
CISO's Corner: The Top 3 Ransomware Preparedness Tips Most Organizations Are Missing

Today more than ever, companies are on high alert for ransomware attacks. Even as companies seek to protect themselves, however, they may not realize how the very nature of ransomware attacks has shifted. No longer simply a freeze on your data assets through encryption, ransomware attacks now often exfiltrate the data they hold for ransom, creating an entirely new set of security considerations once an environment has been compromised.

We spoke with David Bishop, CISO at Trustwave, and Darren Van Booven, Lead Principal Consultant at Trustwave and former CISO of the U.S. House of Representatives, to discuss ransomware preparedness and what organizations might be missing from their cyber resilience strategy.

There seems to be a misconception that if you have system backups or endpoint protection, you're covered for a ransomware attack. Can you talk about the need for a holistic approach and the coordination necessary for effective ransomware preparedness?

Darren: Of course. When asked the question, "How do you think you are doing from a ransomware preparedness perspective?", most organizations I speak to will say they've got it covered. But when asked a few deeper questions about what they're doing to prevent some of the exploitation techniques that we see in incidents within their environment, they either don't know the answer, or they start realizing that, no, they're actually not prepared. 

David: And I think part of the reason they're ill-prepared is that ransomware attacks today are a lot more than just ransomware. Besides installing on an endpoint and encrypting files, attackers are actively exploiting the environment to steal data so that they can further extract ransom under the threat of releasing the information to the public. Or, they'll take additional measures to corrupt, destroy or render inaccessible any backup infrastructure that you have. Nowadays, you have to be prepared on multiple fronts. It's not just securing your endpoints but ensuring you have data loss protection as well as solid backup infrastructure. Unfortunately, a lot of companies are just not doing this holistically. 

It sounds like this has become more of a hybrid exploit/ransomware scenario, where decryption techniques don't cut it. Can you speak more about the risks associated with this newer generation of ransomware?

David: Years back, we used to see adversaries drop ransomware on us, and it would worm and run and completely encrypt an environment, halting everything. Then cybersecurity experts got really good at decrypting, making those attacks less effective. Beginning to exfiltrate data turned ransomware into a more typical exploit situation, where they have more leverage to force payment with stolen data. That's extortion. 

Darren: Many people still don't understand the full extent of ransomware today: attackers are no longer just dropping encryption software into a system and letting it run across some flat or barely segmented environment. Now, it's a calculated strategy that includes some different adversarial playbooks that we've seen in the past, combined with more traditional ransomware.

Knowing the evolution of ransomware attacks, what are the top 3 things you'd recommend organizations do to prepare and protect themselves?

Darren: The first thing is foundational: Make sure you've maximized your overall approach to reducing the risk of email-originated threats because a lot of the ransomware that makes it into an organization is still coming through that vector. People still click on links in suspicious emails — it's human nature — so a base level of security awareness training should be part of planning there. 

Also, have some kind of advanced EDR tool installed on the endpoint in the event that a malicious link has been clicked (it's bound to happen). Make sure systems are up to date and patched, and an EDR tool is on every device. We've responded to a lot of incidents where even environments that have had an EDR solution rollout have still gotten compromised because they didn't install the EDR tool everywhere. Without a full implementation, machines without EDR were being impacted. But, as mentioned before, a focus on endpoint protection, patching and email-originated threat detection is only part of the picture. 

David: With all that in mind, my final recommendation would be this: For robust ransomware protection today, you need to look at your overall security strategy — and a big part of that is segmentation. If you assume for a moment that a ransomware attack is going to happen to you at some point, what have you done to minimize the impact of this type of breach in your environment? Have you identified where your critical data sets are that you depend on each day for operations or administration? Have you segmented your operational components from administrative components to prevent the spread of malware while making sensitive data more difficult to identify? Have you considered different access controls or permissions? A lot of companies don't have data segmentation in place, even in industries where connected systems and OT/IoT are at high risk for a breach. You need to understand all of the ways that your system could be penetrated in order to understand risk more broadly.
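The gap Darren describes, an EDR rollout that never reached every machine, is easy to find by reconciling the asset inventory against the EDR console's agent list. The following is an added example, not Trustwave's code or tooling; the hostnames, check-in dates and the 7-day staleness threshold are constructed assumptions.

```python
"""Added example: reconcile an asset inventory against EDR agent check-ins to
list endpoints with no agent or a stale agent. All data below is constructed
sample input; the 7-day staleness threshold is an assumption."""
from datetime import datetime, timedelta

# Constructed asset inventory (e.g. a CMDB or directory export): hostname, owner
INVENTORY = [
    ("WS-FIN-01.corp.example", "finance"),
    ("ws-fin-02.corp.example", "finance"),
    ("SRV-BACKUP-01.corp.example", "it"),
    ("ws-ops-07", "operations"),
    ("srv-hmi-03.ot.example", "ot"),
]

# Constructed EDR console export: hostname, last agent check-in (ISO date)
EDR_AGENTS = [
    ("ws-fin-01", "2023-11-28"),
    ("ws-fin-02", "2023-10-02"),   # agent installed but stopped reporting
    ("ws-ops-07", "2023-11-29"),
]

def normalize(hostname: str) -> str:
    """Compare on the short hostname, case-insensitively, so that
    'WS-FIN-01.corp.example' and 'ws-fin-01' refer to the same machine."""
    return hostname.split(".")[0].lower()

def coverage_report(inventory, agents, now, stale_after=timedelta(days=7)):
    """Return {'missing': [...], 'stale': [...], 'covered': [...]} as
    (hostname, owner) tuples; a stale agent counts as not covered."""
    last_seen = {normalize(h): datetime.fromisoformat(d) for h, d in agents}
    report = {"missing": [], "stale": [], "covered": []}
    for host, owner in inventory:
        key = normalize(host)
        if key not in last_seen:
            report["missing"].append((host, owner))
        elif now - last_seen[key] > stale_after:
            report["stale"].append((host, owner))
        else:
            report["covered"].append((host, owner))
    return report

def run_sample():
    """Run the reconciliation over the constructed data as of 2023-11-30."""
    return coverage_report(INVENTORY, EDR_AGENTS, datetime(2023, 11, 30))

if __name__ == "__main__":
    rep = run_sample()
    for status in ("missing", "stale"):
        for host, owner in rep[status]:
            print(f"{status.upper():8} {host:28} owner={owner}")
```

The backup server and the OT host show up as uncovered, which is exactly the combination (backup infrastructure plus OT/IoT segments) both speakers flag as high risk.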

Any final thoughts to share? 

Darren: It's really important to remember that segmentation applies to backups, as well. Making sure that your backups are viable and accessible in a timely fashion, should a ransomware attack require it, often means the difference between paying a ransom and not — just to get back to business at the speed work happens today. 

David: Your segmentation strategy should have a recovery component to it so that your backup environments reflect the operational segments you put so much work into in the first place. If these focus areas have any gaps, the risk that ransomware will escalate into an issue for your business is much higher than if you have all of these protections in place.
