
Potential Cloud-Native Ransomware Attack

This alert occurs when Lacework detects a potential ransomware attack on your cloud-native infrastructure.

Why this Alert is Important

A ransomware attack on cloud-native infrastructure can be costly: encrypted or deleted data means lost productivity, delays in serving customers, operational technology outages, and, for manufacturers, production line shutdowns.

Investigation

Preventing a ransomware attack is difficult, because attackers usually gain their initial foothold by targeting unsuspecting employees, most often through some form of phishing.

To investigate and respond to a ransomware incident, you need to have already collected and stored the relevant forensic data. Start with an analysis that identifies the digital assets that, if compromised, would have a significant negative impact on your business. Next, map the pathways and intermediate assets an attacker would most likely compromise on the way to those assets. Then validate the result by simulating a critical incident and confirming that the data you collect is sufficient to reconstruct and respond to it.
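One concrete check to run against the data you collect, as an added example that is not part of this page or of Lacework's detection logic: a burst of delete or overwrite operations by a single principal is a common early signal of ransomware in object storage. The script below replays constructed, CloudTrail-style audit events (the field names `eventName`, `userIdentity.arn` and `eventTime`, the account ID and the principal ARNs are all assumptions made for the example) and flags any principal that performs a threshold number of destructive operations inside a sliding time window.

```python
"""Burst detector for destructive object-storage operations.

Added example, not Lacework code. The event shape is an assumption modelled on
CloudTrail-style records; the sample events and principals are constructed.
"""
from collections import defaultdict, deque
from datetime import datetime, timezone

# Operations that destroy or overwrite data. Hand-picked for this example,
# not an authoritative inventory of destructive API calls.
DESTRUCTIVE_OPS = {
    "DeleteObject", "DeleteObjects", "DeleteObjectVersion",
    "DeleteBucket", "PutBucketLifecycle", "CopyObject",
}

# Constructed principals (account ID is a placeholder).
ALICE = "arn:aws:iam::123456789012:user/alice"
CI_ROLE = "arn:aws:sts::123456789012:assumed-role/ci-deploy/session"


def parse_time(ts):
    """Parse the fixed-width UTC timestamp used by the sample events."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def detect_bursts(events, threshold=5, window_seconds=60):
    """Return {principal: {"count", "first", "last"}} for every principal that
    issued >= threshold destructive operations inside any window_seconds span.
    The count recorded is the largest window observed for that principal."""
    per_principal = defaultdict(deque)   # principal -> timestamps in current window
    findings = {}
    # Timestamps are fixed-width ISO strings, so lexical order is chronological.
    for ev in sorted(events, key=lambda e: e["eventTime"]):
        if ev["eventName"] not in DESTRUCTIVE_OPS:
            continue
        principal = ev["userIdentity"]["arn"]
        t = parse_time(ev["eventTime"])
        window = per_principal[principal]
        window.append(t)
        # Drop events that fell out of the sliding window.
        while (t - window[0]).total_seconds() > window_seconds:
            window.popleft()
        if len(window) >= threshold:
            prev = findings.get(principal)
            if prev is None or len(window) > prev["count"]:
                findings[principal] = {
                    "count": len(window),
                    "first": window[0].isoformat(),
                    "last": t.isoformat(),
                }
    return findings


def _ev(name, arn, ts):
    return {"eventName": name, "userIdentity": {"arn": arn}, "eventTime": ts}


# Constructed sample: alice does two deletes 40 minutes apart (normal use);
# a CI role deletes eight objects in 21 seconds (ransomware-like burst).
SAMPLE_EVENTS = [
    _ev("GetObject", ALICE, "2024-05-01T10:00:00Z"),
    _ev("DeleteObject", ALICE, "2024-05-01T10:05:00Z"),
    _ev("DeleteObject", ALICE, "2024-05-01T10:45:00Z"),
] + [
    _ev("DeleteObject", CI_ROLE, f"2024-05-01T11:00:{i * 3:02d}Z") for i in range(8)
]

if __name__ == "__main__":
    for principal, info in detect_bursts(SAMPLE_EVENTS).items():
        print(f"BURST {principal}: {info['count']} destructive ops "
              f"between {info['first']} and {info['last']}")
```

With the defaults (5 operations in 60 seconds) only the CI role is flagged; loosening the window to an hour with a threshold of 2 also flags alice, which illustrates why thresholds should be tuned per principal type (service roles that legitimately rotate objects in bulk need a baseline, interactive users rarely do).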

Resolution

Organizations can take the following steps to reduce the exposure of their cloud-native applications to ransomware:

  • Deploy Least Privilege – Implement an authorization approach that grants each identity only the entitlements required for its business function. A compromised identity can then only encrypt or delete the data it was entitled to touch, which limits the blast radius of an infection.

  • Reduce Potential Risks – Apply best practices to avoid or remove the common misconfigurations and vulnerabilities that ransomware uses to compromise identities and run malware.

  • Collect and Store Relevant Forensic Data – Implement logging and monitoring that surfaces suspicious behaviors (for example, bulk deletion or overwriting of data, or changes to backup and retention settings), so that a ransomware attack is detected and responded to early.

  • Delete Prevention – To prevent malicious deletions, use the out-of-the-box features and settings the cloud provider already offers for cloud-native applications, such as object versioning, retention or immutability locks, and deletion that requires MFA.
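To make the least-privilege and delete-prevention points concrete, here is an added example (not Lacework tooling, and not from this page) that lints IAM-style policy documents for the entitlements ransomware needs: wildcard actions, and destructive actions granted on every resource or without any condition. The policy JSON shape (`Statement`, `Effect`, `Action`, `Resource`, `Condition`) follows the AWS IAM format; the two policies, the bucket name, the account ID and the list of destructive actions are assumptions constructed for illustration.

```python
"""Least-privilege lint for IAM-style policy documents.

Added example, not Lacework code. Policy format follows the AWS IAM JSON shape;
both sample policies below are constructed.
"""
import fnmatch
import json

# Actions that destroy data or disable the controls protecting it. Hand-picked
# for this example; a real linter would load a maintained inventory.
DESTRUCTIVE_ACTIONS = [
    "s3:DeleteObject", "s3:DeleteObjectVersion", "s3:DeleteBucket",
    "s3:PutBucketVersioning", "s3:PutLifecycleConfiguration",
    "s3:PutBucketObjectLockConfiguration", "kms:ScheduleKeyDeletion",
    "kms:DisableKey", "rds:DeleteDBSnapshot", "ec2:DeleteSnapshot",
]


def _as_list(value):
    """IAM allows a string or a list in Action/Resource; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _matches(pattern, action):
    """IAM action matching is case-insensitive and supports '*' and '?'."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def lint_policy(policy):
    """Return a list of (statement id, finding kind, action pattern).
    Only Allow statements with Action/Resource are examined; NotAction and
    NotResource are out of scope for this example."""
    findings = []
    for idx, st in enumerate(policy.get("Statement", [])):
        if st.get("Effect") != "Allow":
            continue
        sid = st.get("Sid", f"Statement[{idx}]")
        actions = _as_list(st.get("Action", []))
        resources = _as_list(st.get("Resource", []))
        has_condition = bool(st.get("Condition"))
        wildcard_resource = any(r == "*" for r in resources)
        for pat in actions:
            if pat == "*" or pat.endswith(":*"):
                findings.append((sid, "wildcard-action", pat))
            granted = [a for a in DESTRUCTIVE_ACTIONS if _matches(pat, a)]
            if granted and wildcard_resource:
                findings.append((sid, "destructive-on-all-resources", pat))
            elif granted and not has_condition:
                findings.append((sid, "destructive-without-condition", pat))
    return findings


# Constructed "before": a typical over-broad application role.
OVERPRIVILEGED = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "AppAccess", "Effect": "Allow", "Action": "s3:*", "Resource": "*"},
        {"Sid": "Keys", "Effect": "Allow",
         "Action": ["kms:Decrypt", "kms:ScheduleKeyDeletion"],
         "Resource": "arn:aws:kms:us-east-1:123456789012:key/*"},
    ],
}

# Constructed "after": read/write on one bucket, decrypt only, and deletion
# restricted to a scratch prefix and gated on MFA.
LEAST_PRIVILEGE = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "ReadWriteAppBucket", "Effect": "Allow",
         "Action": ["s3:GetObject", "s3:PutObject"],
         "Resource": "arn:aws:s3:::app-data-bucket/*"},
        {"Sid": "DecryptOnly", "Effect": "Allow", "Action": "kms:Decrypt",
         "Resource": "arn:aws:kms:us-east-1:123456789012:key/*"},
        {"Sid": "DeleteScratchWithMfa", "Effect": "Allow",
         "Action": "s3:DeleteObject",
         "Resource": "arn:aws:s3:::app-data-bucket/tmp/*",
         "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}}},
    ],
}

if __name__ == "__main__":
    for name, policy in (("overprivileged", OVERPRIVILEGED),
                         ("least-privilege", LEAST_PRIVILEGE)):
        print(name, json.dumps(lint_policy(policy), indent=2))
```

The over-broad policy produces three findings (a wildcard action, destructive actions on every resource, and key deletion without a condition); the hardened policy produces none. Note that the hardened role can still overwrite objects it is allowed to write, so it should be paired with the delete-prevention controls above (versioning and retention locks) so that an overwrite is recoverable rather than destructive.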