Ransomware Defence
Our Ransomware Defence Assessment (RDA) is a blended approach combining paper-based audit checks with hands-on manual testing. It aims to assess a business’s current administrative and technical controls, the teams and processes in place to detect attacks, and the plans to restore business activities.
The assessment is divided into the following four sections:
- Audit Checks
- Infrastructure Tests
- Attack Simulation
- Reporting
These sections examine different aspects of the business in relation to the risk of a ransomware attack. The approach is aligned with a ‘defence in depth’ strategy, focusing on the controls that prevent initial access attempts through to the activities that take place if an attack is successful.
Benefits
These are the key benefits of undertaking a Ransomware Defence Assessment:
- Includes a ransomware-focused workshop with a Senior Consultant, discussing how the configuration of your infrastructure compares with industry best-practice recommendations
- Simulates the most probable internal and external attacks used to deliver ransomware payloads in a safe and controlled manner
- Tests the effectiveness of any SIEM solution in detecting malicious behaviour on the infrastructure typical of an imminent ransomware attack
- Includes an assessment of the configuration of the key technical controls in place to mitigate the risk of ransomware attacks, such as mail filters, anti-virus, and network segmentation
- Provides a concise report containing both technical and non-technical recommendations for how the risk of a ransomware attack on your infrastructure could be reduced
Methodology
Audit Checks
The ‘Audit Checks’ aim to ensure that the most appropriate policies and procedures are in place, along with suitable technical controls, to mitigate the risk of ransomware and to restore business activities quickly and efficiently should a successful attack take place. This test takes the form of a workshop, involving a Senior Consultant and your Cyber Incident Response Team (CIRP).
The checks are divided into the three main stages of a ransomware attack. The purpose of the workshop is to clearly define the threat of ransomware to the client’s business, and how the current controls compare with industry best-practice. The result of the workshop will be a set of bespoke short-term and long-term recommendations.
Stage 1
The first stage covers the various techniques used to gain a foothold on the infrastructure. This could be a phishing attack, a vulnerable public service, or a poorly secured third-party integration. It covers the following control areas:
- Phishing
- Mail Server Configuration
- Remote Access Solution
- External Infrastructure and Web Applications
- Third-Party Management / Third-Party Integrations
- Awareness Training
Stage 2
The second stage focuses on the controls in place to mitigate the risk of an attacker escalating privileges, moving laterally through the network, and accessing key internal assets. It covers the following control areas:
- Patching
- Anti-Virus
- Internal Infrastructure
- Active Directory
- Password Policy
Stage 3
The third stage covers the checks that are likely to be critical if a breach occurs: the procedures followed to contain a breach and recover business activities, namely:
- Backups
- Incident Response
- DR Plans
Infrastructure Tests
The infrastructure includes a wide range of hosts and services, each with its own security configuration and each providing a key technical control. The ‘Infrastructure Tests’ aim to provide assurance that the current configurations across these hosts and services are effective and appropriate. Such tests include confirming that mail filters block the most recently used malicious attachment types, that data backups are appropriately secured, that a compromised user account cannot easily access sensitive information, and that remote access solutions are configured with the most secure authentication controls.
The following infrastructure tests are performed:
- Mail Server Security Configuration
- Third-Party Integration Configuration
- External Services
- Data Backup Security Controls
- Workstation Privilege Escalation
- Active Directory Security Configuration
- Remote Access Configuration Review
- Segmentation Testing
- Anti-Virus Effectiveness
- Cloud Configuration Review (Optional)
Attack Simulation
The ‘Attack Simulation’ tests aim to confirm the effectiveness of the defences in place to detect attacks, as well as the responsiveness of the associated teams. The tests simulate ransomware activity in a controlled and non-disruptive way, allowing all stages of incident response to be played out and identifying any opportunities for improvement.
The following attack simulation tests are performed:
- Mail Filter Effectiveness
- SIEM Effectiveness
Reporting
Once the above stages are completed, we will produce a concise report containing both technical and non-technical recommendations for how the risk of a ransomware attack on your infrastructure could be reduced.
The report will cover the following areas:
- Management Summary
- Severity-Ordered Issues
- Technical and Non-Technical Content
- Proof of Concept Images and Output
- Detailed Remediation Advice