Defending against ransomware with automation

Jon Andrews at Gurucul looks at holiday cyber attacks and argues that automation is a powerful and cost effective way of maintaining security while staff levels are low

Cyber security threats are growing at an alarming rate, with threat-actors leveraging new tactics and vulnerabilities on a regular basis. With improved security practices and protection, cyber criminals are beginning to automate their processes, which decreases the time from their initial access to achieving their final objective.

Defenders need to automate their incident response processes to improve detection and response time. This becomes even more urgent during any holiday season, as attackers take advantage of vulnerable systems that aren’t being monitored due to a reduced workforce.

More frequently, threat-actors have come to realise that businesses tend to leave their guard down over holiday periods and weekends, and don’t let this opportunity go amiss.

In the past, government bodies have issued warnings ahead of significant holidays, to alert organisations to the increased threat of cyber attacks. We have seen some of the largest ransomware attacks over US public holidays: last year’s Labor Day weekend saw an attack on JBS Food, Mother’s Day weekend saw the ransomware on Colonial Pipeline, and on the Fourth of July weekend REvil launched its attack on Kaseya.

Incidents such as these highlight the importance of preparedness in any situation, particularly when employees are less alert and taking some time off – something which cyber criminals, unfortunately, don’t do.

Importance of incident response

A 2021 survey found that 37% of UK respondents did not have specific contingencies in place to ensure a fast and efficient response to a ransomware attack.

On top of this, 71% of respondents admitted to having been drunk while responding to a ransomware attack on a weekend or over the holidays; this is a factor that is not likely to be considered in most incident response plans, but one that will probably affect the ultimate outcome.

When it comes to cyber incidents, organisations must be prepared for the worst case scenario and have a good strategy in place to reduce and mitigate any damage as much as possible.

It should come as no surprise that cyber criminals don’t respect holidays. In fact, their activity has a tendency to increase when most offices are shut or operating at lower capacity. As such, it is vital for security leaders and c-suite executives to devise robust plans for incident response, to not leave their offices vulnerable while they are away.

There are a number of basic steps organisations should take before clocking off for the holidays:

• Identifying key staff: Organisations should have a list of key IT security staff that are able to handle a surge in their work after suffering an attack
• Implementing MFA: Multi-factor authentication must be enabled for both access and administrative accounts to reduce credential stealing or unauthorised access
• Ensuring RDP: Remote desktop protocols should be secured and monitored at all times
• Strong passwords: IT staff should remind their colleagues about strong password practices and rules and emphasise the danger of password re-use
• Awareness: All employees should be reminded of the dangers of phishing and how to spot suspicious emails/links. Human error can cause a great deal of harm; strengthening awareness is a large step toward a stronger cyber security culture

How can automation help?

As a result of increasingly automated cyber attacks, organisations must also automate their responses in order to keep up with the threat landscape, and stay ahead of the attackers.

The goal of automation is to improve the speed at which organisations can implement incident response and security in the wake of an incident. In addition, it can reduce the workload of security admins while also reducing time wasting when reacting to incidents.

In using algorithms and best practices to identify security incidents, organisations are able to improve their incident detection and response and identify and respond to threats, even with less staff. The fact is that it enhances the overall efficiency of the cyber security plan and takes a lot of pressure off security teams, while ultimately, reducing overhead.

SIEM, for instance, is a great security automation tool that can collect, aggregate and analyse security data around the clock, making sure organisations stay protected even when on holiday. It can help detect any abnormal activity and provide contextual information about any incidents that may be occurring, while eliminating the need for IT staff to manually collect and aggregate this data.

As such, even if staff are off-the-clock, SIEM can continuously monitor systems and reduce the chances of attack.

Organisations have to be particularly vigilant around holiday periods, as cyber criminals won’t take any time off.  It is vital to not leave systems and valuable assets vulnerable when staff may not be around to keep a close eye on things.  

Automation can help companies continue to monitor their networks and alert to any potential incidents, even if their workforce is slightly reduced due to a holiday or long weekend.

By investing in a good automation security tool, organisations can drastically reduce their overhead by optimising spending while reducing resulting costs of suffering an incident.

Because cyber criminals will strike when organisations are at their most vulnerable, it is crucial they prepare adequately to not get caught with their pants down.

Jon Andrews is VP EMEA at Gurucul

Main image courtesy of iStockPhoto.com

This article was originally published on teiss.co.uk