Not a day seems to go by without a report of another ransomware attack. Businesses and schools, police forces and hospitals, meat packers and pipelines have all been victimized. The attacks have been a major source of disruption and economic damage and represent a substantial threat to governments, businesses, and individuals worldwide.
Even though most businesses surveyed say ransomware is a top security priority — with a huge amount of time and energy being devoted to preventing attacks — the rate of new attacks is not going down. That's due in part to bad actors' asymmetrical advantage and substantial financial incentive to mount additional attacks.
The continued rise is also because attack vectors are constantly changing, making defense much harder. No single tool can defend against phishing, hijacked websites, infected supply chains, and profit sharing with disgruntled employees — and the attacker can change tactics faster than new defensive tools can be deployed.
So how do we win a losing game of whack-a-mole? We must focus more on what we will do when an attack comes rather than just trying to prevent it from happening. By planning for the worst, you can make "the worst" much less bad.
Preparing for attacks can be divided into three buckets: training, technology, and risk management.
Build a Plan
A great example of the benefits of preparedness is in aviation. Aviation prioritizes safety and being ready for "when" emergencies happen. That has paid off. The ratio of accidents-per-million flights decreased from 6.35 in 1970 to 0.51 in 2019. This was achieved through a combination of training, technology, and risk management, vastly reducing mishaps and improving safety trends. Pilots of commercial and military aircraft don't just have checklists to make sure their systems are working. They have plans for what they will do when things are not working, and they practice those plans. Whether it's pulling a light aircraft out of a spin, autorotating a helicopter when the engine fails, or handling an engine fire on a passenger airplane, pilots plan, prepare, and practice. Organizations can learn from aviation in preparing for ransomware attacks, as well as trying to prevent them.
If you don't have a well-practiced plan in place for how to respond to ransomware (or any other cyberattack), then you won't know who needs to do what when the inevitable happens. Training and practicing are why the Red Bull Formula 1 team can change all four tires on a race car in 1.82 seconds. That's less time than it takes to read that last sentence aloud. While we may not be able to recover from a ransomware attack in 1.82 seconds, having a plan and making sure everyone in your organization knows their part can greatly reduce your time offline. Not only is it incredibly hard to know how effective and efficient your plan is without trying it, but there will be nuances and subtleties to each step. You don't want to learn by time-consuming trial and error when disaster strikes — whether that's a cyberattack or a jet engine flameout.
Add Resilience to Your Plan
Having a practiced plan is great, but if that plan is "We will manually re-image every machine our employees have at home and we won't let anyone reconnect until it's done," then it's not going to cut it in practice. That's why tooling and technology will play a critical role in recovery.
You need tools to allow remote actions on your endpoints, at scale, so that you can remove the attacks and restore applications and data. The most important attribute of those tools, however, is that they are resilient. Not necessarily resistant, but resilient. Resilience is about the ability to bound back up when knocked down.
When dealing with many sorts of cyberattacks, the most reliable and effective way to remove malware is to reinstall the operating system and start from scratch. Genuinely persistent and resilient tools that automatically reinstall themselves from a PC's BIOS, even after the entire disk has been wiped or replaced, are game changers. If you have installed tools like this in advance, you can install, restore, and/or reactivate anti-malware tools when you're faced with a crippling attack. If that fails, you can apply the "scorched-earth" approach: Wipe everything and retain remote control of the machine so you can restore users' applications and data.
Mitigate Risk Through Recovery
The final part of the equation is risk management. Whole books have been written about cybersecurity risk management but the critical aspect is, yet again, you must do it in advance. By planning for an attack, you are forced to think about how you minimize risks to your organization when — not if — one of your machines is breached.
This premise is what makes the zero-trust architecture so successful. We don't implicitly trust machines, services, or networks because we expect that eventually any one of them may be compromised. Instead, we focus on minimizing the chances that an infection on one machine will cause a problem on another.
Don't be the next victim. Identify and understand key risks. Make strategic decisions to minimize risks. Train your team. Prepare for success.