This straightforward security checklist from Esteban Hernandez, senior security solutions architect at AWS, recommends topline mitigations
1. Use a security framework: Organisations migrating to the cloud should consider using a security framework, like the National Institute of Standards and Technology’s (NIST) Ransomware Risk Management. Following this framework allows organisations to verify that all areas of their security programme have defined controls, responsibilities, and mechanisms. Organised around five steps – identify, protect, detect, respond, and recover – the NIST framework can help improve the overall security, risk management, and resilience of an organisation.
2. Patch and harden systems: Known vulnerabilities in software that are yet to be updated with a security patch are commonly targeted by attackers to gain access to an organisation’s network. Identifying and patching vulnerabilities in software and hardware is critical to limiting exposure to ransomware attacks.
3. Eliminate long-lived credentials: Access keys and credentials, which are required to access and manipulate cloud resources, are commonly targeted by criminals. If access keys are not regularly changed and properly secured there is a risk they will be mistakenly exposed and leave resources open to attack. Try to eliminate long-term access keys and rotate keys on a regular basis.
4. Use multiple accounts: Organise your infrastructure so resources are segmented and isolated as much as possible. This will limit traffic and reduce the ability of ransomware to spread and infect more systems. Using multiple accounts to implement this strategy also provides additional controls and can reduce the impact of a ransomware event.
5. Use immutable infrastructure with no human access: Even if you can’t deploy a fully immutable infrastructure, any reduction in human access will help lower the risk that systems will be exposed due to human error or a malicious actor.
6. Implement centralised logging and monitoring: Security teams can monitor system logs to discover suspicious activities on their networks. If you don’t realise something is wrong until the ransom demand appears, then it is likely too late. Security information and event management (SIEM) systems can centralise events for analysis to detect unusual user activity, network events, and changes to the infrastructure streamlining response.
7. Create regular backups: Regular data backups will reduce the impact of a ransomware attack, as well as improve the ability to quickly recover from it. Some forms of ransomware actively look for backups and attempt to delete or encrypt them, so it’s vital that backups are properly protected. Organisations should also define a recovery strategy and test their restore procedures regularly to ensure the process is effective.
8. Prepare your incident response plan: Plan for an incident before it happens and run incident response simulations to test your organisation’s readiness. This will help develop effective policies and procedures to for responding to security incidents. This approach will provide confidence and guidance to your business during a real incident.
9. Perform self-assessments on workloads: Regularly evaluate workloads for risks and record improvements to ensure they follow security best practices and can identify potential vulnerabilities.
10. Automate security guardrails and response actions: Use automation to regularly check for insecure resource configurations and update them.