Free Cybersecurity and Infrastructure Security Agency (CISA) ransomware resources to help reduce your risk
The Cybersecurity and Infrastructure Security Agency (or CISA) exists and is committed to helping U.S. state, local, territorial and tribal (SLTT) governments defend against cyber risk and collaborate to build a more secure cyber future. CISA is not a regulator, and all their work is voluntary. CISA provides incident response services and tools to governments at all levels and helps share resources against ransomware attacks towards organizations.
What is the motivation for CISA to create resources to reduce ransomware risk?
We should begin by understanding and accepting that there is no such thing as perfect cybersecurity. Every computer system that man has ever developed is vulnerable to a certain extent and thus needs to be secured. CISA understands this and that is why it partnered with Infosec to host a ransomware webinar with Amy Nicewick, the Communications Management Section Chief Cyber Security Division at CISA, and David Stern, the Head of Cyber Security Communications Management Section Chief of Cyber Security.
You can watch the full webinar, CISA Resources to Reduce Ransomware Risk, to learn more about how ransomware attacks work, measures to protect against them and how to respond if you get infected.
What are some of the key messages shared by CISA?
CISA shares some key messages to organizations to help them secure their infrastructure from cyberattacks. These messages are important and must be followed to the letter to ensure that organizations are safeguarded from cyberattacks. These are nuggets that will be discussed some more later on. These key messages from CISA are:
- Keep calm and patch on — Ensure that you are using updated and patched software.
- Backing up is your best bet — Make sure that you take offline backups regularly.
- Suspect deceit? Hit delete — Delete anything that looks suspicious, and you’re unaware of.
- Always authenticate — Always use Two-Factor and Multifactor authentication to all accounts.
- Prepare and practice your plan — Ensure that you have policies and you have them implemented.
What are the most common attack vectors for ransomware?
When ransomware hits an organization, it is mostly delivered through some common attack vectors, as discussed by Amy Nicewick in the webinar. Let us consider some of these attack vectors.
- Phishing — Phishing involves the cybercriminal sending a well-crafted email to the target. Once this email is clicked on, the malicious download begins and could contain the ransomware payload that eventually encrypts the data on the target computer.
- Compromised websites — Cyber Criminals could host ransomware on websites that they control, and once they lead you to these, the ransomware payload can get downloaded and infect the target computer.
- Malvertising — Infected advertisements on websites can infect your computer with ransomware. All it takes is for you to be served with a malicious ad that bypasses the browser’s security mechanisms.
- Exploit kits — Cybercriminals can develop exploits that target certain vulnerabilities affecting systems. When these exploits are run, they cause unauthorized access to the target.
- Downloads — Cybercriminals can infect malicious websites with malware, which, when visited, automatically download malware (in this case ransomware) and infect the target.
What are the CISA ransomware resources that can be used to prevent the attacks above?
CISA provides a ransomware guide that includes recommendations, best practices, recommended incident response policies and procedures, cyber hygiene services and several checklists that organizations can use to protect against or respond to ransomware attacks.
As David Stern states in the webinar, “When you take precaution measures in advance, you interrupt the business model of the adversary. This prevents a ransomware attack that would require you to pay the ransom.” He goes ahead to state, “…raise awareness, empower your employees, because, humans are the weakest link, yet also can be the strongest link once armed with the right knowledge,” He emphasizes the importance of patching software, “…patch software, do not use end of life software, have a plan.”
The ransomware guide is divided into two main sections, Section I and Section II.
Section I: Best practices
This section of the ransomware guide encourages you to consider several important things that we shall briefly discuss.
a) Be prepared
Being prepared requires that you maintain offline and encrypted backups of data and regularly test these backups. You should create, maintain, exercise a basic cyber incident response plan and associated communications plan.
b) Internet-Facing Vulnerabilities and Misconfigurations
You should conduct regular vulnerability scanning and regularly patch and update software and operating systems. Do not use software that has come to its end of life.
You must also ensure that using MFA and 2FA is not optional and must be compulsory.
You should conduct cybersecurity awareness and training. This equips your employees with the right knowledge on how to browse online. You should also implement DMARC policy and verification and disable macro scripts for Office files transmitted via email.
d) Precursor Malware Infection
You must ensure that you update anti-malware software and signatures. Also, you should use the application directory allowlisting on all assets and implement an IDS.
e) Third Parties and Managed Service Providers (MSPs)
You must consider the risk management and cyber hygiene practices of third parties and MSPs. Attacks coming from MSPs might come as phishing emails or even third-party updates.
Section II: Ransomware response checkbook
This section includes the ransomware response checkbook. Here, we briefly discuss the best responses to ransomware attacks and the tools that can be leveraged to help prevent such attacks. There are some important things to note.
- Paying ransom does not guarantee that your decryption key will be sent to you or that there will not be subsequent attacks.
- You should take a system image and memory capture of a sample of affected devices.
- Research trusted guidance for ransomware variants and examine IDS/IPS and logs.
- Conduct extended analysis to identify persistence mechanisms.
- Rebuild systems based on a prioritization of critical services.
What are some online tools for vulnerability scanning by CISA?
You can have your internet-facing assets scanned by CISA and get weekly reports by emailing CISA at firstname.lastname@example.org, with the subject line “Request Vulnerability Scanning Services.”
Vulnerabilities being exploited in the wild can be scanned for on your infrastructure, and CISA will be able to immediately reach out to you in case these vulnerabilities are identified.
You can register for web application vulnerability scanning by emailing email@example.com with the subject line “Request Web App Scanning Services.” You will get monthly and quarterly updates.
You can register for a phishing campaign assessment by emailing firstname.lastname@example.org with the subject line “Request Phishing Campaign Assessment Service.” You will get monthly and quarterly updates. This campaign takes six weeks.
You can also have some policy assessments to see the maturity of your security policies.
The Cyber Resilience Review is a more detailed interview-based assessment. It evaluates your organization’s operational resilience and cybersecurity practices to provide an organization with a greater awareness of its network posture.
The Cyber Infrastructure Survey is a much simpler and lighter assessment that focuses on assessing an organization’s critical services against cybersecurity controls grouped into five domains.
The malicious Domain Blocking and Reporting service helps prevent IT systems from accessing malicious domains, limiting infections.
To sign up for the MDBR, visit https://www.cisecurity.org/ms-isac/services/mdbr/
CISA provides quite a lot of documentation that can be used to effectively prevent cyberattacks and increase the resilience of your IT infrastructure. It should be noted that cybersecurity is hard work and should be taken seriously to avoid losing even more in terms of the initial investment in effort. If not taken seriously, you will lose more effort, money and lost data.