We recently asked renowned ransomware expert Allan Liska: “How Can I Get Help With A Ransomware Attack?” See his response in this video. In case you missed it, here’s the transcript:
So Allan, even organizations with a dedicated security team who practice this stuff all day long can find themselves in over their head. And it’s hard to know when to call it and to phone the experts and say, we need help. I think especially IT and security people, we tend to think that we can do it and we’re not ready to quite give it up and say, we need help. But as a professional incident responder, what is your perspective on how an organization can kind of look at the situation and just know when to say, Hey, we need help here?
Well, as a great philosopher once said, you got to know when to hold them and know when to fold them, and really that’s what we’re thinking about here. A lot of organizations, even large organizations, their incident response and disaster recovery plans are built around a single server failure. What happens if the Exchange server goes down? What happens if our Oracle database goes down and is unavailable? What are we going to do? How are we going to recover? It’s very different when all of your servers are unavailable. And even planning for that, even conducting tabletop exercises for that, when the reality hits you, then you’re going to realize just how bad that situation is. And even a full-time incident response unit, it can feel like it’s going to take you months and months to recover. Whereas your incident response company can bring people in and bring in a lot of people to help with that recovery.
So there are a few areas where you want to look at. One, is how bad is the ransomware attack? How long based on your initial triage is recovery going to take you? Because obviously every day that the organization is down, you’re losing sometimes millions of dollars. So bringing in an incident response team, even though there’s a cost associated with that, if that speeds up the recovery, it gets the organization back up and running faster. So you have the financial consideration, but then you also have the technical consideration. You may have been planning for certain types of ransomware attacks. The one that you’re hit with is completely different and something that maybe your incident response team hasn’t seen. And so an outside IR firm is going to have a lot more experience with that, but outside IR firms also bring in other capabilities as well.
Communication is one of the things that those teams can help you with, especially in a land of the double, triple extortion, where now the ransomware actor is reaching out to the press and saying, look what we’ve stolen from such and such a firm, or again, reaching out to your clients, reaching out to your employees and saying, look, we’re going to release all of your sensitive data. So, an outside incident response firm can help with that communication, help set those expectations both internally with your clients and more importantly with leadership say, Hey, this is really common. We see this, this is a sign that they may be bluffing, the data they have may not be good. Let us do some of the work to find that out. So they’re really helping on multiple fronts. They’re helping with the actual recovery process, but also with the interaction with both the ransomware actor and with your stakeholders, whether they’re internal or external.
I know it’s becoming more and more common to have an incident response firm on retainer, ready to go. But again, these organizations that I’m thinking of that have a dedicated security team who are really good at this may think we’ve got that covered. We don’t necessarily need them. The caveat that I understand, I’m asking a professional incident responder from an incident response company. Would you advise that even those that think they’re well prepared to cover this, have a retainer like that in place?
So even large organizations that don’t necessarily think they need outside incident response often have cyber insurance, and cyber insurance generally includes an incident response retainer as part of the cyber insurance premium. So if you don’t have your own separate agreement with the cyber insurance company, often your cyber insurance company can provide those incident response services. But outside of that in general, yes, I recommend having incident response on retainer simply because you never know what type of ransomware attack it’s going to be. And often incident response retainers provide other valuable services. So I know some incident response companies will provide tabletop exercises, for example. So you pay the retainer. And one of the things you get if you don’t need to use the incident response company is they’ll help host a tabletop exercise and they’ll have the latest intelligence on ransomware attacks. And so they can host a very realistic tabletop exercise for you. So there are benefits to having that outside organization come in and provide their outside perspective on how things work.
Got it. Thanks, Allan.