Key Takeaways for Ransomware Defense Strategy: 

  • Adopt a strategy of “assume breach” combined with “defense in depth”.
  • Diverse log sources facilitate efficient investigations and rapid identification of abnormalities.
  • Leverage your security partnerships to achieve greater transparency and collaboration.

What is Ransomware Defense?

Ransomware defense refers to the comprehensive measures put in place to prevent, detect, and respond to ransomware attacks. It involves a combination of people, processes, and technology aimed at mitigating threats posed by ransomware.

Ransomware defense efforts should always include ransomware attack prevention, but there is also significant strategic value in ransomware detection and containment. Realistically, it’s impossible to prevent every attack or intrusion, so focus on both prevention and detection to achieve full coverage.

How Do Ransomware Attack Groups Operate and How Do I Defend Against Them?

Today, ransomware attacks are more sophisticated and often executed by formal organizations with structured operations. Gone are the days when such attacks were carried out by lone individuals in remote locations. Ransomware groups operate like corporate entities and your defensive strategies can discourage them from attacking and protect you.

Increase Ransomware Actor’s Spend

Your goal with ransomware defense ultimately should be to increase the attacker’s spend through your implementation of defensive strategies. The more security controls, logging, and automated solutions you have in place, the harder and more expensive it is for these ransomware enterprises to operate against you. At the end of the day, ransomware groups must weigh the potential gain against the effort required to breach a company’s security barriers. If you are the slowest gazelle, or the least protected, then you have a high risk of falling prey to attacks.

Stay Up to Date with Your Ransomware Defense

Consider that ransomware actors invest in research and development the same way many enterprises do. They stay up to date with evasions. They stay up to date with novel techniques. They hire programmers to constantly improve and iterate on their own tooling. You should be doing the same and investing in innovation when it comes to your own defenses.

What Ransomware Defense Strategy Should My Organization Have?

A mitigation mindset is critical to defend against ransomware. Today, a ransomware defense strategy should be twofold: one, assuming breach, and two, adopting defense-in-depth strategies.

The Best Defense Against Ransomware Is to Assume Breach

Always assume a breach regardless of how well-protected you think you are. It’s crucial to not let your ego get in the way or make assumptions that you’re immune to an attack.

Ransomware Security Controls Alone Are Not Enough to Prevent an Attack

By implementing defensive strategies, like multifactor authentication (MFA), encryption of sensitive data, and regular backups, you can make it more difficult for attackers to cause damage. But breaches happen to even the most secure systems. No tool or measure is foolproof.

Understand Your Environmental Baseline

Understanding your environmental baselines lets you quickly identify abnormalities. The only way to do this is by collecting as many different, disparate data sources as possible. For example, your EDR logs show you what is happening on endpoints, but you can also gather data from your email gateways and from DNS. The more you can measure, the more you can baseline.

Consider All Phases of An Infection and Invest Throughout Them

Don’t spend all of your budget on one security control like phishing prevention, and then spend nothing on backups. Pay for the phishing defenses, but don’t rely on them as your sole line of defense.

An example of investing time in other defenses and detection is using DNS queries. As you consider different areas of attack, here are some things you would want to watch out for:

  • Is this the first time that a domain has been queried on the network ever?
  • Is this a rare domain to be querying?
  • Is this the first time we’ve seen a group of computers accessing this domain?

Adopt the assume breach mindset, and invest into all phases of the attack lifecycle.
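The three DNS questions above, implemented as a small baselining routine. This is an added example, not code from the original article: the log format, hostnames, domains and the "rare" threshold are all constructed assumptions. It builds a domain-to-hosts map from a historical log, then answers "first time ever on the network", "rarely queried" and "first time for this host" for each new query, folding each query into the baseline as it goes so that a domain several machines start hitting at once is flagged for each of them.

```python
from collections import defaultdict

# Constructed sample: historical DNS queries, one per line,
# "<timestamp> <host> <domain>". Format and hostnames are assumptions.
BASELINE_LOG = """\
2024-03-01T08:02:11Z ws-finance-01 login.microsoftonline.com
2024-03-01T08:02:13Z ws-finance-01 outlook.office365.com
2024-03-01T08:05:40Z ws-sales-07 login.microsoftonline.com
2024-03-01T09:12:02Z ws-sales-07 updates.example-crm.test
2024-03-01T09:30:55Z ws-hr-03 login.microsoftonline.com
2024-03-02T10:15:22Z ws-hr-03 outlook.office365.com
2024-03-02T11:45:09Z ws-sales-07 cdn.example-crm.test
"""

# Constructed sample: new queries to evaluate against the baseline.
NEW_LOG = """\
2024-03-03T02:14:33Z ws-finance-01 login.microsoftonline.com
2024-03-03T02:15:01Z ws-finance-01 updates.example-crm.test
2024-03-03T02:15:02Z ws-finance-01 a1b2c3.file-drop.example
2024-03-03T02:16:47Z ws-hr-03 a1b2c3.file-drop.example
"""


def parse_dns_log(text):
    """Yield (timestamp, host, domain) tuples; domains are normalised."""
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, host, domain = line.split()
        yield ts, host, domain.lower().rstrip(".")


class DnsBaseline:
    """Tracks which hosts have queried which domains."""

    def __init__(self, rare_threshold=2):
        # Assumption: a domain seen from fewer than this many hosts is "rare".
        self.rare_threshold = rare_threshold
        self.domain_hosts = defaultdict(set)

    @classmethod
    def from_log(cls, text, rare_threshold=2):
        baseline = cls(rare_threshold)
        for _ts, host, domain in parse_dns_log(text):
            baseline.domain_hosts[domain].add(host)
        return baseline

    def assess(self, host, domain):
        """Answer the three questions for one query, as a list of labels."""
        hosts = self.domain_hosts.get(domain)
        if not hosts:
            return ["first-seen-on-network"]
        findings = []
        if len(hosts) < self.rare_threshold:
            findings.append("rare-domain")
        if host not in hosts:
            findings.append("first-seen-for-host")
        return findings

    def observe(self, host, domain):
        self.domain_hosts[domain].add(host)


def evaluate(new_log, baseline):
    """Assess each new query, then fold it into the baseline so that a domain
    several hosts start querying at once is flagged for every one of them."""
    alerts = []
    for ts, host, domain in parse_dns_log(new_log):
        findings = baseline.assess(host, domain)
        if findings:
            alerts.append((ts, host, domain, findings))
        baseline.observe(host, domain)
    return alerts


if __name__ == "__main__":
    for ts, host, domain, findings in evaluate(NEW_LOG, DnsBaseline.from_log(BASELINE_LOG)):
        print(ts, host, domain, ", ".join(findings))
```

In production the baseline would be persisted and aged (a domain first seen a year ago should not stay "rare" forever), and the threshold tuned per network size; the point here is that all three questions fall out of one cheap data structure once DNS is collected at all.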

Adopt Defense In Depth Strategies to Defend Against Ransomware

A defense in depth strategy is a security approach of establishing layered detection pipelines and security controls throughout your network. Realistically there is a cost associated with integrating multiple data sources, but strategies like defense in depth increase the effort required from the ransomware group. In their risk evaluation of cost vs. gain, your organization won’t be worth infiltrating.

You can implement preventative security measures in each of the following layers:

First Layer: Security Controls

This layer includes your application-/protocol-aware firewalls like a Palo Alto, your EDR, and your email gateways. These are the tools and software you buy and deploy within your environment. They can be preventative access controls, such as a firewall blocking an IP address, that help you mitigate risk.

Second Layer: Detection Pipelines

The second layer involves using these tools, like an EDR, to feed your detection pipelines: the logical processes you have in place to collect, process, analyze, and react to events happening inside your environment.

This isn’t just collecting logs. It’s the pipeline from collection to reaction as a whole. Spend effort on the variety of your pipeline and, going back to the assume-breach mindset, consider your own environment and the different mechanisms an attacker may be able to leverage in it. This will help you prioritize what’s important.

Third Layer: Security Design

The third layer, comprehensive security design, builds on your security controls and your detection pipelines. As new elements get added to your security architecture, always spend some time considering how they affect the security posture of your organization as a whole.

When adopting a new technology, consider the risks that are associated.

  • How does this affect your backup strategy?
  • How does this affect your detection pipelines?
  • What new action does this open for us?

Examples of Assume-Breach and Defense-in-Depth Ransomware Strategies

Defensive strategies are proven to help mitigate the threat of ransomware. They have the primary goal of imposing costs onto your threat actors. In these areas of defense, we’ll talk about how assuming breach and defense in depth apply. 


The most common vector seen used in ransomware is phishing. Yes, phishing attacks are pervasive and have only increased in recent years, but don’t put all your eggs in one basket. Assume breach (your current phishing security practices will not capture all phishing attacks) and defend in depth (try to achieve a state where you can trace the entirety of the interaction).

Here is how you can apply this defense against ransomware: 

  • Use an email gateway to see when an email comes in, see the attachments, and where it came from. 
  • Detect whether the user opened it or not. If so, did they click, and what happened next?
    • Email logging – who sent and received the email?
    • Traffic logging – did the user visit the link?
    • Execution logging – did something run after the user clicked?
    • Authentication logging – were the user’s credentials compromised?
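The "trace the entirety of the interaction" idea from the list above, as an added example that is not part of the original article: four constructed log sources (email gateway, web proxy, process execution, authentication) are joined per recipient within a time window, and each email is carried through the stages delivered, clicked, executed, and authenticated-from-a-new-IP. The event shapes, field names, the two-hour window, the set of client parent processes and the known-IP table are all assumptions made for the example.

```python
from datetime import datetime, timedelta
from urllib.parse import urlparse


def parse_ts(s):
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


# Assumption: a process spawned directly by the mail client or browser is
# the "did something run after the click" signal.
CLIENT_PARENTS = {"outlook.exe", "msedge.exe", "chrome.exe"}

# Constructed sample: the source IPs each user normally authenticates from.
KNOWN_IPS = {"alice": {"10.0.4.21"}, "bob": {"10.0.4.33"}}

# Constructed sample events from the four log sources.
EMAIL_LOG = [
    {"ts": "2024-03-05T09:00:00Z", "sender": "invoices@supplier.example",
     "recipient": "alice", "url": "https://docs-share.invalid/inv/8812"},
    {"ts": "2024-03-05T09:01:00Z", "sender": "invoices@supplier.example",
     "recipient": "bob", "url": "https://docs-share.invalid/inv/8813"},
]
PROXY_LOG = [
    {"ts": "2024-03-05T09:12:30Z", "user": "alice", "url": "https://docs-share.invalid/inv/8812"},
    {"ts": "2024-03-05T09:13:02Z", "user": "alice", "url": "https://docs-share.invalid/loader.js"},
    {"ts": "2024-03-05T09:20:00Z", "user": "bob", "url": "https://intranet.example/"},
]
EXEC_LOG = [
    {"ts": "2024-03-05T09:13:40Z", "user": "alice", "parent": "msedge.exe", "image": "powershell.exe"},
    {"ts": "2024-03-05T09:30:00Z", "user": "bob", "parent": "explorer.exe", "image": "excel.exe"},
]
AUTH_LOG = [
    {"ts": "2024-03-05T09:45:10Z", "user": "alice", "src_ip": "198.51.100.77", "result": "success"},
    {"ts": "2024-03-05T09:50:00Z", "user": "bob", "src_ip": "10.0.4.33", "result": "success"},
]

STAGES = ["delivered", "clicked", "executed", "auth_from_new_ip"]


def trace_email(mail, proxy, execs, auths, known_ips, window=timedelta(hours=2)):
    """Follow one email through the later log sources and record each stage."""
    user = mail["recipient"]
    t0 = parse_ts(mail["ts"])
    end = t0 + window
    host = urlparse(mail["url"]).hostname
    trace = {"user": user, "delivered": mail["ts"], "clicked": None,
             "executed": None, "auth_from_new_ip": None}

    def within(ev, start):
        return start <= parse_ts(ev["ts"]) <= end

    # Traffic logging: did the user visit the link's host after delivery?
    clicks = [p for p in proxy if p["user"] == user and within(p, t0)
              and urlparse(p["url"]).hostname == host]
    if clicks:
        trace["clicked"] = clicks[0]["ts"]
        # Execution logging: did a client process spawn something after the click?
        t_click = parse_ts(trace["clicked"])
        for e in execs:
            if e["user"] == user and e["parent"] in CLIENT_PARENTS and within(e, t_click):
                trace["executed"] = e["image"]
                break
    # Authentication logging: a successful login from an IP this user never used.
    for a in auths:
        if (a["user"] == user and a["result"] == "success" and within(a, t0)
                and a["src_ip"] not in known_ips.get(user, set())):
            trace["auth_from_new_ip"] = a["src_ip"]
            break
    return trace


def furthest_stage(trace):
    """Name of the last stage for which there is evidence, e.g. 'clicked'."""
    reached = [s for s in STAGES if trace[s] is not None]
    return reached[-1]


def trace_all():
    return [trace_email(m, PROXY_LOG, EXEC_LOG, AUTH_LOG, KNOWN_IPS) for m in EMAIL_LOG]


if __name__ == "__main__":
    for t in trace_all():
        print(t["user"], "->", furthest_stage(t), t)
```

The useful property is that each stage is answered by a different log source, so losing any one of them (no proxy logging, no process telemetry) leaves a visible hole in the trace rather than a silent false negative; the furthest stage reached is what tells responders whether they are looking at a blocked email or a credential compromise.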

The goal is to increase the difficulty for the attacker. And you can do that by restricting what they can do. 

  • MFA – Prevent stolen credentials from being useful on their own by enforcing strong MFA practices.
  • Zero Trust – Make MFA tokens useless to an attacker by moving towards a zero-trust architecture, such as requiring client certificates for authentication.
    • Even if an attacker obtains credentials, they can’t log in without a client certificate.
    • Even if an attacker captures MFA, they can’t leverage credentials without additional work. 

The applications of these security measures give you an additional opportunity to detect the attack and put you in a much better state of preparedness. 


Authentication logs are an excellent source of data for implementing a defense in depth strategy. These logs can help you establish baselines for detecting abnormal activities. As you collect authentication events over time, you gain insight into what normal behavior looks like for a user and for an admin. Continuously collecting these artifacts increases the level of difficulty for an attacker trying to blend in.

You should be able to answer questions like: 

  • Location – Where are my users logging in from normally?  
  • Time – What time periods do they normally log in? (Time zones, normal work hours, etc.)  
  • Regularity – Has a user authenticated to a service before?
    • An example would be authentication information on a platform like Okta with multiple applications.
      • Has the user ever logged into the app after it was provisioned?
      • Is this suddenly the first time that they are logging in? That may or may not be suspicious, depending on if it is happening outside normal operating hours.
  • Endpoint fingerprints – Can you tell what fingerprint they are using to log in to an endpoint?
    • If the user agent has historically reported as using a MacBook for authentication and then suddenly you see a successful authentication with Python requests, that should immediately raise an alarm.  

It is a lot easier to whitelist these kinds of user agents than it is to blacklist known ones.  

  • Administrative behavior – Do your normal users ever open the command line?
    • If a salesperson suddenly opens PowerShell on their computer, that would be highly suspicious. 
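The location, time, regularity and endpoint-fingerprint questions above, turned into a per-user authentication baseline. This is an added example, not the article's or any vendor's code: the event format (timestamp, user, app, country, user-agent family), the history, the two-hour slack around observed login hours and the organisation-wide allowlist of user-agent families are all constructed assumptions. It demonstrates both the whitelisting point (an agent family outside the allowlist is flagged for everyone) and the per-user baseline (a known family that a particular user has never presented before).

```python
from collections import defaultdict
from datetime import datetime

# Assumption: user-agent families the organisation expects to see at all
# (the whitelist approach); anything else is flagged regardless of user.
ALLOWED_UA_FAMILIES = {"Safari/macOS", "Chrome/Windows", "Edge/Windows"}

# Assumption: logins this many hours outside a user's observed range still count as normal.
HOUR_SLACK = 2

# Constructed sample history: "<ts> <user> <app> <country> <ua_family>".
HISTORY = """\
2024-02-05T14:02:00Z alice okta-dashboard US Safari/macOS
2024-02-06T15:10:00Z alice salesforce US Safari/macOS
2024-02-07T13:55:00Z alice okta-dashboard US Safari/macOS
2024-02-05T08:30:00Z bob okta-dashboard DE Chrome/Windows
2024-02-06T09:05:00Z bob jira DE Chrome/Windows
2024-02-07T17:45:00Z bob jira DE Chrome/Windows
"""

# Constructed sample: new authentication events to evaluate.
NEW_EVENTS = """\
2024-03-01T14:20:00Z alice salesforce US Safari/macOS
2024-03-01T03:12:00Z alice okta-dashboard NL python-requests
2024-03-01T10:00:00Z bob confluence DE Chrome/Windows
"""


def parse_events(text):
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, app, country, ua = line.split()
        hour = datetime.fromisoformat(ts.replace("Z", "+00:00")).hour
        yield {"ts": ts, "user": user, "app": app, "country": country, "ua": ua, "hour": hour}


def build_profiles(history):
    """Per-user baseline: countries, login hours, apps and user-agent families seen."""
    profiles = defaultdict(lambda: {"countries": set(), "hours": set(), "apps": set(), "uas": set()})
    for ev in parse_events(history):
        p = profiles[ev["user"]]
        p["countries"].add(ev["country"])
        p["hours"].add(ev["hour"])
        p["apps"].add(ev["app"])
        p["uas"].add(ev["ua"])
    return profiles


def assess(ev, profiles):
    """Return anomaly labels for one event; an empty list means it fits the baseline."""
    p = profiles.get(ev["user"])
    if p is None:
        return ["unknown-user"]
    findings = []
    if ev["country"] not in p["countries"]:          # Location
        findings.append("new-country")
    lo, hi = min(p["hours"]) - HOUR_SLACK, max(p["hours"]) + HOUR_SLACK
    if not lo <= ev["hour"] <= hi:                   # Time
        findings.append("off-hours")
    if ev["app"] not in p["apps"]:                   # Regularity
        findings.append("first-login-to-app")
    if ev["ua"] not in ALLOWED_UA_FAMILIES:          # Endpoint fingerprint, org-wide
        findings.append("unknown-user-agent")
    elif ev["ua"] not in p["uas"]:                   # Endpoint fingerprint, per user
        findings.append("new-user-agent-for-user")
    return findings


def evaluate(new_events, history=HISTORY):
    profiles = build_profiles(history)
    return [(ev["ts"], ev["user"], assess(ev, profiles)) for ev in parse_events(new_events)]


if __name__ == "__main__":
    for ts, user, findings in evaluate(NEW_EVENTS):
        print(ts, user, findings or "baseline")
```

A "first login to an app" on its own is low signal, which is why the function returns every label rather than a verdict: the second alice event is interesting because it stacks a new country, an off-hours time and a non-browser user agent on a single authentication, whereas bob's first Confluence login during normal hours from his usual browser is probably just provisioning.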

Recovering from Ransomware 

Ransomware actors spend a lot of time focusing on minimizing your ability to recover from a ransomware deployment.  

As soon as they get access they are going to focus on certain things: 

  • Backup services – Making sure your backup services are rendered inoperable. 
  • Communication channels – Affecting your ability to communicate and organize within your team. 
    • Example: Slack. They use administrative credentials to log in to Slack and take it down. Does your team have a way to collaborate and coordinate outside of that in a channel or method that isn’t tied to your infrastructure?
  • Security servers – They will go after security-related servers to hinder your attempts to expel them.

Concentrate on maximizing your ability to recover from these sorts of scenarios with: 

  • Cold storage system – In addition to a hot backup every three days, keep a weekly backup that is disconnected from the network and cold, to ensure that you can rapidly recover.
  • Failover systems – These are designed with separate authentication paths so that no one person has all the keys to the kingdom.
    • Try to segment authentication to raise the difficulty for an attacker to operate.

Move Beyond Traditional MDR into Collaborative Response

With the layers of security measures, it makes sense that you move beyond traditional MDR into partnering collaboratively with your security providers.

It can be difficult to manage the multitude of events, sources, and detections that come in at scale. You can forward everything to your SIEM, but you might be missing out on the response portion. You can forward logs, but there are additional things you can do by leveraging the tools’ APIs.

APIs for security tooling can be difficult to deal with and maintain. In a perfect world, integrating these APIs needs a dedicated dev team focused on integrating with all these sources. Ideally, if you are partnered with someone that does a little bit more than traditional MDR work, you’d rely on their vendor integrations so you would not have to manage or develop them yourself. A perfect example of that is leveraging Office 365 APIs.

The detailed access activity that you can forward through the logs is great, but by leveraging the APIs you can start to do things like search for abnormal content within the emails inside your organization. That’s something that can only be done by collaborating more closely on integration with your partners.

You may want to drive an investigation. You may want to collaborate on an investigation, or even just observe it. You need a partner with flexibility and transparency. Simply getting a notification at the end of an investigation typically isn’t sufficient, and that’s what typical MDR vendors or providers will likely end up doing. Spend significant effort reviewing your partnerships and leverage a partner that truly delivers value.