Recently I spoke with Ryan Chapman of the SANS Institute, author of the upcoming SANS course FOR528: Ransomware for Incident Responders, on how to better prepare for ransomware. That preparation comes in two forms: planning how you would respond to a successful ransomware attack, and overcoming the barriers to hardening your network against such attacks.

Planning for a ransomware attack

Ransomware recovery should be nothing more than restoring a backup, but the reality is that you often have no idea what is needed to restore until you are faced with the restoration process. A SANS roundtable recently discussed whether to pay a ransom. In a perfect world we would not pay the attackers. Paying feeds the ransomware industry, but it's not that cut and dried. Recovery from backups takes time. You may realize in the heat of the moment that you are missing the driver for a key machine, or that a product key you thought was stored in a particular location is not there. The best practice is to perform restoration tests and follow planned processes, but with IT departments stretched thin, these best practices often slip out of focus.

So, firms must decide whether to take the hard line and not pay, or to pay the ransom and possibly get back in business faster. Chapman notes that decryption tools are often not coded well, and decrypting a network might be just as slow as recovering it from a backup.

Prioritize assets to bring back first after a ransomware attack

Ransomware victims often bring back just the key assets and decide later which digital assets are no longer important. It's wise to identify ahead of time which digital assets are critical to business continuity. Inventory those critical assets and determine what processes you need to fully recover them without your normal recovery processes. Chapman advises mentally preparing yourself for the likelihood that you won't get all your data back.
You need to prioritize.

Create fall-back plans if normal processes and tools are not available

Too often in Active Directory, we do not back up key systems; we replicate and deploy. Imagine a situation where replication is not an appropriate recovery method. It comes down to understanding what it will take to recover potentially the entire network. You will not have the processes or personnel in place to tackle this. You may not have a healthy Active Directory in place to recover normally. You may not have scripts, Group Policy, or any of the other tools that you take for granted. You may not have your normal email system to communicate within your organization.

Plan how to manage and supplement staff

Identify external consultants and resources to bring in to help in the process. Identify alternative communication methods that you may need to have in place, ones that don't rely on personal email accounts. Plan how you will rest IT and security staff during the crisis so they make better decisions.

Harden your Windows network against ransomware

Overcoming internal and external patching blocks

Most of the organizations Chapman interacts with are hurt more by ransom attacks because they are blocked from patching quickly and from updating to supported, more secure platforms. He sees two types of blocks: internal and external.

The internal block is often due to the firm's reliance on self-coded solutions that have been built up over time and may not have been externally code reviewed, or understood well enough to know the impact when changes are made. Especially in large-scale environments, you don't know the impact of a new security setting or an Active Directory forest functional level until the actual deployment occurs. Firms can test, but often it's not until the solution is rolled out across the network that the more realistic impact is seen.
Thus, there is a natural and unfortunate tendency toward the status quo, because ensuring business continuity, especially now during the pandemic, is job one for many IT divisions.

The external block arises when a firm's vendors will not certify a platform for a new security setting or platform, which keeps you from deploying a setting that might provide more security. Often in medical settings, the equipment is purpose built and may not even be on an extended-support platform. You face the decision to deploy a needed update that will help keep attackers at bay or to break the support provided by the vendor. Often in that situation, there is no decision to make: you must keep the vendor support intact.

What can you do to overcome these blocks? First, identify those key assets you need to recover quickly and ensure that you understand how to recover them using alternative means. Fully test this process. Next, narrow down which software inside your organization is causing the blocks and why. If the vendor is the block to your deployment needs, review whether you can add requirements and contractual adjustments and push your vendors to do better. If internal software deployments are causing the block, review whether the paralysis is real. Has the firm had actual software failures due to rolling out new settings and software, or is the paralysis caused by a lack of resources for testing? Urge the various teams in the business to work together.

Raise your Windows Server forest level to 2016

Too many of us are still reliant on older server platforms that make it harder to roll out security solutions through Active Directory. We may have Server 2016 and Server 2019 servers in our network, but we're not taking advantage of the security features of that domain functional level. Too many of us are still on older forest and domain functional levels because we have older servers or applications, and a lack of testing keeps us from rolling out these newer features.
Or we have vendors that won't certify newer platforms and Active Directory features.

Raising your forest level to 2016 provides many features that better protect the network, such as privileged access management and automatic rolling of NTLM secrets on a user account. If your functional level is still 2008 R2, you don't have a UI for the Active Directory Recycle Bin, which makes recovery easier. Staying at the 2008 R2 functional level also keeps you from closing an old security hole: unchanging passwords on your service accounts.

Raising your domain level means you can roll out features such as Windows Defender Credential Guard, which protects the NTLM and Kerberos credentials of Active Directory accounts from being harvested by attackers. You will need Windows 10 Enterprise licenses or the appropriate Microsoft 365 licensing to roll out this feature to your workstations.

The large cost in ransomware is the disruption to the business. We need to move protection and detection higher up our priority lists, along with transparency and sharing of information. We need to do better, because right now the attackers are better than we are.
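As an added example (not from the article or from Chapman's course), the following PowerShell audit checks the items the forest-level section raises: the current forest and domain functional levels, whether the optional features those levels unlock are actually enabled, service accounts whose passwords never rotate, and whether Credential Guard is running on the host. It assumes the RSAT ActiveDirectory module on a domain-joined machine and rights to read the directory; the one-year staleness threshold is a chosen value, not one from the article.

```powershell
# Added example: audit AD functional levels, optional features, stale
# service-account passwords and Credential Guard state. Assumes the RSAT
# ActiveDirectory module is installed and the host is domain-joined.
Import-Module ActiveDirectory

$forest = Get-ADForest
$domain = Get-ADDomain

# Functional levels, e.g. Windows2008R2Forest vs Windows2016Forest.
"Forest functional level : {0}" -f $forest.ForestMode
"Domain functional level : {0}" -f $domain.DomainMode

# Optional features only become available once the forest level allows them.
# Privileged Access Management requires the 2016 forest level; the Recycle
# Bin requires 2008 R2. EnabledScopes is empty until a feature is turned on.
Get-ADOptionalFeature -Filter * |
    Select-Object Name,
        @{ n = 'Enabled';            e = { $_.EnabledScopes.Count -gt 0 } },
        @{ n = 'RequiredForestMode'; e = { $_.RequiredForestMode } } |
    Format-Table -AutoSize

# Service accounts whose passwords never change: the gap the article describes.
# Enabled accounts that hold an SPN, have PasswordNeverExpires set, and whose
# password is older than the (chosen) one-year threshold are candidates for
# migration to group Managed Service Accounts, which rotate automatically.
$staleBefore = (Get-Date).AddYears(-1)
Get-ADUser -Filter { PasswordNeverExpires -eq $true -and Enabled -eq $true } `
    -Properties PasswordLastSet, ServicePrincipalName |
    Where-Object { $_.ServicePrincipalName -and $_.PasswordLastSet -lt $staleBefore } |
    Select-Object SamAccountName, PasswordLastSet |
    Sort-Object PasswordLastSet |
    Format-Table -AutoSize

# Credential Guard state on this host. In Win32_DeviceGuard,
# SecurityServicesRunning contains 1 when Credential Guard is running
# (2 denotes HVCI, which is a separate feature).
$dg = Get-CimInstance -ClassName Win32_DeviceGuard `
    -Namespace 'root\Microsoft\Windows\DeviceGuard'
if ($dg.SecurityServicesRunning -contains 1) {
    'Credential Guard : running'
} else {
    'Credential Guard : NOT running (check licensing and Group Policy)'
}
```

Run it on a representative workstation and a domain controller; the functional-level and optional-feature output is forest-wide, while the Credential Guard check reflects only the host it runs on.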