
Your Money or Your Data: Ransomware Readiness Planning

Today’s blog installment brings us to the end of our 30-week journey that covered 30 cybersecurity topics that I felt would be of interest to a wide variety of security practitioners, such as Security Architects, Security Admins, and Security Auditors. I hope everyone found it as helpful as I found it to write.

So, let’s move on with our last topic.

There are many expressions like “a stitch in time saves nine,” meaning that acting now is better than living with the consequences of doing nothing. Ransomware Readiness Planning is all about “doing something in preparation for potential disaster.” In fact, ransomware is so common that it has its own defense methodology, used by compliance standards like NIST, ISO, and GDPR.

Ransomware readiness processes can be broken into the following steps:

  • Prepare
  • Respond
  • Recover

Let’s talk about each of these 3 steps.


1. Prepare

There are many ransomware preparedness guides available, so it’s not necessary to build one from scratch. For example, CISA has its 'stop ransomware readiness guide' and Cyberreadiness.org has a ransomware playbook. Microsoft’s Rapid Modernization Plan (RaMP) is a great resource for security modernizations based on Zero Trust principles. RaMP includes a Ransomware Readiness guide that’s easy to understand and provides many use case examples.

Image 1: Microsoft’s ransomware protection steps

All the steps for ‘prepare’ are well described in RaMP:

  • Adopt a Cybersecurity framework
  • Prioritize mitigation
  • Make it harder to get in
  • Limit the scope of damage
  • Prepare for the worst
  • Promote awareness and ensure there is no knowledge gap
  • Ensure that you have appropriate technical controls in place
  • Establish an incident handling process
  • Prepare for a quick recovery


2. Respond

The ‘respond’ steps can be found here:

  • Contain affected systems until they can be remediated
  • Disable compromised accounts
  • Perform root cause analysis
  • Apply relevant patches and configuration changes on affected systems
  • Block ransomware communications using internal and external controls
  • Purge cached content


3. Recover

One process for the ransomware recovery steps is here. Recovery depends on the resource from which the data was taken. For example, if the file(s) were taken from SharePoint, recovery may involve restoring a specific version of those files from SharePoint (online) or from an Azure backup session (on-prem).

Ransomware Protection Use Cases

In terms of use cases, it can be useful to organize your defensive solutions in a table as shown below.

People tend to relate better to use cases than rules and regulations. There’s a great ransomware walkthrough example here from Microsoft.

Or consider creating a table for mapping specific conditions to solutions, as shown below.

As new use cases arise, refer to this table or add new sections as needed.

Include the table in your ransomware readiness processes/procedures as a planning and discussion tool.

For more granular tracking, extend the table columns with roles/responsibilities for each associated data owner.

Table 1: Ransomware Readiness Use Cases and Tracking Table
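As an added example (not code from the original post or from Trustwave), the tracking table above can be kept as structured data so that a readiness review can list the gaps automatically. The rows, the phase names (taken from the Prepare, Respond and Recover steps above) and the owner roles are all constructed sample values.

```python
"""Ransomware readiness tracking table (added example, not from the original post).

Models Table 1 as rows of (phase, condition, solution, owner, status) and reports
the gaps a readiness review would discuss. All rows are constructed sample data.
"""
from collections import defaultdict
from dataclasses import dataclass

PHASES = ("Prepare", "Respond", "Recover")  # the three readiness steps from the post

@dataclass(frozen=True)
class UseCase:
    phase: str        # Prepare, Respond or Recover
    condition: str    # what is observed or needed
    solution: str     # control that addresses it
    owner: str        # responsible role / data owner ("" = unassigned)
    status: str       # "implemented", "planned" or "missing"

# Constructed sample rows for the example
TABLE = [
    UseCase("Prepare", "Phishing mail with macro attachment", "Mail filtering + macro block", "Email admin", "implemented"),
    UseCase("Prepare", "No offline copy of file shares", "Immutable backup of shares", "", "planned"),
    UseCase("Respond", "Host shows mass file renames", "EDR isolate host", "SOC", "implemented"),
    UseCase("Respond", "Account used for lateral movement", "Disable account, reset credentials", "IAM", "missing"),
    UseCase("Recover", "SharePoint files encrypted", "Restore prior version from SharePoint", "SharePoint owner", "implemented"),
    UseCase("Recover", "On-prem file server encrypted", "Restore from Azure backup session", "", "missing"),
]

def validate(rows):
    """Reject rows whose phase is not one of the three readiness steps."""
    bad = [r for r in rows if r.phase not in PHASES]
    if bad:
        raise ValueError(f"unknown phase in rows: {bad}")
    return rows

def gaps(rows):
    """Rows a readiness review should flag: not yet implemented, or with no owner."""
    return [r for r in rows if r.status != "implemented" or not r.owner]

def readiness_by_phase(rows):
    """Fraction of implemented use cases per phase, e.g. {'Prepare': 0.5, ...}."""
    totals, done = defaultdict(int), defaultdict(int)
    for r in rows:
        totals[r.phase] += 1
        done[r.phase] += r.status == "implemented"
    return {p: done[p] / totals[p] for p in PHASES if totals[p]}

if __name__ == "__main__":
    validate(TABLE)
    for phase, score in readiness_by_phase(TABLE).items():
        print(f"{phase:8s} {score:.0%} implemented")
    for r in gaps(TABLE):
        print(f"GAP [{r.phase}] {r.condition} -> {r.solution} (owner: {r.owner or 'UNASSIGNED'}, {r.status})")
```

Adding a roles/responsibilities column, as the post suggests, is a matter of extending the dataclass; the gap report then shows who must act on each open item.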

Summary

Not having recovery plans in place is a recipe for disaster (and dismissal). Ransomware readiness solutions are well-documented and built into many modern security solutions. Ultimately, protecting against ransomware is everyone's responsibility, underlining the importance of collective action in keeping your data secure.


About This Blog Series

Follow the full series here: Building Defenses with Modern Security Solutions

This series discusses a list of key cybersecurity defense topics. The full collection of posts and labs can be used as an educational tool for implementing cybersecurity defenses.


Labs

For quick walkthrough labs on the topics in this blog series, check out the story of “ZPM Incorporated” and their steps to implementing all the solutions discussed here.


Compliance

All topics mentioned in this series have been mapped to several compliance controls here.

About the Author

David Broggy is Senior Solutions Architect, Implementation Services at Trustwave with over 21 years of experience. He holds multiple security certifications and won Microsoft's Most Valuable Professional (MVP) Award for Azure Security. Follow David on LinkedIn.
