[BreachExchange] How to Minimize Ransomware's Trail of Destruction and Its Associated Costs

Terrell Byrd terrell.byrd at riskbasedsecurity.com
Tue Nov 9 14:02:54 EST 2021


https://www.darkreading.com/attacks-breaches/how-to-minimize-ransomware-s-trail-of-destruction-and-its-associated-costs


Facing a ransomware attack head on is a terrifying experience, whether
you're a small startup or a multinational corporation. But once the rush to
secure and get systems up and running has passed, your organization must
then face the mess left in its wake. As experienced security leaders, we
know that it's never a question of if your organization will be attacked,
but when. And with threat actors pivoting to ransomware as an easy payout,
odds are better than ever that your organization will eventually experience
a ransomware attack. If ransomware is unpreventable, then how can
organizations minimize its impact and lessen the blow?

Measuring the cost of a breach is a difficult task, and there is no uniform,
one-size-fits-all framework. However, recovering quickly comes down to one
important facet: a well-built cyber-incident response plan. This plan should
spell out, in advance, the activities that need to be tracked, such as burn
rates (both short and long term) and licensing costs, and should designate a
project manager to track vendor statements of work, track time, and
generally keep things organized. Having someone who measures these seemingly
minute details provides a far more accurate picture of the total cost of an
attack, which is often much larger than companies realize.

It's also necessary to view costs through the lens of short-term expenses
(ransomware payment, cyber-insurance costs, legal fees, and consultancies)
and long-term costs (reputational/press, sales, and training). For example,
we use a tool that contains standardized tasks, dependencies, owners, and a
host of other metrics that a security team can start logging against.
Regardless of the specific tool you use, the important thing is to sit down
and lay out exactly what you need to track in a way that's collaborative
across all teams.

One of the biggest mistakes an organization can make is to blindly throw
technology at the problem instead of properly investing in building a
security team. Organizations often spend hundreds of thousands of dollars
on endpoint detection and response (EDR) solutions while neglecting
monitoring and investment in high-quality security leadership and human
talent. This is a great approach if you're looking to throw money into a
black hole.

Some other costly mistakes include:

Ignoring the Basics
Some of the simplest mistakes can be the most expensive. According to IBM
research, a breach life cycle under 200 days costs $1 million less than a
life cycle over 200 days, so even small tweaks that reduce that time can save
a lot of money. A general rule of thumb: If you haven't nailed down the top
five best practices from CIS's Top 20 list, such as log management and
retention, focus on those before moving on. Frustratingly, breaches most
often happen due to vulnerability management failures (e.g., missing
patches). Vulnerability management is deceptively difficult but
catastrophic when ignored.

Not Having Clear Lines of Responsibility, Accountability, and Reporting
Do you know exactly who is overseeing technology operations? And does the
top security leader have a direct line of communication to that person?
CIOs and other IT decision-makers will almost always choose to prioritize
initiatives for business operations over security, so ensure you have a
good ambassador who can clearly communicate security priorities to top
leaders. This way, your team isn't left in the dark during important
leadership conversations.

Ignoring Alerts
If you have a tool that generates alerts, make sure to follow up on them.
As obvious as it sounds, ignoring these alerts is usually the start of
serious issues.

Once you have your plan mapped out with a clearly defined measurement
framework, you can now begin to strategically invest time and resources
into building it out with tactics. So, what should you invest in? Here are
a few specific areas of investment, outside of your defined incident
response plan and security staff, that you should prioritize.

Start with network segmentation. With laptops, smartphones, and IoT
devices, among others, organizations today have a plethora of attack
vectors. But organizations can save millions by ensuring an attacker is
only able to compromise one device, rather than moving laterally without
obstruction through an environment.

Make sure to perform tabletop exercises as part of the security maturity
process. These are critical to ensure that your team members know what to
do as well as how to do it (and when) so they're not scrambling when the
fire alarms sound.

Take backups of critical data (including your IT golden images) and store
them offline. If you can't get to full offline backups, at least ensure
that backups can't be accessed with domain administrator credentials.
Ransomware threat actors will go after your backups — don't make it easy
for them. Once you get your backup program up and running, ensure backups
are updated on at least a monthly basis. Backups not only facilitate faster
restoration of regular operations; they also provide visibility into what
went wrong several months back, which is often critical for root cause
analysis.

Throughout my time in the industry, it has been a clear trend that
organizations facing downtime for multiple days have also lacked these key
processes, tools, and plans.