The New CISA/ MS-ISAC Ransomware Guide

8th October 2020


CISA and MS-ISAC (Multi-State Information Sharing & Analysis Center) recently released a Ransomware Guide which includes best practices for ransomware prevention and a checklist for ransomware response. Some organizations might decide not to address key security weaknesses because they believe that the cost for doing so may exceed the estimated cost of a ransomware attack, making it more convenient and strategically beneficial to pay the ransom. However, the option to pay up may soon be off the table. Krebs on Security shared on October 1, 2020, “Companies victimized by ransomware and firms that facilitate negotiations with the ransomware extortionists could face steep fines from the U.S. federal government…”(source) Ransomware is on the rise so it is more important than ever to adopt industry best practices to ensure your business capabilities aren’t compromised by greedy attackers.


Part 1 of the CISA guide addresses best practices for ransomware prevention. The most important is to be prepared. This includes maintaining backups and having a rehearsed incident response plan. The next recommended practice includes remediating vulnerabilities that can put your publicly accessible assets at risk. The guide recommends strong network hygiene — patching servers, blocking unnecessary ports, hardening your network. CISA goes on to identify phishing, identifying behaviors leveraged to deliver malware, third-party/vendor access as threat vectors to be aware of(source).


Part 2 of the guide includes an easy-to-read checklist enumerating the steps teams should take when responding to these attacks. Many businesses, particularly those fitting into the smaller or medium-sized category have substantial limitations when it comes to the visibility of their connected environment that can greatly impact their ability to adopt the CISA guidance. Fortunately, that is where CyGlass can help(source).


CyGlass is a Network Defense as a Service (NDaaS) provider designed especially for small and medium-sized businesses, providing asset discovery, protection policy management, and threat detection and response(source). CyGlass leverages cutting edge AI/ML algorithms to make sure you have all the key information to protect your network at your fingertips so you can focus your efforts on building your core business functions. Let’s dig into how an organization receiving an alert from CyGlass can easily react to a ransomware attack to contain the damage and keep critical systems running.


The first step in the process is to determine which systems and subnets were impacted so they can be isolated. Once an attacker is in your environment, even before deploying the ransomware, he or she will start moving around your network. CyGlass uses advanced proprietary AI algorithms to build a baseline for your organization, highlights deviations from that baseline, and identifies behaviors that indicate that attackers may be preparing to deploy malware in your network. If suspicious activity is occurring on one of your assets, CyGlass will send you an alert like this one:

This image shows a summary of the activity observed to generate the alert, but there is much more information your analyst can gather from the platform. CyGlass ingests NetFlow data which can be parsed in dozens of ways so you can get all the information you need to help you decide whether this new behavior is something that requires immediate action. The image below shows traffic related to this alert, clearly showing a substantial increase in outbound traffic between the printer and several other devices.

This network and communication data can help you understand where these unusual communications are occurring so your incident response team can perform the isolation activities CISA recommends.
Step two involves powering down devices if they cannot be isolated, but this can compromise critical data for subsequent forensic analysis. As such, turning boxes off should only occur as a last resort.

In step three, we begin triaging systems after they are isolated. A critical enabler to this process is having an updated asset inventory and appropriately classified data. CyGlass supports device identification and discovery, in addition to tagging so you can identify where your critical or regulated information resides. Once CyGlass is on your network, it can even suggest how new assets can be classified once they are detected. The image below shows how the platform presents newly added assets:

Once your new asset is added, keeping an eye on it is simple. Below you will see an image from the platform showing key assets with a device type, and threat score for each while some also are tagged to indicate the data contained.

As you can see, CyGlass supports a variety of functions in CISA/MS-ISAC’s recent guidance for ransomware protection and detection. This article focused on demonstrating the way CyGlass monitors your network and inventories network assets enabling you to understand your organization’s threatscape and enable strong incident response practices. To learn more about what CyGlass can do to protect your network from crippling ransomware, please contact us for a demo.