Public-sector institutions are attractive targets for ransomware operators. In fact, our latest M-Trends report revealed that government, defense, healthcare and education are among the top targeted industries. This is because of the disruptive and destructive impact that these targeted ransomware incidents can have on critical operations.
Attackers understand the value of the personally identifiable information and research-based intellectual property these organizations collect and store. Take for instance the upcoming local, state and national elections. Among the pressing concerns are:
- Citizen data relative to voting—e.g., residence, age, and in some cases photo ID—that is stored on critical infrastructure
- Actual votes, and how that data is captured, transmitted and stored
If this information was to be held ransom, it would put into question the integrity of critical infrastructure, as well as the voting results themselves.
From big cities to small towns, no government is immune to ransomware. However, when organizations can detect and remediate the initial compromise quickly, it is possible to avoid the significant damage and cost of a ransomware infection. The following serves as a quick checklist guide of the proactive, protective measures organizations should think about when it comes to protecting against ransomware.
Email, Endpoint and Network Protection
According to our Mandiant data, 90% of ransomware cases involve the unintentional insider who clicks a link. This can be prevented with adequate email security solutions that are also complemented with an endpoint detection response capabiltity to catch any items that may not have been prevented by the email security solution. Of the 10% of remaining causes of ransomware cases, most were the result of an unpatched public-facing server that was exploited and had minimal detection. In these cases, a network security appliance combined with regular patching has proved excellent for prevention.
Security Tool Configuration: Invest in the Basics
Unfortunately, misconfiguration or reliance on default settings leads to problems. For example, Mandiant recently reported that a government security team discovered their network firewall only blocked 24% of executed attacks. The government agency optimized firewall controls and increased blocking capacity to 74%.
Multi-Factor Authentication is Table Stakes
We still see use of single factor to access critical systems, which enables actors to easily gain access using stolen credentials. Especially as the remote workforce expands, it’s important to use strong authentication tools with true multi-factor that include something you know (e.g., username and strong password) with something you have (e.g., token or PIV), and/or something you are (e.g., biometrics).
Visibility is Crucial
Most organizations today have complex networks that include a mixed infrastructure of on-premises and cloud resources. Security teams need visibility (e.g., asset management) across these environments with integrated threat intelligence and ongoing monitoring of devices and connections. Key for ransomware is the visibility into the real-time detection of when a user accesses backups. For example, our research shows that median dwell time for organizations that self-detected incidents was 30 days. Although that’s an improvement from last year, a month is still significant time for bad actors to explore and gain footholds into networks undetected. Public-sector institutions should seek 24-hour security operations center coverage or use managed services to ensure the integrity and monitoring of systems.
Segment Critical Data
Our threat research tells us that hackers perform considerable reconnaissance to understand environments. To counter this, ensure a plan is in place to protect the “crown jewels,” the most sensitive information that could be leaked to the public during a ransomware event. This approach includes: establishing a principle of least privilege when provisioning accounts; ensuring differences between administrator and normal user account access roles; and distinguishing login permissions between administrators and controllers.
Have a Response Playbook
This is a mature, practiced plan that prepares all teams—IT, communications, executives, legal, human resources, etc.—for incident response. The goal is to avoid rushed decisions when a ransomware attack occurs. To that end, coach teams to slow down and ask questions such as:
- Do we know the infection vector and if an attacker is active?
- Do the attackers have real data?
- Does this attack have the potential escalate? For example, do the infiltrators have data from the city’s legal department and can the attack spread throughout city offices?
- How quickly can we recover? Do we have an offline backup that we have tested? Is there any oversight into who accesses backups, when, and how?
- Do we have cyber risk insurance and if so, what does it cover?
The Bottom Line
Ransomware will continue to become more sophisticated. Government agencies, healthcare organizations and educational institutions are at heightened risk for these incidents given the nature of the valuable data they hold.
There isn’t a one-and-done approach. Rather, there are multiple factors and questions to consider. We recommend starting by asking: Is my organization secure? If you don’t have a binary answer to that, it’s time to make changes.
For More Information
To learn more, check out our recent ransomware session with GovTech. Jon Ford and our principal analyst, Luke McNamara, joined Dan Lohrman, Senior Fellow, Center for Digital Government, and we covered many different aspects of ransomware and strategies to defend and respond.
For even more guidance, read our report on ransomware protection and containment strategies. Also, head over to our website to learn more about Mandiant’s Ransomware Defense Assessment, which evaluates an organization’s ability to detect, contain and remediate ransomware within an environment—before it produces costly harm.