I was asked recently by a software developer, "How will documentation prevent your ransomware? I had one of these exercises once; it was a waste of time, nobody knew what they were talking about."
Let me tell you.
The Importance of Experience
The first part we have to look at is the last part of the offending sentence: "nobody knew what they were talking about." Cybersecurity is not something that is “fake it until you make it” – it requires experience and knowledge, both of which are typically hard-fought and won in the trenches of the real world. Theoretical knowledge is always a factor but will never replace the pragmatic and focused experience of someone who has “been there, done that” during real outbreak/attack scenarios. For the purposes of this article, we’ll assume an 18-year career in cybersecurity sufficiently qualifies me to weigh in here.
The Role of Documentation
Now on to the (sometimes not) fun part – the documentation. A properly documented security plan/strategy will include many different layers, protocols, procedures, etc. It should be created by individuals or a vendor with quantifiable experience in the industry who understand the nuances of cybersecurity.
Nuance matters.
The documentation will serve as a lighthouse to the internal team(s) and department(s). We won’t be going over an exhaustive list of documentation, but we’ll certainly be hitting the highlights.
Policies
First up are policies. Well-defined policies that are actually enforced and don’t just collect dust on a page somewhere are incredibly powerful. Policies help define what needs to be done to stay safe and manage risk. For instance, it’s common to have a policy that defines how the company environment will be monitored for threats and who is responsible for that task.
How Does a Documented Threat Monitoring Policy Help Prevent Ransomware?
If it’s not enforced, it doesn’t. If it is enforced, it provides consistent visibility into the company environment, so that attack precursors and the attacks themselves are spotted quickly. If an attack is caught early enough (proper tools, proper monitoring, proper response), then it can be heavily mitigated and often outright stopped dead.
But you can’t stop something you can’t see. Which is why it’s important to emblazon your monitoring policy into the annals of time in your company/departmental policies (aka documentation).
Response Procedures
Just seeing something is not enough if you want to effectively and efficiently stop it. This is where the response policies and procedures come into play in your…documentation (I’m going to keep saying that word). Spelling out proper steps in response documentation can empower younger or less experienced personnel to assist and take part in actions that would otherwise be well outside of their knowledge base.
Scenario: Overnight Monitoring
Let’s look at this scenario: You have minimal staff overnight to monitor your environment…two people in the NOC/SOC, both junior level and still learning the ropes / gaining experience. It’s 2am, and the dashboards light up red for a single server – suspicious activity. The employees are unsure of exactly what that alert means or what exactly to do with it, which is not entirely uncommon.
At this point, the personnel have two options: refer to the documentation for proper handling or roll the dice and wait it out until someone more senior comes on shift (this happens a LOT). If documentation isn’t available, then guess what? The alert very well may sit there for hours until someone comes on shift (or is called and woken up) who can properly investigate/address it.
Now let’s say that the single server that popped an alert was a known attack precursor to (duh duh duuuuh) a ransomware infection. Time is of the essence to contain the attacked asset and mitigate the incoming attack. Quick-reference documentation gives exact, effective guidance on what to do, how to do it, and who to contact.
How Can a Documented Response Plan Help Prevent Ransomware?
If it’s not enforced, it doesn’t (I’m also going to keep saying that. Documentation is nothing without enforcement). If it is enforced and is part of the security culture, it can help your security team implement effective and early mitigation and prevention tactics that will stop the attack dead in its tracks. Even if the attack is not completely stopped, mitigating the potential spread through the entire network is a crucial strategy for any company. Losing one asset to recovery is better than losing thousands.
Fun fact (or not-so-fun fact): 60% of businesses that suffer a cyberattack are out of business within six months according to Verizon Business.
Cyber Hygiene
We haven’t talked about the dirty little secret of cybersecurity yet though! It’s cyber hygiene. In my experience, most attacks are successful due to seemingly small things that are forgotten or overlooked…the easy stuff that no one really pays attention to but really should. These things are “cyber hygiene” and include practices such as:
Strong password policies
Security awareness training
Regular updating of devices
Regular updating of software
Secured wireless networks
Regular data backups
Encryption practices
I’ll spare you my rambling and not go through how each one of those practices can help secure you from ransomware. We’ll just leave it as…they do.
Document your organization's flavor of cyber hygiene and write it into the various security awareness training strategies you employ.
Conclusion: The Power of Documentation
Brass tacks: Is anything ever actually secure for real? No, not really. Everything is hackable given enough time, motivation, and sometimes money. But you CAN make yourself and your company such an incredibly difficult target for your adversaries that there is no payoff to them spending the time to attack you. Even in the face of a targeted manual attack, documentation can still save the day, not just from ransomware but from all sorts of threats, including your own employees.
Will documentation itself ever prevent ransomware? No.
Will documentation enable the strategies that WILL prevent it? Absolutely.
Effective cybersecurity requires a mature mindset and a holistic approach. The days of “Just put a firewall with IDS/IPS in; it’ll be fine” are long, long gone.
In the almost two decades I’ve been in the cybersecurity industry at all levels, I have never seen the presence of good actionable documentation HURT the security posture of a company. I have only ever seen it bolster, encourage, and guide companies to better security practices that are highly effective and highly efficient.
Documentation is your saving grace in a cyber-attack; don’t sleep on it.
Securely,
Patrick Wright
Co-Founder | CTO | CISO