may be the last step in a network compromise strategy, activated as a way to obfuscate previous post-compromise activities.
Finally, third parties’ hygiene practices or managed service providers could compromise a company’s security system, as data held by them could be exposed and targeted by malicious actors.
Upkeeping Prevention Tactics
To defend against cyberattackers and avoid ransomware infections, the Ransomware Guide suggests using multi-factor authentication (MFA). They specifically recommend this for webmail, virtual private networks, and accounts that access critical systems.
They also recommend strong password hygiene in the report, including advice related to changing passwords regularly, using strong passwords, and enforcing account lockouts after a specified number of login attempts. Furthermore, the principle of least privilege should be applied to all services so that users can only have the access they need to perform specific tasks.
In February, a ransomware infection shut down a US natural gas pipeline for two days. However, the attacker did not manage to achieve admin access to any PLCs in charge of compression equipment, so the damage was contained.
The Ransomware Guide lists various additional acceptable practices to prevent ransomware, including enabling security settings in cloud environments, developing a network diagram describing systems and data flows within the network, and employing physical means of network segmentation.
Ransomware Response Checklist
In cases where prevention measures do not prove useful and a company still falls victim to a malicious attack, the Ransomware Guide also describes an initial five-step response checklist:
- Determine which systems were impacted and isolate them
- If disconnecting them from the network is not possible, power them down to avoid further spread of the ransomware infection
- Triage impacted systems for restoration and recovery
- Document an initial understanding of the attack
- Engage both external and internal employees and stakeholders with a comprehensive understanding of what they can provide to help mitigate, respond to, and recover from the incident
The report then describes containment and eradication and information on how to deal with recovery and post-incident activity.
For more information, check out the full text of the Ransomware Guide.