FSISEC11: How are you protecting against ransomware? - Financial Services Industry Lens

Ransomware refers to a business model, and the wide range of associated technologies, that bad actors use to extort money. The bad actors use a range of tactics to gain unauthorized access to their victims' data and systems, including exploiting unpatched vulnerabilities, taking advantage of weak or stolen credentials, and using social engineering. The bad actors then restrict access to the data and systems (typically by encrypting, deleting, or exfiltrating them) and demand a ransom for the safe return of these digital assets.

FSISEC11-BP01 Prevent malware infiltration by securing compute resources

To detect malware that may be the source of a ransomware incident, enable Malware Protection in Amazon GuardDuty. When GuardDuty generates a finding that indicates malicious activity on an Amazon EC2 instance or container workload, this feature automatically initiates an agentless scan of the Amazon Elastic Block Store (Amazon EBS) volumes attached to the affected resource to detect the presence of malware. Treat a malware finding as the start of an incident, not a notification: isolate the affected resource before it can reach your data stores.

FSISEC11-BP02 Prevent threats from accessing your data stores

Scoping access to data according to the principle of least privilege helps prevent an exploit and limits the blast radius when one occurs. An effective data classification scheme, with enforcement and monitoring based on that scheme, can help prevent a bad actor from accessing and encrypting your data.

Network isolation and segmentation is another effective protection, because compromised systems cannot reach deep into your network. Use the best practices recommended in the Infrastructure protection section to funnel access to data stores over a private network, from a limited number of hosts.

FSISEC11-BP03 Use frequent backups to recover from a threat

Because a ransomware event usually becomes apparent soon after encryption or deletion starts, incorporate short-lived anti-ransomware backups into your backup cycle. AWS services can take snapshots of data stores quickly, so back up often and keep these snapshots for only a few days to limit cost. These short-lived copies complement, rather than replace, your longer-retention backups, and a bad actor who has gained access can delete snapshots as easily as data, so store them where they cannot be deleted before their retention period ends (see Amazon S3 Object Lock and AWS Backup Vault Lock under Prescriptive guidance below).
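A short-lived anti-ransomware backup only works if the vault it lands in allows that short retention: AWS Backup rejects a backup job whose lifecycle falls outside the locked vault's MinRetentionDays..MaxRetentionDays, a recovery point moved to cold storage must stay there at least 90 days before it can be deleted, and a compliance-mode lock needs ChangeableForDays of at least 3. The following pre-flight check encodes those rules so that a plan can be validated before it is deployed. It is an added example written for this page, not AWS-provided code; the vault names, rule names, schedules and retention numbers are made up for the example, and only `apply_lock` (which needs boto3 and credentials) touches a real API.

```python
"""Pre-flight check: does each AWS Backup rule fit the Vault Lock on its vault?

Added example, not AWS code. Vault names, rule names and numbers are invented.
"""
from dataclasses import dataclass
from typing import Optional

COLD_STORAGE_MIN_DAYS = 90           # recovery points stay in cold storage >= 90 days
COMPLIANCE_MIN_CHANGEABLE_DAYS = 3   # smallest cooling-off period for a compliance lock


@dataclass(frozen=True)
class VaultLock:
    vault_name: str
    min_retention_days: Optional[int] = None
    max_retention_days: Optional[int] = None
    changeable_for_days: Optional[int] = None  # None = governance mode (lock can be removed)


@dataclass(frozen=True)
class BackupRule:
    rule_name: str
    target_vault: str
    schedule: str                    # cron expression as used by AWS Backup plans
    delete_after_days: int
    move_to_cold_after_days: Optional[int] = None


def check_lock(lock: VaultLock) -> list[str]:
    """Sanity-check a lock definition before applying it (a lock cannot be undone later)."""
    problems = []
    if (lock.min_retention_days is not None and lock.max_retention_days is not None
            and lock.min_retention_days > lock.max_retention_days):
        problems.append(f"{lock.vault_name}: MinRetentionDays exceeds MaxRetentionDays")
    if lock.changeable_for_days is not None and lock.changeable_for_days < COMPLIANCE_MIN_CHANGEABLE_DAYS:
        problems.append(f"{lock.vault_name}: ChangeableForDays must be at least {COMPLIANCE_MIN_CHANGEABLE_DAYS}")
    return problems


def check_rule(rule: BackupRule, lock: VaultLock) -> list[str]:
    """Return the reasons a backup job created by `rule` would fail against `lock`."""
    if rule.target_vault != lock.vault_name:
        return [f"{rule.rule_name}: targets {rule.target_vault}, lock belongs to {lock.vault_name}"]
    problems = []
    if lock.min_retention_days is not None and rule.delete_after_days < lock.min_retention_days:
        problems.append(f"{rule.rule_name}: deletes after {rule.delete_after_days}d, "
                        f"vault minimum is {lock.min_retention_days}d")
    if lock.max_retention_days is not None and rule.delete_after_days > lock.max_retention_days:
        problems.append(f"{rule.rule_name}: keeps for {rule.delete_after_days}d, "
                        f"vault maximum is {lock.max_retention_days}d")
    if rule.move_to_cold_after_days is not None:
        in_cold = rule.delete_after_days - rule.move_to_cold_after_days
        if in_cold < COLD_STORAGE_MIN_DAYS:
            problems.append(f"{rule.rule_name}: only {in_cold}d in cold storage, "
                            f"minimum is {COLD_STORAGE_MIN_DAYS}d")
    return problems


def check_plan(rules: list[BackupRule], locks: list[VaultLock]) -> dict[str, list[str]]:
    """Map every rule to its problems; a rule whose vault has no lock is flagged as mutable."""
    by_vault = {lock.vault_name: lock for lock in locks}
    report = {}
    for rule in rules:
        lock = by_vault.get(rule.target_vault)
        if lock is None:
            report[rule.rule_name] = [f"{rule.rule_name}: vault {rule.target_vault} has no Vault Lock, "
                                      "its backups can be deleted by a compromised principal"]
        else:
            report[rule.rule_name] = check_rule(rule, lock)
    return report


def apply_lock(lock: VaultLock, region: str = "us-east-1") -> None:
    """Apply the lock with the real AWS Backup API (needs boto3 and AWS credentials)."""
    import boto3  # imported here so the offline checks above never need it
    params = {"BackupVaultName": lock.vault_name}
    if lock.min_retention_days is not None:
        params["MinRetentionDays"] = lock.min_retention_days
    if lock.max_retention_days is not None:
        params["MaxRetentionDays"] = lock.max_retention_days
    if lock.changeable_for_days is not None:
        params["ChangeableForDays"] = lock.changeable_for_days
    boto3.client("backup", region_name=region).put_backup_vault_lock_configuration(**params)


# Constructed sample: one vault for short-lived anti-ransomware copies, one for long retention.
LOCKS = [
    VaultLock("fsi-short-lived", min_retention_days=1, max_retention_days=7, changeable_for_days=3),
    VaultLock("fsi-long-term", min_retention_days=35, max_retention_days=3650, changeable_for_days=3),
]
RULES = [
    BackupRule("anti-ransomware-hourly", "fsi-short-lived", "cron(0 * * * ? *)", delete_after_days=3),
    BackupRule("daily-long-term", "fsi-long-term", "cron(0 2 * * ? *)", 365, move_to_cold_after_days=30),
    BackupRule("misplaced-short-lived", "fsi-long-term", "cron(0 * * * ? *)", delete_after_days=3),
    BackupRule("cold-too-short", "fsi-long-term", "cron(0 3 ? * SUN *)", 90, move_to_cold_after_days=30),
    BackupRule("unlocked-vault", "scratch", "cron(0 4 * * ? *)", delete_after_days=7),
]

if __name__ == "__main__":
    for name, problems in check_plan(RULES, LOCKS).items():
        print(name, "OK" if not problems else problems)
```

The two vaults are deliberate: a single vault cannot both permit three-day anti-ransomware copies and enforce a 35-day minimum on the long-term set, so the lock settings drive the vault layout rather than the other way round.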

For more information on how to protect against ransomware on AWS, see Ransomware Risk Management on AWS Using the NIST Cyber Security Framework (CSF).

Prescriptive guidance

  • Use Amazon S3 Object Lock for object storage immutability and ransomware protection within cloud storage.

  • Implement backup and restore processes to help you restore data to a point in time before data corruption, modification or destruction. AWS provides several solutions for backups to integrate with your operational and security incident recovery procedures.

    • Use AWS Backup with AWS Organizations to centrally deploy data protection policies to configure, manage, and govern your backup activities across your AWS accounts and resources.

    • Enable AWS Backup Vault Lock, which enforces a WORM (write-once-read-many) setting for the backups you store and create in a backup vault, so that neither a compromised principal nor an administrator can delete them before the retention period ends.

  • Because many ransomware events arise from unintended disclosure of static IAM access keys, AWS recommends that you use IAM roles that provide short-term credentials, rather than using long-term IAM access keys. This includes using identity federation for your developers who are accessing AWS, using IAM roles for system-to-system access, and using IAM Roles Anywhere for hybrid access.

  • Enable Amazon S3 protection in Amazon GuardDuty. With Amazon S3 protection, GuardDuty monitors object-level API operations to identify potential security risks for data in your Amazon S3 buckets. This includes findings related to anomalous API activity and unusual behavior related to your data in Amazon S3, and can help you identify a security event early on.

  • Enable Amazon GuardDuty Malware Protection across all AWS accounts in your organization, to help you detect the potential presence of malware by scanning the Amazon EBS volumes that are attached to the Amazon EC2 instances and container workloads.
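The GuardDuty findings produced by S3 protection and Malware Protection are only useful against ransomware if the response team can tell which ones mark an active stage of an attack (malware staged on compute, bulk overwrite or deletion in a bucket, exfiltration ahead of extortion) and act on those first. The following triage routine, an added example written for this page and not AWS code, maps GuardDuty finding types to a ransomware stage and priority, groups findings per affected resource, and attaches the first containment steps. The finding type names are GuardDuty's own; the finding records, bucket name, instance ID and finding IDs are constructed samples shaped like the `Type`, `Severity` and `Resource` fields of GuardDuty's GetFindings output, and the recommended actions are example playbook text, not AWS guidance.

```python
"""Triage GuardDuty findings for ransomware relevance. Added example, not AWS code."""

# GuardDuty finding type -> (ransomware stage, priority: 1 = act first)
RANSOMWARE_SIGNALS = {
    "Execution:EC2/MaliciousFile": ("malware staged on compute", 2),
    "Execution:Container/MaliciousFile": ("malware staged on compute", 2),
    "Exfiltration:S3/AnomalousBehavior": ("data theft before extortion", 2),
    "Impact:S3/AnomalousBehavior.Write": ("bulk overwrite or encryption", 1),
    "Impact:S3/AnomalousBehavior.Delete": ("destruction of data or backups", 1),
    "Impact:S3/AnomalousBehavior.Permission": ("tampering with bucket controls", 2),
    "Policy:S3/BucketBlockPublicAccessDisabled": ("exposure of data", 3),
}


def classify(finding_type: str):
    """Return (stage, priority) for a ransomware-relevant finding type, else None."""
    return RANSOMWARE_SIGNALS.get(finding_type)


def resource_id(finding: dict) -> str:
    """Pull the affected resource out of the finding's Resource block."""
    res = finding.get("Resource", {})
    if res.get("ResourceType") == "S3Bucket":
        return "s3://" + res["S3BucketDetails"][0]["Name"]
    if res.get("ResourceType") == "Instance":
        return res["InstanceDetails"]["InstanceId"]
    return res.get("ResourceType", "unknown")


def recommended_actions(entry: dict) -> list[str]:
    """Example first-response steps per resource kind (playbook text, not AWS guidance)."""
    actions = []
    if entry["resource"].startswith("s3://"):
        actions.append("confirm Object Lock / Vault Lock copies exist before touching the bucket")
        if entry["priority"] == 1:
            actions.append("revoke the acting principal's credentials and deny "
                           "s3:PutObject and s3:DeleteObject* on the bucket")
    else:
        actions.append("isolate the instance with a quarantine security group "
                       "and snapshot its volumes for forensics")
    return actions


def triage(findings: list[dict]) -> list[dict]:
    """Group ransomware-relevant findings per resource, highest priority first."""
    by_resource: dict[str, dict] = {}
    for f in findings:
        hit = classify(f["Type"])
        if hit is None:
            continue  # not a ransomware signal; leave it to the normal queue
        stage, prio = hit
        rid = resource_id(f)
        entry = by_resource.setdefault(rid, {"resource": rid, "priority": 9,
                                             "max_severity": 0.0, "stages": set(),
                                             "finding_ids": []})
        entry["priority"] = min(entry["priority"], prio)      # worst stage wins
        entry["max_severity"] = max(entry["max_severity"], float(f["Severity"]))
        entry["stages"].add(stage)
        entry["finding_ids"].append(f["Id"])
    ordered = sorted(by_resource.values(), key=lambda e: (e["priority"], -e["max_severity"]))
    for entry in ordered:
        entry["stages"] = sorted(entry["stages"])
        entry["actions"] = recommended_actions(entry)
    return ordered


# Constructed sample findings (IDs, bucket and instance names are made up).
SAMPLE_FINDINGS = [
    {"Id": "f-001", "Type": "Impact:S3/AnomalousBehavior.Delete", "Severity": 8.0,
     "Resource": {"ResourceType": "S3Bucket", "S3BucketDetails": [{"Name": "fsi-ledger-archive"}]}},
    {"Id": "f-002", "Type": "Exfiltration:S3/AnomalousBehavior", "Severity": 5.0,
     "Resource": {"ResourceType": "S3Bucket", "S3BucketDetails": [{"Name": "fsi-ledger-archive"}]}},
    {"Id": "f-003", "Type": "Execution:EC2/MaliciousFile", "Severity": 8.0,
     "Resource": {"ResourceType": "Instance", "InstanceDetails": {"InstanceId": "i-0123456789abcdef0"}}},
    {"Id": "f-004", "Type": "Recon:EC2/PortProbeUnprotectedPort", "Severity": 2.0,
     "Resource": {"ResourceType": "Instance", "InstanceDetails": {"InstanceId": "i-0123456789abcdef0"}}},
]

if __name__ == "__main__":
    for entry in triage(SAMPLE_FINDINGS):
        print(entry["priority"], entry["resource"], entry["stages"], entry["actions"])
```

Grouping by resource is what turns two medium findings on one bucket into a single high-priority case: the delete and the exfiltration together read as double extortion, which a per-finding queue sorted only by severity would split apart.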
