Three Must-haves in your Cybersecurity

Author: Alexandre Palma

Cybersecurity incidents are a matter of “when,” not “if.”
2021 saw the highest average breach cost in 17 years, and 10% of breaches involved ransomware.

Ransomware is malware designed to deny a user or organization access to the files on their computer by encrypting those files and demanding a ransom payment for the decryption key. Nowadays it is imperative for security and risk management leaders to prepare: the key tools are a documented response plan and a detailed playbook for the incident type.

THREE COMPONENTS TO GET RIGHT

Each component has several steps that must be completed:

1. Build an incident response plan – First, we need a general plan for responding to cyber incidents.
  • Develop a Response Process Map: The incident response plan should dictate detailed, sequential procedures to follow in the event of an incident. The incident coordinator (or similar role) should ensure that each step of the process is completed, and that progress is tracked and communicated on a rolling basis.
  • Define Incident Severity Tiers: All security incidents must be triaged and assigned a severity tier. This helps to guide incident escalations, assign service-level agreements, and otherwise inform stakeholders of the potential or realized impact of an incident on the organization. The severity also drives who is notified, what the escalation path will be, and, therefore, which playbook applies.
  • Assign Roles and Responsibilities: Effective incident response depends on teamwork. Maintain a RACI chart that indicates all the organization’s roles and responsibilities for incident response. Common stakeholders to include are the C-suite, legal, privacy, and HR teams.
2. Develop detailed response playbooks – Detailed guides are necessary for handling specific incident scenarios.
  • Create Response Playbooks: The CSIR team should develop specific playbooks for common or high-impact incidents, as shown in this example. Response playbooks are designed to provide detailed guidance and procedures that go beyond security’s general incident response plan.
  • Develop a Ransomware Response Process: Create a ransomware response process and decision tree. This process can then be used to develop detailed response procedures, assign roles and responsibilities, and develop additional documentation that the CSIR team can use to guide their response.
  • Document Detailed Response Procedures: Work with subject matter experts (SMEs) to document detailed ransomware response procedures. These procedures should include specific guidance, tools, examples, settings, and so on, and should identify responsible parties for every step.
3. Conduct regular tabletop exercises – Do a routine test to practice incident response plans.
  • Create an Agenda and Invite Participants: Incident response tabletop exercises should include leadership and decision-makers across the organization. A successful tabletop defines specific objectives and is highly structured to cover preplanned scenarios to which participants must react.
  • Develop an Incident Scenario and Scenes: Cybersecurity tabletop exercises are most effective when structured as an initial scenario (e.g., malware), followed by a series of scenes that add new information to the incident to which participants must react. This structure replicates the uncertainty and evolution of real incidents.
  • Craft Challenging Incident Scenes: Tabletop exercises should replicate challenging questions that stakeholders must address during an attack. In a tabletop exercise, you can challenge participants to react to a ransom demand from an attacker, for example.

DURING A RANSOMWARE ATTACK
  • On average, only 65% of the data is recovered, and only 8% of organizations manage to recover all data.
  • Encrypted files are often unrecoverable.
  • Attacker-provided decryptors may crash or fail.
  • Recovering data can take several weeks.
  • There is no guarantee that the hackers will delete the stolen data.
  • They could sell or disclose the information later if it has value.
  • It may be easier and cheaper to pay the ransom than to recover from backup, but that only encourages criminal behavior.
  • In some cases, paying the ransom could even be illegal.

It is far easier to prepare for a ransomware attack than to respond to one. By preparing and taking precautions against ransomware attacks, you can avoid critical damage to your company. Be cautious.