Best practices for mitigating ransomware attacks using Google Cloud

Last reviewed 2023-08-03 UTC

Ransomware is malicious code, created by a third party, that infiltrates your systems to hijack, encrypt, and steal your data. To protect your enterprise resources and data from ransomware attacks, you must put multi-layered controls in place across your on-premises and cloud environments. This document describes some best practices to help your organization identify, prevent, detect, and respond to ransomware attacks.

This document is part of a series that is intended for security architects and administrators. It describes how Google Cloud can help your organization mitigate the effects of ransomware attacks.

The series has the following parts:

Identify your risks and assets

To determine your organization's exposure to ransomware attacks, you must develop your understanding of the risks to your systems, people, assets, data, and capabilities. To help you, Google Cloud provides the following capabilities:

Manage your assets with Cloud Asset Inventory

To help mitigate ransomware attacks, you need to know what your organization's assets are, their state, and their purpose, both in Google Cloud and in your on-premises or other cloud environments. For static assets, maintain a baseline of the last known good configuration in a separate location.

Use Cloud Asset Inventory to obtain a five-week history of your resources in Google Cloud. Set up monitoring feeds to receive notifications when particular changes to resources occur, or when there are policy deviations. Because the built-in history only covers five weeks, export the inventory if you want to track changes over a longer period and watch for attacks that progress slowly. You can create the export with tools like Terraform; for this type of analysis, export the inventory to a BigQuery table or a Cloud Storage bucket.

Assess and manage your risks

Use an existing risk assessment framework to help you catalog your risks and determine how capable your organization is at detecting and counteracting a ransomware attack. These assessments check factors like whether you have malware protection controls, properly configured access controls, database protection, and backups.

For example, the Cloud Security Alliance (CSA) provides the Cloud Controls Matrix (CCM) to assist organizations in their cloud risk assessments. For CCM information specific to Google Cloud, see New CIS Benchmark for Google Cloud Computing Platform.

To identify potential application gaps and take actions to remediate them, you can use threat models such as OWASP Application Threat Modeling. For more information on how you can help mitigate the top 10 OWASP security risks with Google Cloud, see OWASP Top 10 mitigation options on Google Cloud.

After you catalog your risks, determine how to respond to them, and whether you want to accept, avoid, transfer, or mitigate the risks. The Risk Protection Program provides access to Risk Manager and cyber insurance. Use Risk Manager to scan your workloads on Google Cloud and implement the security recommendations that help reduce your ransomware-related risks.

Configure Sensitive Data Protection

Sensitive Data Protection lets you inspect data in your Google Cloud organization and data coming from external sources. Configure Sensitive Data Protection to classify and protect your confidential data using de-identification techniques. Classifying your data helps you to focus your monitoring and detection efforts on data that matters most to your organization.

Combine Sensitive Data Protection with other products such as the Security Command Center or with a third-party SIEM to help ensure appropriate monitoring and alerting on any unexpected changes to your data.

Manage risks to your supply chain

A key attack vector for ransomware is vulnerabilities within your supply chain. The challenge with this attack vector is that most organizations have many vendors that they must track, each with their own list of vendors.

If you create and deploy applications, use frameworks such as Supply-chain Levels for Software Artifacts (SLSA). These frameworks define the requirements and best practices that your enterprise can use to protect your source code and build processes. Using SLSA, you can work through its security levels (four in the original v0.1 specification; SLSA v1.0 defines Build levels L0 to L3) to improve the security of the software that you produce.

If you use open source packages in your applications, consider using OpenSSF Scorecard (Security Scorecards) to automatically generate a security score for a particular open source package. Scorecard is a low-cost, easy-to-use way to get an assessment before your developers integrate an open source package with your systems.
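A Scorecard result is only useful if something acts on it. The following is an added example, not code from this page or from the Scorecard project: a small policy gate that reads Scorecard's JSON output and refuses a package that falls below per-check minimums. It assumes the JSON shape of `scorecard --format json` (a top-level "repo", an aggregate "score", and a "checks" list with "name", "score" and "reason"); the thresholds are the example's own policy, and the embedded results are constructed, not output from a real scan.

```python
"""Gate an open source package on its OpenSSF Scorecard results.

Added example: this is not code from the Google Cloud page or from the
Scorecard project. It assumes the JSON produced by `scorecard --format json`
has a top-level "repo", an aggregate "score", and a "checks" list whose
entries carry "name", "score" and "reason"; the thresholds are this
example's own policy. The results embedded below are constructed, not the
output of a real scan.
"""
from __future__ import annotations

import json

# Checks that matter most when the threat is a hijacked build or a poisoned
# dependency, with the minimum score accepted for each.
REQUIRED_CHECKS = {
    "Dangerous-Workflow": 10,  # untrusted code run by the project's own CI
    "Token-Permissions": 7,    # over-privileged CI tokens
    "Pinned-Dependencies": 5,  # unpinned deps let upstream push code into the build
    "Signed-Releases": 5,      # releases can be verified against a maintainer key
    "Maintained": 5,           # unmaintained code never gets its CVEs fixed
}
MIN_AGGREGATE = 6.0


def evaluate_scorecard(result: dict) -> list[str]:
    """Return policy violations for one Scorecard result; empty means it passes.

    A check score of -1 means Scorecard could not evaluate the check. That is
    treated as a violation: an unknown must not pass a gate silently.
    """
    violations: list[str] = []
    repo = result.get("repo", {}).get("name", "<unknown repo>")

    aggregate = result.get("score")
    if aggregate is None or aggregate < MIN_AGGREGATE:
        violations.append(f"{repo}: aggregate score {aggregate} is below {MIN_AGGREGATE}")

    checks = {c["name"]: c for c in result.get("checks", [])}
    for name, minimum in REQUIRED_CHECKS.items():
        check = checks.get(name)
        if check is None:
            violations.append(f"{repo}: required check {name} is missing from the results")
            continue
        score = check.get("score", -1)
        reason = check.get("reason", "")
        if score < 0:
            violations.append(f"{repo}: {name} was inconclusive ({reason})")
        elif score < minimum:
            violations.append(f"{repo}: {name} scored {score}, minimum is {minimum} ({reason})")
    return violations


def gate(results_json: str) -> tuple[bool, list[str]]:
    """Parse Scorecard JSON and decide whether the package may be adopted."""
    violations = evaluate_scorecard(json.loads(results_json))
    return (not violations, violations)


# Constructed sample results in the assumed format (not real repositories).
SAMPLE_FAIL = json.dumps({
    "repo": {"name": "github.com/example-org/example-lib", "commit": "0" * 40},
    "score": 4.9,
    "checks": [
        {"name": "Dangerous-Workflow", "score": 10, "reason": "no dangerous workflow patterns detected"},
        {"name": "Token-Permissions", "score": 0, "reason": "detected GitHub workflow tokens with excessive permissions"},
        {"name": "Pinned-Dependencies", "score": 2, "reason": "dependency not pinned by hash detected"},
        {"name": "Signed-Releases", "score": -1, "reason": "no releases found"},
        {"name": "Maintained", "score": 10, "reason": "30 commit(s) in the last 90 days"},
    ],
})
SAMPLE_PASS = json.dumps({
    "repo": {"name": "github.com/example-org/well-kept-lib", "commit": "1" * 40},
    "score": 8.2,
    "checks": [
        {"name": "Dangerous-Workflow", "score": 10, "reason": "no dangerous workflow patterns detected"},
        {"name": "Token-Permissions", "score": 10, "reason": "tokens are read-only"},
        {"name": "Pinned-Dependencies", "score": 7, "reason": "most dependencies pinned"},
        {"name": "Signed-Releases", "score": 8, "reason": "4 of 5 releases signed"},
        {"name": "Maintained", "score": 10, "reason": "12 commit(s) in the last 90 days"},
    ],
})

if __name__ == "__main__":
    for sample in (SAMPLE_FAIL, SAMPLE_PASS):
        ok, problems = gate(sample)
        print("PASS" if ok else "FAIL")
        for problem in problems:
            print("  -", problem)
```

Run the gate in the dependency review step of your pipeline (the JSON comes from `scorecard --repo=<url> --format=json`) and fail the step on any violation. The inconclusive (-1) handling is the part most gates get wrong: a check that could not run is not evidence that the package is safe.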

To learn about resources that you can use to help verify the security of Google Cloud, see Vendor security risk assessment.

Control access to your resources and data

As your organization moves workloads outside of your on-premises network, you must manage access to those workloads across all the environments that host your resources and data. Google Cloud supports several controls that help you set up appropriate access. The following sections highlight some of them.

Set up zero trust security with BeyondCorp Enterprise

As you move your workloads from your on-premises environment to the cloud, your network trust model changes. Zero trust security means that no one is trusted implicitly, whether they are inside or outside of your organization's network.

Unlike a VPN, zero trust security shifts access controls from the network perimeter to users and their devices: the user's identity, the device's state, and the context of the request are evaluated on every access decision. This is an important prevention tactic against ransomware attacks that depend on moving laterally once an attacker has breached your network.

Use BeyondCorp Enterprise to set up zero trust security in Google Cloud. BeyondCorp Enterprise provides threat and data protection and access controls. To learn how to set it up, see Getting started with BeyondCorp Enterprise.

If your workloads are located both on-premises and in Google Cloud, configure Identity-Aware Proxy (IAP). IAP lets you extend zero trust security to your applications in both locations. It provides authentication and authorization for users who access your applications and resources, using access control policies.

Configure least privilege

Least privilege ensures that users and services have only the access they need to perform their specific tasks. It slows the spread of ransomware through an organization because a compromised identity reaches fewer resources and an attacker can't easily escalate their privileges.

To meet your organization's particular needs, use the fine-grained policies, roles, and permissions in Identity and Access Management (IAM). In addition, analyze your permissions regularly using role recommender and Policy Analyzer. Role recommender uses machine learning to analyze your settings and provide recommendations to help ensure your role settings adhere to the principle of least privilege. Policy Analyzer lets you see which accounts have access to your cloud resources.
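To make the review concrete, here is an added example (not the Google Cloud role recommender or Policy Analyzer, but the same idea carried out offline on constructed input). It takes a project IAM policy in the standard "bindings" format plus, per principal, the permissions that principal actually exercised during the review window (the kind of data you would derive from Cloud Audit Logs), flags public principals and basic roles, and proposes the narrowest predefined role that still covers what was used. The `ROLE_PERMISSIONS` catalogue is a constructed, heavily abbreviated subset of real role contents; check the real permission lists before acting on a recommendation.

```python
"""Least-privilege review of an IAM policy against observed permission usage.

Added example: not the Google Cloud role recommender or Policy Analyzer, but
the same idea worked through offline. ROLE_PERMISSIONS is a constructed,
heavily abbreviated subset of real role contents; the policy and usage data
below are constructed as well.
"""
from __future__ import annotations

BASIC_ROLES = {"roles/owner", "roles/editor", "roles/viewer"}
PUBLIC_MEMBERS = {"allUsers", "allAuthenticatedUsers"}

# Constructed, abbreviated role contents (real roles hold many more permissions).
ROLE_PERMISSIONS: dict[str, set[str]] = {
    "roles/storage.objectViewer": {"storage.objects.get", "storage.objects.list"},
    "roles/storage.objectCreator": {"storage.objects.create"},
    "roles/storage.objectAdmin": {
        "storage.objects.get", "storage.objects.list", "storage.objects.create",
        "storage.objects.delete", "storage.objects.update",
    },
    "roles/storage.admin": {
        "storage.objects.get", "storage.objects.list", "storage.objects.create",
        "storage.objects.delete", "storage.objects.update",
        "storage.buckets.delete", "storage.buckets.update",
    },
    "roles/editor": {
        "storage.objects.get", "storage.objects.list", "storage.objects.create",
        "storage.objects.delete", "storage.objects.update",
        "storage.buckets.delete", "storage.buckets.update",
        "compute.instances.delete", "cloudkms.cryptoKeys.update",
    },
}


def narrowest_role(used: set[str]) -> str | None:
    """Smallest non-basic role in the catalogue that covers every used permission."""
    if not used:
        return None  # nothing used: the right answer is removal, not a smaller role
    candidates = [
        (len(perms), role) for role, perms in ROLE_PERMISSIONS.items()
        if role not in BASIC_ROLES and used <= perms
    ]
    return min(candidates)[1] if candidates else None


def review_policy(policy: dict, usage: dict[str, set[str]]) -> list[dict]:
    """Return one finding per binding that violates least privilege.

    `usage` maps principal -> permissions observed in audit logs for the window.
    """
    findings: list[dict] = []
    for binding in policy.get("bindings", []):
        role = binding["role"]
        granted = ROLE_PERMISSIONS.get(role)
        for member in binding.get("members", []):
            finding = {"member": member, "role": role}
            used = usage.get(member, set())
            if member in PUBLIC_MEMBERS:
                finding.update(issue="public principal", recommend="remove binding")
            elif role in BASIC_ROLES:
                # Basic roles are never least privilege; recommend the narrowest
                # role that covers what the principal really used.
                finding.update(issue="basic role",
                               recommend=narrowest_role(used) or "remove binding")
            elif granted is None:
                continue  # role not in the constructed catalogue
            elif not used:
                finding.update(issue="no usage in window", recommend="remove binding")
            else:
                unused = granted - used
                narrower = narrowest_role(used)
                if not unused or narrower is None or narrower == role:
                    continue  # already the tightest predefined role available
                finding.update(issue=f"{len(unused)} of {len(granted)} permissions unused",
                               recommend=narrower)
            findings.append(finding)
    return findings


# Constructed sample policy and usage data.
SAMPLE_POLICY = {
    "bindings": [
        {"role": "roles/editor",
         "members": ["serviceAccount:backup-agent@example-project.iam.gserviceaccount.com"]},
        {"role": "roles/storage.objectAdmin", "members": ["user:analyst@example.com"]},
        {"role": "roles/storage.admin", "members": ["group:storage-ops@example.com"]},
        {"role": "roles/storage.objectViewer", "members": ["allUsers"]},
    ],
}
SAMPLE_USAGE = {
    "serviceAccount:backup-agent@example-project.iam.gserviceaccount.com":
        {"storage.objects.create", "storage.objects.list"},
    "user:analyst@example.com": {"storage.objects.get", "storage.objects.list"},
    "group:storage-ops@example.com": {
        "storage.objects.get", "storage.objects.list", "storage.objects.create",
        "storage.objects.delete", "storage.objects.update", "storage.buckets.update",
    },
}

if __name__ == "__main__":
    for f in review_policy(SAMPLE_POLICY, SAMPLE_USAGE):
        print(f"{f['member']} [{f['role']}]: {f['issue']} -> {f['recommend']}")
```

Note what the backup agent's finding shows: the narrowest predefined role that covers "create and list" is still `roles/storage.objectAdmin`, which also grants delete. For a backup writer that is exactly the permission ransomware wants, so the right fix there is a custom role with only the two permissions used. The storage-ops group produces no finding because nothing narrower covers its usage; that is the expected outcome for a principal already at least privilege.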

For more information about least privilege, see Using IAM securely.

Configure multi-factor authentication with Titan Security Keys

Multi-factor authentication (MFA) requires users to present a second factor, such as a biometric or a possession factor (something they have, like a security key), in addition to a password before they can access a resource. Because passwords can be relatively easy to discover or steal, MFA helps to prevent ransomware attackers from taking over accounts.

Consider Titan Security Keys for MFA to help prevent account takeovers and phishing attacks. Titan Security Keys are tamper-resistant and can be used with any service that supports the Fast IDentity Online (FIDO) Alliance standards. A FIDO credential is bound to the web origin that registered it, so a phishing site on another origin cannot obtain a usable assertion; one-time codes and push approvals don't offer that guarantee.

Enable MFA for your applications, Google Cloud administrators, SSH connections to your VMs (by using OS Login), and for anyone who requires privileged access to sensitive information.

Use Cloud Identity to configure MFA for your resources. For more information, see Enforce uniform MFA to company-owned resources.

Protect your service accounts

Service accounts are privileged identities that provide access to your Google Cloud resources, so attackers would consider them valuable. For best practices on protecting service accounts, see Best practices for working with service accounts.

Protect your critical data

The main goals of a ransomware attack are generally the following:

  • To make your critical data inaccessible until you pay the ransom.
  • To exfiltrate your data.

To protect your critical data from attacks, combine several security controls and apply them according to the sensitivity of the data. The following sections describe some best practices that you can use to help protect your data and help effectively mitigate ransomware attacks.

Configure data redundancy

Google Cloud has global-scale infrastructure that is designed to provide resiliency, scalability, and high availability. Cloud resilience helps Google Cloud to recover and adapt to various events. For more information, see Google Cloud infrastructure reliability guide.

In addition to the default resiliency capabilities in Google Cloud, configure redundancy (N+2) on the cloud storage option that you use to store your data. Redundancy helps mitigate the effects of a ransomware attack because it removes a single point of failure and gives you copies of your primary systems in case they are compromised. Keep in mind that replication alone is not a backup: writes propagate to every replica, so data that an attacker encrypts or deletes is encrypted or deleted in the replicas too. Pair redundancy with point-in-time copies that a principal holding production credentials cannot alter.

If you use Cloud Storage, enable Object Versioning, the Bucket Lock feature, or both. Object Versioning keeps a noncurrent copy of each object that is overwritten or deleted, so ransomware that encrypts objects in place leaves the earlier versions available for recovery; note that a principal with permission to delete noncurrent versions can still remove them. The Bucket Lock feature lets you configure a data retention policy for your Cloud Storage buckets, which prevents objects from being deleted or overwritten until the retention period expires. Once you lock the policy, nobody can remove it or shorten the retention period, which is what makes it effective against an attacker who has obtained administrative credentials.
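The two controls above are only as good as your ability to notice when someone turns them off, which is where the monitoring feeds from the "Manage your assets with Cloud Asset Inventory" section come in. The following added example (not code from this page) consumes asset feed messages and raises alerts for the changes that precede a ransomware run: versioning disabled, a retention policy removed or shortened, a bucket deleted, or a destructive role granted on it. It assumes each message is the TemporalAsset JSON that a feed publishes to Pub/Sub ("asset", "priorAsset", "priorAssetState", "deleted", "window"), with a bucket's "versioning" and "retentionPolicy" under asset.resource.data and its IAM policy under asset.iamPolicy; the messages below are constructed for the example.

```python
"""Alert on Cloud Asset Inventory feed events that weaken data protection.

Added example, not code from the Google Cloud page. Assumes the TemporalAsset
JSON an asset feed publishes to Pub/Sub; sample messages are constructed.
"""
from __future__ import annotations

PUBLIC_MEMBERS = {"allUsers", "allAuthenticatedUsers"}
# Roles that let a principal delete or overwrite backups, or weaken bucket protection.
DESTRUCTIVE_ROLES = {"roles/owner", "roles/editor", "roles/storage.admin", "roles/storage.objectAdmin"}
BUCKET_TYPE = "storage.googleapis.com/Bucket"


def _bucket_data(asset: dict) -> dict:
    return asset.get("resource", {}).get("data", {})


def _retention_seconds(bucket: dict) -> int:
    """Retention period in seconds; 0 when the bucket has no retention policy."""
    return int((bucket.get("retentionPolicy") or {}).get("retentionPeriod", 0))


def _members_by_role(iam_policy: dict | None) -> dict[str, set[str]]:
    out: dict[str, set[str]] = {}
    for binding in (iam_policy or {}).get("bindings", []):
        out.setdefault(binding["role"], set()).update(binding.get("members", []))
    return out


def analyze_feed_message(message: dict) -> list[str]:
    """Return alert strings for one feed message; an empty list means nothing suspicious."""
    alerts: list[str] = []
    asset = message["asset"]
    name = asset.get("name", "<unknown>")
    prior = message.get("priorAsset") or {}

    if message.get("deleted"):
        return [f"{name}: resource deleted"]  # loudest possible signal; nothing else to compare

    if asset.get("assetType") == BUCKET_TYPE:
        before, now = _bucket_data(prior), _bucket_data(asset)
        if before.get("versioning", {}).get("enabled") and not now.get("versioning", {}).get("enabled"):
            alerts.append(f"{name}: object versioning disabled")
        old_ret, new_ret = _retention_seconds(before), _retention_seconds(now)
        if new_ret < old_ret:
            alerts.append(f"{name}: retention policy reduced from {old_ret}s to {new_ret}s")

    # IAM changes apply to any asset type; only newly added members are reported,
    # so a feed with content type RESOURCE (no iamPolicy) simply yields none.
    old_roles = _members_by_role(prior.get("iamPolicy"))
    new_roles = _members_by_role(asset.get("iamPolicy"))
    for role, members in new_roles.items():
        for member in sorted(members - old_roles.get(role, set())):
            if member in PUBLIC_MEMBERS:
                alerts.append(f"{name}: {role} granted to public principal {member}")
            elif role in DESTRUCTIVE_ROLES:
                alerts.append(f"{name}: destructive role {role} granted to {member}")
    return alerts


def triage(messages: list[dict]) -> list[str]:
    """Flatten alerts for a batch of feed messages."""
    return [alert for m in messages for alert in analyze_feed_message(m)]


# Constructed sample messages (not captured from a real project).
BACKUP_BUCKET = "//storage.googleapis.com/example-backups"
WINDOW = {"startTime": "2023-08-03T10:15:00Z"}
SAMPLE_MESSAGES = [
    # 1. Versioning switched off and the (unlocked) retention policy removed.
    {"asset": {"name": BACKUP_BUCKET, "assetType": BUCKET_TYPE,
               "resource": {"data": {"name": "example-backups", "versioning": {"enabled": False}}}},
     "priorAsset": {"name": BACKUP_BUCKET, "assetType": BUCKET_TYPE,
                    "resource": {"data": {"name": "example-backups", "versioning": {"enabled": True},
                                          "retentionPolicy": {"retentionPeriod": "2592000", "isLocked": False}}}},
     "priorAssetState": "PRESENT", "deleted": False, "window": WINDOW},
    # 2. A new service account is granted storage.admin on the bucket.
    {"asset": {"name": BACKUP_BUCKET, "assetType": BUCKET_TYPE,
               "iamPolicy": {"bindings": [
                   {"role": "roles/storage.objectViewer", "members": ["group:analysts@example.com"]},
                   {"role": "roles/storage.admin",
                    "members": ["serviceAccount:new-sa@example-project.iam.gserviceaccount.com"]}]}},
     "priorAsset": {"name": BACKUP_BUCKET, "assetType": BUCKET_TYPE,
                    "iamPolicy": {"bindings": [
                        {"role": "roles/storage.objectViewer", "members": ["group:analysts@example.com"]}]}},
     "priorAssetState": "PRESENT", "deleted": False, "window": WINDOW},
    # 3. The bucket itself is deleted.
    {"asset": {"name": BACKUP_BUCKET, "assetType": BUCKET_TYPE},
     "priorAsset": {"name": BACKUP_BUCKET, "assetType": BUCKET_TYPE},
     "priorAssetState": "PRESENT", "deleted": True, "window": WINDOW},
    # 4. Benign: only labels changed.
    {"asset": {"name": BACKUP_BUCKET, "assetType": BUCKET_TYPE,
               "resource": {"data": {"versioning": {"enabled": True}, "labels": {"env": "prod"}}}},
     "priorAsset": {"name": BACKUP_BUCKET, "assetType": BUCKET_TYPE,
                    "resource": {"data": {"versioning": {"enabled": True}}}},
     "priorAssetState": "PRESENT", "deleted": False, "window": WINDOW},
]

if __name__ == "__main__":
    for alert in triage(SAMPLE_MESSAGES):
        print(alert)
```

Two practical points. A feed carries either resource data or IAM policy depending on its content type, so you need one feed of each (or one per content type) to get both kinds of alert; the code tolerates whichever fields are absent. And a locked retention policy never appears in the "reduced" alert because it cannot be shortened, which is the reason to lock it: the alert exists for buckets you have not locked yet.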

For more information about data redundancy in Google Cloud, see the following:

Back up your databases and filestores

Backups let you keep copies of your data for disaster recovery purposes so that you can create a replicated environment. Store backups both in the format you need for a restore and, if possible, in raw source form. To avoid compromising your backup data, store these copies in separate, isolated locations (for example, a different project with its own access controls) away from your production environment, and test restores regularly: a backup you cannot restore is not a backup. In addition, back up binaries and executable files separately from your data.

When planning for a replicated environment, ensure that you apply the same (or stronger) security controls in your mirror environment. Determine the time it takes you to recreate your environment and to recreate any new administrator accounts that you require.

For some examples of backups in Google Cloud, see the following:

In addition to these backup options, consider using Backup and DR Service to back up your on-premises data to Google Cloud. Backup and DR lets you set up a disaster recovery environment in Google Cloud for both your VMs and your databases. For more information, see solutions for backup and disaster recovery.

Protect and back up your data encryption keys

To help prevent attackers from getting access to your data encryption keys, rotate your keys regularly and monitor key-related activities. Implement a key backup strategy that considers the key location and whether the keys are Google-managed (software or HSM), or whether you supply the keys to Google. If you supply your own keys, configure backups and key rotation using the controls in your external key management system. Keep in mind that rotating a key does not re-encrypt existing data: older key versions still protect older data and backups, so destroying a key version (or losing the external key behind it) makes everything encrypted under it unrecoverable. Treat key versions as part of your backup inventory, and guard the permission to destroy them as carefully as the permission to delete backups.

For more information, see Manage encryption keys with Cloud Key Management Service.

Protect your network and infrastructure

To protect your network, you must ensure that attackers can't easily traverse it to get access to your sensitive data. The following sections describe some of the items to consider as you plan and deploy your network.

Automate infrastructure provisioning

Automation is an important control against ransomware attackers, as automation provides your operations team with a known good state, fast rollback, and troubleshooting capabilities. Automation requires various tools such as Terraform, Jenkins, Cloud Build, and others.

Deploy a secure Google Cloud environment using the enterprise foundations blueprint. If necessary, build on the security foundations blueprint with additional blueprints or design your own automation.

For more information about automation, see Use a CI/CD pipeline for data-processing workflows. For more security guidance, see the Cloud Security Best Practices Center.

Segment your network

Network segments and perimeters help slow down the progress that an attacker can make in your environment.

To segment services and data and to help secure your perimeter, Google Cloud offers the following tools:

Customize network security controls to match your risks for different resources and data.

Protect your workloads

Google Cloud includes services that let you build, deploy, and manage code. Use these services to prevent drift and rapidly detect and patch issues such as misconfigurations and vulnerabilities. To protect your workloads, build a gated deployment process that prevents ransomware attackers from getting initial access through unpatched vulnerabilities and misconfigurations. The following sections describe some of the best practices that you can implement to help protect your workloads.

For example, to deploy workloads in GKE Enterprise, you do the following:

For more information about GKE Enterprise security, see Hardening your cluster's security.

Use a secure software development lifecycle

When developing your software development lifecycle (SDLC), use industry best practices such as DevSecOps. The DevOps Research and Assessment (DORA) research program describes many of the technical, process, measurement, and cultural capabilities of DevSecOps. DevSecOps can help mitigate ransomware attacks because it helps ensure that security considerations are included at each step of the development lifecycle and lets your organization rapidly deploy fixes.

For more information about using an SDLC with Google Kubernetes Engine (GKE), see Software Delivery Shield overview.

Use a secure continuous integration and continuous delivery pipeline

Continuous integration and continuous delivery (CI/CD) provides a mechanism for getting your latest functionality to your customers quickly. To prevent ransomware attacks that enter through your pipeline, you must perform appropriate code analysis and monitor the pipeline itself for tampering.

To protect your CI/CD pipeline on Google Cloud, use access controls, separation of duties, and cryptographic code verification as the code moves through the CI/CD pipeline. Use Cloud Build to track your build steps and Artifact Registry to run vulnerability scanning on your container images. Use Binary Authorization to verify that only images that meet your standards (for example, built by your pipeline and signed by a required attestor) can be deployed.
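The decision that sits between the scan and the attestation is the part worth showing. The following is an added example, not code from this page, Cloud Build or Binary Authorization: a deploy gate that accepts an image only if it is referenced by digest (a tag can be moved by an attacker), comes from an allow-listed repository, and has a completed vulnerability scan with no fixable finding at or above a severity threshold. The scan records mimic simplified Container Analysis occurrences (a DISCOVERY occurrence with "discovery.analysisStatus", and VULNERABILITY occurrences with "vulnerability.effectiveSeverity", "fixAvailable" and "shortDescription"); both their shape and their contents, including the CVE-EXAMPLE identifiers and the example-project repository, are constructed for this example.

```python
"""Deploy gate for container images produced by a CI/CD pipeline.

Added example, not code from the Google Cloud page, Cloud Build or Binary
Authorization. Scan records are simplified, constructed Container Analysis
occurrences; identifiers and repositories below are placeholders.
"""
from __future__ import annotations

import re

ALLOWED_REPOS = ("us-docker.pkg.dev/example-project/prod/",)
SEVERITY_RANK = {"MINIMAL": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}
BLOCK_AT = SEVERITY_RANK["HIGH"]
DIGEST_REF = re.compile(r"^(?P<repo>[^@]+)@sha256:[0-9a-f]{64}$")


def check_image_ref(image: str) -> list[str]:
    """Require a digest-pinned reference from an allow-listed repository."""
    match = DIGEST_REF.match(image)
    if not match:
        return [f"{image}: not pinned by sha256 digest"]
    if not match.group("repo").startswith(ALLOWED_REPOS):
        return [f"{image}: repository is not in the allow list"]
    return []


def check_scan(image: str, occurrences: list[dict]) -> list[str]:
    """Block on fixable findings at or above BLOCK_AT; block if the scan never finished."""
    uri = f"https://{image}"
    mine = [o for o in occurrences if o.get("resourceUri") == uri]
    finished = any(
        o.get("kind") == "DISCOVERY"
        and o.get("discovery", {}).get("analysisStatus") == "FINISHED_SUCCESS"
        for o in mine
    )
    if not finished:
        # Zero findings can mean "not scanned yet"; that must never read as "clean".
        return [f"{image}: vulnerability scan has not completed"]
    problems: list[str] = []
    for occ in mine:
        if occ.get("kind") != "VULNERABILITY":
            continue
        vuln = occ.get("vulnerability", {})
        severity = vuln.get("effectiveSeverity") or vuln.get("severity", "MINIMAL")
        if SEVERITY_RANK.get(severity, 0) >= BLOCK_AT and vuln.get("fixAvailable"):
            problems.append(f"{vuln.get('shortDescription', '?')}: {severity}, fix available")
    return problems


def deploy_allowed(image: str, occurrences: list[dict]) -> tuple[bool, list[str]]:
    """Overall decision: True only when every check passes."""
    problems = check_image_ref(image)
    if not problems:
        problems = check_scan(image, occurrences)
    return (not problems, problems)


# Constructed sample images and scan results.
PROD = "us-docker.pkg.dev/example-project/prod/"
IMAGE_VULNERABLE = PROD + "api@sha256:" + "a" * 64
IMAGE_CLEAN = PROD + "api@sha256:" + "b" * 64
IMAGE_UNSCANNED = PROD + "worker@sha256:" + "d" * 64


def _vuln(image: str, cve: str, severity: str, fixable: bool) -> dict:
    return {"kind": "VULNERABILITY", "resourceUri": f"https://{image}",
            "vulnerability": {"effectiveSeverity": severity, "fixAvailable": fixable,
                              "shortDescription": cve}}


SAMPLE_OCCURRENCES = [
    {"kind": "DISCOVERY", "resourceUri": f"https://{IMAGE_VULNERABLE}",
     "discovery": {"analysisStatus": "FINISHED_SUCCESS"}},
    _vuln(IMAGE_VULNERABLE, "CVE-EXAMPLE-0001", "HIGH", True),
    _vuln(IMAGE_VULNERABLE, "CVE-EXAMPLE-0002", "CRITICAL", False),
    _vuln(IMAGE_VULNERABLE, "CVE-EXAMPLE-0003", "MEDIUM", True),
    {"kind": "DISCOVERY", "resourceUri": f"https://{IMAGE_CLEAN}",
     "discovery": {"analysisStatus": "FINISHED_SUCCESS"}},
    _vuln(IMAGE_CLEAN, "CVE-EXAMPLE-0004", "LOW", True),
]

if __name__ == "__main__":
    for image in (IMAGE_CLEAN, IMAGE_VULNERABLE, IMAGE_UNSCANNED, PROD + "api:latest"):
        ok, problems = deploy_allowed(image, SAMPLE_OCCURRENCES)
        print("ALLOW" if ok else "BLOCK", image, problems)
```

In a real pipeline this gate runs as the step that decides whether to create the Binary Authorization attestation for the digest; the cluster's admission policy then only has to require that attestation. The policy above blocks only fixable findings, so the unfixed CRITICAL in the sample passes; whether to block those too, or route them to an exception process with an expiry, is a decision to make explicitly rather than by default.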

When you build your pipeline, ensure that you have backups for your application binaries and executable files. Back them up separately from your confidential data.

Protect your deployed applications

Attackers can try to get into your network by finding Layer 7 vulnerabilities within your deployed applications. To help mitigate these attacks, complete threat modeling activities to find potential threats. After you minimize your attack surface, configure Google Cloud Armor, a web application firewall (WAF) that uses Layer 7 filtering and security policies.

WAF rules help you protect your applications against numerous OWASP Top 10 issues. For more information, see OWASP Top 10 mitigation options on Google Cloud.

For information about deploying Google Cloud Armor with a global external Application Load Balancer to protect your applications across multiple regions, see Getting to know Google Cloud Armor—defense at scale for internet-facing services. For information about using Google Cloud Armor with applications that run outside Google Cloud, see Integrating Google Cloud Armor with other Google products.

Patch vulnerabilities quickly

A key attack vector for ransomware is open-source software vulnerabilities. To mitigate the effects that ransomware might have, you must be able to rapidly deploy fixes across your fleet.

According to the shared responsibility model, you're responsible for any software vulnerabilities in your applications, while Google is responsible for maintaining the security of the underlying infrastructure.

To view vulnerabilities associated with the operating systems that your VMs are running and to manage the patching process, use OS patch management in Compute Engine. For GKE and GKE Enterprise, Google automatically patches the control plane and, when node auto-upgrade is enabled, the node operating system, though you have some control over GKE maintenance windows. The container images you deploy remain your responsibility: rebuild and redeploy them to pick up fixes in their base images and dependencies.

If you're using Cloud Build, automate builds whenever a developer commits a change to the code source repository. Ensure that your build configuration file includes appropriate verification checks such as vulnerability scanning and integrity checks.

For information about patching Cloud SQL, see