How to Advance Your Phishing Program to Address Ransomware

May 3, 2022 | By IANS Faculty

Ransomware attacks are certainly on the rise, and they are expected to continue to be a top threat for security teams. With phishing being a frequent attack vector leading to ransomware, it’s important employees are trained to recognize and report phishing emails, but a more extensive program is needed to address the threat of ransomware. This piece explains how a program that includes policy, technology, training, exercises and third-party validation can be an effective defense against both phishing and ransomware. 

5 Keys to an Advanced Phishing Program

Informational training alone is not enough to prepare the workforce to properly handle phishing attempts, so ethical phishing exercises that simulate actual phishing attacks help supplement training in most organizations. However, even those exercises are only a point-in-time indication of how an employee may respond to a particular type of phish. Cybersecurity and IT teams must fully understand the risks to the organization should any user fall victim to a phishing attack at any time. 

 



A successful cybersecurity program, complete with good policy, technology, training, exercises, and third-party validation, is required. Even issue-specific topics such as ransomware require all these elements. 

1. Focus on Policy 

Two key policy areas in particular can help shore up your phishing and ransomware defenses: 

  • Access control: Each organization should have an access control or equivalent policy that requires a password of a certain length and complexity. The policy should also require unique passwords and expressly prohibit employees from reusing passwords on multiple systems. 
  • Asset management: This should provide guidance for receiving, inventorying, distributing, tracking and disposing of assets. Should a ransomware attack occur, this policy helps the team know which assets may be impacted. 

2. Add Technology 

Organizations should not depend on training or the human element (user) to defend against all phishing attacks. Instead, they should combine such training with technology, such as a secure email gateway that monitors emails (both being sent and received). 

This has many benefits, but when it comes to phishing, a secure email gateway can quickly identify and quarantine messages with malicious links or attachments, which helps stop the spread and significantly minimizes impact. 

3. Ensure Training Is Comprehensive 

Training is always going to be an important part of protecting an organization from phishing and ransomware attacks. The best training not only details how to identify a phish, but also provides explicit, detailed instructions on how to report a suspected phish and what to do if someone believes they have fallen victim. Many people do not know what to do once an attack has been successful. The delay between clicking on a phishing link, wondering what to do about it and finally reporting it leads to cybersecurity teams losing valuable time in being able to contain and remediate the attack. 
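The delay described above can be measured during a simulated campaign. The following is an added example, not part of the original article: it computes the click-to-report gap per user and lists users who clicked but never reported. The event log format, user names and function names are assumptions made for the illustration.

```python
from datetime import datetime
from statistics import median

# Constructed sample events (not real data); assumed format: ISO time, user, action.
SAMPLE_EVENTS = """\
2022-05-03T09:00:00 alice delivered
2022-05-03T09:00:00 bob delivered
2022-05-03T09:00:00 carol delivered
2022-05-03T09:00:00 dave delivered
2022-05-03T09:04:10 alice reported
2022-05-03T09:07:00 bob clicked
2022-05-03T09:19:00 bob reported
2022-05-03T09:30:00 carol clicked
2022-05-03T11:30:00 dave clicked
2022-05-03T13:30:00 dave reported
"""

def parse_events(text):
    """Return {user: {action: earliest timestamp}}."""
    users = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, action = line.split()
        when = datetime.fromisoformat(ts)
        seen = users.setdefault(user, {})
        if action not in seen or when < seen[action]:
            seen[action] = when
    return users

def summarize(users):
    """Split recipients by outcome and time the click-to-report gap."""
    delays, silent, clean = {}, [], []
    for user, seen in sorted(users.items()):
        clicked, reported = seen.get("clicked"), seen.get("reported")
        if clicked and reported and reported >= clicked:
            delays[user] = (reported - clicked).total_seconds() / 60
        elif clicked:  # no report after the click: the team never hears of it
            silent.append(user)
        elif reported:  # reported the message without clicking
            clean.append(user)
    return {
        "click_to_report_minutes": delays,
        "median_delay_minutes": median(delays.values()) if delays else None,
        "clicked_never_reported": silent,
        "reported_without_clicking": clean,
    }

print(summarize(parse_events(SAMPLE_EVENTS)))
```

Tracking the median delay and the clicked-never-reported list across campaigns shows whether reporting instructions are working, which a click rate alone does not.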

4. Conduct Regular Exercises 

Several types of exercises can help ensure an organization is prepared for a phishing or ransomware attack. These include: 

  • Ethical phishing campaigns/tabletops: Simulated phishing campaigns are fantastic for helping organizations exercise employee training. However, such campaigns should start with a tabletop exercise by the cybersecurity and IT teams, where they walk through what would happen if an employee fell victim. This helps the teams prepare for a real incident and can be used as a way to craft a very realistic phishing campaign. 
  • Internal penetration testing: During the phishing campaign, it is a good idea to do some internal penetration testing. If a user fails the test, pen testers can determine what is exposed and what lateral movements can be made. They can then develop a report on the consequences of the failed phishing test. 
  • Backup/recovery tests: Another important exercise is testing backup and recovery processes for critical assets. Should a ransomware attack occur, the team should have detailed processes in place to ensure critical data can be reinstated with as little disruption as possible to the organization. Ransomware backups must also be properly protected (e.g., stored offline or out of band) so they are not exposed should a potential adversary gain access to the network. 

5. Validate via a Third Party 

In addition to internal phishing campaigns and penetration testing, organizations should have independent third-party partners run these same exercises externally. This is a great way to validate internal campaign results and identify gaps. External penetration testing can also be extended to conduct privileged access tests, where the pen tester is given a set of valid credentials and works to identify what lateral movements can be made. 

 



Phishing Programs to Prevent Ransomware Attacks 

The details listed in each step above are by no means comprehensive, but they provide a starting point to show that phishing campaigns should be extended to more than running exercises and tracking click rates. To protect against and properly respond to ransomware attacks, organizations must have the necessary training, policy and technology in place and then fully understand what an adversary can do after a successful phish occurs. 

Other best practices for preventing and recovering from a ransomware attack include: 

  • Reviewing port settings and moving to zero trust architectures: These steps help by reducing the attacker’s options for access and ability to move laterally. 
  • Hardening endpoints: This helps reduce the threat surface. 
  • Segmenting your network: This can even be done by placing roles that may be more prone to an attack (e.g., those that have lots of external interaction, like recruiting) on a separate virtual LAN. 
  • Testing your backups: You can’t just trust your backups will work when you need them. You must actually test this through a formal recovery exercise.

Phishing Campaign Best Practices 

The number of phishing and ransomware attacks continues to rise, and companies cannot depend on ethical phishing campaigns alone to protect the organization. Phishing campaigns should be extended to include actions before, during and after the exercises. To better prepare your organization: 

  • Cover multiple bases: Ensure your security program addresses policy, technology, training, exercises and validation by an external party. All these can be traced back to good phishing and ransomware readiness. 
  • Establish asset management best practices: Asset management is a critical element of ransomware response and recovery. This includes knowing what assets you have, what state they are in, where backups are located and detailed processes for recovery. 
  • Don’t stop with the phish: Cybersecurity and IT teams should also exercise what happens after the phish is successful. If credentials are exposed, what can be done with them? What lateral movements can be made? What data can be stolen or destroyed? This information can also be used in follow-up training with users to demonstrate the negative impacts of clicking on a phish. 

Although reasonable efforts will be made to ensure the completeness and accuracy of the information contained in our blog posts, no liability can be accepted by IANS or our Faculty members for the results of any actions taken by individuals or firms in connection with such information, opinions, or advice. 

