
It’s not whether it happens but how you respond: a ransomware attack (or similar network intrusion) is going to hit the network, and alarm bells are going to go off. You’ve got to move fast: what do you do?
First, call the CISO. Ideally, though, the CISO should know first and be ready to act, or already in action, by the time the CIO calls. Clear, top-level guidance is a must. Here’s how to stay calm under pressure and be an effective leader when there is no checklist to guide you.
Contain
A CIO should have communicated to their security teams beforehand that the number one priority in a breach is containment – regardless of operational downtime. If it protects the enterprise, do it. Bringing systems back online from a complete shutdown is much easier than restoring from backups.
To have these marching orders clear when disaster strikes, a CIO should have taken pains to communicate this golden rule ahead of time. And then ensured their teams had the capabilities and authority to do what needs to be done.
Communicate
Even before the full impact is understood, communicate with your CEO. They need situational updates to stay abreast of the latest developments: they are the ones responsible for informing the board and other stakeholders, and it’s their job to consult with and support you during the response, so they are owed the information they need to give their best advice and recommendations.
You’ll also be responsible for informing other senior leaders as needed, while keeping external counsel (legal, most likely) and insurance companies in the loop. At the right time, contact the appropriate law enforcement agency. This is an often overlooked and underappreciated step in the process: engaging law enforcement opens another avenue of support and resources that most do not realize exist.
Assess the Impact
Have your teams report to you with the core basics:
- What data and systems were affected (and are they now stable/secure or are we still under attack)?
- Where did the attack start, and how confident are we that the attack chain has been identified?
- What was the timeline and scope of the attack: do we have all our bases covered, and do customers need to be notified?
Legal counsel should be involved, or at least notified. Once the above has been ascertained, they will help assess the potential regulatory, commercial, or other ramifications that may require notifications or other compliance-related activity.
You may not have been able to control the fact that ransomware compromised your systems, but you do have full control over how you respond in those critical first few days.
Focusing on doing “right” for your customers, employees, and the organization overall, and avoiding distractions such as internal or external speculation, should be your guiding light. Not everyone will be happy, but when the dust settles and you’re able to demonstrate care, speed, and precision in your response, you’ll be confident it was a job well done.
Prepare to Respond
There should be a clear chain of command for response actions when a ransomware breach hits. Red team engagements and other offensive security tactics can be great for getting this muscle memory in place.
This dedicated response flow should define how you’re going to coordinate the flow of information, who takes point for communications (internal and external), who makes the ultimate decisions about what information goes out and when, who reports directly to you (think security teams) and with what intel, and finally, what the security priorities and dependencies are, so that teams are clear on them.
Dealing with these non-technical pieces is just as much a part of ransomware response as shutting down systems and containing the impact. In reality, it is containing the impact on another level; being able to do this smoothly reflects on the leadership of the entire organization.
Do As Many Practice Runs as You Can
Ransomware attacks are meant to be disorienting and disruptive. That’s why tabletop exercises and red team engagements are key to executing a smooth response and recovery. Practice makes permanent, and you want your response engine to be second nature by the time your teams deal with an incident in real life. These things should be nailed down during practice exercises:
- Key systems.
- Business priorities (executive operational priorities).
- Restoration priorities (RTO-based, ideally).
- Contact lists.
- Changes to technology.
- Where your break-glass, offline version of your recovery plan is, including key contacts (because an online version may be impacted in a breach).
Nailing these things down ahead of time means that when a ransomware attack actually does happen, you can put all your energy into the response, because you know that the logistics of the response can run on autopilot; you’re not making them up as you run down the road.
If you want breach containment to run on autopilot as well, or at least as close to it as it can, put your team and tools in front of simulated ransomware attacks ahead of time by honing your red team, blue team, and purple team skills.
Keep Calm and Don’t Second-Guess
But as they say, when the time for decision is here, the time for preparation is past. When faced with a crisis, make decisions, stick to them, and pivot as needed as the response unfolds. Facts change rapidly during an emerging event and your response actions may need to evolve; the trick is to stay focused on the above and not extend the scope of your response mission.