There is more to ransomware response than restoring data from known good backups. Having a comprehensive ransomware...
incident response plan is crucial for information security programs -- it can serve as the foundation of those programs -- and every incident response plan should include a feedback loop to update the information security program when new vulnerabilities are identified.
Recent wide-ranging ransomware attacks have made the news for significantly impacting enterprises; however, it is possible that the impact of these attacks, such as the one on the city of Atlanta, could have been reduced with better planning.
In this tip, we'll discuss ransomware incident response plans and the appropriate enterprise responses to those attacks.
Ransomware incident response plans
Ransomware is no longer just an endpoint being encrypted by malware; a server, application or even data in a cloud service can be encrypted and held for ransom. While the specific details vary depending on the systems involved in the incident, being prepared with a comprehensive ransomware incident response plan can help reduce the impact of any attack.
An incident response plan should be complemented by a backup plan, a business continuity plan or even a disaster recovery plan -- all of which may be necessary when responding to and recovering from an incident.
A standard incident response plan will spell out the details of how to investigate an incident, including what evidence to collect, escalation details, contact information, root cause analysis, incident data reporting, security controls that can prevent future incidents and when to contact law enforcement. If the details of an incident diverge from the plan's assumptions or if additional details are needed, they can be documented later in the enterprise's specific incident response plan.
When developing a ransomware incident response plan, companies may want to review the NIST guidance on recovering from ransomware and destructive events. Every incident is different, with unique challenges to document, respond and follow up on.
A good ransomware incident response plan should address these variations, including:
- Containing the incident: Every incident will generate some volatile evidence. However, when ransomware is involved, that evidence may include a recoverable encryption key -- if the investigation begins before the encryption key is deleted. In some case, if the incident is detected quickly enough, you may even be able to stop the encryption.
- Thorough investigation: Some ransomware uses weak encryption that has a publicly available decryption solution provided by a security vendor or researcher.
- Contacting law enforcement: Responders may wish to involve law enforcement agencies in the case of a high-impact incident or data breach. Law enforcement experts may be able to offer guidance for paying ransoms based on previous experience with a ransomware or criminal organization involved in the attack.
Enterprise responses to ransomware
The first step in any incident response plan is to determine the scope and impact of the incident. Companies can use many parallel work tracks depending on the scope and impact of an event by following the incident response plan.
Outside of the actual incident response and planning, companies should test an incident response plan. Using a tabletop exercise focused on testing the response to a ransomware incident, participants can use existing tools to see if they can help respond to the incident and determine if additional tools are necessary. Companies may want to have annual, quarterly or even monthly exercises to test the plan and prepare the enterprise. These tests should include all the relevant parties, such as technical staff, the communications team and the legal team.
Enterprises may also want to check how their backups perform when recovering from a ransomware attack, as well as if any of their security tools have ransomware prevention or recovery functionality. Companies may want to verify that a test system infected with ransomware can be restored using a backup in a known-good state. While some systems save only the most recent version of a file or a limited number of versions, testing to restore the data, system or access to all critical systems is a good idea.
Some endpoint security tools have even added functionality to detect and block ransomware functionality. An enterprise with cyberinsurance may want to see if it covers a ransomware incident.
The tradeoffs of how much to spend on prevention versus response will continue to drive information security. As costs from ransomware attacks -- outside of paying a ransom -- become more significant and disruptive to the enterprise, the importance of planning how to weigh these costs prior to an attack will become more important.