
Ransomware protection playbook / Roger A. Grimes.

O'Reilly Online Learning: Academic/Public Library Edition Available online

Format:
Book
Author/Creator:
Grimes, Roger A., author.
Language:
English
Subjects (All):
Business enterprises--Computer networks--Security measures.
Business enterprises.
Computer security.
Computer crimes--Prevention.
Computer crimes.
Malware (Computer software).
Computer fraud.
Physical Description:
1 online resource (xxxviii, 282 pages) : illustrations
Place of Publication:
Hoboken, New Jersey : Wiley, [2022]
Summary:
The list of ransomware victims is long, distinguished, and sophisticated. And it's growing longer every day. In Ransomware Protection Playbook, computer security veteran and expert penetration tester Roger A. Grimes delivers an actionable blueprint for organizations seeking a robust defense against one of the most insidious and destructive IT threats currently in the wild. You'll learn about concrete steps you can take now to protect yourself or your organization from ransomware attacks.
Contents:
Cover
Title Page
Copyright Page
About the Author
About the Technical Editor
Acknowledgments
Contents
Introduction
Who This Book Is For
What Is Covered in This Book?
How to Contact Wiley or the Author
Part I Introduction
Chapter 1 Introduction to Ransomware
How Bad Is the Problem?
Variability of Ransomware Data
True Costs of Ransomware
Types of Ransomware
Fake Ransomware
Immediate Action vs. Delayed
Automatic or Human-Directed
Single Device Impacts or More
Ransomware Root Exploit
File Encrypting vs. Boot Infecting
Good vs. Bad Encryption
Encryption vs. More Payloads
Ransomware as a Service
Typical Ransomware Process and Components
Infiltrate
After Initial Execution
Dial-Home
Auto-Update
Check for Location
Initial Automatic Payloads
Waiting
Hacker Checks C&C
More Tools Used
Reconnaissance
Readying Encryption
Data Exfiltration
Encryption
Extortion Demand
Negotiations
Provide Decryption Keys
Ransomware Goes Conglomerate
Ransomware Industry Components
Summary
Chapter 2 Preventing Ransomware
Nineteen Minutes to Takeover
Good General Computer Defense Strategy
Understanding How Ransomware Attacks
The Nine Exploit Methods All Hackers and Malware Use
Top Root-Cause Exploit Methods of All Hackers and Malware
Top Root-Cause Exploit Methods of Ransomware
Preventing Ransomware
Primary Defenses
Everything Else
Use Application Control
Antivirus Prevention
Secure Configurations
Privileged Account Management
Security Boundary Segmentation
Data Protection
Block USB Keys
Implement a Foreign Russian Language
Beyond Self-Defense
Geopolitical Solutions
International Cooperation and Law Enforcement
Coordinated Technical Defense
Disrupt Money Supply
Fix the Internet
Chapter 3 Cybersecurity Insurance
Cybersecurity Insurance Shakeout
Did Cybersecurity Insurance Make Ransomware Worse?
Cybersecurity Insurance Policies
What's Covered by Most Cybersecurity Policies
Recovery Costs
Ransom
Root-Cause Analysis
Business Interruption Costs
Customer/Stakeholder Notifications and Protection
Fines and Legal Investigations
Example Cyber Insurance Policy Structure
Costs Covered and Not Covered by Insurance
The Insurance Process
Getting Insurance
Cybersecurity Risk Determination
Underwriting and Approval
Incident Claim Process
Initial Technical Help
What to Watch Out For
Social Engineering Outs
Make Sure Your Policy Covers Ransomware
Employee's Mistake Involved
Work-from-Home Scenarios
War Exclusion Clauses
Future of Cybersecurity Insurance
Chapter 4 Legal Considerations
Bitcoin and Cryptocurrencies
Can You Be in Legal Jeopardy for Paying a Ransom?
Consult with a Lawyer
Try to Follow the Money
Get Law Enforcement Involved
Get an OFAC License to Pay the Ransom
Do Your Due Diligence
Is It an Official Data Breach?
Preserve Evidence
Legal Defense Summary
Part II Detection and Recovery
Chapter 5 Ransomware Response Plan
Why Do Response Planning?
When Should a Response Plan Be Made?
What Should a Response Plan Include?
