Ransomware Special Reports


cases from reoccurring,” assures Danielle Jablanski, an OT cyber security strategist at Nozomi Networks.

Whatever decisions are made, in the event of a ransomware attack the first 72 hours after a data breach are critical, according to Tamblin. “Every decision an organisation makes can carry financial, legal, regulatory, investigatory, and reputational repercussions,” he warns.

Incident response plan

In the era of the zero-trust cyber security framework it is not a matter of if a business is attacked, it’s a matter of when. While the experts we spoke with might have been split on the issue of whether to pay up or not, all emphasised the importance of having a robust incident response (IR) plan to run through in the event of an attack.

An IR plan is a living document comprising many different components of a drill to be prepared for in the event of a real-life cyber-attack. The key pillars of any IR plan are preparation; detection; analysis; containment; eradication; recovery; and post-incident response activities.

The most important step of all is the first one, according to Check Point’s Muhammad Yahya Patel, as many businesses don’t prepare for a ransomware attack, thinking that it won’t happen to them – a mindset that needs to change.

“Having an IR plan to run through is key to making sure you’re able to respond to an attack efficiently. You want to analyse the different streams in your business that need to get started once you are attacked and to make sure that they will be able to function as you deal with the threat,” adds Patel.

Planning for an incident typically involves establishing roles and responsibilities; identifying contingency plans; prioritising physical and environmental safety; dictating policies for backups, recovery and restoration; crisis communications; and ensuring a thorough post-incident forensic investigation is conducted with lessons learned.

This drill also needs to be routinely tested and revised to meet evolving needs, according to Larry Gagnon, senior vice president, Global Incident Response, eSentire. “An untested IR plan is little more than a list of suggested actions,” he says. “Test, test, test. This is best achieved by testing the plan through tabletop exercises delivered as scenario-based tests of your IR plan, which help to identify gaps and inefficiencies in your documented processes,” he adds.

Who, what, where?

In the event of a breach, it’s important to be able to reach out to the right people quickly and ensure that key players understand their roles and how they can minimise disruption to your operations and customers. According to eSentire’s Gagnon, there are typically two distinct tracks in response to a breach or a malware event – a tech track and an executive track.

“The tech track is where the rubber meets the road. Forensic experts and client network teams work together to deploy and configure tools, contain the active threat, collect relevant data for analysis and remediate any security gaps within the network,” he explains.

If it’s not your IR provider taking the reins, the responsibility for the tech track usually falls to the IT department. Within the IT team, an IR manager may coordinate the effort, with security analysts undertaking the analysis and threat researchers who can provide context around information gathered.

It’s also on the IT team to plan what steps will be taken to secure the environment and mitigate further exposure, identify impacted devices and data, log what sources are available, and engage with the company’s disaster recovery program or business continuity plan to restore the impacted devices and keep the business operating.

The executive track, meanwhile, is focused on elements of risk. Damage to reputation, financing the response, business interruption and the potential for future litigation are all considered by the executive team.

According to Qualys’ Paul Baird, the responsibility shouldn’t just lie with the tech track (although it often does), as having more senior department heads in incident management rooms means the information and messaging can be controlled.

“[IR] should involve a broader catchment that includes public relations, HR (if it is a staff data breach), legal and service delivery. Depending on the company and industry, it may also need teams responsible for things like manufacturing processes as well,” he says.

Oisin Fouere, head of cyber incident response at KPMG UK, adds that it’s also important to keep customers, partners, suppliers, investors and regulators in the loop. In some firms this responsibility falls

Email entry

IT service provider Greystone told TI of a customer who had suffered an email-based ransomware attack, though the customer could not be named for confidentiality reasons. In the attack, emails containing malware were received by a member of staff and opened, leading to an infection that resulted in ransomware encrypting a large number of company files across the network. The customer contacted Greystone and its team tracked and isolated the entry-point user, cutting off their device from the network. A recovery process allowed compromised files to be restored and, to mitigate future attacks, the firm implemented a Software Restriction Policy and File Server Resource Manager to filter files.
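The File Server Resource Manager mitigation from the Greystone case, shown as an added example that is not Greystone's or the publication's own configuration: an active FSRM file screen that refuses writes matching ransomware-style file patterns on a share and raises an event-log entry and e-mail so the IR team can detect and isolate the source host. The share path, file group name, IR mailbox and the pattern list are assumed placeholders.

```powershell
# Added example: FSRM file screen that blocks ransomware-style file names on a
# share and notifies the IR team. Not taken from the article or from Greystone.
# Assumptions (placeholders): share D:\Shares, group name, mailbox, pattern list.
# Requires Windows Server with the FS-Resource-Manager feature and admin rights.

Import-Module FileServerResourceManager

$SharePath = 'D:\Shares'              # assumed share to protect
$GroupName = 'Ransomware-Patterns'    # assumed file group name

# Constructed, illustrative patterns only; maintain the list from your own
# threat intelligence and review it as part of routine IR plan testing.
$Patterns = @('*.encrypted', '*.locked', '*DECRYPT*.txt', '*README*.hta')

# 1. Create the file group holding the patterns, or update it if it exists.
if (Get-FsrmFileGroup -Name $GroupName -ErrorAction SilentlyContinue) {
    Set-FsrmFileGroup -Name $GroupName -IncludePattern $Patterns
} else {
    New-FsrmFileGroup -Name $GroupName -IncludePattern $Patterns `
        -Description 'Constructed list of file patterns associated with ransomware'
}

# 2. Notification actions. The event goes to the Application log, where SIEM
#    or EDR tooling can alert on it; the mail goes to the (assumed) IR mailbox.
#    [Source Io Owner], [Source File Path] etc. are FSRM's own message macros.
$EventAction = New-FsrmAction -Type Event -EventType Warning -Body (
    'FSRM blocked [Source File Path] on [File Screen Path]; user [Source Io Owner] ' +
    'may be running ransomware. Isolate the host and start the IR plan.')
$MailAction  = New-FsrmAction -Type Email -MailTo 'ir-team@example.invalid' `
    -Subject 'FSRM ransomware file screen triggered' `
    -Body 'User [Source Io Owner] tried to write [Source File Path] on [Server].'

# 3. Active screen: matching writes are refused rather than only logged.
#    Use -Active:$false first for a monitoring-only phase to check for false positives.
if (Get-FsrmFileScreen -Path $SharePath -ErrorAction SilentlyContinue) {
    Set-FsrmFileScreen -Path $SharePath -IncludeGroup $GroupName -Active `
        -Notification @($EventAction, $MailAction)
} else {
    New-FsrmFileScreen -Path $SharePath -IncludeGroup $GroupName -Active `
        -Notification @($EventAction, $MailAction)
}

# Confirm what is now enforced on the share.
Get-FsrmFileScreen -Path $SharePath | Format-List Path, IncludeGroup, Active
```

The e-mail action only delivers once FSRM's SMTP server and sender are configured with Set-FsrmSetting; the event-log action works without it.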

techinformed.com
