2021 Vol 105 No 4

JULY / AUGUST 2021

SECURITY / FRAUD

Preventing and Mitigating Ransomware

Brian Petzold, CISSP
vCISO Senior Advisor and VP, Chief Technology Officer
Bedel Security
brian@bedelsecurity.com

Bedel Security is an associate member of the Indiana Bankers Association.

Ransomware remains a top threat to banks today because of its ability to interrupt operations, exfiltrate customer information, and demand large ransom payouts both to decrypt data and to keep the stolen data private. In addition to the risk of a bank being hit by ransomware internally, recent attacks against critical service providers show that institutions also need to be concerned about attacks against their third parties.

The truth about ransomware is that there is no way to completely prevent an attack. While tools designed to detect and block ransomware are important to have and are improving every day, criminals are working just as hard to develop malware that circumvents those tools. This means that while it remains important to invest in detection and prevention tools, it is just as important for banks and their service providers to put time and effort into their business continuity plans (BCPs) and recovery technologies.

A ransomware attack can start within seconds of malware being introduced onto a bank network, which means the controls in place need to work quickly and, wherever possible, automatically. A bank seeking to minimize the likelihood and impact of a successful ransomware attack, or to prevent one altogether, needs at minimum to have these controls in place:

• Employee training and testing: Many successful ransomware attacks start as email phishing campaigns or as a click on a malicious web link. While training and testing will never eliminate employees clicking on malicious links or attachments, it does significantly reduce the number who will click.

• Detection and response: Endpoint detection and response (EDR) and extended detection and response (XDR) technologies that use behavioral analytics and machine learning to monitor a bank's endpoints and computing environment are becoming critical to the detection and mitigation of ransomware attacks. These tools do not simply look for signatures of known malware; they baseline the normal behavior of systems and alert when a system behaves abnormally. The more advanced products can take automated responses (such as isolating a system from the network) when critical alerts are raised.

• Vulnerability and patch management: To reduce the risk that a criminal will introduce ransomware by exploiting a missing patch or an unmitigated vulnerability, banks should have formal programs in place that ensure the quick detection and remediation of missing patches and vulnerabilities.

• Air-gapped backups: Some of the more sophisticated ransomware attacks seek out and destroy any backups discovered on the network, making it impossible to recover data without paying the ransom. The rule of thumb is that if attackers can see the backups from the production network (including through cloud services), they will try to destroy them. Keeping a copy of backups completely disconnected from the network, on media or in storage that production credentials cannot reach or delete, is the optimal practice.

• Restoration prioritization and testing: Organiza-
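The behavior-based detection that the Detection and response bullet describes, as an added illustration written for this page rather than code from the article or from any EDR/XDR vendor. It learns a per-process baseline from "normal" file-activity events, then flags a window in which a process far exceeds its own rate, mass-renames files to an extension it has never produced, or touches a decoy (canary) file, and attaches the automated response an EDR would take. The event format, host and process names (including the malicious enc.exe), paths, the canary file and every threshold are constructed assumptions for the demo.

```python
# Added illustration of behaviour-based ransomware detection (not from the article).
# Events, process names, paths and thresholds are all constructed for this demo.
import os
from collections import Counter, defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class FileEvent:
    ts: float       # seconds since capture start
    host: str
    process: str
    action: str     # "write" or "rename"
    path: str       # for a rename, the new path


WINDOW = 60.0       # tumbling window length in seconds
# Hypothetical decoy file; no legitimate process should ever modify it.
CANARIES = {"C:/Users/a/Docs/!!README_DO_NOT_TOUCH.txt"}


def _win(ts):
    return int(ts // WINDOW)


def _ext(path):
    return os.path.splitext(path)[1].lower()


def learn_baseline(events):
    """Per process: the busiest window ever seen and the extensions it normally produces."""
    per_window, exts = Counter(), defaultdict(set)
    for e in events:
        per_window[(e.process, _win(e.ts))] += 1
        exts[e.process].add(_ext(e.path))
    max_rate = defaultdict(int)
    for (proc, _), n in per_window.items():
        max_rate[proc] = max(max_rate[proc], n)
    return {"max_rate": dict(max_rate), "exts": {p: frozenset(s) for p, s in exts.items()}}


def detect(events, baseline, canaries=CANARIES, rate_factor=5, unknown_rate=20, new_ext_min=10):
    """Score each (host, process, window) against the baseline; return alerts with a response."""
    buckets = defaultdict(list)
    for e in events:
        buckets[(e.host, e.process, _win(e.ts))].append(e)
    alerts = []
    for (host, proc, w), evs in sorted(buckets.items(), key=lambda kv: kv[0][2]):
        reasons = []
        # Rule 1: file-operation rate far above anything this process has done before
        # (a process absent from the baseline gets a fixed, low allowance instead).
        limit = baseline["max_rate"][proc] * rate_factor if proc in baseline["max_rate"] else unknown_rate
        if len(evs) > limit:
            reasons.append(f"{len(evs)} file ops in {WINDOW:.0f}s (limit {limit})")
        # Rule 2: mass renames to an extension this process never produced before.
        seen = baseline["exts"].get(proc, frozenset())
        new_ext = Counter(_ext(e.path) for e in evs if e.action == "rename" and _ext(e.path) not in seen)
        if sum(new_ext.values()) >= new_ext_min:
            ext, n = new_ext.most_common(1)[0]
            reasons.append(f"{n} renames to never-seen extension {ext!r}")
        # Rule 3: any touch of a decoy file is unconditionally critical.
        hit = [e.path for e in evs if e.path in canaries]
        if hit:
            reasons.append(f"modified canary {hit[0]}")
        if reasons:
            critical = bool(hit) or len(reasons) >= 2
            alerts.append({"host": host, "process": proc, "window": w, "reasons": reasons,
                           "response": "isolate_host" if critical else "notify_soc"})
    return alerts


def baseline_events():
    """Constructed 'normal' traffic: a word processor saving a few files per minute and a
    backup agent that legitimately writes 100 files per minute (a high but known rate)."""
    evs = []
    for m in range(10):
        evs += [FileEvent(m * 60 + k * 15, "wks-01", "winword.exe", "write",
                          f"C:/Users/a/Docs/memo{m}{k}.docx") for k in range(3)]
        evs += [FileEvent(m * 60 + k * 0.5, "srv-bk", "backup.exe", "write",
                          f"D:/bk/f{m}_{k}.bak") for k in range(100)]
    return evs


def attack_events():
    """Constructed live traffic: the same normal activity plus an unknown process renaming
    40 documents to .locked in 20 seconds and then overwriting the canary file."""
    evs = [FileEvent(600 + k * 15, "wks-01", "winword.exe", "write",
                     f"C:/Users/a/Docs/new{k}.docx") for k in range(3)]
    evs += [FileEvent(600 + k * 0.5, "srv-bk", "backup.exe", "write",
                      f"D:/bk/g{k}.bak") for k in range(100)]
    evs += [FileEvent(610 + k * 0.5, "wks-01", "enc.exe", "rename",
                      f"C:/Users/a/Docs/memo{k}.docx.locked") for k in range(40)]
    evs.append(FileEvent(631, "wks-01", "enc.exe", "write", "C:/Users/a/Docs/!!README_DO_NOT_TOUCH.txt"))
    return evs


def run_demo():
    return detect(attack_events(), learn_baseline(baseline_events()))


if __name__ == "__main__":
    for a in run_demo():
        print(a)
```

The point of the baseline is visible in the demo: backup.exe writes far more files per minute than the encryptor, yet raises no alert because that rate is its learned normal, while enc.exe trips three independent rules at once and is marked for host isolation. Real EDR products add many more signals (entropy of written data, shadow-copy deletion, process lineage), but the structure of per-entity baselining plus high-confidence tripwires is the same.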
