InfoSec Insider

Beyond the Basics: Tips for Building Advanced Ransomware Resiliency

Joseph Carson, chief security scientist and advisory CISO at ThycoticCentrify, offers advice on least privilege, automation, application control and more.

The rate at which ransomware attacks occur is rapidly increasing. Not only have we witnessed the rise in the frequency of these attacks, but have also seen them evolve into more sophisticated, successful and damaging events.

The potential monetary gain from a ransomware attack is now so lucrative that many ransomware developers have established affiliate programs for their tools and expertise, offering ransomware-as-a-service (RaaS). Ransomware demands also continue to skyrocket, and more than 80 percent of victim organizations admit to paying them.

While public utilities, healthcare organizations and financial institutions are some of the most frequent targets of ransomware attacks, no organization is safe from becoming the next victim. Therefore, all organizations must be prepared and on high alert.


So how can organizations become more resilient and avoid becoming the next ransomware victim? First, let’s review basic best practices.

Last year, the Cybersecurity and Infrastructure Security Agency (CISA) and the Multi-State Information Sharing and Analysis Center (MS-ISAC) jointly published the Ransomware Guide, which outlines recommendations for ransomware prevention and response. Some of their security best-practice recommendations include:

  • Back up all critical information to reduce the impact of potential data loss
  • Keep systems and software updated (as outdated programs are more susceptible to attacks)
  • Limit internet-facing remote desktop protocol (RDP) access
  • Implement application control
  • Create and implement a security-awareness program

While these are all good practices that improve overall security posture, these steps alone will not protect an organization from a ransomware attack. In addition to the baseline recommendations from CISA and MS-ISAC, organizations can build a stronger security posture in the following ways.

6 Steps to Building Advanced Cyber-Resiliency

1. Look Beyond Legacy Security

To combat ransomware, organizations must look beyond their traditional, network-based cybersecurity solutions and adopt both a new toolset and a new mindset. Legacy solutions fall short on their own: conventional signature-based antivirus only recognizes samples it has already seen, and ransomware builds are repacked faster than signatures ship, while disk or file encryption tools protect confidentiality but do nothing to stop an attacker from encrypting the data again on top. A modern ransomware strategy should combine network segmentation, behavior-based threat detection and privileged-credential protection so that the layers work together to prevent pivoting and lateral movement across the network.

2. Implement Least-Privileged Access

Organizations must create and implement least-privilege environments, where users receive only the access and permissions to critical systems and data that they need to fulfill their work duties, and only for the amount of time needed to complete the task. Moving away from persistent, standing privileges to just-in-time or on-demand privileges shrinks the window in which a stolen credential is useful and makes it harder for attackers to move around the network.

It is also important that organizations understand that an employee’s level of access continues to naturally evolve and grow as a result of digital transformation initiatives, such as the introduction of new cloud and software-as-a-service (SaaS) applications. Today, it should be assumed that all users are privileged users, who have access to shared files, documents and confidential data. Organizations should implement controls that can monitor and manage these user privileges while simultaneously ensuring that their least-privilege controls are working.

3. Make Security a Top Priority in the Organization Culture

CISA and MS-ISAC recommend that organizations create cybersecurity-awareness initiatives that build and reinforce cyber-hygiene among employees. This may include campaigns covering topics such as phishing and password best practices. However, to be truly successful at protecting against ransomware and other cyberattacks, security needs to be embedded within every part of an organization.

One way to achieve this is to establish a cybersecurity ambassador for every department within an organization, who helps enforce department-specific security policies, spot threats and respond to incidents. Whether it is accounting or human resources, every department has different security and compliance requirements. Designating an IT person who understands the unique needs of each department helps maximize an organization's security.

4. Full Application Control

While there is often a large emphasis on creating an "allow list" of trusted software applications, organizations should also maintain a "deny list" that blocks known-malicious applications and software. Anything on neither list is unknown and should be quarantined in a sandbox or a restricted list for review before approval, rather than being allowed by default. With full application control in place, privilege can then be elevated for specific approved applications on a just-enough, just-in-time basis, instead of granting the user standing administrative rights.
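The following is an added example, written for this article and not code from the author or from any vendor, that ties the two controls above together: application control with deny-overrides-allow precedence and quarantine for unknown binaries (Step 4), plus time-boxed just-in-time elevation that can only be granted for an allow-listed binary (Step 2). The file contents, hashes and user names are constructed for the example; a real deployment would hash the executable on disk and take its policy lists from an endpoint-management or PAM product.

```python
"""Hash-based application control with just-in-time (JIT) elevation.

Added illustrative example; the binaries, lists and users below are constructed.
"""
import hashlib

# Constructed stand-ins for executable contents. In practice these are the
# bytes of the file about to run, hashed at execution time.
SAMPLES = {
    "notepad.exe": b"constructed: benign editor",
    "dropper.exe": b"constructed: known ransomware dropper",
    "newtool.exe": b"constructed: tool nobody has reviewed yet",
}


def sha256_of(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Policy lists keyed by SHA-256 so a renamed file cannot bypass them.
ALLOW_LIST = {sha256_of(SAMPLES["notepad.exe"])}
DENY_LIST = {sha256_of(SAMPLES["dropper.exe"])}


def classify(file_bytes: bytes) -> str:
    """Return 'deny', 'allow' or 'quarantine' for an executable's contents.

    Deny is checked first, so a hash that somehow lands on both lists is still
    blocked. Anything on neither list is unknown and is quarantined, never run.
    """
    digest = sha256_of(file_bytes)
    if digest in DENY_LIST:
        return "deny"
    if digest in ALLOW_LIST:
        return "allow"
    return "quarantine"


class JitElevation:
    """Time-boxed elevation grants: (user, binary hash) -> expiry (epoch seconds)."""

    def __init__(self) -> None:
        self._grants: dict[tuple[str, str], int] = {}

    def grant(self, user: str, file_bytes: bytes, ttl_seconds: int, now: int) -> None:
        # Elevation is only ever attached to an allow-listed binary; there is no
        # "elevate whatever the user launches" path.
        if classify(file_bytes) != "allow":
            raise PermissionError("only allow-listed binaries may be elevated")
        self._grants[(user, sha256_of(file_bytes))] = now + ttl_seconds

    def is_elevated(self, user: str, file_bytes: bytes, now: int) -> bool:
        key = (user, sha256_of(file_bytes))
        expiry = self._grants.get(key)
        if expiry is None:
            return False
        if now >= expiry:
            del self._grants[key]  # expired grants are revoked, not left standing
            return False
        return True


def decide(user: str, file_bytes: bytes, jit: JitElevation, now: int) -> str:
    """Final execution decision: block, quarantine, run-standard or run-elevated."""
    verdict = classify(file_bytes)
    if verdict == "deny":
        return "block"
    if verdict == "quarantine":
        return "quarantine"
    return "run-elevated" if jit.is_elevated(user, file_bytes, now) else "run-standard"


def demo() -> list[str]:
    """Walk one user through a 30-minute elevation window; returns the decisions."""
    jit = JitElevation()
    t0 = 1_636_000_000  # constructed epoch timestamp
    editor = SAMPLES["notepad.exe"]
    out = [decide("alice", editor, jit, t0)]           # no grant yet
    jit.grant("alice", editor, ttl_seconds=1800, now=t0)
    out.append(decide("alice", editor, jit, t0 + 600))  # inside the window
    out.append(decide("bob", editor, jit, t0 + 600))    # grant is per user
    out.append(decide("alice", editor, jit, t0 + 1800)) # window closed
    out.append(decide("alice", SAMPLES["dropper.exe"], jit, t0))
    out.append(decide("alice", SAMPLES["newtool.exe"], jit, t0))
    return out


if __name__ == "__main__":
    for line in demo():
        print(line)
```

The two properties worth carrying into a real product are that unknown binaries default to quarantine rather than to "run", and that elevation is bound to a specific, already-approved binary hash and a specific user for a fixed window, so a compromised account cannot launch an arbitrary payload with the elevated token.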

5. Continually Monitor and Evolve Security Strategy

Every week, new software systems, compliance initiatives or security threats are introduced. As a result, an organization's security strategy must continually evolve as well. By regularly evaluating how effective existing security controls and incident-response capabilities are, organizations can quickly mitigate and remediate potential threats or gaps in their security posture. Organizations that review and assess their security programs only occasionally are the most susceptible to threats.

6. Be Cautious with Automation

Many organizations now rely on automation for their security operations. While automation frees up internal resources, it should be applied with care. A fixed, automated schedule is predictable: an attacker who has observed when scans run, when patches are applied or when passwords are rotated can time their activity for the window in which the organization is weakest. The answer is not to slow down patching, which should keep flowing as fast as possible, but to remove the predictability. Vary the frequency and timing of the security activities that attackers could otherwise set their clocks by, such as discovery scans, penetration tests and password rotation.

There is no one-size-fits-all, step-by-step guide to protecting against ransomware attacks. However, by diligently evaluating your IT infrastructure to identify where security gaps exist and implementing the above practices, organizations can significantly improve their resiliency against such attacks.

Joseph Carson is chief security scientist and advisory CISO at ThycoticCentrify.
