Ransomware has become synonymous with cyberattacks in the last two years and is single-handedly driving conversations and investments in the cybersecurity domain. Organizations that weren’t taking cybersecurity seriously, now have their boards talking about ransomware threats and asking about mitigation strategies. Unfortunately, there is no single control known as anti-ransomware control and the approach needs controls at multiple layers in the organization, spanning across people, processes, and technology.
How are CISOs in India preparing against ransomware attacks? What are the gaps in preparedness that CISOs need to be cautious about?
According to Prateek Bhajanka, Senior Principal Analyst, Gartner, Inc., the preparedness level among the Indian CISOs is on the lower side as compared to their counterparts in matured markets. Backup and data restoration controls are being put at the center of an anti-ransomware strategy, which is less effective in light of “Human Operated Ransomware” attacks.
Indian organizations are emphasizing more on Prevention controls as opposed to reducing the attack surfaces and investing in detection controls. As the ransomware threat actors are leveraging legitimate applications/software, compromised/stolen credentials, and existing vulnerabilities to launch attacks are making it difficult to prevent such attacks.
Organizations should look at focusing on Detection and Response controls to identify malicious behavior exhibited by threat actors, while they are disabling security capabilities/doing lateral movement/data exfiltration to detect such incidents and respond on time.
Organizations should look at implementing frameworks such as the Continuous Adaptive Risk and Trust Assessment model (CARTA) to have a multi-layered approach to combating the threat of ransomware. Multi-layer ransomware attacks need multi-prong anti- ransomware approach.
Irrespective of the existing controls, an organization should always be prepared for an incident. Organizations often don’t have an Incident Response policy (IR) or procedure in place; even if in place, it is revised in the light of evolving threat landscape. In the root cause analysis of the recent high-profile ransomware attacks, it has been brought to notice that organizations had an IR policy or procure in place, but it was generic in nature and not specific to Ransomware attacks.
Bhajanka says organizations should implement an “if you can’t prevent it, prepare for it” approach and look at creating and simulating a Ransomware incident response procedure or playbook.
Prateek Bhajanka is a Senior Principal Analyst for the IT Leaders (ITL) constituency, focusing on Security and Risk Management for Gartner Research. His areas of research include Endpoint protection platforms/Endpoint detection and response (EPP/EDR), malware and ransomware prevention, etc. His key tasks encompass creating high-quality, actionable and consumable written research and give clients insights and advice on various security problems they face. Bhajanka also helps organizations save money on new contracts and renewals on endpoint protection platforms and endpoint detection and response.