Best practices for mitigating ransomware attacks using Google Cloud

Last reviewed 2023-08-03 UTC

Code that was created by a third party to infiltrate your systems to hijack, encrypt, and steal data is referred to as ransomware. To protect your enterprise resources and data from ransomware attacks, you must put multi-layered controls in place across your on-premises and cloud environments. This document describes some best practices to help your organization identify, prevent, detect, and respond to ransomware attacks.

This document is part of a series that is intended for security architects and administrators. It describes how Google Cloud can help your organization mitigate the effects of ransomware attacks.

The series has the following parts:

Identify your risks and assets

To determine your organization's exposure to ransomware attacks, you must develop your understanding of the risks to your systems, people, assets, data, and capabilities. To help you, Google Cloud provides the following capabilities:

Manage your assets with Cloud Asset Inventory

To help mitigate ransomware attacks, you need to know what your organization's assets are, their state, and their purpose, both in Google Cloud and in your on-premises or other cloud environments. For static assets, maintain a baseline of the last known good configuration in a separate location.

Use Cloud Asset Inventory to obtain a five-week history of your resources in Google Cloud. Set up monitoring feeds to receive notifications when particular changes to resources occur, or when there are policy deviations. To track changes so that you can watch for attacks that progress over a longer time period, export the feed. To create the export, you can use tools like Terraform. For this type of analysis, you can export the inventory to a BigQuery table or a Cloud Storage bucket.

Assess and manage your risks

Use an existing risk assessment framework to help you catalog your risks and determine how capable your organization is in detecting and counteracting a ransomware attack. These assessments check factors like whether you have malware protection controls, properly configured access controls, database protection, and backups.

For example, the Cloud Security Alliance (CSA) provides the Cloud Controls Matrix (CCM) to assist organizations in their cloud risk assessments. For CCM information specific to Google Cloud, see New CIS Benchmark for Google Cloud Computing Platform.

To identify potential application gaps and take actions to remediate them, you can use threat models such as OWASP Application Threat Modeling. For more information on how you can help mitigate the top 10 OWASP security risks with Google Cloud, see OWASP Top 10 mitigation options on Google Cloud.

After you catalog your risks, determine how to respond to them, and whether you want to accept, avoid, transfer, or mitigate the risks. The Risk Protection Program provides access to Risk Manager and cyber insurance. Use Risk Manager to scan your workloads on Google Cloud and implement the security recommendations that help reduce your ransomware-related risks.

Configure Sensitive Data Protection

Sensitive Data Protection lets you inspect data in your Google Cloud organization and data coming from external sources. Configure Sensitive Data Protection to classify and protect your confidential data using de-identification techniques. Classifying your data helps you to focus your monitoring and detection efforts on data that matters most to your organization.

Combine Sensitive Data Protection with other products such as the Security Command Center or with a third-party SIEM to help ensure appropriate monitoring and alerting on any unexpected changes to your data.

Manage risks to your supply chain

A key attack vector for ransomware attacks is vulnerabilities within the supply chain. The challenge to this attack vector is that most organizations have many vendors that they must track, each with their own list of vendors.

If you create and deploy applications, use frameworks such as the Supply-chain Levels for Software Architects (SLSA). These frameworks help define the requirements and best practices that your enterprise can use to protect your source code and build processes. Using SLSA, you can work through four security levels to improve the security of the software that you produce.

If you use open source packages in your applications, consider using security scorecards to auto-generate the security score of a particular open source package. Security scorecards are a low-cost, easy-to-use method to get an assessment before your developers integrate open source packages with your systems.

To learn about resources that you can use to help verify the security of Google Cloud, see Vendor security risk assessment.

Control access to your resources and data

As your organization moves workloads outside of your on-premises network, you must manage access to those workloads across all the environments that host your resources and data. Google Cloud supports several controls that help you set up appropriate access. The following sections highlight some of them.

Set up zero trust security with Chrome Enterprise Premium

As you move your workloads from your on-premises environment to the cloud, your network trust model changes. Zero trust security means that no one is trusted implicitly, whether they are inside or outside of your organization's network.

Unlike a VPN, zero trust security shifts access controls from the network perimeter to users and their devices. Zero trust security means that the user's identity and context is considered during authentication. This security control provides an important prevention tactic against ransomware attacks that are successful only after attackers breach your network.

Use Chrome Enterprise Premium to set up zero trust security in Google Cloud. Chrome Enterprise Premium provides threat and data protection and access controls. To learn how to set it up, see Getting started with Chrome Enterprise Premium.

