It was not too long ago that ransomware attacks barely registered on anyone's radar. Today, cyberattacks, and ransomware attacks in particular, dominate headlines as they have become more sophisticated, more damaging and more frequent. What once warranted less than 10 minutes on the C-suite agenda is now arguably among the most pressing issues that organizations around the world face.
As we have seen with the cyberattacks on the Colonial Pipeline, Springhill Medical Center and JBS Foods, the effects of cybercrime go beyond a hefty price tag. Oftentimes, lives and livelihoods are also at stake. Although organizations have recognized the clear risks that cyberattacks pose, there is still a gap in understanding both the security measures that need to be in place to mitigate these attacks and what to do when they happen, because they will happen.
In my own experience, formulating a before, during and after approach is key to organizational sanity and survival in a world increasingly dominated by ransomware attacks. In this article, I’ll walk you through the template I use to assess each phase of my ransomware mitigation plan.
Before: Beware Business as Usual
For organizations that have never experienced a cyberattack, the preparation phase often can fall behind. Yet preparation is paramount to mitigate the growing risks of a ransomware attack in today’s digital world. Companywide buy-in is the first step to bolstering defenses and ensuring a quick response when faced with an attack. When implementing preventative measures, here are the five core areas to keep top of mind:
● IT hygiene: Once threat actors gain access to an environment, they look to exploit key systems and sensitive data. Performing good data hygiene and having a well-defined patch management program are crucial to preventing breaches. Often, by the time a vendor releases a patch, cybercriminals are already aware of the vulnerability. Given this tight timeframe, critical patches should be applied within 24 hours; lower levels of criticality allow longer windows, but no patch should wait more than 30 days.
● Multi-factor authentication: It has been said that employees are the weakest link in cybersecurity, as poor password management practices can create vulnerabilities. With multi-factor authentication, an added layer of security protects against the issues that arise when the same password is used across multiple accounts.
● Admin credential vaulting: In addition to poor password management practices, improperly secured shared resources can create vulnerabilities. Vaulting credentials, especially admin credentials, provides an extra safeguard for the credentials of shared resources on your network: a repository in which passwords are automatically refreshed after each login.
● Consistent logging: Security and access logs are crucial before and after an attack. They provide critical indicators of compromise that help identify a potential adversary before an attack is launched. Additionally, a good logging solution can help identify the source of an attack and provide the required proof of compliance to regulatory agencies. However, it is not enough to simply maintain security logs; they need to be protected from tampering as well.
● Fast analytics: Quick, real-time analytics over security logs will help spot suspicious behavior and send timely alerts on potential attacks. Implementing a fast analytics platform across three vectors (the endpoint, the network and the end user) can help you spot indicators of compromise and allow threat hunters to eradicate threats before an attack is launched and data is compromised.
● Critical employee training: Set clear Internet and email policies and issue relevant end-user awareness training for employees across the organization. Follow up to measure efficacy and use that information to identify weak spots where additional training may be needed. However, it is critical to understand that employee education alone is not enough. Executive management and boards must also be trained, via tabletop exercises, on how events will unfold and how to respond during a cyberattack.
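The logging and fast-analytics points above can be made concrete with a small worked example. The following Python code is an added illustration, not code from the article or any product it mentions: it stores security events in a hash-chained log so that any edited or deleted entry is detectable (the "protect the logs" point), and then runs simple correlation rules over the three vectors named above, the end user, the network and the endpoint. All events, hostnames, thresholds and field names are constructed for the example and are not taken from any real system.

```python
"""Tamper-evident security log plus a small three-vector detector.

Added example (not from the article). The events, thresholds and field
names below are constructed assumptions for illustration only.
"""
import hashlib
import json
from collections import defaultdict
from datetime import datetime, timedelta


def build_sample_events():
    """Constructed sample events: a credential-guessing burst, a host fanning
    out to many peers, and a process renaming many files."""
    base = datetime(2024, 3, 1, 9, 0, 0)
    t = lambda **kw: (base + timedelta(**kw)).isoformat()
    ev = []
    for i in range(3):  # user vector: three failed logins, then a success
        ev.append({"ts": t(seconds=30 * i), "vector": "user", "user": "alice",
                   "src": "10.0.0.5", "action": "login", "result": "fail"})
    ev.append({"ts": t(minutes=2), "vector": "user", "user": "alice",
               "src": "10.0.0.5", "action": "login", "result": "success"})
    ev.append({"ts": t(minutes=3), "vector": "user", "user": "bob",
               "src": "10.0.0.9", "action": "login", "result": "success"})
    for i in range(6):  # network vector: one host reaching six peers on 445
        ev.append({"ts": t(minutes=4, seconds=i), "vector": "network",
                   "src": "10.0.0.5", "dst": f"10.0.1.{10 + i}", "dport": 445})
    ev.append({"ts": t(minutes=5), "vector": "network", "src": "10.0.0.9",
               "dst": "10.0.1.50", "dport": 443})
    for i in range(12):  # endpoint vector: one process renaming many files
        ev.append({"ts": t(minutes=6, seconds=i), "vector": "endpoint",
                   "host": "ws01", "process": "unknown.exe", "action": "rename",
                   "path": f"C:/share/doc{i}.docx.locked"})
    ev.append({"ts": t(minutes=7), "vector": "endpoint", "host": "ws02",
               "process": "winword.exe", "action": "rename",
               "path": "C:/users/bob/report.docx"})
    return ev


class HashChainedLog:
    """Append-only log where each entry hashes the previous entry's hash,
    so silently editing or dropping an entry breaks verify()."""
    GENESIS = "0" * 64

    def __init__(self):
        self.entries = []  # (prev_hash, record_json, entry_hash)

    def append(self, record):
        prev = self.entries[-1][2] if self.entries else self.GENESIS
        body = json.dumps(record, sort_keys=True)
        digest = hashlib.sha256((prev + body).encode()).hexdigest()
        self.entries.append((prev, body, digest))
        return digest

    def verify(self):
        prev = self.GENESIS
        for stored_prev, body, digest in self.entries:
            if stored_prev != prev:
                return False
            if hashlib.sha256((prev + body).encode()).hexdigest() != digest:
                return False
            prev = digest
        return True

    def records(self):
        return [json.loads(body) for _, body, _ in self.entries]


def detect(records, window=timedelta(minutes=5), fail_threshold=3,
           fanout_threshold=5, rename_threshold=10):
    """Correlation rules over the user, network and endpoint vectors.
    Returns (vector, subject, reason) tuples; thresholds are illustrative."""
    alerts = []
    logins = defaultdict(list)
    for r in records:
        if r["vector"] == "user" and r["action"] == "login":
            logins[r["user"]].append(r)
    for user, evs in logins.items():  # failed-login burst followed by success
        evs.sort(key=lambda r: r["ts"])
        for i, ev in enumerate(evs):
            if ev["result"] != "success":
                continue
            t_ok = datetime.fromisoformat(ev["ts"])
            fails = [e for e in evs[:i] if e["result"] == "fail"
                     and t_ok - datetime.fromisoformat(e["ts"]) <= window]
            if len(fails) >= fail_threshold:
                alerts.append(("user", user, f"{len(fails)} failed logins then success"))
                break
    peers = defaultdict(set)  # one source reaching many distinct hosts
    for r in records:
        if r["vector"] == "network":
            peers[r["src"]].add(r["dst"])
    for src, dsts in peers.items():
        if len(dsts) >= fanout_threshold:
            alerts.append(("network", src, f"connected to {len(dsts)} distinct hosts"))
    renames = defaultdict(int)  # one process renaming many files
    for r in records:
        if r["vector"] == "endpoint" and r["action"] == "rename":
            renames[(r["host"], r["process"])] += 1
    for (host, proc), n in renames.items():
        if n >= rename_threshold:
            alerts.append(("endpoint", f"{host}:{proc}", f"{n} file renames"))
    return alerts


def run_demo():
    """Ingest the sample events, verify the chain and run detection."""
    log = HashChainedLog()
    for e in build_sample_events():
        log.append(e)
    return log.verify(), detect(log.records())


if __name__ == "__main__":
    ok, found = run_demo()
    print("log integrity:", ok)
    for a in found:
        print("ALERT", a)
```

The hash chain only makes tampering detectable; it does not prevent it, so in practice the chain head (or the log itself) should be shipped to a system the endpoint cannot write to. The three rules are deliberately simple threshold counts so that the correlation logic is easy to follow; a real analytics platform tunes thresholds per environment and correlates across sources rather than treating each vector in isolation.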
During: As the Attack Unfolds
An organization's exact business continuity and disaster recovery plan will depend on its business and the specific breach; however, there are steps that should be taken across the board regardless of industry or sector. As an attack plays out, the organization's business continuity and disaster recovery plan will need to be put into action. At this point, containing the attack and locking down the environment is the first step. Isolate impacted systems on the network without fully shutting them down or turning off the power, as doing so could reduce the ability to forensically analyze those devices later. In addition, here are four other steps you should take:
- Put your backup communications plan into action: If your email systems are down, continue communications within your organization using your backup communications plan. Use this method to inform leaders and internal stakeholders of the attack.
- Mobilize your emergency response team: This team will look different depending on your organization, but each person on the team should have clear marching orders. This team may include legal counsel, forensic experts, corporate communications and other key players.
- Initiate your external communications plan: Get in contact with authorities, cyber insurance providers, regulators, media and other critical partners to inform them of the situation. The plan should also include notifications to affected customers and businesses. Be sure to have a clear statement drafted that details the situation and your subsequent plan of action.
- Start the forensic process: Triage impacted devices for forensic review. The sooner your team can identify what type of attack was launched and its severity, the sooner your team can apply patches.
After: Steps to Recovery
There's only one thing that matters after an attack, and that's SPEED. While having the proper precautions in place to prevent an attack and to respond to one is essential, it's equally critical that organizations plan for recovery. As part of a solid disaster recovery plan, organizations should have a recovery environment that has been staged, tested and is ready to go, providing a tried-and-true way to get back online right after an event. Once an attack has run its course, you may be faced with a choice about whether to pay a ransom. Whether you decide to pay or not, at this point you are also working to minimize damage and get back online as quickly as possible.
Of note, in many cases an organization will not be able to reuse production devices that may have been implicated in an attack. As a result, an additional recovery kit should also be planned for, with clear visibility into what it contains and where it is.
Based on your response plan, you'll need to prioritize which systems should be recovered and restored first. There will be a number of application dependencies that will need to be worked through. As you continue the forensic process, it will be important to work in tandem with the proper authorities, including regulatory agencies. As you begin the restoration process, make sure to do so in an offline environment that allows teams to identify and eradicate any persistent malware infections before systems are reconnected.
Throughout the whole recovery process, communication will be key. Be sure to consistently communicate progress each step of the way to all affected parties. This includes but is not limited to employees, customers, investors and business partners. It’s also important to keep any affected service providers or suppliers in the loop and ensure they take the necessary steps to prevent another breach.
It’s almost naïve to think that your organization won’t be affected by a cyberattack or breach at some point. Cybercriminals will undoubtedly continue to innovate and evolve, and we can expect ransomware to get even more creative and capable of even greater damage. Although we can’t predict the next big ransomware attack, we can certainly prepare ourselves by continuing to evolve our cybersecurity strategy.