
CISA offers ransomware response guidelines to organizations

In its new ransomware prevention and response guide, CISA 'strongly discourages paying a ransom,' citing the potential to embolden threat actors and fund illicit activity.

The Cybersecurity and Infrastructure Security Agency released a new resource guide on Wednesday detailing its tips for organizations defending against and responding to ransomware attacks.

The guide was published on CISA's Stop Ransomware website, which is built for individuals and organizations to understand what ransomware is and how to defend against it. The resource, titled "Protecting Sensitive and Personal Information from Ransomware-Caused Data Breaches," includes advice sourced from the U.S. cyber agency's significant experience with ransomware incidents.

It specifically mentions the Colonial Pipeline ransomware attack and the Kaseya supply chain attack.

Three sections make up the guide: preventing ransomware attacks, protecting sensitive and personal information, and responding to ransomware-caused data breaches.

In the ransomware prevention section, CISA recommended keeping offline, encrypted and regularly tested backups of data. The other recommendations included creating an incident response plan, following best practices for Microsoft's Remote Desktop Protocol (RDP), disabling or blocking Windows Server Message Block (SMB), and mitigating internet-facing vulnerabilities. Ransomware actors have abused both protocols in numerous high-profile attacks: exposed or weakly authenticated RDP for initial access, and SMB for spreading inside the network once in.
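The RDP and SMB items above are concrete enough to check on a host. The script below is an added example, not code from the CISA guide or from this article: it audits one Windows machine for SMBv1 being enabled, RDP running without Network Level Authentication, and inbound SMB/RDP not being blocked on the Public firewall profile, and applies the fix when run with `-Remediate`. The `-Remediate` switch and the firewall rule names are assumptions made for this example; the cmdlets and registry value are the standard Windows ones.

```powershell
# Added example (not from the CISA guide): audit one Windows host for the SMB and
# RDP weaknesses the prevention section calls out, and fix them with -Remediate.
# Run from an elevated PowerShell session on Windows 8 / Server 2012 or later.
# The -Remediate switch and the rule display names are assumptions for this example.
[CmdletBinding()]
param([switch]$Remediate)

$findings = New-Object System.Collections.Generic.List[string]

# 1. SMBv1 is the legacy dialect abused by worming ransomware; it should be disabled.
$smb = Get-SmbServerConfiguration
if ($smb.EnableSMB1Protocol) {
    $findings.Add('SMBv1 server protocol is enabled')
    if ($Remediate) { Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force }
}

# 2. RDP should require Network Level Authentication (UserAuthentication = 1), so the
#    client authenticates before a full session, and its attack surface, is set up.
$rdpKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
$nla = (Get-ItemProperty -Path $rdpKey -Name UserAuthentication).UserAuthentication
if ($nla -ne 1) {
    $findings.Add('RDP does not require Network Level Authentication')
    if ($Remediate) { Set-ItemProperty -Path $rdpKey -Name UserAuthentication -Value 1 -Type DWord }
}

# 3. Neither SMB (TCP 445) nor RDP (TCP 3389) should accept inbound connections on the
#    Public profile; RDP belongs behind a VPN or gateway, never on the open internet.
#    This check only looks for the example's own block rules; a full audit would also
#    enumerate every enabled inbound Allow rule that covers these ports.
$blockRules = @{ 445 = 'Block inbound SMB on public networks'
                 3389 = 'Block inbound RDP on public networks' }
foreach ($port in $blockRules.Keys) {
    $name = $blockRules[$port]
    $rule = Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue
    if (-not $rule) {
        $findings.Add("No host firewall rule blocks inbound TCP $port on the Public profile")
        if ($Remediate) {
            New-NetFirewallRule -DisplayName $name -Direction Inbound -Protocol TCP `
                -LocalPort $port -Profile Public -Action Block | Out-Null
        }
    }
}

if ($findings.Count -eq 0) { 'No findings.' }
else { $findings | ForEach-Object { "FINDING: $_" } }
```

Run it once without `-Remediate` to see the findings, then with it to apply them. Disabling SMBv1 can break very old clients and printers, so the change belongs in a tested baseline rather than an ad hoc run on every server.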

To protect sensitive information, CISA advised organizations to take a complete inventory of where sensitive data is stored, to encrypt that data, and to consider network segmentation to limit attackers' ability to move laterally.

While much of the advice in the first two sections is well established, some of the more notable recommendations came in the section on responding to ransomware-caused data breaches. For example, CISA said it "strongly discourages" paying the ransom, which has been the standing position of U.S. law enforcement and intelligence agencies for some time.

"CISA strongly discourages paying a ransom to criminal actors," the guide reads. "Paying a ransom may embolden adversaries to target additional organizations, encourage other criminal actors to engage in the distribution of ransomware, and/or may fund illicit activities. Paying the ransom also does not guarantee that a victim's files will be recovered."

The section also includes a response checklist of what an organization should do to secure its network and stop further data loss once it has detected a ransomware attack. CISA recommended immediately isolating impacted devices to contain the infection as much as possible, or powering down infected systems that cannot be removed from the network or that sit on a network that cannot be shut down.

CISA also recommended taking the infected network offline, if possible, to stop the damage from spreading. That said, Josiah Dykstra, technical fellow at the National Security Agency's Cybersecurity Collaboration Center, advised against doing so at a Black Hat 2021 session earlier this month on action bias and how it can hamper incident response.

After limiting the spread of the damage, the guide says organizations should triage impacted systems for recovery and restoration, determine and document an initial understanding of the security event as a team, and engage "your internal and external teams and stakeholders" to work together on recovery.

If no initial mitigation appears possible, the advice is to take memory captures, system images and logs from the relevant systems to gain visibility into the attack and identify indicators of compromise. Additionally, CISA said "do not destroy forensic evidence, and take care to preserve evidence that is highly volatile in nature -- or limited in retention -- to prevent loss or tampering."
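The order in which that evidence is captured matters: network connections and process lists disappear the moment a host is isolated or powered down, and event logs roll over on retention. The script below is an added example, not the guide's own checklist or tooling, of a volatile-first collection from one Windows host into a case directory, with a SHA-256 manifest so later tampering is detectable. The `$CaseDir` default, the channel list and the file names are assumptions for this example; full memory and disk imaging need a dedicated tool and are deliberately left out.

```powershell
# Added example (not from the CISA guide): capture volatile host state, most volatile
# first, before a suspected ransomware host is isolated or powered down. Run elevated.
# $CaseDir is an assumed location; point it at removable or network storage the host
# can write to, never at the host's own system disk (which may itself be evidence).
param([string]$CaseDir = "E:\IR\$env:COMPUTERNAME-$(Get-Date -Format yyyyMMdd-HHmmss)")

New-Item -ItemType Directory -Path $CaseDir -Force | Out-Null
$log = Join-Path $CaseDir 'collection.log'
function Note([string]$msg) {
    # Timestamped (UTC) collection log, also echoed to the console for the handler.
    $line = "$((Get-Date).ToUniversalTime().ToString('o')) $msg"
    Add-Content -Path $log -Value $line
    $line
}
function Save($data, [string]$name) {
    $data | Export-Csv -Path (Join-Path $CaseDir $name) -NoTypeInformation
    Note "wrote $name"
}

Note "Collection started on $env:COMPUTERNAME by $env:USERNAME"

# 1. Most volatile: live network connections, running processes, logged-on sessions.
Save (Get-NetTCPConnection | Select-Object LocalAddress, LocalPort, RemoteAddress,
        RemotePort, State, OwningProcess) 'tcp_connections.csv'
Save (Get-CimInstance Win32_Process | Select-Object ProcessId, ParentProcessId, Name,
        CommandLine, ExecutablePath, CreationDate) 'processes.csv'
Save (Get-SmbSession -ErrorAction SilentlyContinue |
        Select-Object ClientComputerName, ClientUserName, NumOpens) 'smb_sessions.csv'
quser 2>$null | Out-File -FilePath (Join-Path $CaseDir 'sessions.txt'); Note 'wrote sessions.txt'

# 2. Persistence: scheduled tasks, services and startup entries survive a reboot but
#    are what an attacker changes, so a snapshot now gives a baseline to diff against.
Save (Get-ScheduledTask | Where-Object State -ne 'Disabled' |
        Select-Object TaskName, TaskPath, State, Author) 'scheduled_tasks.csv'
Save (Get-CimInstance Win32_Service | Select-Object Name, State, StartMode, PathName) 'services.csv'
Save (Get-CimInstance Win32_StartupCommand | Select-Object Name, Command, Location, User) 'startup.csv'

# 3. Event logs are limited in retention: export the channels that overwrite first and
#    that matter most for RDP- and PowerShell-driven intrusions.
$channels = 'Security', 'System', 'Application',
            'Microsoft-Windows-TerminalServices-LocalSessionManager/Operational',
            'Microsoft-Windows-PowerShell/Operational'
foreach ($ch in $channels) {
    $out = Join-Path $CaseDir (($ch -replace '[/\\]', '_') + '.evtx')
    wevtutil epl $ch $out
    Note "exported $ch"
}

# 4. Integrity: hash everything collected (log included) into a manifest written last.
Note 'Collection complete; hashing artifacts'
Get-ChildItem -Path $CaseDir -File | Where-Object Name -ne 'manifest.csv' |
    Get-FileHash -Algorithm SHA256 | Select-Object Path, Hash |
    Export-Csv -Path (Join-Path $CaseDir 'manifest.csv') -NoTypeInformation
```

Copy the manifest somewhere the collecting host cannot reach and record who ran the script and when; that is what lets the artifacts be trusted later. Memory should be captured with a purpose-built tool before the host is powered off, since nothing in the built-in toolset preserves it.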

Lastly, CISA advises reporting the attack to the appropriate federal agency and following applicable notification requirements. This can include, for example, notifying individuals whose personally identifiable information was stolen, or businesses whose data was stored on the victim organization's servers.

The guide is the latest in a string of notable moves by CISA this year to improve the nation's cyber hygiene. Earlier this month, CISA director Jen Easterly announced the Joint Cyber Defense Collaborative, a new public-private effort to lead the development of the U.S.'s cyberdefense plans.

Alexander Culafi is a writer, journalist and podcaster based in Boston.