If your workloads are located both on-premises and in Google Cloud, configure Identity-Aware Proxy (IAP). IAP lets you extend zero trust security to your applications in both locations. It provides authentication and authorization for users who access your applications and resources, using access control policies.

Configure least privilege

Least privilege ensures users and services only have the access that they require to perform their specific tasks. Least privilege slows down the ability of ransomware to spread throughout an organization because an attacker can't easily escalate their privileges.

To meet your organization's particular needs, use the fine-grained policies, roles, and permissions in Identity and Access Management (IAM). In addition, analyze your permissions regularly using role recommender and Policy Analyzer. Role recommender uses machine learning to analyze your settings and provide recommendations to help ensure your role settings adhere to the principle of least privilege. Policy Analyzer lets you see which accounts have access to your cloud resources.

For more information about least privilege, see Using IAM securely.

Configure multi-factor authentication with Titan Security Keys

Multi-factor authentication (MFA) ensures that users must provide a password and a biometric factor or a possessive factor (like a token) before they can access a resource. As passwords can be relatively easy to discover or steal, MFA helps to prevent ransomware attackers from being able to take over accounts.

Consider Titan Security Keys for MFA to help prevent account takeovers and phishing attacks. Titan Security Keys are tamper-resistant and can be used with any service that supports the Fast IDentity Online (FIDO) Alliance standards.

Enable MFA for your applications, Google Cloud administrators, SSH connections to your VMs (by using OS Login), and for anyone who requires privileged access to sensitive information.

Use Cloud Identity to configure MFA for your resources. For more information, see Enforce uniform MFA to company-owned resources.

Protect your service accounts

Service accounts are privileged identities that provide access to your Google Cloud resources, so attackers would consider them valuable. For best practices on protecting service accounts, see Best practices for working with service accounts.

Protect your critical data

The main goals of a ransomware attack are generally the following:

  • To make your critical data inaccessible until you pay the ransom.
  • To exfiltrate your data.

To protect your critical data from attacks, combine various security controls to control access to data, based on the data sensitivity. The following sections describe some best practices that you can use to help protect your data and help effectively mitigate ransomware attacks.

Configure data redundancy

Google Cloud has global-scale infrastructure that is designed to provide resiliency, scalability, and high availability. Cloud resilience helps Google Cloud to recover and adapt to various events. For more information, see Google Cloud infrastructure reliability guide.

In addition to the default resiliency capabilities in Google Cloud, configure redundancy (N+2) on the cloud storage option that you use to store your data. Redundancy helps mitigate the effects of a ransomware attack because it removes a single point of failure and provides backups of your primary systems in case they are compromised.

If you use Cloud Storage, you can enable Object Versioning or the Bucket Lock feature. The Bucket Lock feature lets you to configure a data retention policy for your Cloud Storage buckets.

For more information about data redundancy in Google Cloud, see the following:

Back up your databases and filestores

Backups let you keep copies of your data for recovery purposes so that you can create a replicated environment if a security incident occurs. Store backups in both the format that you need it, and in raw source form if possible. To avoid compromising your backup data, store these copies in separate, isolated zones away from your production zone. In addition, back up binaries and executable files separately from your data.

When planning for a replicated environment, ensure that you apply the same (or stronger) security controls in your mirror environment. Determine the time it takes you to recreate your environment and to recreate any new administrator accounts that you require.

For some examples of backups in Google Cloud, see the following:

In addition to these backup options, consider using Backup and DR Service to back up Google Cloud workloads. For more information, see solutions for backup and disaster recovery.

Protect and back up your data encryption keys

To help prevent attackers from getting access to your data encryption keys, rotate your keys regularly and monitor key-related activities. Implement a key backup strategy that considers the key location and whether the keys are Google-managed (software or HSM), or whether you supply the keys to Google. If you supply your own keys, configure backups and key rotation using the controls in your external key management system.

For more information, see Manage encryption keys with Cloud Key Management Service.

Protect your network and infrastructure

To protect your network, you must ensure that attackers can't easily traverse it to get access to your sensitive data. The following sections describe some of the items to consider as you plan and deploy your network.

Automate infrastructure provisioning

Automation is an important control against ransomware attackers, as automation provides your operations team with a known good state, fast rollback, and troubleshooting capabilities. Automation requires various tools such as Terraform, Jenkins, Cloud Build, and others.

