Ransomware Detection: How Infocyte Uses the CISA Ransomware Guide
This post was last updated on December 9th, 2021 at 11:14 am
Large organizations and middle-sized businesses dread the ransomware plague as it can paralyze day-to-day operations and expose confidential information to the public. Most organizations have taken some steps toward protecting their business through ransomware detection and protection, but is it enough?
The Cybersecurity and Infrastructure Security Agency (CISA) and the Multi-State Information Sharing & Analysis Center (MS-ISAC) prepared a comprehensive guide for all business owners to help them arm their businesses against ransomware attacks.
Threat actors are getting smarter and finding new tactics to penetrate network defenses as technology advances. Cobalt Strike, for example, is a tool that often comes up in ransomware attacks today, so Infocyte is investing in creating a safe environment for its clients. This article looks at how Infocyte’s preparation stacks up against the CISA and MS-ISAC Ransomware Guide and why it’s good for your business.
What is the CISA and MS-ISAC Ransomware Guide?
The CISA and MS-ISAC ransomware guide is a customer-centered resource that outlines best practices for preventing ransomware attacks on a business and for responding if an attack does occur.
The guide has two parts. Part 1 covers ransomware detection and prevention practices: steps an organization can take to protect its business from ransomware attacks. Part 2 is a response checklist that guides an organization through the best response practices if it encounters a ransomware attack.
The resource was released on 30th September 2020 and is now being distributed to businesses that need to enhance their cybersecurity, strengthen their network defenses, and significantly lower their ransomware attack risk.
Infocyte’s Ransomware Prevention Best Practices
The Infocyte platform addresses protection through these malware prevention practices:
- With Infocyte’s MDR service, including behavioral monitoring and forensic analysis, you can detect threats mapped to the MITRE ATT&CK framework, including….
- Regular scanning for vulnerabilities on internet-facing devices and addressing any identified vulnerabilities to limit the attack surface.
- Patching and updating software and OS regularly to close out known vulnerabilities. These include browser plugins, web browsers, and document readers.
- Enabling device security features and properly configuring the devices. Infocyte uses extensions to enforce these policies and accomplish this.
- Detecting and monitoring poorly secured or high-risk remote services, which present a threat, and ensuring that the organization follows best practices for remote services. These include Remote Desktop Protocol (RDP) and other remote desktop services.
- Disabling or blocking Server Message Block (SMB) protocol as well as removing or disabling outdated versions of SMB, which attackers may use to propagate their malware.
- Using Windows’ native Microsoft Defender as the primary antivirus and anti-malware software and ensuring that it is always kept up to date.
- Infocyte’s MS 365 Compliance module enforces and monitors cyber hygiene practices (defined by CIS and CISA) and alerts if the configuration changes suddenly, which indicates unusual behavior and a likely attack attempt.
- Microsoft 365 manages your identities through Azure, secure mail, storage, and other critical business services. Without proper controls and monitoring, the risks of Account Takeover (ATO) and Business Email Compromise (BEC) are significant.
- Validating that MFA is enabled, and alerting when it is disabled, for all services using Microsoft 365, particularly webmail, virtual private networks, and accounts that access critical systems.
- Monitoring and controlling access to the organization’s database by showing you the number of admins present, including local machine admins.
- Leveraging Microsoft 365’s best practices to enable security settings in association with cloud environments.
- Restricting PowerShell usage to the people who need it, including administrators, and monitoring it through Infocyte’s behavioral analytics. Always ensure that PowerShell (on its most current version) has module, script block, and transcription logging enabled.
- Securing domain controllers (DCs), which are often threat actors’ main target.
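As an added example (not Infocyte’s or CISA’s code), the following PowerShell audits whether the PowerShell logging settings and SMBv1 status named in the list above are configured as recommended on the local host. It assumes the standard Group Policy registry locations for PowerShell logging and that it runs from an elevated prompt on a Windows machine with the SmbShare module available.

```powershell
# Added example: audit PowerShell logging and SMBv1 on the local host.
# Assumes the standard Group Policy registry paths for these settings.
$base = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'

function Get-PolicyValue {
    param([string]$SubKey, [string]$Name)
    $item = Get-ItemProperty -Path (Join-Path $base $SubKey) -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

$findings = @()

# Script block logging: records the content of each script block as it runs
# (event ID 4104 in the Microsoft-Windows-PowerShell/Operational log).
if ((Get-PolicyValue 'ScriptBlockLogging' 'EnableScriptBlockLogging') -ne 1) {
    $findings += 'Script block logging is not enabled'
}

# Module logging: records pipeline execution details for the modules listed
# under ModuleNames; a '*' entry covers all modules.
if ((Get-PolicyValue 'ModuleLogging' 'EnableModuleLogging') -ne 1) {
    $findings += 'Module logging is not enabled'
} else {
    $mods = Get-ItemProperty -Path "$base\ModuleLogging\ModuleNames" -ErrorAction SilentlyContinue
    if ($null -eq $mods -or -not ($mods.PSObject.Properties.Name -contains '*')) {
        $findings += 'Module logging is enabled but not configured for all modules (*)'
    }
}

# Transcription: writes a text transcript of every session to OutputDirectory,
# ideally a central write-only share so attackers cannot tamper with it locally.
if ((Get-PolicyValue 'Transcription' 'EnableTranscripting') -ne 1) {
    $findings += 'Transcription logging is not enabled'
} elseif (-not (Get-PolicyValue 'Transcription' 'OutputDirectory')) {
    $findings += 'Transcription is enabled but no central OutputDirectory is set'
}

# SMBv1: the outdated SMB version the guide says to remove or disable.
$smb = Get-SmbServerConfiguration -ErrorAction SilentlyContinue
if ($null -ne $smb -and $smb.EnableSMB1Protocol) {
    $findings += 'SMBv1 server protocol is still enabled'
}

if ($findings.Count -eq 0) {
    Write-Output 'All checked settings match the guide.'
} else {
    $findings | ForEach-Object { Write-Output "FINDING: $_" }
}
```

On Windows Server, `Get-WindowsFeature FS-SMB1` additionally shows whether the SMB1 feature itself is still installed, which the script above does not check.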
Infocyte Ransomware Response Checklist after Detecting Ransomware
In the event that your organization is attacked, Infocyte helps you secure and isolate the affected systems, clean up the infected systems, and safely reconnect your network.
Infocyte’s behavioral monitoring and MDR service catch early signs of adversaries deploying ransomware before it is able to execute and detonate. Infocyte then identifies the impacted systems and user accounts and takes immediate action to expel the adversary before they can deploy and detonate the ransomware.
Since attackers watch closely for any sign that they have been noticed, Infocyte uses out-of-band communication (such as secure in-app chat, phone, or video calls) and then takes the required actions in a coordinated manner. This way, the attackers remain unaware of any response activity on your organization’s end until their access is gone.
It also detects and identifies the accounts and systems involved in the attack so that your organization can reinforce security where it is needed. Such accounts include email accounts, which are easy for attackers to infiltrate and gather information from.
Infocyte’s ability to extract files makes it easy to conduct in-depth analysis of artifacts such as phishing emails, storage media, and logs, helping your organization understand the root cause of the attack. It also examines existing organizational security systems to highlight other systems involved in the attack.
If a compromise of your network is left unresolved, it can lead to a more serious infection, since the attackers can reuse the same foothold. Infocyte detects such existing malware that could compromise your network.
Its behavioral rules perform extended analysis to identify outside-in and inside-out persistence mechanisms through which malware could be implanted into the system, since many vulnerabilities can be involved.
After recovering the systems from the attackers and removing the malware, it is important to be careful when reconnecting them, since systems can easily be re-infected. Infocyte ensures that your reconnection is safe and advises on proper post-incident activities that keep your systems clean.
Since ransomware attacks can severely impact your business, it’s important to have a solid Managed Detection and Response (MDR) provider at your service to ensure you are well-covered. Infocyte focuses on detection and response, such that your business is always safe from any potential threats.
Are you thinking of using Infocyte for your organization’s security? Schedule a demo with our sales team.