Small Response vs. Large Response Threshold
Key People
Communications Plan
Public Relations Plan
Reliable Backup
Ransom Payment Planning
Cybersecurity Insurance Plan
What It Takes to Declare an Official Data Breach
Internal vs. External Consultants
Cryptocurrency Wallet
Response
Checklist
Definitions
Practice Makes Perfect
Chapter 6 Detecting Ransomware
Why Is Ransomware So Hard to Detect?
Detection Methods
Security Awareness Training
AV/EDR Adjunct Detections
Detect New Processes
Anomalous Network Connections
New, Unexplained Things
Unexplained Stoppages
Aggressive Monitoring
Example Detection Solution
Chapter 7 Minimizing Damage
Basic Outline for Initial Ransomware Response
Stop the Spread
Power Down or Isolate Exploited Devices
Disconnecting the Network
Disconnect at the Network Access Points
Suppose You Can't Disconnect the Network
Initial Damage Assessment
What Is Impacted?
Ensure Your Backups Are Still Good
Check for Signs of Data and Credential Exfiltration
Check for Rogue Email Rules
What Do You Know About the Ransomware?
First Team Meeting
Determine Next Steps
Pay the Ransom or Not?
Recover or Rebuild?
Chapter 8 Early Responses
What Do You Know?
A Few Things to Remember
Encryption Is Likely Not Your Only Problem
Reputational Harm May Occur
Firings May Happen
It Could Get Worse
Major Decisions
Business Impact Analysis
Determine Business Interruption Workarounds
Did Data Exfiltration Happen?
Can You Decrypt the Data Without Paying?
Ransomware Is Buggy
Ransomware Decryption Websites
Ransomware Gang Publishes Decryption Keys
Sniff a Ransomware Key Off the Network?
Recovery Companies Who Lie About Decryption Key Use
If You Get the Decryption Keys
Save Encrypted Data Just in Case
Determine Whether the Ransom Should Be Paid
Not Paying the Ransom
Paying the Ransom
Recover or Rebuild Involved Systems?
Determine Dwell Time
Determine Root Cause
Point Fix or Time to Get Serious?
Early Actions
Preserve the Evidence
Remove the Malware
Change All Passwords
Chapter 9 Environment Recovery
Big Decisions
Recover vs. Rebuild
In What Order
Restoring Network
Restore IT Security Services
Restore Virtual Machines and/or Cloud Services
Restore Backup Systems
Restore Clients, Servers, Applications, Services
Conduct Unit Testing
Rebuild Process Summary
Recovery Process Summary
Recovering a Windows Computer
Recovering/Restoring Microsoft Active Directory
Chapter 10 Next Steps
Paradigm Shifts
Implement a Data-Driven Defense
Focus on Root Causes
Rank Everything!
Get and Use Good Data
Heed Growing Threats More
Row the Same Direction
Focus on Social Engineering Mitigation
Track Processes and Network Traffic
Improve Overall Cybersecurity Hygiene
Use Multifactor Authentication
Use a Strong Password Policy
Secure Elevated Group Memberships
Improve Security Monitoring
Secure PowerShell
Secure Data
Secure Backups
Chapter 11 What Not to Do
Assume You Can't Be a Victim
Think That One Super-Tool Can Prevent an Attack
Assume Too Quickly Your Backup Is Good
Use Inexperienced Responders
Give Inadequate Considerations to Paying Ransom
Lie to Attackers
Insult the Gang by Suggesting Tiny Ransom
Pay the Whole Amount Right Away
Argue with the Ransomware Gang
Apply Decryption Keys to Your Only Copy
Not Care About Root Cause
Keep Your Ransomware Response Plan Online Only
Allow a Team Member to Go Rogue
Accept a Social Engineering Exclusion in Your Cyber-Insurance Policy
Chapter 12 Future of Ransomware
Future of Ransomware
Attacks Beyond Traditional Computers
IoT Ransoms
Mixed-Purpose Hacking Gangs
Future of Ransomware Defense
Future Technical Defenses
Ransomware Countermeasure Apps and Features
AI Defense and Bots
Strategic Defenses
Focus on Mitigating Root Causes
Geopolitical Improvements
Systematic Improvements
Use Cyber Insurance as a Tool
Improve Internet Security Overall
Parting Words
Index
EULA
Notes:
Includes bibliographical references and index.
Description based on print version record.
Includes index.
ISBN:
9781119849131
1119849136
9781119850014
1119850010
OCLC:
1272998495