Deploy a secure Google Cloud environment using the enterprise foundations blueprint. If necessary, build on the security foundations blueprint with additional blueprints or design your own automation.

For more security guidance, see the Cloud Security Best Practices Center.

Segment your network

Network segments and perimeters help slow down the progress that an attacker can make in your environment.

To segment services and data and to help secure your perimeter, Google Cloud offers the following tools:

Customize network security controls to match your risks for different resources and data.

Protect your workloads

Google Cloud includes services that let you build, deploy, and manage code. Use these services to prevent drift and rapidly detect and patch issues such as misconfigurations and vulnerabilities. To protect your workloads, build a gated deployment process that prevents ransomware attackers from getting initial access through unpatched vulnerabilities and misconfigurations. The following sections describe some of the best practices that you can implement to help protect your workloads.

For example, to deploy workloads in GKE Enterprise, you do the following:

For more information about GKE Enterprise security, see Hardening your cluster's security.

Use a secure software development lifecycle

When developing your software development lifecycle (SDLC), use industry best practices such as DevSecOps. The DevOps Research and Assessment (DORA) research program describes many of the technical, process, measurement, and cultural capabilities of DevSecOps. DevSecOps can help mitigate ransomware attacks because it helps ensure that security considerations are included at each step of the development lifecycle and lets your organization rapidly deploy fixes.

For more information about using an SDLC with Google Kubernetes Engine (GKE), see Software supply chain security.

Use a secure continuous integration and continuous delivery pipeline

Continuous integration and continuous delivery (CI/CD) provides a mechanism for getting your latest functionality to your customers quickly. To prevent ransomware attacks against your pipeline, you must perform appropriate code analysis and monitor your pipeline for malicious attacks.

To protect your CI/CD pipeline on Google Cloud, use access controls, segregated duties, and cryptographic code verification as the code moves through the CI/CD pipeline. Use Cloud Build to track your build steps and Artifact Registry to complete vulnerability scanning on your container images. Use Binary Authorization to verify that your images meet your standards.

When you build your pipeline, ensure that you have backups for your application binaries and executable files. Back them up separately from your confidential data.

Protect your deployed applications

Attackers can try to access your network by finding Layer 7 vulnerabilities within your deployed applications. To help mitigate against these attacks, complete threat modeling activities to find potential threats. After you minimize your attack surface, configure Google Cloud Armor, which is a web-application firewall (WAF) that uses Layer 7 filtering and security policies.

WAF rules help you protect your applications against numerous OWASP Top 10 issues. For more information, see OWASP Top 10 mitigation options on Google Cloud.

For information about deploying Google Cloud Armor with a global external Application Load Balancer to protect your applications across multiple regions, see Getting to know Google Cloud Armor—defense at scale for internet-facing services. For information about using Google Cloud Armor with applications that run outside Google Cloud, see Integrating Google Cloud Armor with other Google products.

Patch vulnerabilities quickly

A key attack vector for ransomware is open-source software vulnerabilities. To mitigate the effects that ransomware might have, you must be able to rapidly deploy fixes across your fleet.

According to the shared responsibility model, you're responsible for any software vulnerabilities in your applications, while Google is responsible for maintaining the security of the underlying infrastructure.

To view vulnerabilities associated with the operating systems that your VMs are running and to manage the patching process, use OS patch management in Compute Engine. For GKE and GKE Enterprise, Google automatically patches vulnerabilities, though you have some control over GKE maintenance windows.

If you're using Cloud Build, automate builds whenever a developer commits a change to the code source repository. Ensure that your build configuration file includes appropriate verification checks, such as vulnerability scanning and integrity checks.

For information about patching Cloud SQL, see Maintenance on Cloud SQL instances.

Detect attacks

Your ability to detect attacks depends on your detection capabilities, your monitoring and alerting system, and the activities that prepare your operations teams to identify attacks when they occur. This section describes some best practices for detecting attacks.

Configure monitoring and alerts

Enable Security Command Center to get centralized visibility into any security concerns and risks within your Google Cloud environment. Customize the dashboard to ensure that the events that are most important to your organization are most visible.

Use Cloud Logging to manage and analyze the logs from your services in Google Cloud. For additional analysis, you can choose to integrate with Google Security Operations or export the logs to your organization's SIEM.

In addition, use Cloud Monitoring to measure the performance of your service and resources and set up alerts. For example, you can monitor for sudden changes to the number of VMs running in your environment, which might be a sign that malware is present in your environment.

Make all this information available to your security operations center in a centralized way.

