Responding To Ransomware - A Pragmatic Guide

One of the most common questions I see and get asked is, “Am I secure from ransomware?” I wrote a bit about this: Am I Secure From Ransomware? — alaniz.io

The second most common question is, “How should I respond to ransomware?” That is what I would like to cover today. As I mentioned in the first post, there is no one-size-fits-all answer. That being said, there are some universal concepts that can be put into place to make a response more effective. I have put these in place before myself, and I have seen them work in real life.

Key Contacts To Maintain:

  • Cyber Liability Insurance

    • Knowledge of how to use them to engage outside counsel and incident lead

  • In-house legal counsel

  • Local FBI Cyber liaison

  • Retainer contact for additional incident responders

  • Executive liaison within your firm

Overall Plan:

  1. Have a plan and practice it regularly

  2. Have cyber liability insurance, know how to use it and what it provides

  3. Know who you need when and have them on retainer

  4. Practice

Incident Response Plan

Above all else, this is #1. I don’t mean just make sure you have the document. I mean make sure you know your plan of action, and that it is simple enough that you never have to reference the document. This should be practiced regularly. I don’t mean annually. I mean full-scale practice at least once a year (including senior executives, PR, in-house legal counsel, etc.), and smaller-scale practice at a minimum of monthly (these should include both security and IT teams). There is no security incident that only involves security, so if security is the only team practicing, you will have, as some say, a Charlie Foxtrot when it happens.

Quick Reaction Force (QRF)

For those of you in the military, you know that this means a team that can assemble within minutes to hours and be on site and taking action before force multipliers can spin up.

This should be part of any good response plan. There are usually a lot of things that need to happen, and decisions that need to be made quickly, in a ransomware event. This team should include the internal IR lead, a senior engineer/architect for IT, a senior engineer/architect for networking, and maybe only a handful of others. It needs to be small, all part of the larger IR team, and if called, the incident takes priority over all other work. The first few minutes require some hard decisions: do we contact liability insurance, do we cut off network connections, who do we wake up, etc. This team decides that and ultimately informs the CISO and other senior leaders, but they have to be able to make triage decisions without waiting for approvals. (These are not PR or legal decisions; they are decisions like do we cut off the internet, do we shut down the main application, those kinds of things.)

Cyber Liability Insurance

I can hear the trolls now. “This is junk”, “they would only screw you over”, “it’s not worth it”. But the key here is that I’m not looking to them for recovery payments (honestly, I would look at business loss policies for this just as much), though that can be helpful. The reason this is number one is that, given the right carrier, they will have faster lead times and retainers with organizations to respond.

Counsel

The cyber liability insurance carrier will have a retainer with legal counsel that specializes in security incidents. You might say, well, we have in-house counsel. So did we. Ask them: if you have a situation with major loss implications OR potential major breach notification actions, they are going to want outside counsel. I am no lawyer, and I am not providing legal advice here, so please consult your legal counsel before making legal decisions. In my experience, I have been able to get expert legal counsel on the phone within minutes of notifying the carrier of an incident. For those of you who have dealt with incident response, you know that literally minutes matter.

Also, don’t use the term ‘breach’ in speech, email, text, or IM. Let legal counsel decide if that is the case. For you, it is ONLY an incident.

Initial Incident Response

In addition, your carrier likely has requirements AND retainers with some incident response firms. Here’s a big caveat: not all incident response vendors are equal. Some are better at forensic investigation for legal proceedings, some are better with ransomware, some are better at recovery, etc. For this reason, in my experience, using cyber insurance to kick off the engagement of a lead incident handler is important. The main goal for this vendor is to help maintain a timeline, preserve evidence, and quarterback the other vendors.

Cyber Insurance Summary

This insurance can provide some financial risk transference, but in my experience its biggest value is in providing outside incident legal counsel and a lead incident manager. I have been able to get both, literally within minutes to a few hours. This is huge, ESPECIALLY if you don’t have your own internal incident managers.

Incident Responders

As I mentioned earlier, not all incident responders are created equal. In addition to this, you likely have in-house incident responders. Their role in a major incident will likely not be to manage it end to end. Their main role will be initial triage, internal comms management, and some evidence gathering (but depending on the legal potential, maybe not even that).

Their number one job should be to preserve the ability to gather evidence. In my experience, if the stakes are high enough, the desire for plausible deniability and expert counsel outweighs in-house expertise. This means outside help. This means the primary job for in-house people is to identify timelines, ensure logs are preserved, and remove devices from the network (DO NOT shut them down or reboot them except when cutting losses); most actions outside of cutting losses should be directed by the lead investigators retained through counsel.
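As an added example (not from the original post) of the "isolate, don't reboot" rule above for a Windows host: capture the volatile state a reboot would destroy, append to a UTC timeline the lead investigator can merge later, and only then disable the network adapters. The incident ID and the local evidence path are assumed placeholders.

```powershell
# Added example, not the post's own tooling. Run elevated, from a local console,
# on the affected host. The host stays powered on so memory, pagefile and logs
# survive for the retained DFIR team; only the network is cut.
param(
    [string]$IncidentId   = "INC-PLACEHOLDER",   # assumed naming scheme
    [string]$EvidenceRoot = "C:\IR\Evidence"     # assumed LOCAL path (a share would vanish after isolation)
)

$ErrorActionPreference = "Stop"
$stamp = (Get-Date).ToUniversalTime().ToString("yyyyMMddTHHmmssZ")
$dir   = Join-Path $EvidenceRoot "$IncidentId\$env:COMPUTERNAME\$stamp"
New-Item -ItemType Directory -Path $dir -Force | Out-Null

function Add-TimelineEntry([string]$Message) {
    # One line per action, UTC ISO-8601, host name included, so timelines from
    # many hosts can be merged by the lead incident handler.
    $when = (Get-Date).ToUniversalTime().ToString("o")
    Add-Content -Path (Join-Path $dir "timeline.txt") -Value "$when $env:COMPUTERNAME $Message"
}

Add-TimelineEntry "Triage started by $env:USERNAME; host NOT shut down or rebooted"

# Volatile evidence: running processes, open sockets, DNS cache, adapters, last boot.
Get-Process -IncludeUserName |
    Export-Csv (Join-Path $dir "processes.csv") -NoTypeInformation
Get-NetTCPConnection |
    Export-Csv (Join-Path $dir "tcp_connections.csv") -NoTypeInformation
Get-DnsClientCache |
    Export-Csv (Join-Path $dir "dns_cache.csv") -NoTypeInformation
Get-NetAdapter |
    Export-Csv (Join-Path $dir "adapters_before_isolation.csv") -NoTypeInformation
(Get-CimInstance Win32_OperatingSystem).LastBootUpTime |
    Out-File (Join-Path $dir "last_boot.txt")

# Hash the snapshots (not the still-growing timeline) so integrity questions
# raised later in legal proceedings can be answered.
Get-ChildItem $dir -File | Where-Object Name -ne "timeline.txt" |
    Get-FileHash -Algorithm SHA256 |
    Export-Csv (Join-Path $dir "evidence_hashes.csv") -NoTypeInformation
Add-TimelineEntry "Volatile evidence collected and hashed under $dir"

# Isolate: disable every adapter that is up. No shutdown, no reboot.
Get-NetAdapter | Where-Object Status -eq "Up" |
    Disable-NetAdapter -Confirm:$false
Add-TimelineEntry "Network adapters disabled; host isolated, awaiting direction from lead investigator"
```

Rehearse this in the monthly drills, so the QRF is not writing it during an incident; re-enabling adapters (Enable-NetAdapter) should wait for the lead investigator's say-so.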

Retainers

If you haven’t been a recluse, you will know that ransomware is always happening to someone. You are going to want to identify your areas most likely to be impacted by ransomware and have retainers with organizations that can help. Since it is happening so often, without a retainer you could be looking at weeks of lead time. Also, I have been advised in the past (check with your counsel) to let the lead counsel for the engagement be the ones to engage the incident responders, and not to do it directly. Again - not a lawyer, just my experience.

Generally I would suggest the following:

  • Retainer with Microsoft - this could be through your existing agreement or it could be a separate negotiation, because if you are a Microsoft shop you will want to immediately open a Sev A and possibly engage their IR teams.

  • Containment - In my experience, this was provided through the relationships of the cyber liability insurance carrier. If it is not, you will want someone who can come in and stop the bleeding, hopefully in a matter of hours, if you can’t do it yourself.

  • DFIR - Digital Forensics and Incident Response - You will want someone who can provide this service for reporting, legal proceedings, and evidence. Also provided through outside legal counsel in my experience.

  • Recovery - This one is pretty obvious, but I don’t mean putting the systems back together. I mean making sure that the ransomware wasn’t a smokescreen for a now deeply embedded threat. Think of the Sony breach.

Summary

  1. Practice, practice, practice. That is my #1 advice.

  2. Have a plan and have a QRF

  3. Have good backups and test their recovery

  4. Cyber Liability insurance

    1. Know who is approved and not approved as a vendor

  5. Retainers

  6. Practice some more
