Microsoft has shared three key steps organizations can take to ensure a ransomware attack doesn't cripple their entire network in an attempt to extract a multimillion-dollar ransom or leak sensitive corporate data on the internet.
Microsoft developed the three-step advice as part of its feedback to the National Cybersecurity Center of Excellence (NCCoE) at the National Institute of Standards and Technology (NIST)'s recent call for expert approaches to preventing and recovering from ransomware and other destructive cyberattacks.
In brief, the three steps are "prepare, limit, and prevent", which includes: prepare your recovery plan to enable recovery without paying; limit the scope of damage by protecting privileged roles; and make it harder to get in by incrementally removing risks.
The steps work on the assumption that attackers will eventually breach a network. It's part of the so-called Zero Trust strategy that tech vendors and the US government is interested in.
"This may seem counterintuitive since most people want to simply prevent an attack and move on," writes Mark Simos, lead cybersecurity architect in Microsoft's cybersecurity solutions group.
"But the unfortunate truth is that we must assume breach and focus on reliably mitigating the most damage first. This prioritization is critical because of the high likelihood of a worst-case scenario with ransomware."
Microsoft's three-stage plan actually involves a lot of work, but it can be organized under the three parts.
Under prepare, organizations need to develop a detailed secure backup plan covering the who, what, why and how of it.
That also means defining how an organization would limit damage in the worst-case scenario. Restoring systems from backups is easier and cheaper than dealing with attackers and using their decryption tools, it notes. Paying up also doesn't guarantee recovery.
Microsoft also recommends backing up critical dependencies, including identity and access systems such as Microsoft Active Directory, protecting backups, and testing business continuity in a disaster recovery scenario.
On limiting the scope of damage, Microsoft encourages end-to-end session security as well as multi-factor authentication for admins; protecting and monitoring identity systems, mitigating lateral traversal (once an attack is inside a network), and rapid threat response.
Despite the zero trust 'assume breach' mentality, Microsoft of course recommends preventing attackers entering an environment and rapidly removing access before they can steal and encrypt data. Why? It raises the attacker's costs.
"This causes attackers to fail earlier and more often, undermining their profits. While prevention is the preferred outcome, it may not be possible to achieve 100% prevention and rapid response across a real-world organization with a complex multi-platform, multi-cloud estate and distributed IT responsibilities," Microsoft explains.
Finally, Microsoft says that countering the threat of ransomware and creating the ability to recover tech assets needs buy-in from top execs, such as those on the board, as well as key IT and security team members.
Microsoft is also trying to update what file encrypting ransomware attacks mean today compared to when they emerged in 2013. Nowadays, it doesn't just mean encrypting files on a single PC.
Today, there are well-developed markets behind ransomware, such as ransomware-as-a-service, marketplaces for buying login credentials, as well as specialized toolkits and affiliate business models to support groups who target organizations to steal admin credentials.
Large ransoms have existed for the several years, but the past few months has seen ransomware attackers become more ambitious, including the attacks on Colonial Pipeline and meat packer JBS, which netted the attackers $4.4m and $11m, respectively.
These attacks won't stop, either. The FBI last week warned the US food and agriculture sector about recent attacks by ransomware groups seeking to "disrupt operations, cause financial loss, and negatively impact the food supply chain."
The most common techniques to breach a network include phishing, Remote Desktop Protocol (RDP) vulnerabilities, and software flaws, the FBI warned, listing several non-public attacks on the sector.