Quan trọng nhất vẫn là steps Before the attack.
Before the attack
- Back up and restore
- Update and patch: Keep operating systems, security software (AV / Endpoint Protection Software), applications and network hardware patched and up to date.
- Invest in robust people centric security solutions (#Me: e.g. SIEM, email security solutions...)
- Employee training and awareness... people should know what to do, what not to do, how to avoid ransomware and how to report it....
- Plan your response
During & After the attack
gồm các việc:
* Call law enforcement
* Disconnect from
the network
* If the ransomware has already made its way to a server, the security team should isolate it as quickly as possible and map out a response.
* Implement your
planned response (thực hiện theo Plan đã lập trong Before the attack)
* ... * Restore from backup
* Cleanup
* Review and reinforce > thực hiện 1 top-to-bottom security assessment.
* Post-mortem review > để xác định nguồn gốc, nguyên nhân lây nhiễm.
* Assess user awareness & Education and training
* Phishing simulation
* Reinforce your
technology defences (~ cải tiến công nghệ)
* VD: SIEM > SOC > SOAR
* Secure email GW: hệ thống là những tuyến phòng thủ đầu tiên; con người là tuyến cuối cùng nhưng phải mạnh mẽ nhất (Make your people a strong last line of defence)
* People should know what to do, what not to do, how to avoid ransomware and how to report it.
* If anyone receives a ransomware demand, they should know to immediately report it to the security team...
Plan your response
* "containment and recovery"
* "Critical questions such as: who needs to be informed, how to maintain
communications, and how much are you willing to pay (if you’re willing to
pay at all) are harder to answer in real time. This pressure creates potential
bottlenecks in decision-making and leads to costly delays. Should you decide
to pay the ransom, you’ll need to map out an appropriate process that includes
key executives, operational staff and legal counsel."
* Response team
* Maintain the Vision using a separated Log System
* Communication
* ...
(Nội dung và hình: tham khảo từ Proofpoint - The 2022 Ransomware Survival Guide)
