CISA Releases Updated #StopRansomware Guide

Introduction

On May 23, 2023, the Cybersecurity & Infrastructure Security Agency (CISA) published the newest version of the #StopRansomware Guide to serve as a resource for organizations to help prevent and recover from ransomware. As ransomware continues to plague the digital world, large and small businesses need to take steps to protect the valuable data entrusted to them. CISA collaborated with MS-ISAC, NSA, and the FBI to build the #StopRansomware Guide. Divided into two parts, it contains updated best practices to protect against common attack vectors and guidance on responding and recovering from a ransomware incident.

Part 1

The first part of the #StopRansomware Guide is titled "Part 1: Ransomware and Data Extortion Preparation, Prevention, and Mitigation Best Practices." It contains best practices enterprises should adopt to reduce the opportunity for a successful ransomware attack and limit the potential impact. The 'Preparing for Ransomware and Data Extortion Incidents' section covers data backup processes, cyber incident response plan creation and testing, and implementing a Zero Trust Architecture, as is referenced in CISA's Zero Trust Maturity Model Version 2. 

Related: ThreatLocker Blog: Understanding the Zero Trust Maturity Model V 2.0 

The ThreatLocker Endpoint Security Platform helps support the recommendations in this section. To help protect backup data, ThreatLocker Storage Control enables granular policies to be set covering data storage locations, getting as specific as allowing only permitted backup software to access backup files. Storage Control can also enforce removable media encryption to support this practice further. Network Control can support zero trust architecture. All inbound traffic can be blocked on every ThreatLocker-protected device, and policies are constructed to permit just-in-time port-level access for authorized connections. Unauthorized devices will not have visibility of the open port, even from within the same local area network.  

The following section in the #StopRansomware Guide is the “Preventing and Mitigating Ransomware and Data Extortion Incidents” area. Here, the guide is segmented according to the initial access vector used by ransomware and data extortionists. The six access vectors listed are:

• Internet-Facing Vulnerabilities and Misconfigurations
• Compromised Credentials
• Phishing
• Precursor Malware Infection
• Advanced Forms of Social Engineering
• Third Parties and Managed Service Providers

Specific practices are outlined concerning each of the initial access vectors to mitigate the risks associated with them. 

ThreatLocker addresses many of the mitigations outlined here. ThreatLocker Configuration Manager provides group-policy-like security controls managed from the ThreatLocker portal, whether endpoints are domain joined or not. Create and enforce password policies, lockout policies, manage local administrator passwords, and disable downloaded Office macros. ThreatLocker Allowlisting uses a default deny. Any application, script, or library not on the allow list will be unable to execute, protecting against malware. ThreatLocker is a privileged access management (PAM) solution. Reduce or remove local admin accounts and permit the elevation of specific applications that require elevation without providing admin credentials. Combined with Ringfencing™, it can prevent application hopping, placing boundaries around the elevated applications, and reducing the potential for abuse. Meanwhile, all file and network activity will be logged in the Unified Audit. 

The third section of the #StopRansomware Guide is entitled "General Best Practices and Hardening Guidance." CISA lists some cybersecurity practices that will increase the strength and security of an organization's cybersecurity posture. Maintaining a comprehensive asset management approach, applying the least privilege principle, enabling security settings in cloud environments, mitigating malicious use of RMM and remote access software, segmenting your network, restricting the use of PowerShell, and securing your domain controller, are included among the best practices listed. 

The ThreatLocker Endpoint Protection Platform addresses many of these best practices. ThreatLocker Allowlisting creates a comprehensive list of all applications in your environment. Allowlisting blocks all unauthorized applications by default, including RMM tools. Policies can be configured so that only specific users have the ability to run specific applications, including PowerShell and any applications that require elevation. Use Network Control to close remote access ports on all servers and endpoints and to protect your domain controller by permitting only a specific subset of admins access to it. 

Part 2

The second part of the #StopRansomware Guide is called "Part 2: Ransomware and Data Extortion Response Checklist." Here, the steps you should take if you fall victim to a successful ransomware event are detailed. The steps are:

• Detection and Analysis
• Reporting and Notification
• Containment and Eradication
• Recovery and Post-Incident Activity

The guide instructs you to be sure to complete the first three steps in that exact sequence.  

The ThreatLocker Endpoint Protection Platform can assist with these steps. ThreatLocker Ops is a monitoring and detection tool. Using the telemetry data collected across all the ThreatLocker products, policies can be configured to alert and respond to IOCs according to your organization's threat appetite. ThreatLocker policies can be turned on or off, and machines can be shut down or isolated from the network as specified by you. Along with alerting and responding, the ThreatLocker Unified Audit provides a highly detailed, near-real-time log of file and network activity in the environment. The logs chronicle the logged-in user, file names, if the action was elevated, what process it was created by, and what process it was called by. The source and destination IP address and port are also logged for network activity. With many filtering options, quickly drill down into the event being investigated. Track malicious files back to their origin in your environment, and search for every endpoint on which the file has been found.  

Conclusion

As part of the ongoing efforts of CISA to shed light on today’s cyber threats, the newest #StopRansomware Guide outlines the controls that organizations should implement to protect themselves and the data they've been entrusted with. As the threat landscape continues to change and bad actors continue to succeed in their efforts to extort and ransom data, cyber defenders must continually reevaluate their security strategy and adapt. The ThreatLocker Endpoint Protection Platform starts with Allowlisting, Ringfencing™, and Network Control to provide well-rounded protection against known and unknown threats. Adding Storage Control, Elevation, and ThreatLocker Ops increases the overall strength of your security posture while decreasing your attack surface and the associated risk.  

The ThreatLocker Endpoint Protection Platform aligns closely with many of CISA's #StopRansomware Guide recommendations. To see how ThreatLocker can help your organization stay a step ahead of threat actors and protect against ransomware, schedule a live, one-on-one demonstration today.

‍