In light of recent trends, you may be reviewing your cyber security awareness training and strengthening defenses so that in zero-trust terms, any user, any device, and any app over any network is protected against malware and ransomware. But the risk of an attack continues to loom. As the arms race continues, those with legacy approaches that leave networks open for employees could be prime targets for threat actors that use social engineering schemes to disperse malicious files. In 2022, we can expect worsening threats and breaches to occur.
In the unfortunate event of a ransomware attack, you need to be prepared and have a playbook. If you're leading or part of an IR team at game time, below are ten decisions you will need to make quickly and under duress, courtesy of Sudarshan Pisupati, Principal Security Research Engineer, Zscaler.
1. How do I put my IR plan into action?
When a breach occurs, unnecessary trouble begins because security teams treat outbreaks as a purely technical problem when ransomware incident response is actually a project management problem. Have a general game plan and put it into action to avoid decision paralysis, save time and money, protect your reputation, and get the business back on track.
2. Should I put the entire network on lockdown?
Containment is your first step. If your core infrastructure is hit, you may need to isolate either key parts of your server segments, your DMZ, or even entire data centers. This is primarily because investigations take time and it’s likely the ransomware is still spreading. You won’t know either way for at least the first few hours. Determine the number of encrypted systems and set a threshold. If the threshold is crossed, lock down the network.
3. What’s my Active Directory containment strategy?
You'll likely hear the phrase, “Active Directory Compromise” in the first few hours. If the AD server itself is encrypted, you may have no choice but to temporarily isolate it. If you're measuring encrypted systems in the hundreds, you are likely looking at enterprise-wide password resets, revocation of administrative rights, and the rapid enforcement of restrictive AD security measures. While you continue to investigate, discover, and disable compromised accounts, if you see a large-scale impact, you can bet on enterprise-wide action.
4. Investigation vs. recovery: What’s my priority and what are the timelines?
All ransomware outbreaks typically start with an investigation where the goal is to measure impact to the organization. You should be aware that investigations can take weeks or months. Start recovery processes like locating and testing backups, dry-run installations, and bringing up recovery systems in isolation and in parallel with all other activities. Don’t wait. Recovery is an inevitable step. The investigation should not block your recovery activities, but rather inform them.
5. Should I bring outside expertise and existing vendors to pitch in?
Yes, even if you have a fantastic in-house team. No one knows their product better than the vendors themselves.
6. How should I delegate technical decision-making authority?
Appoint one person to drive investigation activities and another to drive recovery activities. Both roles need a strong technical background and they need to be empowered to do what is right for the business. As a CXO, you hold veto power but defer to the experts. Between investigation and recovery, CXOs should focus their priorities on recovery.
7. When is the right time to notify the board, legal, and public relations?
If you hear the words, “domain compromise is confirmed,” it's the ideal time to notify the board. If your core infrastructure is down and people cannot connect to do their jobs, notify all units simultaneously because they'll notice. If you have downstream customers, work with legal immediately to begin notification processes (even if you don’t use it later).
8. Should I recommend paying the ransom?
This question is inevitable. All CXOs and legal teams need to get on a one-hour call to make this decision. Some deem that it is worth it since, they argue, it’s the only way to bring back irretrievable materially important business data. Others conclude that it violates local, state, and federal laws. You don’t pay a ransom as a principle whatever the consequence or threat. It would be wise to discuss this as a hypothetical at the next board meeting.
9. How do I get all stakeholders and vendors working together?
Enable all stakeholders to work together by creating a unified means for instant communications, such as a Slack channel, where all stakeholders are present. This facilitates everything from communication to information sharing. Establish a task tracker using project management tools like Asana and add all the stakeholders. There'll be at least 50 different tasks. The main thing to be aware of is that the situation demands everyone to work together and shares information freely without fear of repercussions, loss of business, and indulging in posturing. The responsibility of creating this environment rests solely with the CXOs.
10. How do I negotiate IR pricing?
Ransomware response can be expensive and valuable time can be saved by turning around contracts quickly so the business can be brought back online. Avoid sticker shock.
What to read next
Ransomware incident response is a technical problem right? Wrong. It's also a project management problem
What CXOs need to know about ransomware
With no end in sight for ransomware, experts zero in on solutions