Best practice security controls

Protect Your Organisation

Key Points

There is no ‘silver bullet’ hardware or software that can be installed to eliminate the risk of ransomware and other forms of cyber extortion.

CISOs and security professionals should prioritise these seven areas of security control, which target the most common ways criminals currently access and exploit networks.

Seven priority security controls

These controls are based on CyberCX’s real-world operational experience and are designed to be:

We understand that security controls are generally neither easy nor cheap, but we believe these baseline standards are accessible to all organisations.

These controls target the tradecraft we see cybercriminals repeatedly and successfully using to target Australian and New Zealand organisations today. Of course, this is a dynamic space. As the tools and tactics of cybercriminals evolve, the priority controls we recommend will evolve too.

To mitigate the risk of ransomware and data theft extortion, organisations should review their security capabilities to ensure they are addressing the following seven priority areas.

Plan ahead to recover from a disruptive attack

Ensure the business can keep running.

Business Continuity Planning

The concept of Business Continuity Planning (BCP) has existed in the IT industry for decades, but has tended to focus on addressing system faults rather than a sentient attacker who will actively work against remediation efforts. In the current threat landscape, where cybercriminals are aggressively looking to damage systems and disrupt business operations, a holistic approach to BCP has never been more important.

Organisations should:

  • Identify systems and data sources that are required to maintain critical business operations.
  • Develop plans so that business operations can continue if these systems become unavailable due to a destructive attack.
  • Develop plans for how to restore critical systems and data sources, including in what order of priority (it may help to think about both business needs and system dependence).
  • Maintain multiple backups of each system in multiple locations, including at least one offline.
  • Regularly test backups and continuity plans to ensure they would be effective if needed (considering both functionality and timeliness) and update as required.
  • Ensure backups are protected from unauthorised destruction, including verifying backups before they are moved to offline storage.

A key consideration when restoring systems from attack is the attacker’s ‘dwell time’ inside the network; that is, the period between initial compromise and subsequent attack phases. If an attacker deploys malware or other mechanisms which provide backdoor access to a network, these may remain in place for days or weeks before subsequent attack phases. If a system is backed-up during this period, the backup may itself contain the same active backdoor. This can be addressed by:

  • Conducting a thorough investigation to uncover the full scope of the attack.
  • Checking systems restored from recent backups, before putting those systems back into production.
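
As an added example, not code from the original guide, the Python script below shows two of the checks described above: a SHA-256 manifest that is written when a backup set is created and re-verified before the copy is moved to offline storage or restored, and a dwell-time screen that flags any backup taken on or after the earliest evidence of compromise. The directory layout, the nightly backup catalogue and the compromise date are constructed for the example, and the two-day safety margin subtracted from the first known compromise is an assumption.

```python
"""Backup integrity manifest and dwell-time screening (added example)."""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timedelta, timezone


def build_manifest(root):
    """Return {relative_path: sha256} for every file under root."""
    manifest = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            digest = hashlib.sha256()
            with open(full, "rb") as fh:
                for chunk in iter(lambda: fh.read(1 << 20), b""):
                    digest.update(chunk)
            manifest[rel] = digest.hexdigest()
    return manifest


def verify_manifest(root, manifest):
    """Compare root against a stored manifest; return a list of problems (empty = OK).

    Run this before a backup leaves for offline storage and again before a
    restore, so a copy that was tampered with in between is caught.
    """
    current = build_manifest(root)
    problems = []
    for rel, expected in manifest.items():
        if rel not in current:
            problems.append(f"missing: {rel}")
        elif current[rel] != expected:
            problems.append(f"modified: {rel}")
    problems.extend(f"unexpected: {rel}" for rel in current if rel not in manifest)
    return sorted(problems)


def screen_backups(catalogue, first_compromise, margin=timedelta(days=2)):
    """Split a backup catalogue into copies that pre-date the intrusion and
    copies that may already contain the attacker's backdoor.

    catalogue: list of (label, taken_at) with timezone-aware datetimes.
    margin: extra time subtracted from the earliest evidence of compromise,
            because the first evidence found is rarely the true start
            (assumed value, not from the guide).
    """
    cutoff = first_compromise - margin
    return {
        "cutoff": cutoff,
        "clean": [label for label, t in catalogue if t < cutoff],
        "suspect": [label for label, t in catalogue if t >= cutoff],
    }


def demo():
    """Build a constructed backup set, tamper with it, and screen a catalogue."""
    root = tempfile.mkdtemp(prefix="backup-")
    os.makedirs(os.path.join(root, "db"))
    os.makedirs(os.path.join(root, "config"))
    with open(os.path.join(root, "db", "dump.sql"), "w") as fh:
        fh.write("-- constructed sample dump\nINSERT INTO t VALUES (1);\n")
    with open(os.path.join(root, "config", "app.ini"), "w") as fh:
        fh.write("[app]\nmode=prod\n")

    # The manifest would be stored separately from the backup (e.g. with the
    # offline copy's paperwork); here it just round-trips through JSON.
    stored = json.dumps(build_manifest(root), sort_keys=True)
    before = verify_manifest(root, json.loads(stored))

    # Simulate an attacker (or a ransomware binary) altering the stored backup.
    with open(os.path.join(root, "db", "dump.sql"), "a") as fh:
        fh.write("-- tampered\n")
    with open(os.path.join(root, "db", "dropper.bin"), "wb") as fh:
        fh.write(b"\x00constructed placeholder\x00")
    after = verify_manifest(root, json.loads(stored))

    utc = timezone.utc
    catalogue = [  # constructed nightly backups
        ("nightly-2024-05-01", datetime(2024, 5, 1, 2, 0, tzinfo=utc)),
        ("nightly-2024-05-08", datetime(2024, 5, 8, 2, 0, tzinfo=utc)),
        ("nightly-2024-05-15", datetime(2024, 5, 15, 2, 0, tzinfo=utc)),
    ]
    # Earliest evidence of compromise found by the investigation (constructed).
    screen = screen_backups(catalogue, datetime(2024, 5, 10, 0, 0, tzinfo=utc))
    return before, after, screen


if __name__ == "__main__":
    before, after, screen = demo()
    print("before tamper:", before)
    print("after tamper:", after)
    print("restore from:", screen["clean"], "| investigate first:", screen["suspect"])
```

The manifest is only useful if it is stored where the attacker cannot reach it, otherwise a tampered backup ships with a matching tampered manifest. The backups flagged as suspect are not necessarily bad, but they are exactly the ones that need a check for the backdoor before going back into production.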

Incident Response Planning

Don’t wait for a major incident to start developing your cyber incident response plan.

Organisations which invest some time and effort in preparing for a major incident manage real-life incidents better, with more successful outcomes. Having a predefined and approved incident response plan can minimise confusion and discoordination, especially in the critical early stages of a response. An effective incident response plan should identify:


  • The participants and key stakeholders involved in an incident. A RACI model, categorising stakeholders as Responsible, Accountable, Consulted, or Informed, can be helpful
  • The overall methodology that will be applied for responding
  • The high-level work streams that may be required

The most important element when establishing a cyber incident response plan is effective coordination and collaboration. A cyber incident can quickly escalate to become a major issue involving stakeholders across the organisation, up to senior management and board level.

Key participants during a cyber incident

Operational IT teams

To manage the organisation’s systems and networks; they will be crucial for containment, response and restoration activities.

Investigations team

Led by digital forensics and incident response specialists, undertaking investigation and threat hunting activities to determine the facts of what occurred, and coordinate related phases including attacker engagement and assessment of stolen data.

Senior executives

To oversee, coordinate and support response activities, make operational decisions, re-allocate resources and direct engagement with external advisors and stakeholders.

Media and communications

To define and execute reactive and proactive external communications and stakeholder management.

The Board

To be called on for critical decisions such as whether to engage with attackers, how to negotiate, and whether a ransom payment should be considered.

Cyber insurers

Should be advised early to provide a clear understanding of the organisation’s policy coverage and any reporting requirements.

Legal Counsel

To provide focussed advice on potential legal issues.

Key stakeholders are likely to include:

  • Customers/clients
  • Employees
  • Suppliers and/or contractors
  • Investors, shareholders and/or business partners
  • Government departments or agencies
  • Regulators or oversight bodies
  • Media

Stakeholder management & communications plans

An organisation that can minimise the impact of a cyber security incident on its stakeholders can significantly minimise the impact on itself.

In our experience, the most successful approach is to plan to provide timely and accurate updates on the progress of the investigation and restoration activities to all relevant stakeholders.

An effective stakeholder management and communications plan should set out, for each stakeholder:

  • expected role, responsibilities and/or actions
  • what reporting is mandatory or otherwise necessary
  • the appropriate contact person, and
  • the cadence and method of communication

Technical incident playbooks

To complement the incident response plan, technical incident playbooks can be helpful for providing technical staff with guidelines on how to respond to specific incident scenarios. These playbooks should at least describe the actions required for initial identification, containment and triage investigation.

Conduct attack simulation exercises

An effective attack simulation exercise provides all the learning experience of a real-life incident but without the destruction. And it’s cheaper than paying a ransom.

  • Scenario ‘table-top’ exercises, which walk through what would occur during a major incident and work through key decisions that may need to be made, such as whether to engage with an attacker or make a ransom payment.
  • Detailed technical ‘table-top’ exercises, which involve exploring a scenario of how a major incident could unfold on the network. Each step of the attack chain would then be assessed to determine what capabilities exist to prevent, detect and respond. This valuable exercise provides deep insight into the preparedness of the organisation and a clear roadmap for making improvements.

Defuse phishing emails

Scan at email gateways and “patch your people”

Phishing emails continue to be the most common and effective attack vector we see.

To defend against phishing emails, organisations should:

  • Deploy security controls on email platforms that block most phishing emails before they reach users.
  • Proactively educate staff to identify and report phishing emails that make it through automated filtering. One effective approach is a phishing simulation service that educates staff on the purpose, characteristics and risks of phishing emails.

When a phishing email does reach users, the response should include:

  • Assessing the malicious capabilities of the email. For example, does it simply redirect users to a fake login page, or does it attempt to load malware onto user endpoints?
  • Identifying which other users also received the same email, to scope the potential breadth of impact.
  • Investigating whether users were lured by the email. This should involve asking the users and verifying evidence sources such as proxy and DNS logs and internet histories on user computers. Forensic analysis of user computers may also be necessary to determine whether malware detonated.
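
The scoping and investigation steps above can be automated against the logs most organisations already hold. The Python script below is an added example, not code from the original guide: from one reported message it derives campaign indicators (sender domain and lure host), finds every other recipient in the mail gateway log, then checks proxy and DNS logs for each recipient and only counts hits after that user's delivery time. The three log extracts and their field names are constructed for the example; real gateways, proxies and resolvers name these fields differently.

```python
"""Scope a phishing campaign from gateway, proxy and DNS logs (added example)."""
import csv
import io
from datetime import datetime
from urllib.parse import urlsplit

# Constructed sample logs. Field names are illustrative; map them to whatever
# your gateway, proxy and DNS resolver actually emit.
GATEWAY_LOG = """ts,msg_id,sender,recipient,subject,url
2024-06-03T08:01:10,m-1001,hr@payroll-updates.example,alice@corp.example,Payslip update,http://payroll-updates.example/login
2024-06-03T08:01:12,m-1002,hr@payroll-updates.example,bob@corp.example,Payslip update,http://payroll-updates.example/login
2024-06-03T08:01:15,m-1003,hr@payroll-updates.example,carol@corp.example,Payslip update,http://payroll-updates.example/login
2024-06-03T09:15:00,m-2001,news@vendor.example,alice@corp.example,Monthly newsletter,http://vendor.example/news
"""

PROXY_LOG = """ts,user,host,path,status
2024-06-03T07:50:00,bob,payroll-updates.example,/,200
2024-06-03T08:05:44,alice,payroll-updates.example,/login,200
2024-06-03T08:06:02,alice,payroll-updates.example,/login,302
2024-06-03T10:00:00,bob,vendor.example,/news,200
"""

DNS_LOG = """ts,user,qname
2024-06-03T08:05:43,alice,payroll-updates.example
2024-06-03T08:40:10,carol,payroll-updates.example
"""


def parse(text):
    return list(csv.DictReader(io.StringIO(text)))


def ts(value):
    return datetime.fromisoformat(value)


def campaign_indicators(gateway, reported_msg_id):
    """Derive indicators (sender domain, lure host) from the reported message."""
    for row in gateway:
        if row["msg_id"] == reported_msg_id:
            return row["sender"].split("@")[1], urlsplit(row["url"]).hostname
    raise KeyError(reported_msg_id)


def find_recipients(gateway, sender_domain, lure_host):
    """Every user who received a message matching either indicator -> first delivery time."""
    delivered = {}
    for row in gateway:
        same_sender = row["sender"].endswith("@" + sender_domain)
        same_lure = urlsplit(row["url"]).hostname == lure_host
        if same_sender or same_lure:
            user = row["recipient"].split("@")[0]
            t = ts(row["ts"])
            delivered[user] = min(delivered.get(user, t), t)
    return delivered


def classify(delivered, proxy, dns, lure_host):
    """Decide, per recipient, what the evidence shows.

    'visited'      the proxy saw the user fetch the lure host after delivery
    'dns_only'     the user's machine resolved the host but no proxy hit was
                   logged (blocked, direct-to-internet, or a non-browser fetch)
    'no_evidence'  nothing after delivery; still ask the user
    Hits before the delivery time are ignored: they cannot be this lure.
    """
    result = {}
    for user, t0 in delivered.items():
        visited = any(r["user"] == user and r["host"] == lure_host and ts(r["ts"]) >= t0
                      for r in proxy)
        resolved = any(r["user"] == user and r["qname"] == lure_host and ts(r["ts"]) >= t0
                       for r in dns)
        result[user] = "visited" if visited else "dns_only" if resolved else "no_evidence"
    return result


def scope_campaign(reported_msg_id):
    gateway, proxy, dns = parse(GATEWAY_LOG), parse(PROXY_LOG), parse(DNS_LOG)
    sender_domain, lure_host = campaign_indicators(gateway, reported_msg_id)
    delivered = find_recipients(gateway, sender_domain, lure_host)
    return classify(delivered, proxy, dns, lure_host)


if __name__ == "__main__":
    for user, status in sorted(scope_campaign("m-1002").items()):
        print(f"{user:8} {status}")
```

In the constructed data bob's proxy hit on the lure host pre-dates the email, so it is not counted, while carol resolved the host without a proxy record, which is the case that needs the endpoint-level look the text describes.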

Identify and address software vulnerabilities

 

Especially at the network perimeter

The attacker should not be the first person to find your vulnerabilities.

New vulnerabilities are often identified in common technology platforms such as mail servers, firewalls, content management systems or online management portals. The risks posed by these vulnerabilities quickly escalate when researchers or threat actors develop and publish exploits online.

Organisations should:

  • Regularly scan their network perimeters for systems with known vulnerabilities
  • Quickly remediate any vulnerabilities which are identified
  • Ensure they receive all vendor security advisories for products they use
  • Install vendor security patches in a timely manner
  • Implement mitigating controls where patches cannot be applied
  • Monitor systems for suspicious activities.

Ideally, for vulnerabilities on external-facing systems, organisations should patch (or mitigate) within 24 hours of any ‘proof of concept’ exploit being released online.

Patching can result in operational downtime. But this must be weighed up against the operational downtime and significant other costs of a successful attack.

Too often, CyberCX responds to incidents after organisations delayed patching or scheduled a patch too late. Our advice is to adopt a risk-based, intelligence-led approach to patching, giving highest priority to vulnerabilities that are:

  • Known to be under active exploitation or scanning by threat actors
  • In outdated versions of software that no longer receive regular maintenance.
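
To make the perimeter-scanning and prioritisation steps above concrete, the Python script below is an added example, not code from the original guide. It takes a list of internet-facing services with their versions (the shape of output a perimeter scan produces), matches each against an advisory feed, decides whether the running version is below the fixed version with a numeric rather than lexical comparison, and assigns the 24-hour deadline the guide gives for external-facing systems with a public proof of concept or active exploitation. The product names, versions and advisories are all constructed, and the 14-day default deadline for everything else is an assumption to be replaced by your own policy.

```python
"""Match exposed service versions to advisories and assign patch SLAs (added example)."""
import re
from dataclasses import dataclass
from typing import Optional


@dataclass
class Advisory:
    product: str
    fixed_in: Optional[str]     # first non-vulnerable version; None when no fix exists
    exploited: bool = False     # active exploitation or scanning reported
    poc_public: bool = False    # proof-of-concept exploit published
    end_of_life: bool = False   # product no longer maintained


# Constructed inventory of internet-facing services ("host port product/version"),
# e.g. the output of a perimeter scan. Product names are fictional.
INVENTORY = """\
vpn.corp.example 443 ExampleVPN/9.1.2
mail.corp.example 443 ExampleMail/2.3.0
cms.corp.example 80 ExampleCMS/4.0.1
portal.corp.example 8443 LegacyPortal/1.9
"""

# Constructed advisory feed; the fields tracked are the ones the guide calls out.
ADVISORIES = [
    Advisory("ExampleVPN", "9.1.4", exploited=True, poc_public=True),
    Advisory("ExampleMail", "2.2.9", poc_public=True),
    Advisory("ExampleCMS", "4.0.5", poc_public=True),
    Advisory("LegacyPortal", None, end_of_life=True),
]

SLA_HOURS_URGENT = 24          # external-facing + public PoC or active exploitation (guide)
SLA_HOURS_DEFAULT = 14 * 24    # assumed value for everything else; set from your own policy


def parse_version(text):
    """'9.1.2' -> (9, 1, 2). Numeric comparison, so '9.10' sorts after '9.9'."""
    return tuple(int(x) for x in re.findall(r"\d+", text))


def is_affected(version, fixed_in):
    """True when the running version is older than the first fixed version."""
    a, b = parse_version(version), parse_version(fixed_in)
    width = max(len(a), len(b))
    return a + (0,) * (width - len(a)) < b + (0,) * (width - len(b))


def parse_inventory(text):
    for line in text.splitlines():
        host, port, service = line.split()
        product, version = service.split("/", 1)
        yield host, int(port), product, version


def triage(inventory_text, advisories, external=True):
    """Return findings sorted most urgent first.

    action is 'patch' with an SLA in hours, or 'mitigate' when no patch exists
    (end-of-life software): isolate it, restrict sources, or replace it.
    """
    by_product = {a.product: a for a in advisories}
    findings = []
    for host, port, product, version in parse_inventory(inventory_text):
        adv = by_product.get(product)
        if adv is None:
            continue
        base = {"host": host, "port": port, "product": product, "version": version}
        if adv.end_of_life or adv.fixed_in is None:
            findings.append({**base, "action": "mitigate", "sla_hours": 0})
            continue
        if not is_affected(version, adv.fixed_in):
            continue
        urgent = adv.exploited or (external and adv.poc_public)
        findings.append({**base, "action": "patch", "fixed_in": adv.fixed_in,
                         "sla_hours": SLA_HOURS_URGENT if urgent else SLA_HOURS_DEFAULT})
    return sorted(findings, key=lambda f: (f["sla_hours"], f["host"]))


if __name__ == "__main__":
    for f in triage(INVENTORY, ADVISORIES):
        print(f"{f['sla_hours']:>4}h  {f['action']:8} {f['host']}:{f['port']} "
              f"{f['product']}/{f['version']}")
```

Note that the end-of-life system sorts to the top with no patch to apply: that is the "mitigating controls where patches cannot be applied" case, and it needs a decision rather than a scheduled change window.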

The accelerating race to patch

Cybercriminals are constantly in a race to exploit newly discovered vulnerabilities before defenders have a chance to respond. We often observe cybercriminals developing working exploits prior to patch issuance or within days of its public disclosure, leaving organisations with very short timeframes to patch their systems.

The first victim of the Accellion File Transfer Appliance extortion attacks was compromised less than 24 hours after the patch was released. In addition, some threat actors have the skills to find new vulnerabilities (zero-days) before the relevant software vendor can discover them and issue an update.

Fortify access points

Especially email and remote access

Organisations should:

  • Identify all known access points, including those used by staff, contractors, customers, and any third parties.
  • Scan the network perimeter to identify any other unknown access points.
  • Implement IP address filtering where possible. This should include blocking incoming connections from geographic regions that should not be connecting. For systems requiring higher security, source IP addresses should be locked down as far as possible.
  • Employ effective multi-factor authentication (MFA) on all access points, and train users to recognise and report unsolicited MFA notifications.
  • Monitor all access activity and investigate suspicious events. Any connection attempts that fail due to security controls such as geolocation filtering or MFA should be reviewed and investigated, with further blocking steps taken as necessary.
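
As an added example (not code from the original guide), the Python script below applies the last three controls to a remote-access authentication log: it checks each source address against a country allowlist, surfaces every failed MFA attempt for review, escalates repeated MFA denials or timeouts for one user inside a short window (the pattern behind unsolicited MFA notifications), and escalates again when a success follows that burst. The log lines, the prefix-to-country table standing in for a GeoIP database, the allowed countries and the window and count thresholds are all constructed or assumed.

```python
"""Review remote-access authentication logs for geo and MFA anomalies (added example)."""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed VPN/SSO log lines. Real products log these fields under other names.
AUTH_LOG = """\
2024-06-03T08:00:00 user=alice src=203.0.113.7 result=success
2024-06-03T08:30:00 user=carol src=203.0.113.8 result=mfa_denied
2024-06-03T22:14:01 user=bob src=198.51.100.9 result=mfa_denied
2024-06-03T22:14:40 user=bob src=198.51.100.9 result=mfa_denied
2024-06-03T22:15:12 user=bob src=198.51.100.9 result=mfa_timeout
2024-06-03T22:16:05 user=bob src=198.51.100.9 result=success
"""

# Stand-in for a GeoIP database: prefix -> country (constructed).
GEO_TABLE = {
    ipaddress.ip_network("203.0.113.0/24"): "AU",
    ipaddress.ip_network("198.51.100.0/24"): "NL",
}
ALLOWED_COUNTRIES = {"AU", "NZ"}          # where this organisation's users connect from (assumed)
FATIGUE_WINDOW = timedelta(minutes=10)    # assumed thresholds; tune to your tenant
FATIGUE_COUNT = 3

LINE_RE = re.compile(r"^(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>\S+)$")


def parse_log(text):
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            e = m.groupdict()
            e["ts"] = datetime.fromisoformat(e["ts"])
            events.append(e)
    return sorted(events, key=lambda e: e["ts"])


def country_of(src):
    addr = ipaddress.ip_address(src)
    for net, country in GEO_TABLE.items():
        if addr in net:
            return country
    return "??"


def review(events):
    """Return alerts as (rule, user, src, ts).

    Every failed MFA attempt is surfaced for review; a burst of failures and a
    success that follows one are escalated under their own rule names.
    """
    alerts = []
    seen_geo = set()
    recent_failures = defaultdict(list)   # user -> timestamps of MFA failures
    for e in events:
        user, src, t, result = e["user"], e["src"], e["ts"], e["result"]
        if country_of(src) not in ALLOWED_COUNTRIES and (user, src) not in seen_geo:
            seen_geo.add((user, src))
            alerts.append(("geo_disallowed", user, src, t))
        if result.startswith("mfa_"):
            alerts.append(("mfa_failure", user, src, t))
            window = [x for x in recent_failures[user] if t - x <= FATIGUE_WINDOW]
            window.append(t)
            recent_failures[user] = window
            if len(window) == FATIGUE_COUNT:
                alerts.append(("mfa_fatigue", user, src, t))
        elif result == "success":
            window = [x for x in recent_failures[user] if t - x <= FATIGUE_WINDOW]
            if len(window) >= FATIGUE_COUNT:
                alerts.append(("success_after_mfa_fatigue", user, src, t))
    return alerts


def rules_for(alerts, user):
    return sorted({a[0] for a in alerts if a[1] == user})


if __name__ == "__main__":
    for rule, user, src, t in review(parse_log(AUTH_LOG)):
        print(f"{t.isoformat()} {rule:26} {user:6} {src} ({country_of(src)})")
```

A success after a burst of denials means the user eventually accepted a prompt they did not initiate; that session should be terminated and the credential reset, not just reviewed. In practice the geo rule belongs in the access gateway itself so the connection never reaches the MFA step, with the log review as the backstop.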

Prevent malware from executing inside your network

Use anti-malware software and actively monitor your endpoints

Anti-malware technologies can still be effective at preventing or restricting ransomware execution. All systems should have anti-malware technologies installed, configured to actively block malicious activities, and updated with the latest attack signatures.

It’s best practice to use an endpoint detection and response (EDR) system. Compared with traditional anti-virus software, EDR systems include more advanced capabilities, such as collecting detailed endpoint telemetry, and allow for varying degrees of investigation and response to malicious activities.

However, just like any security capability, these systems are not ‘set-and-forget’ tools. They should be monitored closely to maintain high visibility of both normal and unusual endpoint activities, and all suspicious events should be investigated in a timely manner.

Even better: Internal network segmentation or microsegmentation

There’s always more that organisations can and should do to prevent and prepare for cyber incidents. For organisations seeking further depth of security, a next-level best practice approach is to separate production, non-production and operational technology (OT) networks and implement strong inter-network traffic filtering to prevent the detonation of ransomware (and other malware) in one network segment from affecting other segments.

Clean up your organisation’s data

Don’t make it easy for attackers to steal your crown jewels

With the increase in data theft extortion attacks, organisations should take steps to minimise the availability of confidential data on systems, especially in easy-to-reach locations such as shared network drives and user mailboxes.

Organisations should pay particular attention to personal information they hold and use. Beyond technical controls, this might also require organisations to carefully review what information they collect in the first place.

Organisations should:

  • Understand what personal information is, and identify where it is stored, both inside their networks and in any third-party environments they use, such as online software platforms
  • Only collect personal information needed to carry out their business
  • Ensure personal information is only used in ways for which they have a legal basis (for example, with consent)
  • Permanently destroy or deidentify personal information when the legal basis for holding it has expired.
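
Finding where personal information sits, especially in easy-to-reach places like shared drives, is the first step above and is straightforward to automate. The Python script below is an added example, not code from the original guide: it walks a share, reads each file as text, and reports files containing email addresses or payment card numbers, confirming card candidates with the Luhn check so that ordinary reference numbers are not reported. The share contents are constructed inside the script, the two indicator types are a starting point rather than a complete definition of personal information, and the size limit for files read in full is an assumption.

```python
"""Find files on a share that hold personal information (added example)."""
import os
import re
import tempfile

EMAIL_RE = re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b")
# 13-16 digits, optionally separated by spaces or dashes; candidates are
# confirmed with the Luhn check so random reference numbers are not reported.
CARD_RE = re.compile(r"\b\d(?:[ -]?\d){12,15}\b")


def luhn_ok(digits):
    """Luhn checksum used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def scan_text(text):
    """Count personal-data indicators in a piece of text; empty dict when none."""
    emails = len(set(EMAIL_RE.findall(text)))
    cards = 0
    for m in CARD_RE.finditer(text):
        if luhn_ok(re.sub(r"\D", "", m.group())):
            cards += 1
    return {k: v for k, v in (("email", emails), ("card", cards)) if v}


def scan_share(root, max_bytes=5_000_000):
    """Walk a share and return {relative_path: indicators} for files holding PII.

    Files are read as text with undecodable bytes dropped. Files over max_bytes
    (assumed limit) are skipped here and should be listed for manual review.
    """
    hits = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if os.path.getsize(full) > max_bytes:
                continue
            with open(full, "r", encoding="utf-8", errors="ignore") as fh:
                found = scan_text(fh.read())
            if found:
                hits[os.path.relpath(full, root).replace(os.sep, "/")] = found
    return hits


def build_sample_share():
    """Create a constructed share with one clean and two PII-bearing files."""
    root = tempfile.mkdtemp(prefix="share-")
    samples = {
        "HR/staff-list.csv": "name,email\nAlice,alice@corp.example\nBob,bob@corp.example\n",
        "Finance/old-orders.txt": ("paid with 4111 1111 1111 1111\n"    # Luhn-valid test number
                                   "internal ref 1234567812345678\n"),  # fails Luhn: not reported
        "Projects/readme.txt": "Build notes. Nothing personal here.\n",
    }
    for rel, content in samples.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(content)
    return root


if __name__ == "__main__":
    for path, found in sorted(scan_share(build_sample_share()).items()):
        print(f"{path}: {found}")
```

A real run would also record each file's last-modified time, because the files that turn up are usually old exports nobody remembers; those are the ones to destroy or de-identify first. Office formats and PDFs need to be converted to text before this kind of scan sees their contents.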

Manage privileged access

And closely monitor its use

A key objective for most attackers is to obtain access to privileged accounts to effectively carry out their attacks.

Most activities across a network occur within the context of a user account, so attackers who control the right accounts can operate as if they were legitimate administrators. Organisations can counter this by both closely managing access to privileged accounts and monitoring their use.

Attacks against privileged accounts are synonymous with attacks against authentication systems, the most notable being Active Directory (AD), the security heart of a Windows network.

Organisations should:

  • Allocate separate privileged accounts to users and not allow them to be shared
  • Provision privileged accounts with the minimum level of permissions required
  • Ensure that privileged accounts are not used for everyday activities, such as web surfing or viewing emails, and are only used strictly when required
  • Prohibit privileged accounts from directly accessing the network remotely
  • Ensure that all privileged accounts require strong authentication and MFA to access
  • Closely monitor the use of privileged accounts and identify suspicious usage, such as from unusual external sources, at odd times of day, or with unusual frequency
  • Alert and investigate suspicious use of privileged accounts
  • Harden systems which provide authentication and account security, especially Active Directory
  • Review access controls on a regular basis and remove unnecessary privileges.
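
The monitoring items above translate directly into detection rules. As an added example, not code from the original guide, the Python script below runs four of them over successful-logon events shaped like Windows event 4624: a privileged account authenticating from outside the internal address space, at odd hours, interactively (logon type 2 or 10, i.e. local or RDP) from anything other than a dedicated admin workstation, or more often in an hour than a baseline allows. The set of privileged accounts, the address ranges, the business-hours window, the frequency baseline and the events themselves are constructed or assumed; only the logon type numbers and the event ID are real Windows values.

```python
"""Flag risky use of privileged accounts from logon events (added example)."""
import ipaddress
from collections import Counter
from datetime import datetime

# Accounts that hold privilege (domain admins, server admins, service accounts
# with elevated rights). In practice derive this from group membership.
PRIVILEGED = {"adm-alice", "svc-backup"}
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]            # assumed corporate space
ADMIN_WORKSTATIONS = [ipaddress.ip_network("10.0.5.0/24")]      # dedicated admin hosts (assumed)
BUSINESS_HOURS = range(7, 19)                                   # 07:00-18:59 local (assumed)
INTERACTIVE_TYPES = {2, 10}        # Windows logon types: 2 = interactive, 10 = RDP
MAX_LOGONS_PER_HOUR = 20           # frequency baseline (assumed; derive from history)

# Constructed events mirroring the fields of Windows 4624 (successful logon).
EVENTS = [
    {"ts": "2024-06-03T03:12:00", "user": "adm-alice", "logon_type": 10, "src": "203.0.113.50", "host": "DC01"},
    {"ts": "2024-06-03T10:00:00", "user": "adm-alice", "logon_type": 10, "src": "10.0.5.20", "host": "DC01"},
    {"ts": "2024-06-03T10:05:00", "user": "alice", "logon_type": 2, "src": "10.0.8.4", "host": "WS-ALICE"},
    {"ts": "2024-06-03T11:00:00", "user": "svc-backup", "logon_type": 10, "src": "10.0.8.4", "host": "FS01"},
] + [
    # 25 network logons by the service account within one hour
    {"ts": f"2024-06-03T14:{m:02d}:00", "user": "svc-backup", "logon_type": 3,
     "src": "10.0.9.9", "host": f"SRV{m:02d}"}
    for m in range(0, 50, 2)
]


def in_any(src, nets):
    addr = ipaddress.ip_address(src)
    return any(addr in n for n in nets)


def review(events):
    """Return (rule, user, ts) tuples for privileged-account activity to investigate."""
    alerts = []
    per_hour = Counter()
    for e in events:
        user, t = e["user"], datetime.fromisoformat(e["ts"])
        if user not in PRIVILEGED:
            continue
        if not in_any(e["src"], INTERNAL_NETS):
            alerts.append(("external_source", user, e["ts"]))
        if t.hour not in BUSINESS_HOURS:
            alerts.append(("odd_hours", user, e["ts"]))
        if e["logon_type"] in INTERACTIVE_TYPES and not in_any(e["src"], ADMIN_WORKSTATIONS):
            alerts.append(("interactive_from_unmanaged_host", user, e["ts"]))
        key = (user, t.strftime("%Y-%m-%dT%H"))
        per_hour[key] += 1
        if per_hour[key] == MAX_LOGONS_PER_HOUR + 1:    # alert once per user per hour
            alerts.append(("unusual_frequency", user, e["ts"]))
    return alerts


def rules_for(alerts, user):
    return sorted({a[0] for a in alerts if a[1] == user})


if __name__ == "__main__":
    for rule, user, when in review(EVENTS):
        print(f"{when} {rule:32} {user}")
```

The first constructed event trips three rules at once (external source, 03:12, RDP from a non-admin host), which is the profile of an attacker using a stolen admin credential over a remote access point; the service account's interactive logon on a file server is the quieter case that the "not used for everyday activities" rule is meant to catch.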

The Security Operations Centre – your security force-multiplier

You may notice that several of our recommendations include monitoring of network and user activities. One of the most effective approaches to quickly identify attackers attempting to breach a network – or having already done so – is having high visibility of logs from key systems, then developing alerts for suspicious activities. This also helps to build an understanding of what ‘normal’ activity looks like, allowing for suspicious activity to be more confidently identified and responded to.

This visibility can be achieved in several ways. In the simplest form, organisations can implement a Security Information and Event Management system (SIEM) to aggregate and correlate logs from different systems, including servers, network devices, authentication systems and other key platforms.

A more advanced capability is the Security Operations Centre (SOC), which is often an outsourced service where log correlation is combined with advanced detection and response capabilities, threat intelligence which adapts to new and developing cyber threats, and incident response expertise, which is engaged when serious detections arise.

Threat Actor Profile

Conti:

The Cybercrime Powerhouse

Conti’s creators belong to one of the world’s most prolific cybercrime gangs, with a history of operations dating back to at least 2009.

The group is structured as a major organised crime syndicate, much like a legitimate business corporation. Middle management executives are responsible for different departments, one of them being ransomware operations. Department managers are empowered to make business decisions related to their specific area of operations. This allows the group to scale business rapidly, developing new tools and updating existing ones with new features and capabilities.

Since 2009, the group has built a complex set of custom criminal tooling, including the Ryuk ransomware, the BazarLoader backdoor, and the prolific banking trojan Trickbot, which is often used in conjunction with ransomware to steal user credentials and obtain initial access to victim networks.

A diversified toolset gives Conti’s creators the capability to exploit different cybercriminal vectors and reinforce their attacks, making them one of the most capable and resilient groups in the cybercrime ecosystem.

Like a corporation: Conti’s criminal structure
