As the number of ransomware attacks continues to increase, the C-level response must be swift and decisive.
Top executives increasingly dread the phone call from a colleague informing them that their company has been hit by a cyber attack. Almost every week in 2021 and early 2022, a prominent organization found itself in the media spotlight as its public relations team struggled to explain how it was attacked and how it would regain consumer trust. A recent study showed that 37 percent of organizations surveyed had been affected by ransomware attacks in the past year.
Worse, the days when executive leadership teams could completely delegate responsibility to a CISO are over. Regardless of the reality, studies have shown that about 40 percent of the public's blame for a ransomware attack falls on the shoulders of the CEO, and that 36 percent of attacks lead to the loss of C-level talent. While executive involvement in the security program does not guarantee a successful defense, it does give the executive leadership team (ELT) a degree of ownership of the final product, as well as the ability to speak confidently and knowledgeably to the public.
When, not if
Many teams focus their plans on preventing the first strike rather than on the response once an opponent has successfully established a foothold. A ransomware attack is always a multi-stage process, and it is up to the members of the ELT to set a strategy that slows and frustrates the opponent at each stage of an attack. That part of the planning should focus on rapid response, proven containment techniques and eradication. Some examples of questions you could ask are:
- Does your team have standard procedures for a ransomware attack and does your team perform regular battle drills, such as quickly changing all privileged account passwords throughout the enterprise?
- Do they have ways to quickly isolate a compromised network segment to preserve the integrity of the rest of the network?
- Is your team working on a zero-trust architecture?
- Does your team know where your critical data resides and is it encrypted at rest?
- Do they know what your mission-critical services are and what technical dependencies they have?
- Are your backups redundant and protected from accidental access by a compromised administrator account?
The answers to these tough questions could be the difference between success and failure in an impending ransomware attack.
Teamwork makes the dream work
It is difficult to build an effective multidisciplinary team in the heat of battle. Nearly every CISO delegates the responsibility for coordinating immediate actions in a cybersecurity emergency to a trusted subordinate, often referred to as an “incident commander.” When your incident commander sets up the ransomware war room, do they have an at-a-glance list to make sure the right people are included? Since your time as an executive is very limited, how would you like to be kept informed, and do the incident commander and/or CISO understand that requirement? Is it formally embedded in your organization’s incident command structure?
Your top performers will often push themselves past the point of exhaustion during a major incident and make mistakes as a result. Do you have trusted individuals who hold each other and their teams accountable for setting the right pace? In general, responders can only perform at maximum mental efficiency for about 10-12 hours a day, so that figure can be used to structure a proper rotation. Does your team have an effective rest plan with built-in redundancy for key roles in case of personal emergencies? First-class security operations centers (SOCs) structure their emergency response staffing the same way military operations do: each person has one or two designated backups who are fully trained to perform their role.
Can you hear me now?
One of the most frequently asked questions is, “How can we prepare for ransomware communications?” For internal communications, it is critical to define which communications system will be used to send notifications. Is it able to reach and assemble the team after hours? Assuming the worst-case scenario, in which the entire corporate network is offline, do you have a true out-of-band (OOB) method of communication? Returning to the military planning model, it is no coincidence that even the lowest-level operations orders define primary, secondary and tertiary communication methods.
Timing is important for external communication. We’ve found that attacks on high-profile organizations typically show up in the media within 24 hours. Do your communications and PR teams have ready-made templates they can use for the initial public report of an incident? Writing them now will save time and ensure that important details are not overlooked during a crisis. What are the key points needed to get the news cycle under control early? What is the chain of approval: should the CEO review the statement personally, or can it be released at the direction of the head of corporate communications?
A thoughtful CEO may want to identify the circumstances under which direct review is required, such as a confirmed breach of sensitive data, but give corporate communications the authority to publish reports in all other circumstances without CEO review. If you have a customer-facing team, such as customer service or a help desk, is there a standard message they can give that will keep everyone calm and ensure sensitive information is not shared? In all cases, legal counsel should be consulted and should work together with corporate communications.
Negotiating with attackers
Are you willing to implement a firm policy that your organization will not pay a ransom under any circumstances? There is no data to say whether a published statement to that effect reduces the likelihood of being targeted, but the reverse effect has been observed. Organizations that set a precedent for paying ransom are heavily targeted, as opponents see them as a guaranteed payday. In fact, a recent study found that 80 percent of the organizations that paid a ransom were attacked again shortly afterwards.
If you cannot commit to a hard-line policy of non-payment, many secondary considerations become important, including the legality of the payment if an OFAC-sanctioned entity is involved. Do you have a legal advisor, a cyber insurer and possibly a professional ransomware negotiation agency that you can contact quickly? As always, consult your legal advisor.
Advice to any CEO on how to build a ransomware preparedness plan
- The executive leadership team can and should be closely involved in the development of the anti-ransomware plan.
- Attempted ransomware attacks are almost unavoidable for the average organization today, but good post-breach actions can deliver excellent damage control.
- Team structure and good communication plans are just as important as strong cybersecurity tools and configuration.
- Considerations for paying ransom are complex and there is no “one-size-fits-all” answer, but in most cases, paying ransom leads to more targeting in the future.
Nate Pors is an incident response commander for Cisco Talos with more than six years of cybersecurity experience and five years of operational leadership experience. Prior to joining Cisco in February 2021, Nate served as a senior cybersecurity watch officer for the US National Geospatial-Intelligence Agency. Nate served in the United States Marine Corps as a combat engineer and left with the rank of captain.