See the original publication found in On Balance Magazine.

At some point in 2015, cybercriminals had an aha moment. Instead of going through all of the trouble of breaking into a network, stealing data and then executing a complicated scheme to monetize that data, they found a shortcut - and it was already paved.

Data encryption was touted as a defense against attempts to steal data, and companies implemented encryption to keep their data safe. It did not take long for the bad guys to figure out a way to turn those defenses around: encrypt the data and hold the key for ransom. Attackers were already armed with methods to trick users into running things they should not, and they built on those methods to create attacks that locked companies out of their own computers, data stores and applications.

Companies, faced with the prospect of being without key systems and data for long periods of time, were offered a quick fix by the criminals: pay us to fix it. Insurance companies often encouraged payments, calculating that it was more economical to pay upfront than to pay for rebuilding systems, covering lost revenue and buying new equipment.

The result was predictable. Criminals saw big pockets behind the companies they were attacking. They widened their attacks and increased the ransom demands. More criminals got into the game, realizing how profitable this venture was becoming.

How to measure your readiness

The biggest question that companies are asking today is this: "Can we survive a ransomware attack?" To answer that, it is best to break the threat down to four questions:

  1. Can we protect against the attack?
  2. Can we detect the attack?
  3. How do we respond to the attack?
  4. If the attack is successful, how will we recover?

Protect

The components of protection should be familiar, as they are the basic hygiene items needed to stop any cybersecurity threat:

Rights management

• Privileged access or admin access to devices throughout the network should be limited, with specialized accounts set up for local administrator tasks. When many users have admin access to many machines, ransomware spreads like wildfire.
• Access to file shares across the network should be only as-needed. Ransomware will look to encrypt whatever files the user who launched it can see and change. If the infected user has limited rights on file shares, the damage that can be caused will be limited.

Patch management

Malware normally finds its way onto computers that are missing patches. Ransomware is no different; yet patching continues to be a shortcoming in many organizations' defenses. The keys to having an effective patch management program are to:

• Ensure ALL operating systems and platforms are covered by an automated patching system.
• Ensure ALL applications are covered by an automated patching system.
• Perform scans routinely on all systems in the environment to confirm the automated patching systems are functioning as intended.

Endpoint protection

Organizations need to have current and up-to-date technology defending endpoints. Anti-virus applications installed and forgotten five years ago do not meet this requirement. Make sure the endpoint protection system is actively monitored to ensure components are current and protections are not disabled.

Network segmentation

When commercial buildings, hotels and homes are built, codes have to be followed for a number of reasons, one of which is to ensure that fires have difficulty spreading from room to room and floor to floor. A computer network should be no different. Networked devices in one department should be able to see networked devices in another department only if there is a justified business requirement.

Detect

One of the most important aspects of limiting the damage of a ransomware attack is to know when it is happening. Following are the key steps to sharpening any company’s detection capabilities:

  1. Have a correctly configured Security Information and Event Management (SIEM) tool.
    SIEM tools collect logs from a variety of sources. But a SIEM is like a musical instrument. It will be a dust collector unless someone knows how to play it. SIEMs prove their worth when they are configured to analyze the logs and produce alerts directed to the right people. Instead of having people who pore through logs looking for problems, a finely tuned SIEM is a force multiplier, sending the right information to the right people to allow them to troubleshoot and prevent problems before they escalate.
  2. Conduct realistic tabletop exercises.
    Many organizations go through the exercise of bringing people into a room to talk about a possible scenario and find out what will be done. Very few organizations integrate actual actions, such as retrieving log information or confirming SIEM notices as part of the exercise. Put realism into these exercises by having simulated attacks during the tabletops to prove your detective measures are working.
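The kind of correlation rule a tuned SIEM would run against file-server audit logs, as an added example that is not from the article. The log format, the 60-second window and the 20-file threshold are assumptions; the sample log lines are constructed.

```python
"""Toy SIEM correlation rule for ransomware-like file activity.

Added example, not from the article. Log format and thresholds are assumptions:
each line is "<ISO timestamp> <user> <action> <path>" from a file-server audit log.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(seconds=60)   # sliding window length (assumed)
THRESHOLD = 20                   # distinct files changed in WINDOW (assumed)
CHANGE_ACTIONS = {"WRITE", "RENAME", "DELETE"}

def parse(line):
    ts, user, action, path = line.split(" ", 3)
    return datetime.fromisoformat(ts), user, action, path

def find_bursts(lines, window=WINDOW, threshold=THRESHOLD):
    """Return {user: time of first alert} for every user who changed
    `threshold` or more distinct files inside any `window`-long span.
    Reads are ignored: bulk reading is normal, bulk rewriting is not."""
    recent = defaultdict(deque)   # user -> deque of (timestamp, path)
    alerts = {}
    for ts, user, action, path in sorted(map(parse, lines)):
        if action not in CHANGE_ACTIONS:
            continue
        q = recent[user]
        q.append((ts, path))
        while ts - q[0][0] > window:      # drop events older than the window
            q.popleft()
        if user not in alerts and len({p for _, p in q}) >= threshold:
            alerts[user] = ts
    return alerts

# Constructed sample: normal edits by alice and bob, then a burst of renames
# to a ".locked" extension by mallory, 25 files in 25 seconds.
_base = datetime(2021, 6, 1, 9, 0, 0)
SAMPLE_LOG = (
    [f"{(_base + timedelta(seconds=20 * i)).isoformat()} alice WRITE /finance/q{i}.xlsx"
     for i in range(3)]
    + [f"{(_base + timedelta(seconds=15)).isoformat()} bob READ /hr/handbook.pdf"]
    + [f"{(_base + timedelta(seconds=60 + i)).isoformat()} mallory RENAME /hr/doc{i}.docx.locked"
       for i in range(25)]
)

if __name__ == "__main__":
    for user, when in find_bursts(SAMPLE_LOG).items():
        print(f"ALERT {when.isoformat()} {user}: mass file modification, isolate host")
```

The alert carries the user and the time of the twentieth change, which is what the on-call responder needs to isolate the right host.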

Respond

How an organization responds to a ransomware attack directly affects the amount of system damage caused by the attack. That response also affects the damage to its reputation with customers and the morale of its employees. This is where a formal incident response plan (IRP) is essential. The basic components of the IRP should include:

• Defined members of an incident response team (IRT).
• Contact information for external resources (such as the media, law enforcement and third-party consultants).
• Templates for communicating with employees, customers and vendors.

Specific to ransomware, the IRP should have a playbook for procedures related to a ransomware attack. Such a playbook can be designed through a tabletop ransomware exercise. This playbook will be unique to the organization with steps specific to the IRT members. Steps should include:

• User actions when ransomware is suspected.
• Specific steps for isolating network segments or systems.
• Communication steps with members of the IRT.

Recover

Recovering from a ransomware attack normally involves one of three options.

1. Recover via backups.

To be viable, backup systems and images cannot be compromised by the ransomware. Attackers will often look to encrypt backup systems first so that a system restore is not possible. To protect the ability to recover systems and data, organizations should:

• Maintain protected gold images of systems to ensure restoration to a known trusted state.
• Keep copies of data backups that cannot be overwritten and are disconnected from the production network.

2. Pay the ransom.

Some companies are forced into this solution. Some look to it as the path of least resistance. There are risks that come with this choice: Will the decryption key be effective? Criminals realized early on that it is more profitable in the long run to provide the key. That does not mean it will be useful. In the case of the recent Colonial Pipeline attack, a large payment was made only to find the decryption tool was too slow to be of use (Morse, 2021). Unfortunately, if you're attacked once, you may be attacked again. A recent report indicated that 80% of businesses that paid to recover from an attack experienced a subsequent ransomware attack (Yu, 2021).

3. Rebuild from scratch.

This is the most painful scenario, normally chosen when backups cannot be restored and/or the purchased decryption key is not working.

What next?

Hopefully, this guide helps you to understand and prepare for these attacks. The tactics of the criminals continue to escalate with the release of captured data and the use of personal attacks on corporate executives to compel payment. Our efforts to resist need to meet these threats.

SynerComm Inc. is proud to announce it has been named a 2020 “Overall” Partner of the Year by Juniper Networks. Selected out of 1,000 plus Juniper Networks North America Partners, SynerComm has been recognized for exceptional innovation, problem‐solving and customer experience abilities.

“It’s an honor to be recognized by Juniper Networks as 2020 Overall North America Partner of the Year,” says Mark Sollazo, President & CEO, Co‐Founder SynerComm, Inc. “The growth we achieved is a testament to the strength of our partnership with Juniper and sharing common goals for our customers. We are pleased to be recognized for our exceptional innovation, problem‐solving and customer experience.”

Each year, Juniper recognizes partners who have demonstrated innovative solutions to drive new business, delivered exceptional attention to customer experience and have the outstanding ability to solve a multitude of business challenges.

“Juniper Networks is thrilled to recognize SynerComm as a 2020 Overall Partner of the Year for North America. To accomplish this, SynerComm embraced Juniper’s bold standards of superior business agility and ingenuity, and delivered excellent customer outcomes,” says Gordon Mackintosh, Vice President Global Channels & Virtual Sales. “This is a significant achievement, and we are proud of our partnership with SynerComm who continues to set the bar high in experience‐first networking.”

SynerComm leverages the Juniper Networks MIST AI‐driven platforms to drive customer outcomes and experiences. SynerComm focuses on enterprises' and service providers' multi‐cloud, security infrastructure and information assurance needs, powered by SynerComm’s award‐winning Continuous Attack Surface Management (CASM Engine™), recently named in the SC Magazine Best Vulnerability Management and Pentest Solution category.

About SynerComm

For years, SynerComm has been making large, global multi‐cloud/hybrid infrastructure design, procurement and deployments simpler and stress free with our ImplementIT staging, localization and logistics services. For more information, visit:

https://www.synercomm.com/implementit/

SynerComm CASM® Engine

https://www.synercomm.com/cybersecurity/continuous-attack-surface-management/

SynerComm IT Trendsetters Interview Series

The Journey to the AI-driven Enterprise with Bob Friday, Co-Founder of Mist Systems

Another M365 email outage... seriously just Google it... there are even multiple websites that monitor and tell you there is an outage but there is nothing you can do about it… or is there?

Whether it is email, Azure, Teams or something else, what can you do?

Better question yet: what are your employees doing while they wait? Are they using a personal email account to send business information? That is even scarier.

Does this all sound too familiar?

The good news is you CAN do something about it.

Here is where Mimecast has a brilliant solution: it keeps users' email working during on-premise or cloud outages! Like a back-up parachute, should the primary not open, you don't have to free fall; you can pull the secondary cord and simply glide to safety.

So, let's say the Microsoft M365 service goes down. First off, rather than having you guess if there is a disruption and possibly obtaining confusing information from Microsoft Admin Center, Mimecast provides outage/disruption detection.

Through the 'heartbeat' approach, Mimecast monitors for high latency and failed deliveries. If a problem is detected, based on thresholds, Mimecast triggers an alert to admins via SMS or secondary email. From there the admin can kick off a continuity event that allows end users to keep working through Outlook, the webmail portal or mobile applications.
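The threshold logic behind such a heartbeat, as an added example illustrating the approach described above (this is not Mimecast code). The 300-second latency limit and the three-consecutive-breaches rule are assumptions, and the probe history is constructed.

```python
"""Threshold-based heartbeat monitor for an email delivery path.

Added example illustrating the approach described above; it is not Mimecast
code. The latency limit and the consecutive-breach rule are assumptions.
"""
from dataclasses import dataclass
from typing import List, Optional

@dataclass
class Heartbeat:
    sent_at: float                  # epoch seconds the probe message was sent
    delivered_at: Optional[float]   # None: the probe never came back

LATENCY_LIMIT = 300.0   # seconds before a delivery counts as "high latency" (assumed)
CONSECUTIVE = 3         # breaches in a row before alerting, so one slow probe
                        # does not page anyone (assumed)

def is_breach(hb: Heartbeat, latency_limit: float = LATENCY_LIMIT) -> bool:
    """A failed delivery or a slow one both count against the primary service."""
    return hb.delivered_at is None or hb.delivered_at - hb.sent_at > latency_limit

def first_alert(heartbeats: List[Heartbeat], consecutive: int = CONSECUTIVE,
                latency_limit: float = LATENCY_LIMIT) -> Optional[int]:
    """Return the index of the probe at which an outage alert fires, or None."""
    streak = 0
    for i, hb in enumerate(heartbeats):
        streak = streak + 1 if is_breach(hb, latency_limit) else 0
        if streak >= consecutive:
            return i
    return None

# Constructed probe history, one probe per minute: three healthy deliveries,
# one transient slow delivery, a healthy one, then three lost probes.
SAMPLE = [
    Heartbeat(0.0, 5.0), Heartbeat(60.0, 64.0), Heartbeat(120.0, 130.0),
    Heartbeat(180.0, 600.0),            # 420 s late: single breach, no alert
    Heartbeat(240.0, 245.0),            # recovered, streak resets
    Heartbeat(300.0, None), Heartbeat(360.0, None), Heartbeat(420.0, None),
]

if __name__ == "__main__":
    hit = first_alert(SAMPLE)
    if hit is not None:
        print(f"outage suspected at probe {hit}: notify admins, start continuity event")
```

The consecutive-breach rule is what keeps a single slow delivery from starting a continuity event; tune it against how long your users can tolerate a real outage before failover.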

With Mimecast, your end users will have no idea there is a problem. They can continue to send and receive email as if there were no failure, so they just keep working. Once your primary email service comes back online, Mimecast will sync up with it, and the world keeps turning.

And, the coolest part in my opinion: if Mimecast is also your security and archive solution, having an outage that requires a continuity assist from Mimecast doesn't alter your security and archive capabilities in the slightest. You are still just as protected and compliant. There is no need for your users to seek an alternate, shadow IT solution.

J. Peter Bruzzese - “Conversational Microsoft 365 Cyber Resilience”

Join the many SynerComm customers who have added M365 Resiliency to their Enterprise Email environment. For a deeper discussion, follow along below.

Warning: This blog contains purposeful marketing and gratuitous plugs for SynerComm’s CASM™ Subscription services. Seriously though, the following article will present the need for better external visibility and vulnerability management.

Whether you are vulnerability scanning to meet compliance requirements or doing it as part of good security practices, there is a universal need. At the time of this article, there are essentially three equally capable and qualified scanning solutions: products from Tenable, Rapid7 and Qualys. My point is that each of these scanning solutions, if configured correctly, should produce accurate and similar results. Therefore, as long as your scanning provider is using one of these three solutions, they should be able to detect vulnerabilities. SynerComm starts with a top scanner and then addresses all the gaps that your MSSP is missing.

Vulnerability scanning and analysis is a critical process within all information security programs. Scanners should find missing patches, dangerous configurations, default passwords, and hundreds of other weaknesses. Their technology is based on probing systems over networks and trying to determine if the system exhibits specific vulnerabilities. While the process itself isn’t complicated, many organizations choose to outsource it to a managed service provider. If you need a provider or already have one, it’s time to upgrade to Continuous Attack Surface Management (CASM™). 

Ditch your Vulnerability Scanning MSSP

Vulnerability scanning MSSPs served their role well for many years but failed to keep up. They failed to keep up with cloud migrations, failed to keep up with the rate of IT changes, and failed to provide tools that simplify and enable security for their subscribers.

VS-MSSPs Lack Discovery of New Assets

VS-MSSPs are Plagued with False Positives and Fail to Accurately Describe Risk 

VS-MSSPs Lack Security Expertise

The benefits of Continuous Attack Surface Management include:

If you’ve ever wondered what your systems and exposures look like to a cyber-criminal, just ask a pentester. SynerComm’s CASM® Engine was originally designed to provide accurate and timely reconnaissance information to our penetration testers. Access to this data and our ‘Findings-Based Reporting’ is available to all CASM® and Continuous Penetration Test subscribers. 

Learn more about our Continuous Attack Surface Management and our industry-leading Continuous Penetration Test subscriptions. 

| Capability                          | VS-MSSPs | SynerComm CASM® |
|-------------------------------------|----------|-----------------|
| Scheduled Scanning of Known Assets  | ✔️       | ✔️              |
| Ad-Hoc (Manual) Scanning            | ✔️       | ✔️              |
| 24/7 Online Dashboard Reporting     | ✔️       | ✔️              |
| Discovery of New Assets             |          | ✔️              |
| Elimination of False-Positives      |          | ✔️              |
| Validated Findings                  |          | ✔️              |
| Risk-Based Customizable Alerts      |          | ✔️              |
| Access to Penetration Testers       |          | ✔️              |