In August, the Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) issued a joint alert about the emergence of BlackSuit ransomware, a new and highly dangerous strain of malware targeting organizations across various sectors.
This alert highlighted the significant threat posed by BlackSuit, emphasizing its potential to cause widespread disruption and data loss.
In response, CISA and the FBI proposed several critical mitigations to help organizations safeguard their systems and data against this evolving threat. These recommendations are designed to strengthen defenses, improve incident response capabilities, and reduce the risk of ransomware attacks.
The following list outlines the mitigations suggested by CISA in advisory AA23-061A and how StorageGuard can assist with implementing these mitigations for your organization’s storage and backup environment.
BlackSuit Ransomware: CISA Mitigation
1. Implement a recovery plan
StorageGuard verifies that secure snapshots and immutable backups are configured according to security guidelines and best practices including correct retention mode, secure time synchronization and various other important settings.
In addition, it validates that primary storage systems, secondary storage systems and backup systems are hardened, so that recovery systems and copies cannot be compromised.
Our AvailabilityGuard extension product scans your IT estate to audit that all data is backed up regularly and retained on designated isolated backup storage systems for the required retention period.
2. Require all accounts with password logins (e.g., service accounts, admin accounts, and domain admin accounts) to comply with NIST standards for developing and managing password policies
StorageGuard audits the storage and backup account settings and validates that they are configured correctly with password complexity rules, lockout, reuse, expiration and other guidelines outlined by NIST and other industry standards.
Any identified misconfigurations or improvement opportunities are reported as findings that can be viewed in the StorageGuard UI, in scheduled email reports, or through the REST API, or forwarded to central management systems such as Kenna and ServiceNow.
3. Keep all operating systems, software, and firmware up to date
StorageGuard automates the auditing of mission-critical storage and backup systems, ensuring all components are running the target version with the latest security patches and updates. It continuously monitors for vulnerabilities in storage OS, backup appliances, and related software, providing actionable insights to help organizations maintain a secure environment. Moreover, StorageGuard issues alerts when a storage or backup system is nearing end of support or end of security updates, allowing organizations to take the necessary steps before this becomes a risk.
4. Require multifactor authentication to administrator accounts
StorageGuard audits storage and backup platforms to verify that MFA is implemented and enforced across all critical systems, including local administrative users.
StorageGuard also audits additional capabilities with similar purposes, such as dual authorization (two-person role), account lockout and other settings. This helps prevent unauthorized access to sensitive data and infrastructure, ensuring that only legitimate users can make changes to storage and backup configurations.
5. Segment networks
StorageGuard assists in verifying that the primary storage and backup environments are separated, both at the network level and in user management. Furthermore, StorageGuard reviews network interface configurations to ensure that data, management, replication and backup traffic are not mixed.
6. Identify, detect, and investigate abnormal activity and potential traversal of the indicated ransomware with a networking monitoring tool
StorageGuard verifies that features such as anomaly detection, user behavior analysis and other anti-ransomware capabilities have been enabled and configured according to the storage/backup vendor’s best practices.
8. Install, regularly update, and enable real-time detection for antivirus
StorageGuard validates the configuration of antivirus/ICAP servers (status, policies and settings) to ensure detection on file access or write, as required.
9. Implement Secure Logging Collection and Storage Practices [CPG 2.T]. Learn more about logging best practices by referencing CISA’s Logging Made Easy resources
StorageGuard verifies that storage and backup systems are configured according to best practices and your organization’s standards as they relate to local logging, log retention, log levels, audit logging, CLI/API logging, log forwarding to syslog servers, secure log transfer, internal firewall logging, SMTP (email) server, email recipients, email alerts, SNMP and so on.
10. Audit user accounts with administrative privileges and configure access controls according to the principle of least privilege
StorageGuard regularly verifies that only approved user accounts and groups have administrative privileges. StorageGuard also reviews and analyzes user and IP-based ACLs.
11. Disable unused ports
StorageGuard audits system settings to ensure that unused or unnecessary services, protocols, interfaces, and ports are turned off (persistently).
12. Implement and Enforce Email Security Policies
StorageGuard examines SMTP (Email) settings and verifies that STARTTLS has been configured as well as other email security measures.
13. Implement time-based access for accounts set at the admin level and higher
StorageGuard can verify that system integration has been configured with enterprise tools that provide time-based access, such as CyberArk.
14. Disable command-line and scripting activities and permissions
For organizations that seek to turn off command-line (SSH) access and rely solely on the UI and/or REST API, StorageGuard can verify that the command-line interface has been disabled.
15. Maintain offline backups of data, and regularly maintain backup and restoration
Our AvailabilityGuard extension product scans your IT environment to verify that all data is backed up regularly according to your RPO and retention goals and kept on designated backup storage systems (off-site).
16. Ensure all backup data is encrypted, immutable (i.e., cannot be altered or deleted), and covers the entire organization’s data infrastructure.
StorageGuard reviews encryption and related settings to verify data-at-rest encryption (SED, volume encryption, etc.), data-in-transit encryption, backup immutability settings, retention mode, secure clock synchronization and more.
17. Review domain controllers, servers, workstations, and active directories for new and/or unrecognized accounts.
StorageGuard regularly validates that only approved user accounts, service accounts and groups are configured on the storage and backup system. Any deviation is reported as an action item.
This list provides a clear overview of how StorageGuard can help your organization implement the mitigations recommended by CISA, to enhance your security posture and protect against cyber threats.
The post How StorageGuard Can Assist With CISA’s Advised Mitigations For Newly Emerged BlackSuit Ransomware appeared first on Continuity™.
*** This is a Security Bloggers Network syndicated blog from Continuity™ authored by Doron Youngerwood. Read the original post at: https://www.continuitysoftware.com/blog/how-storageguard-can-assist-with-cisas-advised-mitigations-for-newly-emerged-blacksuit-ransomware/