[BreachExchange] Top tips for CISOs and CIOs: How to Fight a Ransomware Attack

Destry Winant destry at riskbasedsecurity.com
Wed Oct 14 10:39:39 EDT 2020


https://www.cbronline.com/in-depth/how-to-fight-a-ransomware-attack

For the CIO or CISO, falling victim to a ransomware attack has become
almost inevitable, but that doesn’t mean it needs to be a catastrophe.

Ransomware attacks succeed because basic security measures are ignored
and the organisation has failed to prepare properly. By avoiding these
common mistakes, it’s possible to make the nightmare a little more
bearable.

By far the most common mistake we see is a failure to have the basic
security measures in place, or what I refer to as “baseline security
failures”. Baseline security failures mean not having the minimum
security controls in place that protect the low-hanging fruit.

Threat actors are trying to get into your organisation; it’s
happening. No amount of sheer denial is going to prevent that from
happening. Are you a CEO who thinks your organisation is too small to
be a target? Do you think your industry is immune from hackers? Are
you hoping a simple, legacy AV tool is going to keep you safe? Think
again.

How to Fight a Ransomware Attack

You need to be prepared in two ways. The first is preventative: ensure
that basic security controls are in place and configured properly. This
will typically involve robust endpoint protection such as an EDR that
uses machine learning. Traditional precautions like signature-based AV,
multi-factor authentication, network segregation, locking down RDP ports
that are exposed to the internet, and applying the latest OS and
application updates are essential, but they will not be enough to cover
you fully.

The second way to be prepared as an organisation is to assume that the
worst-case scenario will happen: the attacker will get past your
defenses and gain access to the network. In this worst-case scenario,
being prepared to recover from ransomware is vital, and that starts
with having regular offline backups. That way, if you do fall victim to
ransomware, you reduce the overall impact on the business by ensuring
that you will not be down for an undetermined amount of time.
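The two preparation points above are easy to state and easy to let slip. The following is an added example (my own illustration, not code from the article or its author) of how a team could check them mechanically: a small Python audit over a constructed inventory of firewall rules, hosts and backup jobs that flags RDP reachable from the internet, hosts without MFA, hosts not patched recently, and backups that are stale or only reachable online. All host names, addresses, dates and the 30-day/24-hour thresholds are assumptions made up for the example.

```python
"""Baseline-control audit: added illustration, not code from the article.

Checks a constructed environment inventory for the two preparation points
the article names: preventative baseline controls (no RDP exposed to the
internet, MFA enforced, hosts patched recently) and recovery readiness
(a recent, offline backup). Every host, rule, backup and threshold below is
a made-up assumption used only to exercise the checks.
"""
import ipaddress
from datetime import datetime, timezone

RDP_PORT = 3389
MAX_PATCH_AGE_DAYS = 30       # assumed policy: hosts patched within 30 days
MAX_BACKUP_AGE_HOURS = 24     # assumed policy: a successful backup within 24 hours

# Fixed "now" so the output is repeatable; a real run would use datetime.now(timezone.utc).
NOW = datetime(2020, 10, 14, 12, 0, tzinfo=timezone.utc)

# Constructed sample inventory (hypothetical names and addresses).
INVENTORY = {
    "firewall_rules": [
        {"name": "allow-rdp-any", "host": "jump01", "direction": "inbound",
         "port": 3389, "source": "0.0.0.0/0"},
        {"name": "allow-rdp-vpn", "host": "fileserver01", "direction": "inbound",
         "port": 3389, "source": "10.0.0.0/8"},
        {"name": "allow-https", "host": "web01", "direction": "inbound",
         "port": 443, "source": "0.0.0.0/0"},
    ],
    "hosts": {
        "jump01": {"mfa": False, "last_patched": "2020-07-01"},
        "fileserver01": {"mfa": True, "last_patched": "2020-10-01"},
        "web01": {"mfa": True, "last_patched": "2020-10-10"},
    },
    "backups": [
        {"name": "fileserver-nightly", "offline": True,
         "last_success": "2020-10-14T02:00:00+00:00"},
        {"name": "vm-snapshots", "offline": False,
         "last_success": "2020-10-01T02:00:00+00:00"},
    ],
}


def is_internet_source(cidr):
    """True if a rule's source range is not confined to private address space."""
    net = ipaddress.ip_network(cidr, strict=False)
    return net.prefixlen == 0 or not net.is_private


def exposed_rdp_rules(rules):
    """Inbound rules that admit RDP from the internet."""
    return [r for r in rules
            if r["direction"] == "inbound" and r["port"] == RDP_PORT
            and is_internet_source(r["source"])]


def audit(inventory, now=NOW):
    """Return (code, subject, detail) findings, sorted for stable output."""
    findings = []
    for rule in exposed_rdp_rules(inventory["firewall_rules"]):
        findings.append(("EXPOSED_RDP", rule["host"],
                         f"rule={rule['name']} source={rule['source']}"))
    for host, info in inventory["hosts"].items():
        if not info["mfa"]:
            findings.append(("NO_MFA", host, "multi-factor authentication not enforced"))
        patched = datetime.fromisoformat(info["last_patched"] + "T00:00:00+00:00")
        age_days = (now - patched).days
        if age_days > MAX_PATCH_AGE_DAYS:
            findings.append(("STALE_PATCH", host, f"age={age_days}d"))
    recent_offline = False
    for backup in inventory["backups"]:
        last = datetime.fromisoformat(backup["last_success"])
        age_hours = int((now - last).total_seconds() // 3600)
        if age_hours > MAX_BACKUP_AGE_HOURS:
            findings.append(("STALE_BACKUP", backup["name"], f"age={age_hours}h"))
        if not backup["offline"]:
            findings.append(("ONLINE_ONLY_BACKUP", backup["name"],
                             "reachable from the network; attackers go after backups first"))
        elif age_hours <= MAX_BACKUP_AGE_HOURS:
            recent_offline = True
    if not recent_offline:
        findings.append(("NO_RECENT_OFFLINE_BACKUP", "*", "recovery depends on online copies"))
    return sorted(findings)


if __name__ == "__main__":
    for code, subject, detail in audit(INVENTORY):
        print(f"{code:<24} {subject:<16} {detail}")
```

On the constructed inventory the audit reports the jump host (RDP open to the world, no MFA, 105 days unpatched) and the snapshot job (13 days old and online only), while the nightly offline backup satisfies the recovery check. Feeding it a real export of rules and backup job status is the obvious next step; the thresholds are the part to agree on with the business.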

Write an Incident Response Plan

For more mature organisations, who may already have these things in
place, being prepared may be as simple as having an Incident Response
plan, one that addresses the who and the what at a minimum.

The “who” in your plan should define your key stakeholders who need to
be involved when an incident is declared. This is usually your IT
staff, like the System or Network Administrator or someone who is
intimately familiar with your IT infrastructure.

Ideally your security team should be appointed as “first responders”
in the event of an incident. This part of your plan should also
include executive level or c-suite employees like a CISO or CIO, as
well as general counsel. Have a list of who needs to be contacted and
in what order, and have internal and external communication plans
ready to roll out.

The “what” defines the steps that need to be taken and may also
include a list of tools or technology that you will need to respond.
Hopefully, you won’t need to ever use the plans. Hopefully, you’ll be
one of the lucky ones. But in the event that an incident happens,
you’ll want all of these ready to go.

Of course, having a brilliant offline backup strategy in place is the
best way to prepare yourself for worst-case. Organisations with sound
backups can and do survive a ransomware attack relatively unscathed.
They will only lose an hour or so of data, leaving them space to focus
on the containment and restoration of operations. This best-case
scenario, however, is unfortunately more often the exception rather
than the rule.

There are large organisations out there with well-resourced IT and
security teams, who assume they have everything, yet they’re still in
a constant battle with threat actors. Threat actors who long ago
learnt to go after and destroy backups as a first step in their
attack.

As my good friend Morgan Wright, security advisor at SentinelOne,
often says, “no battle plan survives contact with the enemy.”
Sometimes, no matter how well prepared, the threat actors will find a
way in. More and more, we’re seeing that these groups are meticulously
well organised and are able to invest the proceeds of their crimes
into further research and development, always staying one step ahead.

Common mistakes

As soon as an incident is detected, the clock starts. The first 48 to
72 hours are a good indicator in helping determine if the nightmare is
going to be short-lived, or a recurring horror that drags on for
weeks, if not months. We recently concluded a case with a large
multi-national company that suffered a ransomware attack, where the
containment and investigation took nearly 3 months to complete. The
reason was that the client assumed the technology and security
controls they had in place were all they needed, and the initial steps
they took entailed wiping 90% of the systems that were impacted before
we were even engaged.

In parallel, the client also started rebuilding their infrastructure
in the cloud, which hindered response efforts, as it failed to address
the first key step when responding to any incident: the containment
and preservation of the impacted environment. Without understanding
the underlying problems that led to the ransomware and then performing
a root cause analysis to fix what needs fixing, you’re just setting
yourself up for another disaster.

For organisations that have never been through a ransomware event,
wiping everything right away might seem like the best course of
action. However, there is a strict protocol that needs to be followed
and that protocol includes conducting forensic investigation to
identify the full extent of the infiltration.

I can’t stress enough how important it is to have well-trained hands
at the keyboard, responding to the attack in these first few hours.
Very quickly you’re going to want to get 100% visibility over your
endpoint environment and network infrastructure, even the parts you
thought were immutable. You need to leverage the technology you
already have in place, or work with a firm who can bring the tools and
technology to deploy. This is what we refer to as gaining full
visibility, so you can begin to identify the full scope of impact and
contain the incident.

Another common mistake I see in some organisations, even when they
have relatively robust incident response planning and the right
technology in place, is neglecting the communications aspect of the
incident. It is vital to keep internal stakeholders up to speed on the
incident and, crucially, to make sure they’re aware of what
information can be disclosed, and to whom. Working on a large-scale
incident very recently, we got a few weeks into the investigation when
details began to appear in the media. Information being leaked like
this can be almost as detrimental as the attack itself, especially
when it’s completely inaccurate.

The Ransom

One part of a ransomware attack that we don’t talk about as much is the
ransom itself. Paying a ransom is always a last resort, and that’s the
first thing we tell clients who come to us after being hit with
ransomware. Our goal is to work with the client to evaluate every
option available to them for restoring operations. What I refer to as
“Ransom Impact Analysis” entails my team working with the client to
assess the impacted data and their backups, and to carry out a
cost-benefit analysis of rebuilding versus paying a ransom.

What we’re trying to do is help our client assess if the impacted data
is critical to the survival of the business. Sometimes, despite all
best efforts, the only solution to getting an organisation back on its
feet is to pay the ransom, but this is a last resort. Unlike heist
movies, this doesn’t mean gym bags full of cash in abandoned car
parks. This means a careful and rational negotiation with the threat
actor.

From time to time, we engage with clients who have already contacted
the threat actors and started negotiating themselves. This rarely ends
well. As the victim of the attack, you’re going to be stressed,
emotional and desperate. If you go into a negotiation before you have
a full picture, you have no leverage and can end up paying more for
decryption keys, or even paying for keys to systems you really don’t
need back. You even risk the threat actor going dark and losing any
chance at recovery altogether.

My overarching piece of advice for the CIO in the unenviable position
of a security incident, is to keep calm. Be as prepared as possible.
Take advice from experts and act on that advice, and remember, don’t
have nightmares.


More information about the BreachExchange mailing list