Four steps to prepare for a ransomware attack: a C-Suite guide
By Rob T Lee, Chief Curriculum Director and Faculty Lead at SANS Institute
The growing threat posed by ransomware, including the recent Kaseya attack that impacted nearly 1 500 organisations, has forced the C-Suite to think differently about the possibility of compromised systems. Coming in the aftermath of the Colonial and JBS incidents, this attack highlights the critical need for businesses to plan for such events. Just as business leaders have an emergency preparedness plan for a natural disaster, it is critical to implement one for ransomware.
While these attacks had a substantial impact, quick action helped limit the scope of the damage. Had Colonial's leadership stalled on its response instead of springing into action, the effects would have grown far worse. Flights out of the southeast were already making stops because of limited fuel at their originating airports. Had the situation remained uncontained for much longer, our transportation infrastructure, which was critical to distributing COVID-19 vaccines and other essential services, would have been crippled even further.
But how can leaders prepare for a ransomware attack that could take an entire organisation’s system offline? While CISA’s ransomware checklist is a great place to start, organisations should ready a comprehensive ransomware preparedness strategy ahead of time that can be adapted depending on the severity of an attack. Here are four steps leadership should follow in developing a ransomware response strategy.
1. Evaluate the levels of risk ransomware could pose to operations ahead of time and conduct tabletop exercises
Organisations need to understand where they are most vulnerable, from their most critical operations to other seemingly innocuous areas like HR or business records.
In the case of Colonial, although the ransomware attack took down its payment system, company leadership also decided to shut down the pipeline’s oil production to mitigate damage. While some business operations may not be top of mind when thinking about potential ransomware impact, any business operation relying on internet access is vulnerable. Organisations need to secure their most critical networks and think through how other business operations could be hampered by ransomware. If one segment of the business is compromised, it can have ripple effects across the entire enterprise.
2. Develop a business continuity plan
It is critical to create a business continuity plan (BCP) and a disaster response plan (DRP) before any cyber incident, particularly a ransomware attack. These plans are critical to ensuring an organisation can move quickly to get business up and running in the aftermath of an attack and mitigate damage. Which systems could be held up by ransomware? Is valuable organisation data backed up and encrypted regularly?
In high-stakes situations like ransomware attacks, company decision-makers must be involved from the get-go. Which leaders should be involved in these early-stage conversations? How will customers, key stakeholders and the public be notified of the attack? Which entities should be engaged to help mitigate any additional risk?
Having plans in place is imperative, but practising them is equally important. Tabletop exercises are critical to helping business leaders and managers get acquainted with the protocol beforehand. Everyone must know exactly who is responsible for what, and which strategies are to be deployed at which stage. Plans should be easily accessible, saved in a secure location and even physically printed, in case an attack results in a total system compromise.
3. Lay out your payment plan
If paying the ransom becomes the only path forward, it is crucial to have a payment plan in place. C-Suite leaders need to determine ahead of time where the company funds will come from and who will be responsible for the conversion to crypto-currency and subsequent payments.
Having these plans in place before an attack will make the response process more efficient and prevent further costly mistakes.
4. Focus on prevention
Ensuring that suitable security protocols are implemented companywide serves as the first line of defence against ransomware attacks. Train employees on security best practices early and often, as basic cyber hygiene can prevent costly mistakes. Applying a solid zero-trust architecture is also a smart, common-sense way to reduce the impact of any cyber attack.
Ransomware is something no organisation wants to experience; however, preparing for that possibility is vital. Planning for a ransomware attack can help limit the fiscal damage and human risk that result from inaction or a poorly executed response. Analysing the potential scope and impact of a ransomware attack should be at the top of the C-Suite priority list.
If you are interested in learning more about how ransomware impacts large global enterprises, check out the SANS white paper.
Rob Lee is the Chief Curriculum Director and Faculty Lead at SANS Institute and runs his own consulting business specialising in information security, incident response, threat hunting and digital forensics. With over 20 years of experience in digital forensics, vulnerability and exploit discovery, intrusion detection/prevention and incident response, he is known as “The Godfather of DFIR”. Lee co-authored the book "Know Your Enemy, 2nd Edition", and is course co-author of "FOR500: Windows Forensic Analysis" and "FOR508: Advanced Incident Response, Threat Hunting, and Digital Forensics".