Sponsored Post: Palo Alto Networks.
One of the most impactful cybersecurity strategies an organization can employ is the use of tabletop exercises. These simulated ‘what-if’ scenarios are not exclusive to the realm of cybersecurity. For example, coastal cities practice evacuation plans for potential storms, while police forces run drills in preparation for terrorist attacks. In the context of IT and cybersecurity, tabletop exercises offer teams a chance to methodically plan out their response to a hypothetical cybersecurity event.
We often discuss preventative measures against ransomware attacks, but it’s equally crucial to simulate an attack and test your response across teams. What action would be taken first? Who would step in to manage the situation if a key senior team member is unavailable? How would you confirm that the malware has been fully eradicated? Addressing these questions in advance can equip your team to act decisively, rather than being caught like a deer in headlights when an actual ransomware attack happens. Below are some recommended steps to get the discussion started.
Refer to the Incident Response Plan
Hopefully you have a well-designed, updated, and rehearsed Incident Response Plan (IRP). The IRP is a comprehensive written document, formally approved by the senior leadership team, that serves as a guide before, during, and after any cybersecurity incidents. The plan needs to be readily available to everyone assigned to the incident response team so that it can be referred to quickly. It will clarify the roles and responsibilities for everyone on the IR team and provide an incremental outline of what needs to be done at the various stages of the incident. It should list critical contacts, such as legal advisors, public relations specialists, cyber insurance representatives, and third-party cybersecurity experts, to ensure timely communication and coordinated action during a crisis.
Assess and Contain
The first step is containment if possible. The smaller the footprint of the attack, the easier it will be to mitigate. That requires a quick assessment of what has been compromised already. Your team must quickly determine information such as:
- Which servers and systems have been infected?
- Which applications are affected?
- Have user accounts been compromised?
For example, if a remote office is compromised, it should be promptly isolated from the corporate network to safeguard the central data center and other locations. Companies without publicly accessible online assets might opt to cut off internet access entirely to disable the attacker’s command and control mechanisms. In extreme cases, some organizations even keep a pair of scissors alongside instructions on which fiber cables to sever, enabling even non-experts to halt further incursion. Additional containment measures might include:
- Preserving online backups by disconnecting them until the threat is completely neutralized.
- Deactivating any privileged and local accounts not required for the incident response process.
- Terminating all remote login sessions immediately.
- Disconnecting uninfected domain controllers in on-premises Active Directory environments to maintain the integrity of the directory services.
It’s worth noting that containment strategies will vary by organization, underscoring the importance of having a customized incident response plan in place.
Don’t Shut Down Systems
It seems only logical to shut down all your systems immediately to curtail the spread of the attack, but cybersecurity experts advise against it. Keeping the machines running is similar to how a crime scene is cordoned off to preserve evidence for forensic analysis. For example, fileless ransomware attacks operate within a computer’s memory, which would be erased if the system is shut down or rebooted. The recommended course of action is to isolate compromised devices, rather than shutting them down entirely, to preserve crucial forensic data.
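The containment measures listed above (isolate the host, terminate remote sessions, deactivate unneeded accounts) and the advice to isolate rather than shut down can be rehearsed as a single host-level script. The following PowerShell is an added example, not code from the original post or from Palo Alto Networks; the IR collection host address 10.0.0.5 and the account names in $KeepEnabled are assumptions for the exercise.

```powershell
# Added example, not from the original post or from Palo Alto Networks.
# Host-level containment for a Windows endpoint: isolate it from the network
# but keep it powered on so volatile memory survives for forensic collection.
# Assumptions (hypothetical): the IR team's collection host is 10.0.0.5, and
# the accounts in $KeepEnabled are the only local accounts the IR team needs.
[CmdletBinding(SupportsShouldProcess)]
param(
    [string]$IrCollectionHost = '10.0.0.5',                 # assumed IR jump host
    [string[]]$KeepEnabled    = @('Administrator', 'ir-svc') # assumed accounts
)

# Record every action with a timestamp; the transcript is itself evidence.
Start-Transcript -Path "$env:ProgramData\ir-contain-$(Get-Date -Format yyyyMMdd-HHmmss).log"

# 1. Isolate: default-deny both directions on every firewall profile, then
#    allow traffic only to/from the IR collection host. The machine stays up.
if ($PSCmdlet.ShouldProcess('Windows Firewall', 'default-deny all profiles')) {
    Set-NetFirewallProfile -Profile Domain, Private, Public -Enabled True `
        -DefaultInboundAction Block -DefaultOutboundAction Block
    foreach ($dir in 'Inbound', 'Outbound') {
        New-NetFirewallRule -DisplayName "IR-Allow-$dir-Collection" -Direction $dir `
            -RemoteAddress $IrCollectionHost -Action Allow -Profile Any | Out-Null
    }
}

# 2. Terminate remote login sessions. quser prints one session per line; the
#    regex keeps active RDP sessions (SESSIONNAME rdp-tcp#N) and their numeric ID.
foreach ($line in (quser 2>$null)) {
    if ($line -match '^\s*>?(\S+)\s+(rdp-tcp#\d+)\s+(\d+)\s+') {
        $user, $sess, $id = $Matches[1], $Matches[2], $Matches[3]
        if ($PSCmdlet.ShouldProcess("$user ($sess, id $id)", 'logoff')) { logoff $id }
    }
}

# 3. Deactivate local accounts the response does not need; they are re-enabled
#    after the all-clear. Privileged domain accounts are handled in AD, not here.
Get-LocalUser | Where-Object { $_.Enabled -and $_.Name -notin $KeepEnabled } |
    ForEach-Object {
        if ($PSCmdlet.ShouldProcess($_.Name, 'Disable-LocalUser')) {
            Disable-LocalUser -Name $_.Name
        }
    }

Stop-Transcript
```

Because the script declares SupportsShouldProcess, running it with -WhatIf during the tabletop exercise lists every action it would take without changing the host, which is how the team can walk through the containment step before an incident.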
Bring in Experience!
The timetable for your recovery will be directly related to how prepared you are, including the speed of your response and the effectiveness of your tools and playbooks. Even with the best-laid plans, experience matters. While everything up to now can be performed by most IT teams, it is at this point that real expertise starts to be required to perform tasks such as:
- Hunting for indicators of compromise and exploitation frameworks
- Determining whether there is evidence of unauthorized access or activity
- Stopping lateral movement of the attackers across on-prem networks and cloud assets
- Analyzing endpoint artifacts for clues about the early stages of the attack
- Cleaning all infected devices and confirming the “all clear” for the network
Even companies with dedicated in-house security teams frequently turn to external Incident Response (IR) experts. One example is Palo Alto Networks Unit 42®. Their team performs more than 1,000 incident response investigations every year for incidents involving everything from rogue insiders to organized crime syndicates and nation-state threats.
Of course, the best time to involve an outside firm such as Unit 42 is prior to an attack. Their ransomware readiness assessment specialists can assist your team in crafting a strategy using up-to-date industry standards and threat intelligence, offering advice on both procedural and technological fronts. Unit 42 offers a Retainer, where clients pre-purchase credits that can be redeemed for services such as incident response or cyber risk management. Each service request is subtracted from the total of prepaid credits, so you can use a Unit 42 Retainer to proactively improve your cybersecurity program. Having a Retainer in place puts seasoned experts who know your environment on speed dial. They can lead tabletop exercises and other proactive services, drawing on their experience from thousands of previous incident response investigations.
Meet Compliance Obligations
It’s crucial to have a coordinated communication strategy to decide when and how to inform the public. Specify which team members are authorized to communicate with external agencies to guarantee the dissemination of accurate information. If your organization stores personally identifiable information (PII) of customers, students, employees, or third parties, you must also comply with any mandated regulatory requirements. For example, non-compliance with the new Securities and Exchange Commission (SEC) cybersecurity reporting rules could lead to substantial fines.
Conclusion
Baseball great Roger Maris once said that home runs are hit not by chance, but by preparation. This principle holds true for mitigating the impact of a ransomware attack. The middle of an attack is not the time for planning; by then, you should already have a well-defined and tested action plan. Whether you’ve developed your own in-house resources or need specialized help from experts like Unit 42, the time to prepare is right now.