New York’s Department of Financial Services (DFS) recently published a letter with their guidance on how regulated entities should work to prevent and mitigate ransomware attacks. The letter includes nine controls that regulated entities are expected to implement. The letter is important for both regulated financial companies and the MSSPs that provide services to them. In order to work with regulated entities, MSSPs will have to show how they can help their clients follow DFS’ recommendations.
Fighting ransomware requires technology that codifies effective processes like those recommended by DFS, quickly makes sense of information from disparate security tools, and coordinates the appropriate response. The only technology that can do all of that is SOAR. Let’s be clear, SOAR is no magic bullet against ransomware, but for MSSPs and SOCs protecting financial companies, it is a critical piece of the “defense in depth” required to minimize risk. D3 XGEN SOAR is particularly well suited to help regulated entities implement DFS’ controls, as we will cover in more detail later on.
You don’t often hear “good news” in discussion of ransomware, but the guidance letter says, “the good news is that most ransomware attacks can be prevented.” This is because ransomware attackers consistently repeat the same techniques. In the 74 recent attacks studied by the DFS, attackers accessed the target’s network via phishing, exploiting unpatched vulnerabilities, or exploiting remote desktop protocols. The attackers would then escalate their privileges—often by stealing and cracking encrypted passwords—in order to deploy their ransomware.
The guidance letter notes that the techniques repeatedly used by ransomware attackers have known countermeasures that can help protect their targets. D3 XGEN SOAR helps financial services companies prioritize important techniques, identify when they are detected in their environment, and automatically trigger the right response. Based on the indicators and behaviors found in event data, D3 can trigger ransomware-specific playbooks to interrupt the predictable sequence of these attacks. These capabilities enable MSSPs to show their clients that they have playbooks and processes in place to address the most common scenarios for ransomware attacks.
The letter includes nine specific controls that regulated companies are expected to implement whenever possible. The first seven focus on preventing ransomware and the final two cover preparing for a ransomware incident. Here are the nine controls, with a brief explanation of how D3 can help regulated companies implement and maintain them.
The guidance stresses the importance of using both training and technological solutions to protect against phishing emails. In order to help companies avoid phishing attacks, D3 ingests reports of potential phishing attempts, groups them together based on IOCs, and presents analysts with a complete view of the phishing campaign for easy management. D3’s phishing incident response playbooks correlate the IOCs against threat intelligence to determine the level of risk and orchestrate remediation actions across endpoints and other systems.
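As an added illustration of the grouping and risk-rating just described (example code written for this article, not D3’s own implementation), the script below clusters phishing reports that share any IOC into a single campaign and rates each campaign by the worst threat-intel verdict among its IOCs. The reports and the verdict table are constructed sample data.

```python
from collections import defaultdict

# Constructed sample phishing reports: each lists the IOCs extracted from a
# user-submitted email (sender domain, URL, attachment hash). Defanged on purpose.
REPORTS = [
    {"id": "r1", "iocs": {"login-invoice[.]example", "hxxp://login-invoice[.]example/a"}},
    {"id": "r2", "iocs": {"hxxp://login-invoice[.]example/a", "sha256:aaaa"}},
    {"id": "r3", "iocs": {"sha256:bbbb", "payroll-update[.]example"}},
    {"id": "r4", "iocs": {"sha256:aaaa"}},
]

# Constructed threat-intel verdicts keyed by IOC; anything not listed is "unknown".
THREAT_INTEL = {"sha256:aaaa": "malicious", "login-invoice[.]example": "suspicious"}
RISK_RANK = {"unknown": 0, "suspicious": 1, "malicious": 2}


def group_campaigns(reports):
    """Union-find over reports: any two reports sharing an IOC join the same campaign."""
    parent = {r["id"]: r["id"] for r in reports}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving
            x = parent[x]
        return x

    first_seen = {}  # IOC -> id of the first report that carried it
    for r in reports:
        for ioc in r["iocs"]:
            if ioc in first_seen:
                parent[find(r["id"])] = find(first_seen[ioc])
            else:
                first_seen[ioc] = r["id"]
    campaigns = defaultdict(lambda: {"reports": [], "iocs": set()})
    for r in reports:
        root = find(r["id"])
        campaigns[root]["reports"].append(r["id"])
        campaigns[root]["iocs"] |= r["iocs"]
    return dict(campaigns)


def score_campaign(campaign, intel):
    """A campaign's risk is the worst verdict returned for any of its IOCs."""
    verdicts = [intel.get(i, "unknown") for i in campaign["iocs"]]
    return max(verdicts, key=lambda v: RISK_RANK[v])


def campaign_summary(reports, intel):
    """Stable output for analysts/tests: (sorted report ids, risk) per campaign."""
    rows = [(tuple(sorted(c["reports"])), score_campaign(c, intel))
            for c in group_campaigns(reports).values()]
    return sorted(rows)
```

Running `campaign_summary(REPORTS, THREAT_INTEL)` links r1, r2 and r4 through the shared URL and hash into one malicious campaign, while r3 stays separate and unrated because none of its IOCs has a verdict.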
The guidance says companies should have a documented program for managing vulnerabilities, including automatic security patches and updates. By coordinating through D3, companies can systematize and automate their vulnerability management. D3 integrates with vulnerability management tools to trigger vulnerability scans, ingest the reports, and parse the results. D3 can then orchestrate response tasks to quickly remediate vulnerabilities. Running vulnerability scans and generating tickets for security patching can be automated in D3 on a set schedule.
The guidance underlines the effectiveness of using MFA for user accounts to prevent hackers from accessing the network and escalating privileges. In addition to using MFA for D3 logins, D3 can also run playbooks to identify systems and accounts that are not using MFA and assign tasks to update them.
The guidance tells regulated entities to disable remote desktop protocol access whenever possible, and when it is absolutely necessary, to restrict it to whitelisted sources. D3 integrates with firewalls to make it easy to change rules like restricting RDP access or updating whitelists.
Password management and access restriction are key to containing not only ransomware but any malicious threat actor. D3 has a multitude of integrations with password managers to make it easy to manage your users and to take action in situations where credentials are stolen or used with malicious intent.
The guidance recommends users be given the least access possible to perform their jobs, and that companies carefully protect, audit, and minimize the use of privileged accounts. D3 helps companies quickly respond to potentially compromised user accounts. D3 users can set up prioritization rules to revoke access automatically—or with one-click analyst approval—when a privileged account is involved in a security event. All contextual data related to the compromise is aggregated in one place for quick analysis. D3 also has strict, role-based access controls for users within the system itself.
The guidance says companies must have methods to monitor systems and respond to suspicious activity. The suggested methods include EDR and SIEM. D3 integrates with every type of monitoring and detection tool, including EDR and SIEM. D3 uses the data provided by EDR tools to correlate across the security stack and quickly uncover attacks. D3’s SIEM integrations give analysts full contextual information and response tools when investigating SIEM events.
In the first of the two controls that cover preparing for an incident (the first seven covered preventing one), the guidance dictates that regulated entities should maintain multiple backups, at least one set of which should be segregated from the network. Companies should periodically test that they are able to restore systems using the backups. While this type of task is largely outside the scope of SOAR, D3 can support this control by creating a scheduled task that automatically notifies the responsible parties when it is time to test the backups.
In the second incident preparation control, the guidance says that companies should have incident response plans that specifically address ransomware. D3 houses complete libraries of end-to-end IR plans that encompass detection through remediation, and even extend beyond the security team to departments like IT Ops, Privacy, and Forensics. Out of the box playbooks are designed for numerous incident types. Playbooks can be easily customized and updated to change processes, people involved, integrated tools, threat intelligence sources, and more.
The guidance letter calls ransomware a crisis that “threatens every financial services company and their customers,” which isn’t hyperbole. Security professionals working in-house or providing managed services need the best tools possible to combat this crisis. As you’ve seen, D3 XGEN SOAR can be a cornerstone of your anti-ransomware efforts.
The value of D3 goes far beyond helping implement the nine controls DFS recommends. For example, DFS also reminds regulated entities in the guidance letter that they will need to report ransomware attacks within 72 hours to maintain compliance with 23 NYCRR 500. D3 makes this type of reporting much easier by eliminating data silos and even has reporting templates and bulk upload features customized to common compliance requirements.
If you’re ready to see for yourself how D3 XGEN SOAR can help you in the fight against ransomware attacks and other advanced threats, schedule a demo today.