Does your organization have a solid plan for responding to ransomware incidents when they occur? Would you know what to do if you were the victim of a ransomware attack or a breach? These are questions security experts should be asking themselves to ensure they are prepared when an attack occurs.
Tego Advisory Services has substantial experience in cyber incident response and will attest that a successful recovery depends on an effective plan. Effective plans include a well-defined process to identify, contain, eradicate and recover from an attack. From our experience, the best plans thoughtfully integrate people, process and technology and should include:
Identification and Containment
- Pre-Incident Business Impact Assessment (BIA) identifying the priority of systems and data to be recovered first. The BIA is developed with input from multiple stakeholders to identify systems and data that are most important to continue operations and eventually return to “normal”.
- Processes for receiving and prioritizing alerts from the environment. Most environments receive alerts from multiple sources and those alerts are managed through different tools. It is important to develop a protocol for managing those alerts and systems so an organization can efficiently and accurately identify where the attack is happening.
- Identifying ports required for technology partner assistance and a protocol for blocking other external access.
- Communications plans for the response team by role and responsibility. Response team members and their roles look something like this:
  - The Security Team is responsible for identifying and implementing response tools and changes to the security stack during the incident. After the incident, the Security Team is critical in reporting failures and implementing changes from the after-action review.
  - IT is responsible for changes to systems and network design in response to the incident. They are typically also responsible for restoring and/or rebuilding systems as part of the recovery.
  - Management is responsible for monitoring the incident and ensuring that the Response Team has all resources to continue the response. Management is also responsible for communicating the response activities to the Board of Directors (BoD) and other stakeholders. Management is also critical to the after-action review and revisions to the BIA.
  - Legal is responsible for identifying reporting requirements in compliance with local laws and regulations. Typically, the Legal team will also support communications outside the organization and the insurance claim, interfacing with the carrier’s legal team.
  - HR is responsible for managing the internal messaging and controlling communications about the incident. HR may also assist with adjustments to pay, benefits and time-off for Response Team participants.
  - Insurance will ideally pay the claim, assuming the organization was in compliance with the security requirements set forth in the policy. There is a significant sum of money tied to the claim, and Insurance will typically appoint their own legal team to supervise/observe the response.
  - Law Enforcement will include local, state and federal agencies. It is important to identify who to notify and the thresholds required for that notification.
  - The Forensics Team will review all collected evidence to identify the source, timing and point of attack. They will also identify the vectors the attacker used and the systems impacted. Findings from the forensics team comprise a major part of the after-action review.
  - Ransom Negotiators will assess how badly your organization has been compromised, identifying potential resolution based on what is known about the threat actor and potential relief from the ransom.
  - Other Members (depending on the organization). There may be Response Team members from other departments such as Quality Assurance, Regulatory and Operations. Their responsibilities may vary, but generally, these representatives help to ensure the organization returns to “normal”.
  Communications plans also include: the notification call tree for the response team, a forum for continuous communications (e.g. a secure channel that you can ensure will be available post-compromise) and a system for tracking response activities.
- Plan for preserving evidence and engaging forensics to validate the attack and ransomware variant. This is a critical step often overlooked during the initial response. Ransomware incidents require investigation to identify the source, point of origin, pathology of the attack, etc. The outcome of the investigation will drive: response activities, reporting to law enforcement, proper incident disclosure to customers and a successful insurance claim.
- Secure location of suitable size for storing incident artifacts (see Plan for preserving evidence above).
- Process for assessing and negotiating with threat actors to determine data exfiltration and impact, not necessarily to pay the ransom. Ultimately, it was people and an organization that attacked you. If done correctly, this process will assist in assessing how badly your organization has been compromised and identifying potential resolution based on what is known about the threat actor and potential relief from the ransom.
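One way to make the evidence-preservation step above concrete, as an added example that is not Tego's tooling: a hypothetical Python helper that records a SHA-256 digest, size and UTC collection time for every artifact placed in the evidence store, and can later confirm that the stored copies are the ones collected during the response. The artifact names and contents below are constructed samples.

```python
"""Evidence manifest for incident artifacts (hypothetical helper, added example).

Each artifact gets a SHA-256 digest, size, collection time and collector name,
so the forensics team can show the copies in the secure evidence location are
unchanged since collection. Artifacts are passed as name -> bytes; use
read_artifacts() to load a directory of disk images, logs or memory captures.
"""
import hashlib
import json
from datetime import datetime, timezone
from pathlib import Path


def hash_artifact(data: bytes) -> str:
    """SHA-256 hex digest of one artifact's contents."""
    return hashlib.sha256(data).hexdigest()


def build_manifest(artifacts: dict, collector: str) -> dict:
    """Map artifact name -> integrity record at the moment of collection."""
    collected = datetime.now(timezone.utc).isoformat()
    return {
        name: {"sha256": hash_artifact(data), "size": len(data),
               "collected_utc": collected, "collector": collector}
        for name, data in artifacts.items()
    }


def verify_manifest(manifest: dict, artifacts: dict) -> list:
    """Names whose current contents differ from the manifest, or are missing.
    An empty list means every recorded artifact is intact."""
    problems = []
    for name, record in manifest.items():
        data = artifacts.get(name)
        if data is None or hash_artifact(data) != record["sha256"]:
            problems.append(name)
    return problems


def read_artifacts(evidence_dir: str) -> dict:
    """Load every file under the evidence directory as name -> bytes."""
    root = Path(evidence_dir)
    return {str(p.relative_to(root)): p.read_bytes()
            for p in root.rglob("*") if p.is_file()}


if __name__ == "__main__":
    # Constructed sample artifacts standing in for real collected evidence.
    sample = {"host01/ransom_note.txt": b"constructed sample note",
              "host01/security.log": b"constructed sample log line\n"}
    manifest = build_manifest(sample, collector="ir-analyst")
    print(json.dumps(manifest, indent=2))
    sample["host01/security.log"] += b"later edit\n"
    print("changed since collection:", verify_manifest(manifest, sample))
```

Store the manifest JSON separately from the artifacts (ideally signed or on write-once media) so that a later modification of the evidence cannot also rewrite the record of it.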
Eradication
- Protocol for quarantining and isolating symptomatic systems.
- IP blocking based on information gleaned from incident reporting and forensics.
- Universal password resets.
- Sandbox testing to “explode” (observe) the effects of the ransom payload.
- Identifying “patient zero” and the time the payload was introduced and “exploded” in the environment.
- Establishing the protocol for reintegrating healthy systems to production.
Recovery
- Plan for recovering impacted systems prioritized in the BIA.
- Execution of recovery protocol.
- Rebuilding systems that can’t be restored, which is typical if the team cannot validate “patient zero” and/or the exact time of payload introduction.
- Decommissioning unneeded systems.
- Data Breach Notification when it is required by corporate charter and/or regulatory requirements.
- After-action review.
- Training and testing changes implemented from the after-action review.
The above can be overwhelming and you may not know where to start. No worries, Tego can help! Contact us today for help building your disaster recovery and incident response plan.