The evolving landscape of ransomware calls for adjusted response strategies: reevaluating our tactics in synchronization

Adhering to the outlined procedures enables organizations to enhance their incident response without compromising on essential aspects.

IT professionals devoted to safeguarding the organization from digital assaults

As the Chief Information Security Officer (CISO) at Corelight, Bernard Brantley oversees governance, risk and compliance, secure infrastructure, security operations, and IT.

In 2023, companies experienced a record-breaking number of ransomware attacks, with over $1 billion paid in ransoms, according to Chainalysis. The increase in attacks is not due to adversaries becoming more intelligent or determined but rather a result of ignoring or downplaying basic security practices.

To avoid becoming a victim of these attacks, we must return to the fundamentals. A solid security strategy starts with ensuring that essentials are in place and functioning properly. I will delve deeper into implementing the basics at a later time; however, it's crucial to address fundamental issues promptly during an incident, as there may be no time for remediation afterwards.

Understanding The Ransom

To make an informed decision regarding the ransom, it's essential to understand its nature. Initially, assume that the ransom demand is legitimate and focus on observability. Then, consider the following questions:

• Can you distinguish between encrypted and non-encrypted data, and explain why some data was selected for encryption?

• Can you identify where the malware resided, which systems it could contact, and which it couldn't?

• Can you trace the origin of the malware and determine whether there are other systems it has infiltrated?

• After isolation, is there any movement between network segments or within the organization?

Answering these questions can help you grasp the adversary's objectives and the success of the attack, thereby aiding in the decision-making process.
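Two of these questions (which systems an isolated host could still contact, and whether traffic crossed segments) can be answered from connection logs. The following is an added illustration, not code from the article or from Corelight; the segment map, the containment time, the isolated host and the log lines are all constructed sample values.

```python
# Added example: check two of the observability questions above against a
# constructed connection log (timestamp, source, destination, port).
from datetime import datetime
from ipaddress import ip_address, ip_network

# Constructed segment map and containment details; all values are sample data.
SEGMENTS = {"user": ip_network("10.10.0.0/16"),
            "payroll": ip_network("10.20.0.0/16"),
            "dmz": ip_network("192.168.50.0/24")}
CONTAINED_AT = datetime(2024, 3, 4, 10, 0)      # when the host was isolated
ISOLATED_HOSTS = {"10.10.5.23"}                  # host the team believes is cut off

# Constructed log: one flow per line. The last two flows from the isolated host
# happen after CONTAINED_AT, i.e. isolation did not hold.
CONN_LOG = """\
2024-03-04T09:41:12 10.10.5.23 10.10.5.40 445
2024-03-04T09:52:03 10.10.5.23 10.20.1.10 445
2024-03-04T10:07:45 10.10.5.23 10.20.1.10 445
2024-03-04T10:15:09 10.10.7.8 192.168.50.5 443
2024-03-04T10:20:30 10.10.5.23 10.20.1.12 3389
"""


def segment_of(ip):
    """Map an address to the named segment it belongs to, or 'unknown'."""
    addr = ip_address(ip)
    for name, net in SEGMENTS.items():
        if addr in net:
            return name
    return "unknown"


def parse_log(text):
    """Parse the whitespace-separated log into (datetime, src, dst, port) rows."""
    rows = []
    for line in text.splitlines():
        ts, src, dst, port = line.split()
        rows.append((datetime.fromisoformat(ts), src, dst, int(port)))
    return rows


def post_isolation_contacts(rows, isolated, contained_at):
    """Flows sourced from an isolated host at or after containment: isolation failed."""
    return [(ts.isoformat(), src, dst, port) for ts, src, dst, port in rows
            if src in isolated and ts >= contained_at]


def cross_segment_flows(rows):
    """Flows whose endpoints are in different segments: candidate lateral movement."""
    return [(src, dst, port, segment_of(src), segment_of(dst))
            for _, src, dst, port in rows if segment_of(src) != segment_of(dst)]
```

Running `post_isolation_contacts` on the sample data reports the two flows after 10:00, and `cross_segment_flows` shows that the payroll segment was reached from the user segment, which is the kind of evidence the questions above ask for.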

Expanding The Definition Of Ransomware Response

During an attack, your team must have a well-thought-out response plan. Ransomware response should involve more than just security personnel. Identify critical business functions and departments and incorporate them into incident response planning and execution. If, for instance, the malware infiltrated the payroll system, involve human resources and legal teams in the response. Ensure that all stakeholders who may be affected by the incident are part of your response plans.

Organizations should also prioritize and assess the level of risk their company is facing. Create a risk register to assist security teams in evaluating threats aligned with the company's perceived vulnerabilities. After a ransomware attack, ask whether your company was aware of the risk of an adversary using the tactics, techniques, and procedures (TTPs) employed in the attack. Understanding these risk levels allows your security team to tailor their response to the environment and make necessary adjustments.

Lastly, employ retrospective action and ask: What enabled the incident to occur, and what steps can be taken to prevent a recurrence? Gather as much previously unacknowledged information about your organization's security capabilities as possible. Identify any gaps in the environment to determine why the incident occurred. This empowers investigators to collect crucial evidence to share within the organization, helping to prevent future incidents.

Elements Of Response

The primary goal of incident response is to protect your organization from more severe consequences, such as fines, reputational damage, and threats to business survival. Key components of a ransomware response strategy include:

1. Containment: In the event of an incident, bolster your containment capability. Once the attack has been contained, proceed with investigations by evaluating core evidence like blast radius, damage scope, liability, and recurrence risk.

2. Investigation: Identify the adversary's goal and determine why the incident happened within your network. Identify gaps and find ways to close them.

3. Prioritization: Focus on areas at high risk within your network that could be severely impacted.

4. Communication: Engage relevant business members beyond the security team to ensure transparency about potential impacts and ways to mitigate them.

5. Evaluation: Analyze all collected evidence to support a decision on whether to pursue the ransom.

Putting Response Into Action

During a ransomware attack, there is a path forward. Following these steps can help organizations optimize incident response without cutting corners. Every security team aims to reduce the time it takes to respond to incidents, but this must be done effectively, without compromising thorough data review. By expanding the definition and understanding of ransomware response, we can better manage incident risk and improve our organization's overall security posture.