Build detection capabilities

Build detection capabilities in Google Cloud that correspond with your risks and workload needs. These capabilities provide you with more insight into advanced threats, and help you better monitor your compliance requirements.

If you have Security Command Center Premium tier, use Event Threat Detection and Google SecOps. Event Threat Detection searches your logs for potential security attacks and logs its findings in the Security Command Center. Event Threat Detection lets you monitor both Google Cloud and Google Workspace at the same time. It checks for malware based on known bad domains and known bad IP addresses. For more information, see Using Event Threat Detection.

Use Google SecOps to store and analyze your security data in one place. Google SecOps helps enhance the process of handling threats in Google Cloud by adding investigative abilities into Security Command Center Premium. You can use Google SecOps to create detection rules, set up indicators of compromise matching, and perform threat hunting activities. Google SecOps has the following features:

  • When you map logs, Google SecOps enriches them and links them together into timelines, so that you can see the entire span of an attack.
  • Google SecOps constantly re-evaluates log activity against threat intelligence gathered by the Google Cloud Threat Intelligence for Google Security Operations team. When the intelligence changes, Google SecOps automatically reapplies it against all historical activity.
  • You can write your own YARA rules to improve your threat detection capabilities.

Optionally, you can use a Google Cloud partner to further augment your detection capabilities.

Plan for a ransomware attack

To prepare for a ransomware attack, complete business continuity and disaster recovery plans, create a ransomware incident response playbook, and perform tabletop exercises.

For your incident response playbook, consider the functionality available for each service. For example, if you're using GKE with Binary Authorization, you can add breakglass processes.

Ensure that your incident response playbook helps you quickly contain infected resources and accounts and move to healthy secondary sources and backups. If you use a backup service like Backup and DR, regularly practice your restore procedures from Google Cloud to your on-premises environment.

Build a cyber-resiliency program and a backup strategy that prepares you to restore core systems or assets affected by a ransomware incident. Cyber resiliency is critical for supporting recovery timelines and lessening the effects of an attack so you can get back to operating your business.

Depending on the scope of an attack and the regulations that apply to your organization, you might need to report the attack to the appropriate authorities. Ensure that contact information is accurately captured in your incident response playbook.

Respond to and recover from attacks

When an attack occurs, you need to follow your incident response plan. Your response likely goes through four phases, which are:

  • Incident identification
  • Incident coordination and investigation
  • Incident resolution
  • Incident closure

Best practices related to incident response are further described in the following sections.

For information on how Google manages incidents, see Data incident response process.

Activate your incident response plan

When you detect a ransomware attack, activate your plan. After you confirm that the incident isn't a false positive and that it affects your Google Cloud services, open a P1 Google Support ticket. Google Support responds as documented in the Google Cloud: Technical Support Services Guidelines.

If your organization has a Google technical account manager (TAM) or other Google representative, contact them as well.

Coordinate your incident investigation

After you activate your plan, gather the team within your organization that needs to be involved in your incident coordination and resolution processes. Ensure that these tools and processes are in place to investigate and resolve the incident.

Continue to monitor your Google Support ticket and work with your Google representative. Respond to any requests for further information. Keep detailed notes on your activities.

Resolve the incident

After you complete your investigation, follow your incident response plan to remove the ransomware and restore your environment to a healthy state. Depending on the severity of the attack and the security controls that you have enabled, your plan can include activities such as the following:

  • Quarantining infected systems.
  • Restoring from healthy backups.
  • Restoring your infrastructure to a previously known good state using your CI/CD pipeline.
  • Verifying that the vulnerability was removed.
  • Patching all systems that might be vulnerable to a similar attack.
  • Implementing the controls that you require to avoid a similar attack.

As you progress through the resolution stage, continue to monitor your Google Support ticket. Google Support takes appropriate actions within Google Cloud to contain, eradicate, and (if possible) recover your environment.

Continue to keep detailed notes on your activities.

Close the incident

You can close the incident after your environment is restored to a healthy state and you have verified that the ransomware has been eradicated from your environment.

Inform Google Support when your incident is resolved and your environment is restored. If one is scheduled, participate in a joint retrospective with your Google representative.

Ensure that you capture any lessons learned from the incident, and set in place the controls that you require to avoid a similar attack. Depending on the nature of the attack, you could consider the following actions:

  • Writing detection rules and alerts that would automatically trigger should the attack occur again.
  • Updating your incident response playbook to include any lessons learned.
  • Improving your security posture based on your retrospective findings.

What's next