Hopefully, ransomware protection has been an essential part of your threat management for years now. But based on the recent widespread ransomware attacks, it’s clear that the risks are still underestimated, and the attackers are more successful than we’d like. On top of that, cloud environments like AWS have more attack vectors and vulnerabilities to take into account than conventional on-premise systems.
At Arpio, we recommend a three-pronged approach to preventing and managing ransomware attacks:
1. Prevent ransomware from getting into your environment.
The best way to handle ransomware attacks is not to get infected! On top of vigilance and discipline, here are our top must do’s based on what we have seen go wrong:
- Enable MFA for the root account and all user access, including when using access tokens from programmatic and command-line access. The extra step might be cumbersome at first, but it will improve the security of your environment. Using federated logins might lighten the burden as well!
- Maintain a program to apply security patches to EC2 instances in a timely manner. AWS Systems Manager Patch Manager can automate this for you. If you haven’t automated the process – make sure to schedule regular (at least weekly) reviews.
- Use managed services and serverless technologies to eliminate the need to patch at all. If you don’t run an EC2 instance, there’s no way for ransomware to exploit it.
- Use IAM roles instead of IAM users for programmatic access from your applications. This eliminates the need for access tokens, which can accidentally get leaked or maliciously get compromised.
- Grant least-privileged access to IAM roles and users so that privileges cannot be escalated in the event of a compromise. Do not allow access to services you do not use or that they do not need access to.
2. Prevent ransomware from spreading within your environment.
- Use distinct AWS accounts to operate distinct workloads. Each AWS account is a natural security domain so that if one account is compromised, others are not.
- Use security groups to control what network traffic is allowed to traverse your network to minimize the ability for ransomware to spread.
3. Ensure you can recover your environment if steps 1 and 2 fail
- Make sure to backup your data in a different security domain than your production environment. Backups stored inside your production AWS account will be identified and deleted or encrypted by the attacker as part of executing the attack.
- Make sure to retain a history of recent backups so that you can roll back to unencrypted data.
- Practice recovery regularly in a clean environment, so you’re confident in your ability to fully restore your service (and you know your recovery time!). This clean environment should be a different AWS account. If ransomware penetrates your production AWS account, it should be considered lost.
The last step (practice recovery) is the most undervalued / under prioritized activity that will show you how hard (or, hopefully, easy) it will be to recover from a successful attack. It will also give you ‘food for thought’ on changes in production, backups, and tools that will make it easier and faster to recover. When was your last fire drill?
We would love to hear your best practice for ransomware attack prevention. Please drop us a note!