Wednesday, March 11, 2026

When ransomware hits, who leads — CIO or CISO?


Your company has just been hit with a ransomware attack. Who’s going to run point? The CIO, CISO or both? The answer depends on whether you have both. If you do, they can work in parallel to minimize the impact of the attack while enabling business continuity.

It’s also important for organizations to be prepared for a ransomware attack, which is why CISOs run tabletop exercises. A playbook may be available that outlines the necessary steps and assigns responsibilities.

But not everyone advocates playbooks, because the scenario a playbook covers probably won’t match the attack that actually occurs. Irrespective of how CISOs and CIOs feel about prescriptive playbooks, they tend to agree that the time for planning is not when the incident has just occurred.

We discussed the matter with three CISOs, one of whom also leads the IT function:

  • Zachary Lewis, CIO and CISO at the University of Health Sciences and Pharmacy (UHSP), warned that when shutting down or restoring systems, necessary forensic data may be lost. He’s a big fan of tabletop exercises.

  • Brian Blakley, CISO at venture capital firm Bellini Capital, said the first three steps should be confirm, contain and anchor. He also warned that rigid playbooks can be more of a hindrance than a help, which is why he recommended using reusable components that can be assembled, as necessary, on the fly.

  • Chris Reffkin, chief security and risk officer at global cybersecurity software and services provider Fortra, said that while containment will differ between organizations based on their architectures, controls and technology, the worst thing to do is second-guess strong and decisive decisions. He’s also a fan of tabletop exercises.


Zachary Lewis, UHSP: Be prepared and don’t accidentally delete forensic data

“Typically, before [CIOs] know it’s a ransom[ware] attack, they’re usually trying to troubleshoot something. And I would say, ‘Stop all troubleshooting disaster recovery.’ You need to stop all that immediately. You don’t want to damage any forensic evidence once you know and have confirmation that you have a ransomware incident.

“After that, you’re typically doing one of a couple things: You’re initializing your incident response team, if you have one. It might be the CIO and/or CISO, or a couple of other people inside the organization. In tandem, you’re also letting your leadership team know they need to be aware so they can start processing what’s going on. So, that might be going to your president or your general counsel and letting them know.

“Next, call your cyber insurance provider, because there are going to be specific steps you must complete with them. It might be a specific order that requires you to notify people. They will be able to provide you with forensic experts, threat negotiation, threat negotiators and general counsel that understand cyber landscapes [enough to] navigate that ransomware incident.

“I would strongly encourage involving the FBI and/or CISA [the Cybersecurity and Infrastructure Security Agency] during the first hour or so after finding that ransomware note.”

CIO and CISO priorities, preparation

“[CIOs and CISOs] will probably have different priorities for when they want to do things; the CIO is going to be more concerned [about the] business side of keeping systems operational, whereas the CISO [wants to know] where is this critical data? Is it being exfiltrated? Having a good incident response plan, planning that stuff out in advance [is necessary so both parties know] what steps they’re supposed to take. 

“The best default to contain the attack is to pull internet connectivity. You don’t want to restart a system [or] shut it down, because you can lose forensic evidence. That way, if they are exfiltrating any data, that access stops, so you can begin triaging how they got in and patch that hole up. 

“We also need to assume that they have compromised our systems and maybe have accounts where they can see our emails and chats, so we need to move to an out-of-band communication, setting up Gmail accounts or Slack channels — something outside of the normal realm so you can begin communications and figure out how to remediate. 

“You’ve got to see if your systems are down. If they’re down [and] encrypted, you don’t want to recover over those [because] you might need that forensic data to figure out what’s happening. So ideally, have a cloud server or something else where you can restore those critical systems and get data flowing again.

“This is where having a CIO and a CISO together with two different teams makes sense, because the CIO can be standing up those critical systems again if they’re down, [while] the CISO can be going through forensic logs trying to figure out where the compromise happened and look for fake or malicious accounts [and whether] they have a backdoor into the system. We’ve got to make sure they don’t come right back in and encrypt us after we recover.

“You want to prepare for this before it happens. You want to run a tabletop with the executive team and have them think through a lot of this stuff, like, who’s going to communicate to the employees that this has happened? Did we lose employee data? If so, we must be able to tell them about it. Who communicates to the customers, to media? Do the CFO and her team even know how to buy Bitcoin if you are going to pay a ransom? It’s easy to say, ‘We’re not going to pay the ransom,’ until it happens and you realize you can’t restore from that.”


Brian Blakley, CISO at Bellini Capital: Confirm, contain and anchor

“The first few minutes probably matter more than most organizations realize. In my experience, the first three steps come down to confirm, contain and anchor. We want to confirm that blast radius, not hypothesize or theorize what it could be, but what is it really? You’d be surprised at how many teams burn their most valuable hour debating whether it’s really ransomware. 

“Second, contain first, communicate second. I think there’s a natural [tendency for] humans to send an all-hands email out, call an emergency meeting and even notify customers. What matters most is to triage and stop the bleeding, isolate those compromised systems and cripple the bad actor’s lateral movement. If you can’t stop the momentum of the attacker, the story gets worse by the minute.

“Communications end up being way more painful later. Clear communication is essential, but I think it’s most effective once you have the incident contained enough to speak truthfully and authentically. 

“The third part is anchor, and this is the thing that most technology nerds miss: At every next step, anchor it to the business because ransomware thrives on chaos. Anchoring means making decisions based on critical business functions that drive revenue. What’s still operational? Which systems represent customer trust and enable cash flow? Think restoring in the order the business makes money, not in the order infrastructure happens to be structured.

“When I worked for a midsize company that was hit with ransomware, the dashboard had systems listed alphabetically, so the team instinctively talked about them in that order. This is when a good CIO steps up and says, ‘That flight of attack is not a strategy — it’s which of these systems make us money. [Restore] revenue-critical systems first [to] keep the business operating and bring the rest up in a thoughtful, meaningful sequence.’”

CIO and CISO priorities, preparation

“I think a CIO and CISO naturally approach an incident from different angles, and I think that difference is essential. When they work in harmony, you get this balanced response that’s fast and safe. I think a CIO helps move the business forward, and a good CISO helps move the business forward faster with confidence.”

“Left of boom is all this awesome, proactive stuff. You’re building policies, a program, you’re building muscle memory and becoming brilliant at the basics of what you need to do on an operational level to prevent bad things from happening. 

“Preparation pays huge dividends. The organizations that I’ve seen recover the fastest are the ones that design a minimum viable business way before [an attack]. If you don’t understand your critical business functions before the ransomware event, you will learn them painfully during the event. You want to enable manual or alternative processes to keep revenue flowing.

“[You should have] building blocks, not rigid playbooks [because they] look great on paper and check the compliance box, but I can tell you from experience, no scenario that you come up with ever matches reality of the real scenario, so what happens is playbooks get thrown out the window within the first 15 minutes of [the incident]. 

“If you have reusable components that you can quickly assemble on the fly based on the situation that’s in front of you, that adaptability can save hours or days of recovery time.”


Chris Reffkin, Fortra: Remain calm. Practice makes perfect.

“[First,] contain and communicate. Time is of the essence. Ensure the teams are empowered with the clear authority to do what it takes to contain the outbreak, regardless of further loss of operational capability. It’s much easier to bring systems back from a controlled shutdown than restore from backups. Simultaneously, [provide] the CEO with a situational update, and other senior leaders, external counsel and insurance.

“Next, investigate and assess impact. Evaluate data and systems affected, origin of the attack and potential regulatory ramifications, and begin to assemble an overall timeline and scope of attack. At some point, the appropriate law enforcement agency should be contacted as well.

“[Last, focus on] response and recovery. There should be a dedicated response function that coordinates the information flow, priorities, dependencies, etc. For example, where would the organization go to respond to a customer inquiry or media inquiry related to the event if it’s been made public, and how would that information be shared? There is much more to coordinate than the technical pieces, and often they are harder to deal with than the technology.

“[The best way to contain a ransomware attack will be different for each organization depending on their architectures, controls and technology, but in general, isolate as completely as possible. That may seem like overkill; however, assuming you are focusing on containment before investigation, you do not know the origin, secondary or tertiary tactics or motives at play. The worst thing to do is to second guess strong and decisive decisions.

Priorities arbiter

“[To ensure critical operations during the response,] engage the executives on their availability and restoration priorities, and name an executive — not the CEO, CIO or CISO — to be the arbiter of priority. This allows for a complete view of perceived priority of systems, with restoration and operations focused on business priorities [rather] than individual executive priorities. Theoretically, you should already have an RTO (recovery time objective)-based priority of systems, though that may or may not be effective in a real event, pending the last time you practiced your response processes.

“Remain calm. Practice makes perfect. When is the last time you ran a tabletop exercise of a recovery? Key systems, business priorities, contact lists and changes to technology should be validated during your practice exercises. Do not assume you will have access to an online version of your recovery plan; those systems may be offline during a real event. Understand where your break-glass recovery plan copies are located and validate that they can be accessed quickly enough to support your RTOs, along with being able to communicate with critical personnel.”
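Blakley’s point about restoring in the order the business makes money rather than in dashboard order, and Reffkin’s point about an RTO-based priority of systems, both come down to the same planning problem: a restore sequence has to respect dependencies (identity and the core network come up before the payments platform that needs them) while still putting revenue-critical systems and the shortest RTOs first. The script below is an added illustration, not code from any of the interviewed organizations. The system inventory, names, RTO figures and dependency links are constructed for the example; the restoration order it produces is a topological sort whose tie-breaking follows the priorities described above, with priority inherited by anything a revenue-critical system depends on.

```python
"""Restoration sequencing for a ransomware recovery: dependencies first,
then revenue-critical systems, then shortest RTO.

Added example; all system names and figures below are constructed and
not taken from any real organization."""
import heapq
from dataclasses import dataclass


@dataclass(frozen=True)
class System:
    name: str
    rto_hours: float                 # recovery time objective agreed with the business
    revenue_critical: bool = False   # directly drives revenue or customer trust
    depends_on: tuple = ()           # systems that must be up before this one


def effective_priority(systems):
    """Propagate priority from a system to everything it depends on.

    A dependency of a revenue-critical system is itself effectively
    revenue-critical, and its effective RTO can be no longer than the
    shortest RTO among the systems that need it.
    Returns {name: (critical, effective_rto_hours)}.
    """
    by_name = {s.name: s for s in systems}
    dependents = {s.name: [] for s in systems}
    for s in systems:
        for d in s.depends_on:
            if d not in by_name:
                raise ValueError(f"{s.name} depends on unknown system {d!r}")
            dependents[d].append(s.name)

    memo, visiting = {}, set()

    def prio(name):
        if name in memo:
            return memo[name]
        if name in visiting:
            raise ValueError(f"dependency cycle through {name!r}")
        visiting.add(name)
        s = by_name[name]
        critical, rto = s.revenue_critical, s.rto_hours
        for dep_name in dependents[name]:
            c, r = prio(dep_name)
            critical, rto = critical or c, min(rto, r)
        visiting.discard(name)
        memo[name] = (critical, rto)
        return memo[name]

    return {s.name: prio(s.name) for s in systems}


def restoration_order(systems):
    """Return the sequence in which to restore systems.

    Kahn's algorithm over the dependency graph; whenever several systems are
    ready, pick a revenue-critical one with the shortest effective RTO
    (name breaks ties so the result is deterministic).
    """
    prio = effective_priority(systems)
    remaining = {s.name: len(s.depends_on) for s in systems}
    dependents = {s.name: [] for s in systems}
    for s in systems:
        for d in s.depends_on:
            dependents[d].append(s.name)

    def key(name):
        critical, rto = prio[name]
        return (not critical, rto, name)

    ready = [key(n) for n, left in remaining.items() if left == 0]
    heapq.heapify(ready)
    order = []
    while ready:
        _, _, name = heapq.heappop(ready)
        order.append(name)
        for dep in dependents[name]:
            remaining[dep] -= 1
            if remaining[dep] == 0:
                heapq.heappush(ready, key(dep))
    if len(order) != len(systems):
        raise ValueError("dependency cycle: cannot restore every system")
    return order


# Constructed inventory, listed alphabetically the way a dashboard might show
# it: payments and the order portal drive revenue; both need identity and the
# core network, which are not revenue systems themselves.
SAMPLE_INVENTORY = [
    System("email", rto_hours=24, depends_on=("identity",)),
    System("hr-system", rto_hours=72, depends_on=("identity",)),
    System("identity", rto_hours=4),
    System("network-core", rto_hours=2),
    System("order-portal", rto_hours=8, revenue_critical=True,
           depends_on=("identity", "network-core")),
    System("payments", rto_hours=4, revenue_critical=True,
           depends_on=("identity", "network-core")),
    System("wiki", rto_hours=168, depends_on=("identity",)),
]

if __name__ == "__main__":
    print("dashboard order:", [s.name for s in SAMPLE_INVENTORY])
    print("restore order:  ", restoration_order(SAMPLE_INVENTORY))
```

Run as-is, the script shows the gap Blakley describes: the alphabetical dashboard list would start with email and HR, while the computed sequence brings up network-core and identity (which inherit revenue priority from the systems that depend on them), then payments and the order portal, and only then email, HR and the wiki. The inventory and RTO values are the output of the tabletop work Lewis and Reffkin recommend; the sort is the easy part, which is why an executive arbiter still has to settle what counts as revenue-critical before the event.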
