By Nate Pors.
Top executives are increasingly dreading the phone call from their fellow employees notifying them that their company has been hit by a cyber attack. Nearly every week in 2021 and early 2022, a prominent organization has been in the media spotlight as their public relations team struggles to explain how they were attacked and how they can regain consumer confidence. A recent survey showed that 37 percent of organizations surveyed had been affected by ransomware attacks in the last year.
Worse, the days when executive leadership teams could fully delegate responsibility to a CISO are over. Regardless of reality, surveys have shown that about 40 percent of the public perception of fault for a ransomware attack lands squarely on the CEO’s shoulders, and that 36 percent of attacks result in the loss of C-level talent. While executive involvement in the security program does not guarantee a successful defense, it does give the Executive Leadership Team (ELT) a degree of ownership of the final product, as well as the ability to speak confidently and knowledgeably to the public.
Cisco Talos Incident Response (CTIR) has assisted hundreds of organizations through recent ransomware incidents and executive tabletop exercises and compiled the following observations for how top executives can best prepare and evaluate their teams.
When, not if
Many teams center their plans around preventing the initial attack rather than responding after an adversary has successfully gained a foothold. A ransomware attack is always a multi-stage process, and it is up to members of the ELT to set a strategy that slows and frustrates the adversary during an attack. Those aspects of planning should focus on quick response, tested containment techniques, and eradication. Some examples of questions you should ask are:
- Does your team have Standard Operating Procedures for and regularly practice containment “battle drills” such as quickly changing all privileged account passwords throughout the entire enterprise?
- Do they have ways to quickly isolate a compromised network segment to preserve the integrity of the rest of the network?
- Is your team working toward zero-trust architecture?
- Does your team know where your critical data resides and is it encrypted at rest?
- Do they know what your business-critical services are, and what technical dependencies they have?
- Are your backups redundant and protected from casual access by a compromised administrator account?
The answers to these tough questions can be the difference between success and failure when facing an impending ransomware attack.
Teamwork makes the dream work
It’s hard to build an effective cross-disciplinary team in the heat of the moment. Almost every CISO delegates responsibility for coordinating immediate actions in a cybersecurity emergency to a trusted subordinate, often called an “incident commander” or “CIRT lead.” When your incident commander builds the ransomware “war room,” do they have an at-a-glance roster to ensure the right people are included? Since your time as an executive is very limited, how do you want to be updated, and do the incident commander and/or CISO understand that requirement? Is legal embedded into your organization’s incident command structure?
Your top performers will often push themselves beyond the point of exhaustion during a major incident and make mistakes as a result. Do you have trusted individuals holding each other and their teams accountable to set a proper tempo? Generally speaking, incident responders can only perform at peak mental efficiency for about 10 to 12 hours per day, so that figure can be used to structure a good rotation. Does your team have an effective rest plan, with redundancy built in for key roles in case of personal life emergencies? CTIR has observed that top-tier security operations centers (SOCs) structure their emergency personnel planning similarly to personnel planning for military operations, in the sense that every person has one or two designated backups fully trained to perform their role.
Similarly, CTIR has observed that top-tier SOCs coordinate seamlessly with third parties. While we are honored to be the first call for many of our customers in case of an emergency, the most successful responses also often involve specialized support from third-party security software/hardware providers as well. Does your incident response team have those relationships already established and have well-documented procedures for getting their support?
Can you hear me now?
One of the most common questions we hear during tabletop exercises is: “How can we prepare for ransomware communications?” In terms of internal communication, it is critical to define what communication system will be used to send notifications. Is it capable of reaching and rallying the team after hours? Assuming the worst-case scenario where the entire corporate network is offline, do you have a truly out-of-band (OOB) communication method? Referring to the military planning model, it is no accident that even the lowest-level operations orders define primary, secondary, and tertiary methods of communication.
Time matters for external communications. We have observed that attacks on high-profile organizations generally appear in the media within 24 hours. Do your communications and PR teams have pre-built templates they can use for initial public notifications of an incident? Writing them now will save time and ensure that key details are not overlooked during a crisis. What are the key points needed to take control of the news cycle early? What is the approval chain — does the CEO need to personally review it, or can it be released at the direction of the head of corporate communications?
A thoughtful CEO might want to establish circumstances under which direct review is required, such as in the case of confirmed sensitive data compromise, but give corporate communications the authority to publish notifications without CEO review under all other circumstances. If you have a customer-facing team like customer care or help desk, is there a canned message they can provide that keeps everyone calm while ensuring that sensitive information is not shared? In all cases, legal counsel should be consulted and work in partnership with corporate communications.
Negotiating with attackers
Are you willing to set a hardline policy that your organization will never pay a ransom under any circumstances? No data exists to say whether a publicized statement to that effect decreases the likelihood of being targeted, but CTIR has observed the inverse effect. Organizations that set a precedent for making ransom payments are heavily targeted since they are perceived as a guaranteed payday by adversaries. In fact, a recent survey showed that 80 percent of organizations that paid a ransom were reattacked shortly afterward.
If you cannot set the hardline policy of non-payment, many secondary considerations are important, including the legality of the payment if an OFAC-sanctioned entity is involved. Do you have your legal counsel, cyber insurer, and possibly a professional ransomware negotiation firm you can contact quickly? As always, consult with your legal counsel.
CTIR recommends that victims of ransomware never pay the extortion payment, since it is impossible to guarantee the return or decryption of the targeted data. However, we have helped customers draft ransomware payment decision trees to guide them through the decision qualitatively or quantitatively, ensuring that they are making a well-reasoned decision while under extreme pressure. The Ransomware Task Force, an elite team on which CTIR was proud to represent Cisco, recently recommended requiring a cost-benefit analysis before payment.
Advice to any CEO for preparing a ransomware preparedness plan
- The executive leadership team can and should be closely involved with the development of the anti-ransomware plan.
- Attempted ransomware attacks are almost inevitable for the average organization today, but proper post-breach actions can allow excellent damage mitigation.
- Team structure and good communications plans matter just as much as strong cybersecurity tools and configuration.
- Ransom payment considerations are complex and there is no “one-size-fits-all” answer, but in most cases, paying a ransom leads to increased targeting in the future.