Ransomware Detection: How Infocyte Uses the CISA Ransomware Guide
Large organizations and mid-sized businesses dread the ransomware plague, as it can paralyze day-to-day operations and expose confidential information to the public. Most organizations have taken some steps toward protecting their business through ransomware detection and protection, but is it enough?
The Cybersecurity and Infrastructure Security Agency (CISA) and the Multi-State Information Sharing & Analysis Center (MS-ISAC) prepared a comprehensive guide for all business owners to help them arm their businesses against ransomware attacks.
Threat actors are getting smarter and finding new tactics to penetrate network defenses as technology advances. Cobalt Strike, for example, is a tool that often comes up in ransomware attacks today, so Infocyte is investing in creating a safe environment for its clients. This article looks at how Infocyte’s preparation stacks against the CISA and MS-ISAC Ransomware Guide and why it’s good for your business.
What is the CISA and MS-ISAC Ransomware Guide?
The CISA and MS-ISAC ransomware guide is a customer-centered resource that outlines best practices for preventing ransomware attacks on a business and for responding in the event of an attack.
The guide contains two parts. Part 1 is the ransomware detection and prevention practices that highlight some things an organization can do to protect its business from ransomware attacks. Part 2 is the response checklist that guides an organization on the best response practices if they encounter a ransomware attack.
This resource was released on 30th September 2020, and it’s now in distribution to all businesses that need to enhance their cybersecurity, boost their network defense, and significantly lower ransomware attack risks.
Infocyte’s Ransomware Prevention Best Practices
The Infocyte platform addresses protection through these malware prevention practices:
- Regular scanning for vulnerabilities on internet-facing devices and addressing any identified vulnerabilities to limit the attack surface.
- Patching and updating software and OS regularly to close out known vulnerabilities. These include browser plugins, web browsers, and document readers.
- Enabling device security features and properly configuring the devices. Infocyte uses extensions to accomplish this.
- Detecting poorly secured remote services, which present threats, and ensuring that the organization follows best practices for remote services, including Remote Desktop Protocol (RDP) and other remote desktop services.
- Disabling or blocking the Server Message Block (SMB) protocol, as well as removing or disabling outdated versions of SMB, which attackers may use to propagate their malware.
- Monitoring security posture and configurations across all Microsoft 365 apps and alerting if the configurations differ from known best practices or change suddenly, which may indicate an attack attempt.
- Using MS Defender as the primary antivirus and anti-malware software and ensuring that it is always updated. With Infocyte’s forensic analysis, you can detect latent threats resulting from existing malware infections and remediate them.
- Following best cyber hygiene practices when handling your organization’s information.
- Validating MFA for all services using Microsoft 365, particularly for webmail, virtual private networks, and accounts that access critical systems.
- Monitoring and controlling access to the organization’s database by showing you the number of admins present, including local machine admins.
- Leveraging Microsoft 365’s best practices to enable security settings for cloud environments.
- Restricting PowerShell usage to authorized users on the network, including administrators, through Infocyte’s behavioral analytics. Always ensure PowerShell instances (on the most current version) have module, script block, and transcription logging enabled.
- Securing domain controllers (DCs), which are often the main target for threat actors.
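As an added example that is not Infocyte’s or CISA’s code, the following PowerShell script audits the logging settings named in the PowerShell item above, plus the SMBv1 server setting from the SMB item, and reports which ones are not enforced. It is read-only and assumes it runs elevated on a Windows host where the SmbShare module is available.

```powershell
# Added example (not Infocyte's code): audit PowerShell logging policy and SMBv1.
# Read-only: inspects registry policy values and SMB server configuration only.

$policyRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'

# Each entry: policy subkey, value name, expected data, human-readable label
$checks = @(
    @{ Key = "$policyRoot\ScriptBlockLogging"; Name = 'EnableScriptBlockLogging'; Expected = 1; Label = 'Script block logging' },
    @{ Key = "$policyRoot\ModuleLogging";      Name = 'EnableModuleLogging';      Expected = 1; Label = 'Module logging' },
    @{ Key = "$policyRoot\Transcription";      Name = 'EnableTranscripting';      Expected = 1; Label = 'Transcription logging' },
    @{ Key = "$policyRoot\Transcription";      Name = 'EnableInvocationHeader';   Expected = 1; Label = 'Transcript invocation headers' }
)

function Get-PolicyValue {
    param([string]$Key, [string]$Name)
    # $null when the key or the value is absent, which counts as "not enforced"
    $k = Get-Item -LiteralPath $Key -ErrorAction SilentlyContinue
    if ($null -eq $k) { return $null }
    $k.GetValue($Name)
}

$findings = foreach ($c in $checks) {
    $actual = Get-PolicyValue -Key $c.Key -Name $c.Name
    [pscustomobject]@{
        Setting  = $c.Label
        Enforced = ($actual -eq $c.Expected)
        Actual   = if ($null -eq $actual) { '<not set>' } else { $actual }
    }
}

# Module logging only records pipeline events for modules listed under ModuleNames;
# a value named "*" with data "*" covers every module.
$moduleNames = Get-PolicyValue -Key "$policyRoot\ModuleLogging\ModuleNames" -Name '*'
$findings += [pscustomobject]@{
    Setting  = 'Module logging covers all modules (ModuleNames = *)'
    Enforced = ($moduleNames -eq '*')
    Actual   = if ($null -eq $moduleNames) { '<not set>' } else { $moduleNames }
}

# SMBv1 is the outdated dialect the list above says to remove or disable.
$smb1 = (Get-SmbServerConfiguration).EnableSMB1Protocol
$findings += [pscustomobject]@{
    Setting  = 'SMBv1 server protocol disabled'
    Enforced = (-not $smb1)
    Actual   = $smb1
}

$findings | Format-Table -AutoSize
```

Any row with Enforced = False is a gap to close through Group Policy (for the logging keys) or by disabling SMBv1 on the server side.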

Infocyte Ransomware Response Checklist after Detecting Ransomware
In the event that your organization is attacked, Infocyte easily helps to secure the affected systems and isolate them, clean up the infected systems, and safely reconnect your network.
After ransomware detection, the next step is to identify the impacted systems and isolate them from the other systems so that the infection doesn’t continue to spread.
Infocyte determines the affected subnets and then takes action. If several of them are hit, they are taken offline at the switch level to contain them. Where going offline temporarily is not an option, the affected devices are disconnected from the network (e.g., by unplugging the Ethernet cable) to contain the infection.
Since the attackers are keen to notice any suspicion from your end, Infocyte employs out-of-band communication systems like phone calls for communication and then isolates the systems in a coordinated manner. This way, the attackers remain unaware of any activities from your organization’s end.
It also detects and identifies the accounts and systems involved in the breach so that your organization can reinforce security in that direction. Such accounts include email accounts, as these are easy for attackers to infiltrate and gather information from.
Infocyte’s ability to extract files makes it easy to conduct in-depth analysis of artifacts such as phishing emails, storage media, and logs to help your organization understand the root cause of the attack. It also examines existing organizational security systems to highlight other systems involved in the attack.
If your network was previously compromised and the situation was left unresolved, it could lead to a more serious infection, since attackers could reuse that foothold. Infocyte detects such existing malware that could compromise your network.
Its behavioral rules conduct extended analysis to identify outside-in and inside-out persistence mechanisms that could implant malware into the system, since many vulnerabilities can be involved.
After recovering the systems from the attackers and removing the malware, it’s important to be careful while reconnecting them, as they can easily be re-infected. Infocyte ensures that your reconnection is safe and advises on proper post-incident activities that keep your systems clean.
Conclusion
Since ransomware attacks can severely impact your business, it’s important to have a solid Managed Detection and Response (MDR) provider at your service to ensure you are well-covered. Infocyte focuses on detection and response, such that your business is always safe from any potential threats.
Are you thinking of using Infocyte for your organization’s security? Schedule a demo with our sales team.
*** This is a Security Bloggers Network syndicated blog from Blog – Infocyte authored by Kelly Giles. Read the original post at: https://www.infocyte.com/ransomware/2021/12/07/ransomware-detection/

