In the past, a ransomware attack would target a single computer and ask the victim for $500. Now, in what we see during our own cyber-incident response engagements and in publicly reported incidents, attackers are willing to spend a bit more time fully compromising a network before launching their ransomware.
Why settle for a $500 ransom here and there when an attacker can compromise and encrypt an entire network and extort the victim for $1 million or more? With that said, one might assume that smaller organizations are less juicy targets. The truth is that organizations with limited security resources are the easiest targets and are attacked frequently. Here are the questions organizations should be asking themselves before ransomware or other malware hits, and why.
If an attacker had the same level of network access as your IT team, could they destroy, overwrite or otherwise damage your existing backups?
It is not unusual for attackers to target backups specifically. If all of the organization's backups are on the network or reachable from the network, they are potential targets. A ransomware-tolerant backup solution should produce regular backups that cannot be overwritten, even by an attacker who has obtained every administrator password on the network. That may mean regular backups to disk or tape that are rotated off-site, or technology that archives backups in a way that makes it impossible for anyone to overwrite existing copies. If your production data is encrypted by ransomware, backups may be the only way to recover it, so protected backups are critically important for organizations of any size.
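To make the requirement "cannot be overwritten, even by an administrator" concrete, here is an added example (written for this edit, not code from the article or from any backup product) of the write-once semantics a ransomware-tolerant backup store needs. The vault class, its methods and the sample data are illustrative constructions; in practice the same property comes from tape rotated off-site, an S3 bucket with Object Lock in compliance mode, or a backup appliance with a WORM repository.

```python
# Added example, not code from the original article. It models the property
# the text asks for: a backup, once written, cannot be overwritten or deleted
# before its retention period expires, and there is no privileged path that
# lets a holder of administrator credentials bypass that rule. The vault
# class, its API and the sample data are constructed for illustration.
import hashlib
import time
from dataclasses import dataclass, field
from typing import Dict, List, Optional


class ImmutabilityViolation(Exception):
    """Raised when a caller tries to overwrite or delete a retention-locked backup."""


@dataclass(frozen=True)
class BackupObject:
    name: str
    sha256: str          # digest recorded at write time, used to verify restores
    size: int
    created_at: float    # epoch seconds
    retain_until: float  # epoch seconds; delete() is refused before this


@dataclass
class WormVault:
    """Write-once-read-many backup store with a compliance-style retention lock.

    Deliberately no 'admin' flag, role or override: an attacker who steals
    every administrator password gets the same refusal as anyone else.
    """
    retention_seconds: float
    _objects: Dict[str, BackupObject] = field(default_factory=dict)
    _blobs: Dict[str, bytes] = field(default_factory=dict)

    def names(self) -> List[str]:
        return sorted(self._objects)

    def put(self, name: str, data: bytes, now: Optional[float] = None) -> BackupObject:
        """Store a new backup. Refuses to replace an existing object of the same name."""
        now = time.time() if now is None else now
        if name in self._objects:
            raise ImmutabilityViolation(f"{name!r} already exists; backups are write-once")
        obj = BackupObject(
            name=name,
            sha256=hashlib.sha256(data).hexdigest(),
            size=len(data),
            created_at=now,
            retain_until=now + self.retention_seconds,
        )
        self._objects[name] = obj
        self._blobs[name] = bytes(data)
        return obj

    def delete(self, name: str, now: Optional[float] = None) -> None:
        """Remove a backup only after its retention period has elapsed."""
        now = time.time() if now is None else now
        obj = self._objects[name]  # KeyError for unknown names
        if now < obj.retain_until:
            raise ImmutabilityViolation(
                f"{name!r} is retention-locked for another {obj.retain_until - now:.0f}s"
            )
        del self._objects[name]
        del self._blobs[name]

    def verify(self, name: str) -> bool:
        """Recompute the digest of the stored bytes and compare with the write-time digest."""
        return hashlib.sha256(self._blobs[name]).hexdigest() == self._objects[name].sha256


def simulate_ransomware(vault: WormVault, now: float) -> Dict[str, str]:
    """What an attacker with full administrative access can do to each backup.

    Tries to overwrite every object with ciphertext and, failing that, to delete it.
    Returns 'overwritten', 'deleted' or 'protected' per backup name.
    """
    outcome: Dict[str, str] = {}
    for name in vault.names():
        try:
            vault.put(name, b"\x00ENCRYPTED\x00" * 8, now=now)
            outcome[name] = "overwritten"
            continue
        except ImmutabilityViolation:
            pass
        try:
            vault.delete(name, now=now)
            outcome[name] = "deleted"
        except ImmutabilityViolation:
            outcome[name] = "protected"
    return outcome


if __name__ == "__main__":
    day = 86400.0
    t0 = 1_700_000_000.0  # fixed clock so the run is reproducible
    vault = WormVault(retention_seconds=30 * day)
    vault.put("fileserver-full.tar", b"constructed backup payload 1", now=t0)
    vault.put("erp-db.dump", b"constructed backup payload 2", now=t0 + day)
    print("attack inside retention:", simulate_ransomware(vault, now=t0 + 10 * day))
    print("attack after retention lapses:", simulate_ransomware(vault, now=t0 + 40 * day))
```

The point to notice is that there is no administrative override in put() or delete(); the only thing that unlocks a backup is the passage of time. That also means the retention period has to be longer than the time an attacker could plausibly sit in the network unnoticed, which is why the second simulated attack in the demo, run after retention lapses, succeeds against both backups.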
Do you have an incident response program, and is it tested regularly?
IT and security teams are always short on time and budget, so it is understandable that incident response programs are often lacking: untested, rarely updated or nonexistent. If you do have an incident response program, test it regularly with tabletop exercises and verify that it actually works.
Do you have resources to call if an incident goes beyond your internal ability to handle it?
A limited incident response program can be as bad as having none at all. If your organization has no program or only a limited one, you should, at a minimum, reach out to, establish and maintain relationships with two or more incident response providers that can respond quickly in your geographic area(s). That way, if something like a ransomware incident occurs, you have someone to call. Even if you have an incident response program, you should still have outside help you can call in an urgent, time-sensitive situation beyond your control, which is often the case with ransomware.
Can your business operate for days or weeks without IT resources?
This is a real scenario we see in aggressive ransomware attacks, where all or nearly all IT-provided resources are unavailable for days and, in some cases, much longer. Planning for this scenario should be part of the disaster recovery plan, but as discussed above for incident response and disaster recovery generally, many organizations do not have a robust plan, or any plan, because resources are already strained.
An organization-wide ransomware attack is like a tornado that affects computer systems and hits every location you have.
Can you operate without your IT systems (email, ERP, databases, custom applications, phone systems, etc.)? For how long? Make a plan.
How effective is your antivirus software?
Many attackers get in through phishing emails aimed at ordinary users, who are low-value targets that organizations often overlook. Those low-value targets make an excellent entry point for an attacker. In fact, most of our clients who suffer ransomware infections do have antivirus in place. Sadly, antivirus, particularly traditional antivirus, is an easy obstacle for attackers to overcome. This is an area where updated security controls should be considered.
A properly tested and tuned endpoint detection and response (EDR) solution can provide stronger protection and significantly more detection and logging capability than traditional antivirus. EDR solutions are not perfect, however. Despite the large improvement in endpoint protection they offer, a poorly configured EDR solution can be less effective than traditional antivirus. Whatever you use, test its effectiveness. We often perform endpoint security effectiveness testing, which includes testing antivirus and/or EDR solutions, as part of a well-rounded penetration test.
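As an added illustration (not code from the article or from any EDR vendor) of what "test its effectiveness" looks like in practice, the script below scores an endpoint control against a list of techniques that were executed on test hosts and checks whether, and how quickly, the control reacted. The executed-test list, the alert export format and the alert records are constructed for the example; the technique IDs follow the ATT&CK numbering, but the test plan and hosts are hypothetical.

```python
# Added example, not code from the original article. It scores an endpoint
# control (antivirus or EDR) against a set of simulated attacker techniques,
# the kind of endpoint effectiveness check the text describes. The test list,
# the alert export format and the alert records below are all constructed for
# illustration; a real EDR export has a vendor-specific schema.
import json
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Tuple

# Techniques executed on test hosts, with the ATT&CK technique ID each one
# should be attributed to and the time it was run (constructed test plan).
EXECUTED_TESTS = [
    {"test_id": "T1", "host": "ws-042", "technique": "T1059.001",
     "ran_at": "2024-03-05T10:00:00Z", "what": "encoded PowerShell download cradle"},
    {"test_id": "T2", "host": "ws-042", "technique": "T1003.001",
     "ran_at": "2024-03-05T10:05:00Z", "what": "LSASS memory read"},
    {"test_id": "T3", "host": "srv-07", "technique": "T1490",
     "ran_at": "2024-03-05T10:10:00Z", "what": "delete volume shadow copies"},
    {"test_id": "T4", "host": "srv-07", "technique": "T1486",
     "ran_at": "2024-03-05T10:15:00Z", "what": "bulk encrypt files in a scratch directory"},
    {"test_id": "T5", "host": "srv-07", "technique": "T1021.002",
     "ran_at": "2024-03-05T10:20:00Z", "what": "lateral movement over SMB admin share"},
]

# Constructed alert export, one JSON object per line. Note the last alert is
# for the right technique but the wrong host, and the T1490 alert is very late.
EDR_ALERTS = """\
{"ts": "2024-03-05T10:00:07Z", "host": "ws-042", "technique": "T1059.001", "severity": "high", "action": "blocked"}
{"ts": "2024-03-05T10:05:41Z", "host": "ws-042", "technique": "T1003.001", "severity": "critical", "action": "detected"}
{"ts": "2024-03-05T10:16:30Z", "host": "srv-07", "technique": "T1486", "severity": "critical", "action": "detected"}
{"ts": "2024-03-05T11:20:00Z", "host": "srv-07", "technique": "T1490", "severity": "medium", "action": "detected"}
{"ts": "2024-03-05T10:12:00Z", "host": "ws-099", "technique": "T1021.002", "severity": "low", "action": "detected"}
"""

# An alert that arrives long after the technique ran is counted separately:
# in a ransomware intrusion an alert nobody sees until encryption has started
# is not a control.
DETECTION_WINDOW = timedelta(minutes=10)


def parse_ts(value: str) -> datetime:
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_alerts(text: str) -> List[dict]:
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def score_test(test: dict, alerts: List[dict], window: timedelta = DETECTION_WINDOW) -> str:
    """Classify one executed technique as blocked, detected, late or missed.

    An alert counts only if it names the same host and technique and was raised
    at or after the test ran; it is 'late' if it arrived outside the window.
    """
    ran = parse_ts(test["ran_at"])
    matching = [
        a for a in alerts
        if a["host"] == test["host"]
        and a["technique"] == test["technique"]
        and parse_ts(a["ts"]) >= ran
    ]
    timely = [a for a in matching if parse_ts(a["ts"]) - ran <= window]
    if any(a["action"] == "blocked" for a in timely):
        return "blocked"
    if timely:
        return "detected"
    if matching:
        return "late"
    return "missed"


def coverage_report(tests: List[dict], alerts: List[dict],
                    window: timedelta = DETECTION_WINDOW) -> Tuple[Dict[str, str], Dict[str, int]]:
    """Per-test verdicts plus a count per verdict."""
    verdicts = {t["test_id"]: score_test(t, alerts, window) for t in tests}
    counts = {k: sum(1 for v in verdicts.values() if v == k)
              for k in ("blocked", "detected", "late", "missed")}
    return verdicts, counts


if __name__ == "__main__":
    verdicts, counts = coverage_report(EXECUTED_TESTS, parse_alerts(EDR_ALERTS))
    for t in EXECUTED_TESTS:
        print(f"{t['test_id']} {t['technique']:<10} {verdicts[t['test_id']]:<9} {t['what']}")
    print(counts)
```

The four verdicts say more than a single detection percentage would: "blocked" is the outcome that actually stops ransomware, "detected" only helps if someone is watching the console, and "late" (the shadow-copy deletion surfacing over an hour afterwards) is indistinguishable from "missed" once encryption has begun. The host check also removes a common false comfort, an alert from a different machine being counted as coverage for the technique.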
If your whole network is compromised, including your backups, how much are you willing to risk to get that data decrypted?
We generally do not offer guidance on whether paying the ransom should be considered. The FBI and other agencies generally advise against paying, because it encourages attackers to continue their work and there is no guarantee you will actually be able to decrypt the data, even after paying. If an organization has no backups, or its backups have been encrypted by the attacker, some organizations will conclude that paying the ransom is worth it. This question is worth raising with senior management or the board now, before an incident.
If you do pay the ransom and are able to decrypt your data, take heed: paying does not ensure the attacker has actually left your network, and it does not fix any of the security weaknesses that allowed the attack to succeed. Those weaknesses could be exploited again by the same attacker or a new one. Do not stop your incident response effort at the point where your data is recovered. Make sure the attackers are out, analyze what happened and fix the issues that let the attack succeed.
Do you regularly evaluate the performance of your security controls by simulating attacks?
Cyber-security audits are valuable, but they do not show you what would happen if an attacker gained access to your network. Penetration tests, purple team exercises and red team assessments put your network to the test and show how it actually fares against an attack. The organizations that perform these assessments regularly and remediate the findings are the most mature we work with from a cybersecurity standpoint and the most resistant to successful attacks.
If you had to, how would you rebuild your entire network?
This is a scary thought, but while some compromises are limited, others are so extensive that a full rebuild of the network has been necessary. I can't think of any organization that has the internal capability to rapidly rebuild every system on its network. Often, it requires outside help. Who will provide that help? Many incident response providers will help identify and stop the attack, but do not provide the on-the-ground, IT-level support needed to rebuild a network. Our cybersecurity team has experience assisting clients with figuring out what the attackers are doing, getting them out, determining what they accessed or compromised, and helping your organization recover its systems when needed.
These are questions any organization should consider before an incident hits. Being prepared could save a business millions of dollars, and prevent other losses that are harder to measure, such as reputational damage and the impact on customers and the board. The Schneider Downs Risk Advisory and Cybersecurity team has experience helping address every question raised in this article. Please feel free to contact our team to discuss your security consulting needs.