When it comes to ransomware attacks, IT operations plays a big role alongside security experts. They identify, prevent and -- if all else fails -- mitigate the effects of ransomware.
A strong IT operations team is a weapon in security's arsenal, along with widespread security awareness across all employees -- in and out of IT. The IT team can prevent ransomware with regular patching and software updates, reduce the effect of an attack with good and frequent backups, lead the recovery to get systems up and running, and analyze logs to gain insights on the attack.
Keep software and systems up to date
One of the best ways to fight ransomware is prevention. IT teams must keep software and firmware up to date and install patches to close known vulnerabilities. The IT operations team should work with security on system updates. Security teams can advocate for updates and keep track of vendor bulletins, while IT operations implements changes and tracks system history.
Because these teams are separate groups in many companies, communication and coordination can be difficult. The security team should scan for new threats and issues and alert IT operations to required updates and their priority level. Ensure that IT operations manages patching activities. They should analyze all changes to IT systems to estimate the scope of downtime and any other effects from these updates, such as broken dependencies from new software versions.
Get to know ransomware
Ransomware is one of the many kinds of malware that infect corporate endpoint computers and servers. Ransomware takes control of data -- typically by encrypting files -- until the company pays the attackers to release it. Ransomware does not destroy data, as other types of attacks do. Also unique to ransomware, attackers alert their victim to the attack. High-profile ransomware attacks include 2017's WannaCry and Bad Rabbit outbreaks.
Workers can spread ransomware by opening email attachments or other infected downloads. It can also infiltrate a business through infected software, falsified OS messages and other means. Data center servers hosting mission-critical applications are lucrative targets for a ransomware attacker.
Maintain backups and testing plans
The better your organization's backups are, the less power ransomware attackers have. Backups should have much higher priority in IT than they often receive. Weak backup policies give ransomware the power to devastate an organization: With limited or no ability to restore systems, the business must engage with the ransomware attacker. While backups cannot prevent a ransomware attack, they can restore the data held hostage with minimal -- or no -- disruption or money lost.
IT operations teams should run backups at an appropriate frequency for business workloads and data. Additionally, they should have a system restore plan in place and test it frequently. Testing doesn't need to run through the full disaster recovery playbook. Instead, test the backup repository weekly with restores from a random sampling of servers. This routine operation helps ensure that backups are valid and available.
Additionally, coordinate backups with updates and patches. IT operations and security teams should review which endpoints and systems have updates available and set smart backup schedules.
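The weekly sampled restore test described above, as an added example that is not part of the original article: it builds a small constructed backup repository (one tar.gz archive plus a JSON manifest of SHA-256 hashes per server, a layout assumed for this illustration), restores a random sample of servers into a scratch directory, and hash-checks every restored file. The helper names (create_backup, verify_restore, weekly_restore_test, run_demo) are hypothetical.

```python
"""Sampled restore test for a backup repository.

Added example, not code from the original article. The repository
layout (repo/<server>.tar.gz + repo/<server>.manifest.json) and the
demo data are constructed for this illustration.
"""
import hashlib
import json
import os
import random
import tarfile
import tempfile


def sha256_file(path):
    """Stream a file through SHA-256 so large backups do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def create_backup(repo, server, source_dir):
    """Archive source_dir into repo/<server>.tar.gz and record a hash manifest."""
    manifest = {}
    for root, _, files in os.walk(source_dir):
        for name in files:
            full = os.path.join(root, name)
            manifest[os.path.relpath(full, source_dir)] = sha256_file(full)
    archive = os.path.join(repo, f"{server}.tar.gz")
    with tarfile.open(archive, "w:gz") as tar:
        for rel in manifest:
            tar.add(os.path.join(source_dir, rel), arcname=rel)
    with open(os.path.join(repo, f"{server}.manifest.json"), "w") as f:
        json.dump(manifest, f)
    return archive


def verify_restore(repo, server):
    """Restore one server's archive to scratch space and verify every file hash."""
    archive = os.path.join(repo, f"{server}.tar.gz")
    with open(os.path.join(repo, f"{server}.manifest.json")) as f:
        manifest = json.load(f)
    with tempfile.TemporaryDirectory() as scratch:
        with tarfile.open(archive, "r:gz") as tar:
            # The 'data' filter (Python 3.12+) refuses members that would escape
            # the target directory; older interpreters fall back to plain extraction.
            if hasattr(tarfile, "data_filter"):
                tar.extractall(scratch, filter="data")
            else:
                tar.extractall(scratch)
        for rel, expected in manifest.items():
            restored = os.path.join(scratch, rel)
            if not os.path.isfile(restored) or sha256_file(restored) != expected:
                return False
    return True


def weekly_restore_test(repo, sample_size, rng=random):
    """Pick a random sample of servers from the repository and verify each restore."""
    servers = sorted(n[: -len(".tar.gz")] for n in os.listdir(repo) if n.endswith(".tar.gz"))
    sample = rng.sample(servers, min(sample_size, len(servers)))
    return {server: verify_restore(repo, server) for server in sample}


def run_demo():
    """Build a constructed three-server repository, run the sampled test, then
    corrupt one manifest to show that a bad backup is reported as a failure."""
    with tempfile.TemporaryDirectory() as base:
        repo = os.path.join(base, "repo")
        os.mkdir(repo)
        for server in ("web01", "db01", "app01"):
            src = os.path.join(base, server)
            os.makedirs(os.path.join(src, "etc"))
            with open(os.path.join(src, "etc", "config.ini"), "w") as f:
                f.write(f"[server]\nname={server}\n")
            with open(os.path.join(src, "data.bin"), "wb") as f:
                f.write(os.urandom(4096))
            create_backup(repo, server, src)
        healthy = weekly_restore_test(repo, sample_size=2, rng=random.Random(7))
        # Simulate a damaged backup: a recorded hash no longer matches the archive.
        manifest_path = os.path.join(repo, "db01.manifest.json")
        with open(manifest_path) as f:
            manifest = json.load(f)
        manifest["data.bin"] = "0" * 64
        with open(manifest_path, "w") as f:
            json.dump(manifest, f)
        tampered = verify_restore(repo, "db01")
    return healthy, tampered


if __name__ == "__main__":
    print(run_demo())
```

In a real repository the manifest would be written at backup time and stored separately from the archive, so a restore that still matches it proves both that the archive is readable and that its contents are what was backed up, which is the "valid and available" check the article asks for.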
Lead the response
In the event of a successful ransomware attack, the company is in a race to understand the scope and depth of the ransomware's impact -- as well as its data recovery options.
Because ransomware is an attack, security teams assume they should handle the incident response communication and coordination. However, the IT operations team possesses the knowledge and access to keep systems online or bring them back to working order. Many enterprise applications are distributed across multiple environments, which complicates efforts to map an attack and its recovery. For ransomware attacks, IT operations should lead the response and bring in security for support.
After ransomware recovery, the security and IT operations teams should work together to understand what happened -- and how -- during the attack. IT operations should collect evidence in the form of logs and other monitoring information from affected systems.
Look for log data that shows how the system got infected in the first place. Then, determine what changes will prevent future ransomware success. Recovered systems are just the start -- a ransomware response must leave the IT environment safer than it was before.
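One way to start the log review the article describes, as an added example that is not from the original article: a small triage script over constructed endpoint log lines (space-separated key=value fields, a format assumed for this illustration) that flags hosts with a burst of file renames to a new extension and then lists the process launches recorded on that host just before the burst began, which is the evidence trail for how the system was infected in the first place. The thresholds and the log content are assumptions.

```python
"""Post-incident log triage over constructed endpoint logs.

Added example, not code from the original article. The log format,
every line in SAMPLE_LOG and the thresholds are constructed for this
illustration.
"""
import os
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: a user opens mail, launches an attachment, and the host
# then renames a dozen documents within seconds. A second host shows the normal
# handful of renames an office application produces.
BURST = [
    f"2024-03-04T09:13:{2 + i:02d} host=ws-17 type=file op=rename user=jdoe "
    f"path=C:/Users/jdoe/Documents/doc{i}.docx new=C:/Users/jdoe/Documents/doc{i}.docx.locked"
    for i in range(12)
]
SAMPLE_LOG = [
    "2024-03-04T09:12:01 host=ws-17 type=process user=jdoe image=outlook.exe parent=explorer.exe",
    "2024-03-04T09:12:40 host=ws-17 type=process user=jdoe image=attachment.pdf.exe parent=outlook.exe",
    *BURST,
    "2024-03-04T09:30:11 host=ws-22 type=process user=asmith image=winword.exe parent=explorer.exe",
    "2024-03-04T09:31:05 host=ws-22 type=file op=rename user=asmith path=C:/Users/asmith/~tmp.docx new=C:/Users/asmith/report.docx",
    "2024-03-04T09:32:30 host=ws-22 type=file op=rename user=asmith path=C:/Users/asmith/notes.txt new=C:/Users/asmith/notes.md",
]


def parse_line(line):
    """Turn '<timestamp> k=v k=v ...' into a dict with a datetime under 'ts'."""
    ts, *fields = line.split()
    event = {"ts": datetime.fromisoformat(ts)}
    for field in fields:
        key, _, value = field.partition("=")
        event[key] = value
    return event


def ext(path):
    return os.path.splitext(path)[1].lower()


def find_encryption_bursts(events, threshold=10, window=timedelta(seconds=60)):
    """Return {host: (burst_start, {new extensions})} for hosts where at least
    `threshold` renames that change the file extension fall inside one window."""
    per_host = defaultdict(list)
    for ev in events:
        if ev.get("type") == "file" and ev.get("op") == "rename" and ext(ev["path"]) != ext(ev["new"]):
            per_host[ev["host"]].append(ev)
    bursts = {}
    for host, evs in per_host.items():
        evs.sort(key=lambda e: e["ts"])
        start = 0
        for end in range(len(evs)):  # sliding window over the sorted renames
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            if end - start + 1 >= threshold:
                bursts[host] = (evs[start]["ts"], {ext(e["new"]) for e in evs[start:end + 1]})
                break
    return bursts


def process_trail(events, host, before, lookback=timedelta(minutes=30)):
    """Process launches on `host` in the lookback period before the burst started."""
    return [e for e in events
            if e["host"] == host and e.get("type") == "process"
            and before - lookback <= e["ts"] < before]


def triage(log_lines):
    """Flag hosts showing mass extension changes and attach their preceding processes."""
    events = [parse_line(line) for line in log_lines]
    report = {}
    for host, (start, exts) in find_encryption_bursts(events).items():
        report[host] = {
            "burst_start": start.isoformat(),
            "extensions": sorted(exts),
            "preceding_processes": [
                f"{e['image']} (parent {e.get('parent', '?')})" for e in process_trail(events, host, start)
            ],
        }
    return report


if __name__ == "__main__":
    for host, details in triage(SAMPLE_LOG).items():
        print(host, details)
```

The rename burst identifies which hosts need rebuilding from backup; the process trail on each flagged host is what the security and IT operations teams review together to decide which control (attachment handling, patching, user privileges) to change so the same entry point does not work again.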
Because ransomware threatens the business's data deliberately, many believe the fight against it is solely the security team's responsibility. But the best defense against ransomware is solid IT admin work. IT operations team members are subject matter experts on applications, infrastructure and support. Pair the security team's tools to identify, track and neutralize threats with the IT operations teams' maintenance expertise for strong ransomware prevention and recovery.