The key to a resilient incident response is to have a continuous process and tested relationships in place before an issue occurs. In the end, this strategy can reduce the intensity of an attempted attack, if not fully eliminate it.
Over the last year, ransomware has been extremely active, affecting the supply chain, government, and individual enterprises. The good news is that tools and resources are available to assist companies in developing a robust incident response capability to combat ransomware.
Ransomware has been a source of concern for IT and cybersecurity professionals for several years. It is no longer simply a concern for security specialists; it’s also a threat that affects people’s daily lives. It has become a major security concern following a series of high-profile events involving Colonial Pipeline, SolarWinds, Kaseya, and a host of other companies.
The ultimate goal of threat actors is to raise the chances of the victim paying the ransom. Adversaries are improving ransomware payload capabilities to ensure that an attack on an enterprise has the biggest impact possible. There has been an increase in attackers “living off the land,” leveraging native system tools to help distribute ransomware.
Another troubling development that threat actors are relying on is ransomware-as-a-service (RaaS). Instead of having to design their own ransomware, cybercriminals can use the RaaS model, which allows them to scale ransomware attacks for profit through affiliates.
Ransomware attacks tend to follow a predictable pattern. It all starts with the first point of entry, whether it’s through phishing, a stolen credential, insecure software, or another method. After that, privilege escalation and lateral movement across an environment might occur. Finally, the attackers may exfiltrate and encrypt data, holding it for ransom or double extortion, if they have the necessary access and are in the correct location in the network.
Even with the most sophisticated ransomware threats, there is usually a detection opportunity while investigating these attacks. The issue is that most businesses aren’t doing enough logging or actively monitoring to spot the threat in a timely manner.
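The pattern described above (native tools launched from an unexpected parent, then a burst of file changes) is exactly the kind of thing logging makes visible. The following is an added example, not code from the article: two small detection heuristics run over constructed endpoint telemetry. The JSON Lines log format, the tool and parent-process lists, and the window and threshold values are all assumptions chosen for illustration.

```python
"""Toy detections for the ransomware pattern the article describes:
"living off the land" tool use followed by bulk file encryption.

Added example; the log format, tool lists and thresholds are assumptions
chosen for illustration, not the article's own.
"""
import json
from collections import defaultdict, deque
from datetime import datetime

# Assumed: native tools often abused in "living off the land" activity.
NATIVE_TOOLS = {"powershell.exe", "cmd.exe", "wmic.exe", "rundll32.exe", "mshta.exe"}
# Assumed: user-facing applications that rarely need to spawn those tools.
USER_APP_PARENTS = {"outlook.exe", "winword.exe", "excel.exe", "acrord32.exe"}

# Constructed sample telemetry (JSON Lines). ws01 shows the suspicious chain;
# ws02 shows routine admin activity that should not alert.
SAMPLE_LOG = """\
{"ts": "2024-03-01T09:00:00", "host": "ws01", "event": "process", "image": "winword.exe", "parent": "explorer.exe"}
{"ts": "2024-03-01T09:00:05", "host": "ws01", "event": "process", "image": "powershell.exe", "parent": "winword.exe"}
{"ts": "2024-03-01T09:00:06", "host": "ws01", "event": "process", "image": "cmd.exe", "parent": "powershell.exe"}
{"ts": "2024-03-01T09:00:10", "host": "ws01", "event": "file_rename", "path": "docs/q1.docx", "new_ext": ".locked"}
{"ts": "2024-03-01T09:00:11", "host": "ws01", "event": "file_rename", "path": "docs/q2.docx", "new_ext": ".locked"}
{"ts": "2024-03-01T09:00:12", "host": "ws01", "event": "file_rename", "path": "docs/budget.xlsx", "new_ext": ".locked"}
{"ts": "2024-03-01T09:00:13", "host": "ws01", "event": "file_rename", "path": "docs/notes.txt", "new_ext": ".locked"}
{"ts": "2024-03-01T09:00:14", "host": "ws01", "event": "file_rename", "path": "docs/plan.pptx", "new_ext": ".locked"}
{"ts": "2024-03-01T09:00:15", "host": "ws01", "event": "file_rename", "path": "docs/readme.md", "new_ext": ".locked"}
{"ts": "2024-03-01T09:30:00", "host": "ws02", "event": "process", "image": "powershell.exe", "parent": "cmd.exe"}
{"ts": "2024-03-01T09:31:00", "host": "ws02", "event": "file_rename", "path": "etc/app.cfg", "new_ext": ".bak"}
{"ts": "2024-03-01T09:45:00", "host": "ws02", "event": "file_rename", "path": "etc/db.cfg", "new_ext": ".bak"}
"""


def parse_log(text):
    """Parse JSON Lines telemetry into dicts with a datetime 'ts' field."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        ev["ts"] = datetime.fromisoformat(ev["ts"])
        events.append(ev)
    return events


def detect_lotl(events):
    """Flag a native tool launched directly by a user-facing application."""
    alerts = []
    for ev in events:
        if ev["event"] != "process":
            continue
        if ev["image"] in NATIVE_TOOLS and ev["parent"] in USER_APP_PARENTS:
            alerts.append({"kind": "lotl_from_user_app", "host": ev["host"],
                           "ts": ev["ts"], "detail": f'{ev["parent"]} -> {ev["image"]}'})
    return alerts


def detect_rename_burst(events, window_seconds=60, threshold=5):
    """Flag >= threshold renames to one new extension on one host within a sliding window."""
    alerts = []
    recent = defaultdict(deque)  # (host, new_ext) -> timestamps still inside the window
    renames = sorted((e for e in events if e["event"] == "file_rename"), key=lambda e: e["ts"])
    for ev in renames:
        q = recent[(ev["host"], ev["new_ext"])]
        q.append(ev["ts"])
        while (ev["ts"] - q[0]).total_seconds() > window_seconds:
            q.popleft()
        if len(q) == threshold:  # fire once, as the burst crosses the threshold
            alerts.append({"kind": "rename_burst", "host": ev["host"], "ts": ev["ts"],
                           "detail": f'{threshold} files renamed to {ev["new_ext"]} within {window_seconds}s'})
    return alerts


def run_detections(text):
    """Run both heuristics and return alerts in time order."""
    events = parse_log(text)
    return sorted(detect_lotl(events) + detect_rename_burst(events), key=lambda a: a["ts"])


if __name__ == "__main__":
    for a in run_detections(SAMPLE_LOG):
        print(a["ts"].isoformat(), a["host"], a["kind"], a["detail"])
```

On the constructed sample this produces two alerts, both for ws01: the script interpreter spawned by a document viewer, and the rename burst nine seconds later. The second host's activity (an interpreter launched from a shell, two config backups fifteen minutes apart) stays quiet. The point for an incident response program is that both signals depend on process-creation and file-activity telemetry already being collected and retained; without that logging, the detection opportunity the article mentions does not exist.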
Resilient Incident Response
Trust in the organization’s incident response capability — trust that systems can be recovered — as well as trust in relationships throughout the enterprise, with vendors, and with law enforcement — is what resilience is all about.
It’s critical for enterprises that don’t have incident response capabilities in-house to have that expertise available through a third-party service, usually on a retainer basis. Collaboration has been shown to enhance response time and help prevent ransomware attacks. It’s critical to have a plan and a strategy in place before an incident occurs, whether the incident response team is in-house or with a trusted partner.
Incident Response Process
Test the incident response plan – The first step is to test the incident response plan to ensure that the business is prepared. This phase consists of tabletop exercises conducted throughout the organization so that the individuals involved learn how to respond. Organizations should also test data backup and recovery as part of their preparation to ensure business continuity.
Identify detection capabilities – In order to understand the presumed cyber-risk, the company must first identify its detection capabilities and determine where the gaps are. It’s also crucial to identify third-party and supply-chain risk during this period.
Ready to respond when an incident occurs – Businesses must ensure they have either an incident response team on retainer or in-house, with service-level objectives, prepared to respond when an incident occurs.
Process of continuous improvement – It is crucial to do an after-action review – after an incident – that details lessons learned. Those lessons should be fed back into the incident response plan for continuous improvement.