Ransomware Prevention / Detection / Response Resources

KPawlak — Tue, 22 Jun 2021 16:20:54 GMT

There are many articles, guides, and resources available across various Palo Alto Networks properties to guide users on how to best protect their organizations from ransomware. After spending some time to find many of them, I thought I would share with everyone.

High level from what I could find there were a few high level recommendations from resources like Unit 42:

1. Block network-borne ransomware (NGFW + Security subscriptions)

Someone made a great write up on the knowledge base about best practices for general ransomware prevention. Unit42 as well seems to publish research on specific attackers like (ex: Darkside) which give more specific guidance. If you read the first link, you'll see there are several action items to take and I've tried to link documentation and best practice pages as best I can for these:

Decrypt traffic where possible for visibility (Best Practices)

Attackers can move around infra to change source IPs, harder to change tools - often need to see into the body of traffic to detect effectively

Use file blocking profiles to block unneeded, malicious payload types

For file types allowed, follow Wildfire Best Practices

Enable DNS Security on firewalls

80% of malware uses it in some way -> C2, Exfil
Sinkhole traffic to tag and then reduce access of infected hosts

Leverage vulnerability protection profiles

Overall best practices
Specific to Exploit Kits and Phishing
Attach (at a minimum) to all internet traffic policies

Optimally E-W as well where possible to prevent lateral spread

Leverage EDLs to block known bad IPs and domains
Keep up to date on all content packages

2. Prevent Ransomware on endpoint with Cortex XDR

Cortex Endpoint Protection Modules

Anti-ransomware
Local (static) Analysis + Wildfire (dynamic and sandboxing)

Windows, Mac, and Linux look to be supported by 1 or both of above
Make sure these modules are enabled

3. Leverage SOAR to quickly respond & automate hunting for threats

SOAR platforms and playbooks are great to document and automate responses. Cortex XSOAR has a lot of OOTB content and playbooks for certain scenarios which can be great references (even if you can't get a SOAR tool in your arsenal today). Ransomware is one of these. Full documentation here.

4. Contain and recover with experts on hand

In addition to products, Palo Alto Networks is doing a lot of work in consulting, services, etc these days to be a full partner to customers and not just a tech vendor. Below are some links to a bunch of the services available - one of which is a Ransomware Readiness to look at current state of an org and map a path to be ready to fight off ransomware attacks.

Proactive

Proactive Assessments - "who can help me understand my risk/posture"
3rd Party risk assessments (partners and acquisitions): "How do I know my business partner / potential acquisition has a clean house?"
Ransomware Readiness: "If I suffer a ransomware attack, how can I make sure it won't impact my operations & I won't be forced to pay?"
Breach Readiness: "Do I have my response procedures planned, documented, and ready to go if we suffer a breach so that we can mitigate damage?"
Threat Intel and Briefings "who can keep me up to date on current trends in the threat landscape so I know what to be looking for?"

Reactive

Find out if you have been compromised: "How do I know if recent attack XXXX affects/affected me?"
Investigate Advanced Persistent Threats in your environment: "How do I confirm if a sneaky threat actor is or is not already lurking in my business waiting for the right moment?"
Incident Response Retainers - 'If I get breached who will help me"
Remediate Business Email Compromise: "How do I quickly respond to this specific type of attack?"

Finally, an excellent general resource (as linked in the comments below) is the Unit42 Incident Response and Data Breach Report, which goes into great detail about major trends and action plans to mitigate (including but not limited to Ransomware).

Re: Ransomware Prevention / Detection / Response Resources

LAYER_8 — Tue, 22 Jun 2021 16:12:36 GMT

Adding to this thread with the incident response firm, CrypSis, and their 2020 incident report found here.

Many great tidbits of information in here, from their largest observed entry vectors, threat actor groups, most targeted services, etc.. Beyond the Palo platform, there's lots of general networking best practice guidelines in the report.

Re: Ransomware Prevention / Detection / Response Resources

KPawlak — Tue, 22 Jun 2021 16:17:34 GMT

great share @LAYER_8 - I'm going to edit the original post to include this. thanks

topic Re: Ransomware Prevention / Detection / Response Resources in General Topics

Ransomware Prevention / Detection / Response Resources

Re: Ransomware Prevention / Detection / Response Resources

Re: Ransomware Prevention / Detection / Response Resources