Technology Overload 

Incident Response - Minimize the Impact

It is not news that data breaches cost companies operational downtime, reputational damage, and financial loss. We’ve all seen the growing number of cases in which cyber-attacks have inflicted damage on organizations over the last few years. For most organizations, breaches lead to devaluation of stock and loss of customer confidence. To minimize these risks, companies need a well-structured cybersecurity program. That program must include a well-planned incident response plan. That plan should aim to …

  • Restore daily business operations quickly without significant impact
  • Minimize financial and reputational losses
  • Patch exposed cyber vulnerabilities comprehensively and quickly
  • Strengthen security posture to avoid future attacks
  • Where regulatory standards apply, ensure compliance with those standards, avoiding sizable fines and penalties

With a successful incident response program, damage can be reduced or avoided altogether.

Malware Attack – Critical Steps in Incident Response

A few statistics regarding ransomware highlight the challenge that organizations face today.

  • Ransomware attacks are up over 600% during COVID-19. (ABC News, 2021). And they were up 500% from 2019 to 2020.
  • 37% of respondents’ organizations were affected by ransomware attacks in the last year. (Sophos, 2021)
  • The average ransom fee requested has increased from $5,000 in 2018 to around $200,000 in 2020. (National Security Institute, 2021).
  • Experts estimate that a ransomware attack will occur every 11 seconds in 2021. (Cybercrime Magazine, 2019)
  • The average downtime a company experiences after a ransomware attack is 21 days. (Coveware, 2021).

Based on the above, you should have cyber security/ransomware insurance to help not only protect your organization financially in the event of a ransomware incident, but also to help you navigate the incident response process. Remember, it’s in the insurance company’s best interest to assist you with all the resources it can bring to the table. The more successful your response is, the less likely the insurer is to be responsible for paying a large cyber claim.

As an IT leader, it’s critical that you have security measures in place to prevent cyber-attacks, but the above tells us that in many cases, this simply won’t be enough. The attacks on your business are becoming more frequent, more intense, and more sophisticated. If you’re one of the businesses that get hit with ransomware, how prepared you are for that attack, and how you respond to it, can mean the difference between a quick recovery and paying a large ransom with significant downtime for your business.

Being prepared for a cyber security incident:

First, before an incident occurs, have a documented and tested plan for how you, your team, and your organization are going to respond. You won’t have time to create a plan when you’re in the middle of a malware attack, so make sure you’re prepared. Some of the components to have in place include:

  • Create a documented communication plan that includes two communication leads: one for internal communications to keep IT and associates updated on a regular basis, and one for external communications for customers, vendors, and partners. Only one thing is worse than leaving employees to create their own narrative on what’s happening, and that’s having employees share their narrative with your customers or vendors.

The first communication to employees should be accurate and direct, but discreet. Let them know exactly what’s expected of them and what they can and can’t communicate about the event.

For external communications, it’s important that any information coming out be accurate, consistent, and controlled. Have a list of who needs to be contacted, when, and how frequently. You’ll want to keep your key customers and partners updated so they aren’t reaching out to their internal contacts looking for information.

  • Have communication templates already developed for what you want to communicate. You will need to fill in some details about the specifics of the event, but you can have much of it prepared ahead of time.
  • Develop a response plan for the IT team and the business. How you respond in the initial 24 hours of the malware event shouldn’t be left unscripted. You’ll have too many decisions to make with very little time to be guiding the business and directing IT without a defined plan.
  • Keep all contacts' email and cell phone numbers updated. This includes IT, communications leads, senior leadership, and relevant partners including insurance contacts. Review this information twice a year and keep it current.

** All of your plans and documentation should be maintained in an online account, not on any local servers, so they remain reachable when your own systems are encrypted or isolated.

Incident response to a malware attack:

If you become a victim of a malware/ransomware attack, the first thing you should do is cut off physical access to your network immediately. This is likely too late and the damage has already been done, but take any opportunity to stop malware/encryption from spreading or data from being exfiltrated until you can get a firm assessment of your environment.

While your IT team is controlling network access, the first and immediate contact you need to make is to the incident response team associated with your insurance company. They should have a 24x7x365 incident response team to contact. It’s important to work through your insurance company as a first contact. They will not only have a playbook to work from, but they will step you through exactly who you should contact and what process to follow. They will coordinate a lawyer and initiate any claim and recovery process to ensure that any supported costs are covered. Working through a cybersecurity attorney will ensure that any communications you have with vendors, third parties, and service providers are protected by attorney-client privilege. This should all be done in the first hour after the attack.

You will likely need support from a dedicated cybersecurity response team. They will have resources, tools, expertise, and a process to begin regaining control of your environment. Your insurance company will likely have a number of cyber security firms that they recommend and will connect you with their team.

Next, you will need to work to regain control of your environment. The cyber security team that you are working with will run forensics and help to ensure that there is no more lateral movement within your network and that any encryption or data exfiltration activity has been stopped. You shouldn’t attempt any data recovery at this time. No matter how tempting it may be to try and get back to “normal”, wait until you coordinate with the cyber team. You could inadvertently destroy important data (including forensic evidence) or simply give the threat actors additional targets.

Your communication teams should be engaged and working through their communication plans.

At this stage, you should also:

  • Identify what ransomware you’ve been infected with
  • Understand the impact - Assess specifically what systems have been impacted and organize them by criticality.
  • Through your attorney and insurance company, you should contact a ransomware specialist. This specialist will know how to contact and negotiate with the threat actors.

While your cyber security team is doing forensics and securing the environment, the ransomware specialist should be making contact with the threat actors.

  • The communication with the threat actors should be polite and professional. While it may feel good to let them know how you feel, you may very well need some things from them. At this point, you are dealing with and communicating with people. You may not like it, but you need to have constructive communication with the attackers in order to get the best outcome for your organization.
  • The ransomware specialist is an expert at negotiations and will work with the threat actors and help to determine if any data has been exfiltrated by obtaining proof from the attacker. This information will be important in determining how valuable the data is or isn’t to your organization.
  • This negotiation process will take place over several days and the ransomware specialist will work to get to the best deal for you. They will know how to drive the ransom down, and when they have probably gotten to the lowest point.

Now you have a decision to make:

  • Can you recover from backup and was no important/confidential data exfiltrated?
    • You may decide to ignore the threat actors at this point and facilitate your own recovery.
  • If you can’t recover fully from backup, can you recover some files and negotiate an even lower ransom?
  • If you can’t recover adequately from backup and/or critical or confidential data was exfiltrated, you will need to obtain the decryption keys from the threat actors based on the negotiation completed. The ransomware specialist will be able to obtain the proper payment in bitcoin and coordinate the exchange of payment for the decryption keys.
    • If you decide that you need to pay the ransom, the threat actors will likely provide your keys as negotiated. This is a business to them and it’s not good business to go back on a deal. If they get in the habit of not honoring their agreements, fewer firms will be inclined to pay their extortion.

Once you get the decryption keys from the threat actors, keep in mind that the decryption process is extremely slow. You will still need to prioritize your critical systems and decrypt them first. Decryption on a large scale can create system stability, disk space, and memory issues, and may require additional specialist support to help you through the process.

Additionally, as a not-so-obvious note: make sure to decrypt your test environment early in the process. There will invariably be some testing and changes that will need to take place when bringing up your critical production systems; if you don’t have a test or staging environment available, you will be making changes that could very well destabilize an already challenged and fragile system.
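The ordering rule above (test/staging first, then production by criticality, watching disk headroom as you go) can be written down as a small planner so the sequence is agreed before anyone runs a decryptor. The script below is an added illustration and is not code from the original post or from any vendor; the inventory is constructed sample data, and the field names (`criticality`, `environment`, `free_gb`, `encrypted_gb`) and the 20% free-space rule of thumb are assumptions chosen for this example, not a published guideline.

```python
"""Recovery-order planner for post-ransomware decryption.

Added example, not part of the original post. Inventory values below are
constructed; field names and the disk-headroom margin are assumptions.
"""
from dataclasses import dataclass
from typing import List, Tuple

# Non-production environments are decrypted first so there is somewhere to
# test changes before touching fragile production hosts.
ENV_PRIORITY = {"test": 0, "staging": 0, "production": 1}


@dataclass
class System:
    name: str
    environment: str      # "test", "staging" or "production"
    criticality: int      # 1 = most critical, larger = less critical
    free_gb: float        # free disk on the host before decryption starts
    encrypted_gb: float   # volume of encrypted data on the host


def needs_disk_headroom(system: System, margin: float = 0.2) -> bool:
    """Flag hosts that may run out of disk during decryption.

    Many decryptors write the plaintext copy before removing the ciphertext,
    so this (assumed) rule of thumb requires free space of at least `margin`
    times the encrypted volume before the host is decrypted.
    """
    return system.free_gb < system.encrypted_gb * margin


def plan_recovery_order(inventory: List[System]) -> List[Tuple[str, str]]:
    """Return (system name, note) pairs in the order they should be decrypted:
    test/staging hosts first, then production ordered by criticality."""
    ordered = sorted(
        inventory,
        key=lambda s: (ENV_PRIORITY.get(s.environment, 1), s.criticality, s.name),
    )
    plan = []
    for s in ordered:
        note = "low disk: free space before decrypting" if needs_disk_headroom(s) else "ok"
        plan.append((s.name, note))
    return plan


# Constructed sample inventory (hostnames and sizes are made up).
SAMPLE_INVENTORY = [
    System("erp-prod-01", "production", 1, 40.0, 500.0),
    System("fileserver-prod", "production", 2, 900.0, 1200.0),
    System("erp-test-01", "test", 1, 300.0, 120.0),
    System("hr-prod", "production", 3, 50.0, 80.0),
    System("web-staging", "staging", 2, 20.0, 200.0),
]

if __name__ == "__main__":
    for name, note in plan_recovery_order(SAMPLE_INVENTORY):
        print(f"{name:18s} {note}")
```

Running it on the sample inventory puts `erp-test-01` and `web-staging` ahead of every production host, then orders production by criticality, and flags `erp-prod-01` and `web-staging` as needing disk space cleared first. Keep a file like this with the rest of the plan in the online account mentioned earlier, since the inventory it needs will not be readable from encrypted servers.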

The most important part of managing a cyber security/ransomware attack is to make sure you’re prepared and have a documented plan in place and available. Often these events take place over holidays or weekends when resources aren’t always at the ready. It won’t be easy, but if you generally have solid security controls, good backups to recover from, and a well-defined plan in case of an incident, you have a much higher likelihood of turning a potential business disaster into simply a very challenging business recovery process.

Contact

Chris Persiani - Senior Vice President, Executive Partner


Chris is Senior Vice President and Executive Managing Partner at Vaco Cincinnati, where he helps empower businesses to perform their best by providing real-world solutions to clients’ problems. His leadership, relationship building and expertise help solve for a client’s needs today and tomorrow. Chris provides businesses with both strategic direction and staffing to see their solutions through to execution.

Through an ability to connect people and help them with their next career steps, no matter their stage, Chris can connect talent with expertise to help staff the right people for their right tasks. He sees networking not as a business obligation but rather an opportunity to help others forge their futures.
