Tuesday, Oct 6, 2020
BY: Jerry Nguyen - Director of Threat Intelligence & Rapid Response
It is a Wednesday afternoon. All of the alerts in your security information and event management (SIEM) system are being addressed, and a few escalations need to be handled. The help desk is starting to pick up, but is it the normal uptick? You glance at your dashboard, see the help desk tickets climbing, and suddenly a common theme shows up: the words a chief information security officer (CISO) or a cybersecurity analyst never wants to hear, “I’ve been locked out of my laptop, and there is a message saying, ‘Pay us to get access to your data again’.”
The scenario above is no longer hypothetical; it is one every organization should be prepared to manage. Every security team needs a plan in place to address a ransomware attack, and at a minimum that plan needs to address three phases: preparation, response and recovery.
As organizations adapt to a world where ransomware is inevitable, they must prepare for when it will happen. Preparing for a ransomware event requires at a minimum:
- A cybersecurity incident response plan (‘Plan’)
- An asset management program (‘Program’)
- A method to test the Plan and the Program
Organizations can prepare by having a cybersecurity incident response plan in place that includes a section written specifically for a ransomware event. The plan should also define roles and responsibilities for all parties involved during an incident. If an organization has a managed security services partner (MSSP), including a managed detection and response (MDR) function, the MSSP/MDR needs to be written into the plan as well, so that the internal and external teams responsible for the response act in unison. Having the MSSP/MDR work side by side with internal teams during a ransomware event reduces the time it takes to scope, isolate and eradicate the threat. All external providers and contractors should also be listed in the plan, including point-of-contact information.
Organizations should have an IT asset management program in place. Asset management aids in identifying critical assets, not only during a ransomware attack but during every other IT event. For ransomware specifically, being able to identify critical assets during the attack allows responders to decide which systems can or cannot be shut down, and the asset inventory guides where compensating controls are applied during the event.
Testing of the Plan and the Program should occur on a regular basis. The test should be conducted by an external party to avoid conflicts of interest within the organization and with any external service providers the organization contracts for day-to-day operations.
An organization’s response to a ransomware event should contain three phases: scope, isolate and eradicate. Tying back to the preparation, the response to a ransomware event should be outlined in the Plan. The Plan should cover how to scope the event, that is, how to identify how far the ransomware has spread. Once scoping is complete, the infected systems must be isolated. Once the ransomware is contained in a controlled environment, eradication can begin.
To effectively scope the ransomware infection, an organization needs to understand how the ransomware spreads. Using functions from an MSSP/MDR such as cyber threat intelligence services enables an organization and its MSSP to fully understand how the ransomware operates. This information should be integrated automatically with the MDR service.
Having an MDR service, whether it be internal or external, allows an organization to quickly and at times automatically identify infections and scope infections across the enterprise with installed MDR agent(s).
The MDR service is not only used to scope the infection but can be vital in isolating the systems that are infected. Most MDR services offer varying degrees of isolation: it can be done at the host level or at the network-segment level. Depending on how the Program was implemented, identifying which network segments to isolate is key to stopping the spread of ransomware.
Once the scope has been identified and isolation has been achieved, eradication can take place. The key for eradication is to stop the spread and remove the ransomware. Just as in the isolation phase, the eradication steps need to be in the Plan. An effective MDR strategy and implementation allows for eradication of the ransomware and prevents it from infecting new hosts.
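The point where the asset management Program meets the isolation phase can be made concrete: given the inventory (hostname, network segment, whether the business can tolerate an unplanned shutdown) and the list of hosts the MDR agents have flagged, decide which whole segments can be cut off and which infected hosts must be isolated individually because their segment also carries critical systems. The following is an added example, not code from the original post or from any MDR product; the inventory rows, the infected-host list, the segment names and the 50% threshold are all constructed assumptions.

```python
"""Turn MDR scoping output plus the asset inventory into an isolation plan.

Hypothetical example: the inventory rows, the segment-isolation threshold and
the infected-host list are constructed for illustration and do not come from
any real MDR platform or organization.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    hostname: str
    segment: str    # network segment the host lives in (hypothetical names)
    critical: bool  # True if the business cannot tolerate an unplanned shutdown


# Constructed sample inventory (the "Program" from the post).
INVENTORY = [
    Asset("ws-fin-01", "finance-ws", False),
    Asset("ws-fin-02", "finance-ws", False),
    Asset("ws-fin-03", "finance-ws", False),
    Asset("fs-fin-01", "finance-srv", True),   # finance file server
    Asset("erp-db-01", "finance-srv", True),   # ERP database
    Asset("ws-eng-01", "eng-ws", False),
    Asset("ws-eng-02", "eng-ws", False),
    Asset("ws-eng-03", "eng-ws", False),
]

# Constructed list of hosts the MDR agents reported as encrypting files.
MDR_INFECTED = ["ws-fin-01", "ws-fin-02", "fs-fin-01", "ws-eng-01", "laptop-unknown-7"]

# Policy knob (assumed): fraction of a segment's hosts that must be infected
# before the whole segment is cut off rather than individual hosts.
SEGMENT_THRESHOLD = 0.5


def build_isolation_plan(infected, inventory, threshold=SEGMENT_THRESHOLD):
    """Return sorted lists: segments to isolate, hosts to isolate individually,
    critical hosts needing a business decision, and hosts missing from inventory."""
    by_name = {a.hostname: a for a in inventory}
    members = defaultdict(list)
    for asset in inventory:
        members[asset.segment].append(asset)

    plan = {"segment_isolate": [], "host_isolate": [],
            "critical_review": [], "not_in_inventory": []}
    hits_by_segment = defaultdict(list)

    for name in infected:
        asset = by_name.get(name)
        if asset is None:
            # The MDR sees a host the Program does not know about: an inventory gap
            # that must be chased during the incident, not after it.
            plan["not_in_inventory"].append(name)
            continue
        hits_by_segment[asset.segment].append(asset)
        if asset.critical:
            plan["critical_review"].append(asset.hostname)

    for segment, hits in hits_by_segment.items():
        segment_has_critical = any(a.critical for a in members[segment])
        infected_ratio = len(hits) / len(members[segment])
        if not segment_has_critical and infected_ratio >= threshold:
            # Nothing in the segment is critical and enough of it is hit:
            # cut the segment at the network level.
            plan["segment_isolate"].append(segment)
        else:
            # Segment holds critical systems (or only a few hosts are hit):
            # isolate the infected hosts one by one via the MDR agent.
            plan["host_isolate"].extend(a.hostname for a in hits)

    return {key: sorted(values) for key, values in plan.items()}


if __name__ == "__main__":
    for key, values in build_isolation_plan(MDR_INFECTED, INVENTORY).items():
        print(f"{key}: {values}")
```

The output separates three decisions the Plan has to cover: the finance workstation segment can be cut at the network level, the infected finance file server must be isolated at the host level because its segment also holds the ERP database, and a host the MDR reports but the inventory does not know is a gap in the Program that responders need to resolve during the incident.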
Recovering from a ransomware event requires many elements. The first is the obvious question: “To pay or not to pay”. We will not cover that here, as it is a post for a later time. In this instance let’s assume an organization had a good backup plan. When building the Program, priority assets and services should have been identified. The Plan should have a playbook for bringing back priority systems and services, and in which order. The Plan should also include a playbook for verifying that system images and backups are clean prior to restoring them.
As fiscal years come to an end for many organizations, the crunch to close the books on time is a reality. During these crunch times, stress levels are at an all-time high and can result in an accidental click in an email that launches a ransomware event. These events are now inevitable, and organizations that are prepared for them will recover faster and resume business sooner.