Ransomware Mitigation Strategies for Major Public Clouds

Posted by

The pandemic year 2020 gave a launching pad for ransomware attacks. U.S. Acting Deputy Attorney General John Carlin recently told the Wall Street Journal, “By any measure, 2020 was the worst year ever when it comes to ransomware and related extortion events.” During the height of the COVID-19 pandemic, for example, ransomware operators targeted hospitals and healthcare organizations with unrelenting attacks. Ransomware accounted for 54.95% of healthcare data breaches and cost the industry $20.8 billion in downtime in 2020 alone. Blockchain analysis shows that the total amount paid by ransomware victims increased by 311% this year to reach nearly $350 million worth of cryptocurrency. 2020’s ransomware increase was driven by a number of new strains taking in large sums from victims, as well as a few pre-existing strains drastically increasing earnings. For a detailed report, you can refer to Chainalysis 2021 Crypto Crime Report.

Ransomware is a formidable cyber threat nowadays. They are evolved from an opportunistic model to a human-operated model during Q1 of 2020. Detecting, preventing, and protecting the digital estates in major public clouds are becoming increasingly important for all types of organizations. In this article, we’ll take a look at different public cloud providers like AWS, Microsoft Azure, Google Cloud & Oracle Cloud, and their respective services which could help protect and recover cloud resources from ransomware.

Powerful yet proven protection (the 3 T’s: Tactics, Technique & operaTing procedures) against ransomware and many other threats requires multiple layers of defense.

Let’s generalize the terminologies and look at the top pillars of protecting ransomware attacks.

Assess

  • Discover, and analyze all your digital assets in one place for tasks like IT ops, security analytics, auditing, and governance
  • Create a Digital Assest Inventory with a matrix with the systems or processes which are most likely to be vulnerable for a ransomware attach
  • Revisit your backup, restore and recovery objectives (RTO/RPO) for critical assets. Make sure you’ve resillient backup & recovery strategy for minimal disruptive business operations
  • Revist BC/DR (business continuity/disaster recovery) plan and ensure that Mean Time to Recover (MTTR) meets your BC/DR goal. Do mock drills & simulations to ensure speedy recovery in an event of attack

Protect

  • Follow a strong protection mechanism for backups against deliberate erasure and encryption. Encourage the use of MFA, PIN, Immutable storages etc.
  • Ensure point-in-time and zero trust access to the critical/qualified business applications and resources thus by limiiting the blast radius of unauthorized access
  • Implement a security framework like The National Institute of Standards and Technology (NIST SP1800-25) CSF to establish a foundational level of security
  • Design built-in security & security-first cloud arhcitecture models for data and application

Detect & Respond –

  • Proactively spot and stop mallicious activity associated with ransomeware to prevent key business disruption
  • For hybrid or multi-cloud architecture, consider implemeting a CSPM (Cloud Security Posture Management)/CCM (Cloud Compliance Monitoring) solutions automatically and continuously check for misconfigurations that can lead to data breaches and leaks.
  • Based on organizational need few solutions/tools like SOAR (Security Orchestration, Automation and Response), XDR (Extended Detection and Response) & EDR (Endpoint Detection and Response) are worth to evaluate and prioritize based on the risk vs compexity of implementation

Recover

  • Limit the blast radius by isolating the compromised resources simultaneously ensuring the non-compromised critical assets are backed up and protected against erasure/encryption by ransomware attack
  • Analyze, investigate and identify the root cause of the threat by engaging own IT team or third-party forensic incident response experts
  • Limit the exposure of ransomware across environment by performing advanced threat hunting and determine any possibilities of any persistent threat actors
  • Document the lessons learnt and improve security hygiene by preparing a comprehensive approach for managing future cyber risks

Now, let’s take a look at the services from major public cloud providers like AWS, Azure, GCP & Oracle cloud to deliver cyber resiliency for customers.

 AWSAzureGCPOracle
IdentifyAWS Systems Manager AWS Trusted Advisor AWS Audit Manager
AWS Application Discovery Service Amazon Macie
Amazon CloudWatch
Azure Security Center
Azure Advisor
Cloud Asset Inventory Access Transparency Security Command Center
Cloud Data Loss Prevention
Cloud IDS  
Cloud Advisor
Oracle CASB
ProtectAWS Systems Manager Patch Manager
AWS Shield
AWS Web Application Firewall (WAF)
AWS Network Firewall
AWS Key Management Service (KMS)
AWS Secrets Manager
AWS CloudHSM Amazon Macie
Defender
Azure Active Directory (AD)
Azure Front Door
Azure DDoS Protection
Azure Firewall
Azure Policy
Web Application Firewall Azure Storage Service Encryption StorSimple Encrypted Hybrid Storage
Azure Client-Side Encryption
Azure Storage Account Keys
Azure Storage Shared Access Signatures
Azure Key Vault
Azure Dedicated HSM
Azure Information Protection
Azure confidential computing  
Cloud Key Management
Confidential Computing
Firewalls Secret Manager Google Cloud Armor
Security Command Center
Shielded VMs VPC Service Controls BeyondCorp Enterprise Policy Intelligence Resource Manager Titan Security Key reCAPTCHA Enterprise  
Web Application Firewall
OCI Vault
Security Zones
Data Safe
DetectAWS Security Hub Amazon GuardDuty Amazon Inspector
AWS Config
AWS CloudTrail
AWS IoT Device Defender
Amazon CloudWatch
AWS Systems Manager
Azure Storage Analytics
Azure Sentinel
Microsoft 365 Defender
Azure AD Identity Protection
Azure Firewall
Azure Network Watcher
Microsoft Defender for Cloud Apps Azure Monitor logs and metrics Azure Defender for IoT Azure AD reports and monitoring
Chronicle
Cloud Logging
Security Command Center
Web Risk  
Oracle Cloud Guard Threat Intelligence Services Oracle CASB Logging Analytics Oracle Application Performance Monitoring
Vulnerability Scanning Service
RespondAmazon DetectiveAzure Monitor logs and metrics Azure Security Center
Azure Sentinel
DART Team  
Security Command Center   
RecoverAWS Backup
AWS DataSync
AWS Elastic Disaster Recovery
Azure Backup
Azure Site Recovery
StorSimple
Actifio GO++ 
Service Alignment of Major Public Cloud to Mitigate Ransomware Attacks

So in a nutshell, all public clouds have good measures to protect against ransomware attacks. Again “Security & Compliance” is a shared responsibility, and customers are responsible for “Security in the Cloud“.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s