Tabletop simulation exercises speed up ransomware response

Most people will never have a fire in their home or office, but everyone can remember going through a fire drill at some point. The process of evacuating a building and meeting outside prepares us for the actual conditions we might face in a real fire.

Many companies go to great lengths to prepare for disasters like fires and floods, but most remain woefully unprepared to deal with ransomware—despite the fact that ransomware attacks are far more likely. One way to improve your company’s ransomware incident response capability is to gather your employees and conduct some simple tabletop exercises.

What are ransomware tabletop exercises?
Tabletop exercises are informal sessions where employees meet to discuss their specific roles and the proper team response to an emergency. The meetings are typically led by a facilitator who guides participants through a simulation of a disaster scenario.

During a ransomware tabletop exercise, the facilitator walks each participant through the actions they should take if computers and servers become encrypted with ransomware. The facilitator explores unexpected additional problems that might pop up during the emergency—such as ransomware spreading to multiple servers or office locations. The goal is to make sure that participants spend time thinking through how they would handle these situations.

Facilitators also work to identify gaps in the current plan such as a lack of adequate backups, data recovery limitations, or insufficient contractual relationships with disaster recovery software vendors. The facilitator can then make recommendations for improvements to the plan.

Getting started
The first step in a ransomware tabletop exercise is to find the right facilitator. Ideally, the facilitator will have experience in ransomware incident response to make the session realistic. The facilitator must be well prepared to discuss the ransomware scenario and potential problems when they step into the meeting. The best facilitators are good communicators and discussion leaders who keep the team on task.

Start the meeting by introducing each person and their role in the organization. Participants typically include employees from the information technology, security, legal, public relations and operations teams, but your team could include others depending on your company's makeup. For example, a company with custom-developed applications might include people from software development, and a school might include faculty members.

It’s also a good idea to assign someone to attend the meeting to take notes on how the team decides to handle specific problems as well as notes on any unresolved issues that can be revisited later. Having a note-taker frees up the facilitator to interact with the participants. Each participant should come to the meeting with a copy of the current incident response plan, if available, and a notebook.

The facilitator should wrap up by reviewing what the team did well and what needs improvement. The facilitator can then use the notes to send out a follow-up memo with more details on the discussion, proposed revisions to plans, and responsibilities for each attendee. Be sure to plan meetings regularly until you’re satisfied with the incident response plan, then revisit the plan every so often as the company grows and changes.

For more news and information on the battle against ransomware, visit the FightRansomware.com homepage today.

Ransomware Incident Response: 7 steps to success

Ransomware infections are becoming increasingly commonplace, and companies that put a plan together before an incident are much more effective at combatting this pervasive malware.

Ransomware response can be broken down into seven steps. Here’s a cheat sheet:

Validate
The first step is to confirm whether a reported ransomware infection is an actual infection. There are cases where a user reports what they think is ransomware, but it turns out to be adware, phishing, or some other virus. Validation is important because it keeps efforts focused on important issues. But if you see a ransomware note demanding payment to unlock files, and your system or files are locked or frozen, then you’ve been hit.

Assemble
Now it’s time for the incident response team to assemble. Incident response teams often include members of your IT staff, management, public relations, and legal. The incident response plan outlines how each member should be trained on how to respond to a ransomware incident. In some cases, the primary person may be unavailable, and it will be necessary to call in a secondary resource to handle that role.

Analyze
The next step is to determine the scope of the incident, including which networks, applications and systems are impacted and whether the ransomware continues to spread. This is often the role of the IT and security point people.

Contain
Containment actions can take place concurrently with analysis activities. In this phase, infected machines are isolated to stop the spread of the ransomware by disconnecting the computers from the network or shutting them down. The scope often changes while containment is underway and the ransomware is still spreading. This phase ends when all infected machines have been isolated from clean machines.
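The Analyze and Contain steps above are about answering two questions quickly: which machines are affected, and is it still spreading? The following is an added example, not code from the original post, showing one way to answer both from file-server audit logs. The log format, host names, share paths and the two indicators (an encrypted-file suffix and a ransom-note file name) are constructed for this illustration; in a real incident the indicators come from the Validate step, i.e. the note and renamed files the reporting user showed you.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample file-server audit log (not real data):
# timestamp, client host, action, path written.
SAMPLE_LOG = r"""
2016-03-14T07:48:10Z FIN-LT-017 WRITE \\FS01\finance\Q1-budget.xlsx.locked
2016-03-14T07:48:11Z FIN-LT-017 WRITE \\FS01\finance\README_DECRYPT.txt
2016-03-14T07:49:02Z HR-WS-003 WRITE \\FS01\hr\policy.docx
2016-03-14T07:55:40Z FIN-LT-017 WRITE \\FS01\finance\vendors.csv.locked
2016-03-14T08:10:05Z OPS-WS-011 WRITE \\FS01\ops\schedule.xlsx.locked
2016-03-14T08:10:06Z OPS-WS-011 WRITE \\FS01\ops\README_DECRYPT.txt
2016-03-14T08:18:30Z OPS-WS-011 WRITE \\FS01\ops\runbook.pdf.locked
"""

# Assumed indicators for this constructed incident (taken from the validation step).
ENCRYPTED_SUFFIX = ".locked"
RANSOM_NOTE = "README_DECRYPT.txt"

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(.+)$")


def parse_log(text):
    """Return (timestamp, host, action, path) tuples; malformed lines are skipped
    rather than aborting the whole analysis."""
    events = []
    for line in text.strip().splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append((ts, m.group(2), m.group(3), m.group(4)))
    return events


def is_indicator(path):
    """True if the written file looks like ransomware output."""
    name = path.rsplit("\\", 1)[-1]
    return name.endswith(ENCRYPTED_SUFFIX) or name == RANSOM_NOTE


def scope_incident(text, now, active_window=timedelta(minutes=10)):
    """Group indicator writes by client host.  A host whose last indicator write
    is within active_window of 'now' is still encrypting, so the scope is not yet
    stable and containment is not finished."""
    affected = {}
    seen_hosts = set()
    for ts, host, action, path in parse_log(text):
        seen_hosts.add(host)
        if action != "WRITE" or not is_indicator(path):
            continue
        entry = affected.setdefault(host, {"first_seen": ts, "last_seen": ts, "indicators": 0})
        entry["first_seen"] = min(entry["first_seen"], ts)
        entry["last_seen"] = max(entry["last_seen"], ts)
        entry["indicators"] += 1
    for entry in affected.values():
        entry["still_active"] = now - entry["last_seen"] <= active_window
    return {
        "affected": affected,
        "still_spreading": any(e["still_active"] for e in affected.values()),
        "unaffected_hosts": sorted(seen_hosts - set(affected)),
    }


def scope_at(text, iso_now):
    """Convenience wrapper: evaluate the scope as of an ISO-8601 UTC timestamp."""
    now = datetime.strptime(iso_now, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return scope_incident(text, now)


if __name__ == "__main__":
    result = scope_at(SAMPLE_LOG, "2016-03-14T08:20:00Z")
    for host, e in sorted(result["affected"].items()):
        print(f"{host}: {e['indicators']} indicator writes, "
              f"{e['first_seen'].time()}..{e['last_seen'].time()}, "
              f"{'STILL ACTIVE' if e['still_active'] else 'quiet'}")
    print("still spreading:", result["still_spreading"])
    print("hosts seen but unaffected:", result["unaffected_hosts"])
```

Re-running the scope as containment proceeds is the point: once every affected host's last indicator write has aged out of the window and no new hosts appear, the Contain phase is over in the sense the text describes. Hosts that wrote to the share but produced no indicators are listed separately so they can be checked rather than assumed clean.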

Investigate
The investigation starts by preserving evidence. Some machines will need to be returned to service as soon as possible while others might be less critical. Evidence such as log files or system images is collected from the affected machines, along with documentation of their serial numbers and asset identifiers.

Eradicate
The eradication phase removes the ransomware from machines and brings them back into a functioning state. Isolated machines are wiped, and then data is restored from backup to each of the machines after the evidence on the computers has been preserved. In some cases, organizations may decide to remove the ransomware and then restore files that were encrypted by the ransomware without wiping the device first.

A full machine restoration prevents other ransomware or malware from causing problems on the computer, and it also prevents backdoors or other software that the ransomware might have installed from being used to infect the machine later. For this reason, it is typically recommended that you wipe the device and restore the operating system and data from backup.

Remediate
The last step is to remediate the problem that the ransomware exploited in the first place. This is often a user training issue, so companies implement more awareness training or coaching of individuals. In other cases, new technology needs to be put in place. If backups were found to be inadequate, the company would back up more data or back up more often. The ransomware incident should result in some improvement actions that the organization can perform to be better prepared for future incidents.

Crucial Elements of an Incident Response Plan

The news is crowded with reports from noteworthy companies of cyber-attacks.  Last year was the year of the data breach and this year is the year of ransomware.  Companies large and small, even those with large security budgets and mature security practices, still proved vulnerable to attack.  Every company will suffer a security incident someday, but not all companies are prepared for it, and preparation will determine what impact a security incident will have on your company.

Will your company weather the attack and come out stronger for it or will you lose customers, brand image, or your company?

“We’re not in Kansas anymore”

This is where your incident response plan comes in.  The incident response plan outlines the activities that will take place in an incident.  Decisions made before an incident are far superior to those made in the heat of the moment when the stress is on.  Plans can be thought through and properly vetted, and this leads to more robust decision making, more effective incident response, less company and customer loss due to the incident, and less stress overall.

“Houston, we have a problem”

The first step in an incident response plan is to define the team of individuals who will conduct and coordinate the incident response.  This is more than just a group of technical wizards or high-level executives.  It also includes PR, legal, security, and third parties.

“To the Batcave”

Once the team is assembled, the next step is to create an incident response plan.  This is not a step that is given to one or two team members.  Rather, those involved on the team should also be involved in the incident response planning effort.

Scenarios or tabletop exercises can be used to develop plans for specific incidents or to enhance existing plans.  Scenarios such as malware infection, ransomware infection, a lost or stolen device, Distributed Denial of Service (DDoS) attacks, cyber breaches, and social engineering should be specifically addressed in meetings where each team member walks through the actions they would take in that incident.  A facilitator guides the discussion and makes sure critical steps are not skipped.  The output from scenario planning is a detailed step-by-step process for handling specific incidents.

“Who’s on First?”

It is not enough to know what to do.  You also have to know who is going to do it.  Many plans have failed because no one knew who was supposed to carry out the expertly-written instructions.  Each task in the incident response plan should have a designated person or role assigned to it.  Role-specific tasks provide accountability and ensure that there will be someone to conduct those activities during an incident.  None of the tasks identified in the procedures should be overlooked.  It is important to also assign alternates in case the primary person is unavailable when the actual incident occurs.  Once the incident procedures have been properly vetted and approved and the roles outlined, response activities should be practiced regularly so that the incident response team is familiar with their responsibilities.

There is a lot more information available on incident response, but an effective incident response plan requires the right team, well-thought-out instructions, and tasks that are clearly assigned to individuals.  Plans lacking these elements will not provide your company, customers, and employees with the guidance they need when an incident occurs, and it will happen.  Be prepared.

This post is sponsored by AT&T Security.

5 steps to a winning incident response team

People are the core of any incident response effort.  You must have the right people to provide the right response.  Incident response teams should include a diverse set of individuals across the organization including executives, information technology, security, public relations, legal and relevant 3rd parties.  Here is what makes a winning incident response team.

  1. Winning teams have top-level support

Top level support is essential in an incident response team, and executives can provide it.  Executives are the ones who will be able to allocate the resources necessary to take action during a breach, and they can rally support and establish budgets for planning and preparation activities.  Executives also bring legitimacy to incident response plans and procedures.

  2. Winning teams have the technical skills

Almost every incident will require some level of technical skill to resolve it, and most incidents will require significant technical effort.  Information technology (IT) team members are usually the first to find out about an incident.  Sometimes users report an incident to IT; in other cases, IT learns about the incident through detective security controls such as log monitoring, intrusion detection systems, or antivirus.  IT is also responsible for making technical changes as incident response activities progress.

  3. Winning teams have a security perspective

A keen understanding of the risks, impact, and scope is needed in incident response.  This is where members of the incident response team responsible for security step in.  Security team members take point on validating reported events and determining if they constitute an incident.  They analyze information collected by technology tools and assess the scope and impact of the incident.

  4. Winning teams know how to communicate

Communication, both internally and externally, is a fundamental component of incident response.  Public relations team members communicate with employees, partners, law enforcement, the media, or investors regarding the incident.  They work with the legal team to understand the compliance, contractual liability, and cyber breach notification requirements.

  5. Winning teams cross organizational boundaries

Teams may include both internal employees and contractors.  Incident response is not something most companies do every day, and an effective response requires individuals who have the unique skills, tools, and techniques required to address the incident.  Some third parties that may be part of the incident response team include forensics firms, security consultants, attorneys, insurers, law enforcement, or upstream providers such as Internet Service Providers (ISPs), datacenters, or cloud providers.

Team makeup is critical for successful incident response.  A winning team needs to have adequate support, the required technical and security skills, effective communicators, and outside expertise.  So who is on your team?

Effectively gathering facts following a data breach

It is easy for miscommunication to happen after a data breach.  There could be many people working on the incident, each documenting differently, and without guidance critical facts could be lost due to inconsistent or ineffectual documentation procedures.  This can make it difficult for incident response teams to understand the relevant facts of the matter.  Here are some guidelines for documenting a breach.

It can be very helpful to start with a timeline.  Discuss the incident with those who first noticed it and those who validated that there was an incident.  Put the time of the reported incident and the time of validation on the sheet, and then add the events that led up to the incident.  Keep adding events to the timeline as you progress; this will show the incident flow and help you determine the cause and effect of the incident.  Review the timeline with the incident response team and receive feedback.  The timeline can be used much like a murder board in a police investigation: post the known facts and their times on the wall in the incident briefing room and tack on new facts as you progress.  You can do this digitally as well if the team is not all in one place.

Next, record the facts only.  Don’t let personal opinions creep into the log.  Documented assumptions can lead the incident response team in the wrong direction.  They can also be detrimental if legal action is taken as part of the investigation as these documents could be part of the discovery process.

The National Institute of Standards and Technology’s (NIST) Computer Security Incident Handling Guide suggests that teams should have a person designated as the documenter while another person performs tasks so that the critical facts are not left out.

Lastly, don’t jump to conclusions.  There could be many explanations given the available data, so care must be taken to eliminate the alternatives methodically.  Determine what data you will need to eliminate an option and then seek that out.  Keep track of the possible scenarios and their underlying criteria and whether those criteria have been proved or disproved.
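The three documentation practices above (a time-ordered board of facts with their sources, a log that holds facts rather than opinions, and a list of candidate scenarios with criteria that are proved, disproved or still open), together with the evidence preservation described in the Investigate step of the ransomware cheat sheet (log files or images, recorded with serial numbers and asset identifiers), map naturally onto a small data model. The following is an added example written for this page, not code from the original posts or from NIST. Every event, hypothesis, file, asset tag and serial number in it is constructed sample data.

```python
import hashlib
import tempfile
from dataclasses import dataclass, field
from datetime import datetime, timezone
from pathlib import Path


@dataclass
class TimelineEvent:
    when: datetime   # when it happened (UTC), not when it was written down
    source: str      # who or what reported it: a person, a log, a tool
    fact: str        # the observation only; interpretations belong in a Hypothesis


@dataclass
class EvidenceRecord:
    path: str
    sha256: str
    asset_id: str
    serial: str
    collected_by: str
    collected_at: str


@dataclass
class Hypothesis:
    scenario: str
    # criterion -> True (proved), False (disproved) or None (still to be checked)
    criteria: dict = field(default_factory=dict)

    def status(self):
        values = list(self.criteria.values())
        if any(v is False for v in values):
            return "disproved"          # one disproved criterion eliminates the scenario
        if values and all(v is True for v in values):
            return "proved"
        return "open"

    def needed(self):
        """Data still to be sought before this scenario can be accepted or eliminated."""
        return [c for c, v in self.criteria.items() if v is None]


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def collect_evidence(path, asset_id, serial, collected_by):
    """Record the artifact's hash at collection time together with the asset
    tag and serial number of the machine it came from and who collected it."""
    return EvidenceRecord(str(path), sha256_file(path), asset_id, serial, collected_by,
                          datetime.now(timezone.utc).isoformat())


def verify_evidence(record):
    """True if the artifact still matches the hash taken at collection."""
    return sha256_file(record.path) == record.sha256


def build_timeline(events):
    """Chronological board of facts: the report, the validation and the events
    that led up to the incident, each tagged with its source."""
    return [f"{e.when.isoformat()}  [{e.source}]  {e.fact}"
            for e in sorted(events, key=lambda e: e.when)]


def demo():
    """Run the three pieces on constructed data and return the results."""
    utc = timezone.utc
    events = [  # deliberately out of order; build_timeline sorts them
        TimelineEvent(datetime(2016, 3, 14, 8, 2, tzinfo=utc), "helpdesk ticket 4471",
                      "User on FIN-LT-017 reports renamed files and a ransom note on the desktop"),
        TimelineEvent(datetime(2016, 3, 14, 8, 15, tzinfo=utc), "security analyst",
                      "Ransom note and encrypted files confirmed on FIN-LT-017; incident validated"),
        TimelineEvent(datetime(2016, 3, 14, 7, 48, tzinfo=utc), "FS01 audit log",
                      "FIN-LT-017 started writing renamed files to the finance share"),
        TimelineEvent(datetime(2016, 3, 14, 8, 20, tzinfo=utc), "network team",
                      "Switch port for FIN-LT-017 disabled"),
    ]
    hypotheses = [
        Hypothesis("Malicious e-mail attachment opened on FIN-LT-017",
                   {"mail gateway shows an attachment delivered to the user": True,
                    "attachment hash matches the dropper found on the host": None}),
        Hypothesis("Remote desktop on FIN-LT-017 reached from the Internet",
                   {"host has remote desktop exposed to the Internet": False}),
    ]
    with tempfile.TemporaryDirectory() as tmp:
        note = Path(tmp) / "FIN-LT-017-ransom-note.txt"   # constructed artifact
        note.write_bytes(b"constructed sample ransom note\n")
        record = collect_evidence(note, "ASSET-00417", "SN-CONSTRUCTED-1", "analyst A")
        ok_at_collection = verify_evidence(record)
        note.write_bytes(b"constructed sample ransom note, edited later\n")
        ok_after_change = verify_evidence(record)   # tampering or accidental edit is now detectable
    return {
        "timeline": build_timeline(events),
        "hypotheses": {h.scenario: h.status() for h in hypotheses},
        "still_needed": {h.scenario: h.needed() for h in hypotheses},
        "verified_at_collection": ok_at_collection,
        "verified_after_change": ok_after_change,
    }


if __name__ == "__main__":
    for line in demo()["timeline"]:
        print(line)
```

The separation of `fact` from `Hypothesis` is the point of the "record the facts only" guidance: the timeline holds what was observed and by whom, and interpretations live in hypotheses whose criteria are tracked until they are proved or disproved, so the team can see at a glance which data still needs to be sought. Hashing an artifact at collection and re-checking it later is the minimum that makes "preserving evidence" meaningful if the documents end up in discovery.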

Hospitals are the highest risk for data breaches

Recent research shows that hospitals are the highest risk for data breaches.  The third annual benchmark study on patient privacy found that 45% of healthcare organizations had suffered more than five data breaches.  This is an increase from 29% in 2010.  In the majority of cases, 46%, the cause of the data breach was a lost or stolen computing device.  Employee carelessness and business associate mistakes were tied for the second most likely cause.

Healthcare IT News put together a list of the top 10 healthcare data breaches of 2012 listed below:

Healthcare Data Breach Top 10 (list not reproduced here)

As we move into 2013, health care organizations can help prevent data breaches by maintaining tight control over organizational computing assets containing Protected Health Information (PHI), since lost or stolen devices are the leading cause of breaches.  They should also be concerned with employee security training and require higher security standards of business associates.  Last but not least, HIPAA compliance is a must.

When a data breach or cyber security incident does occur, the impact can be minimized if clear direction for handling the breach has been given through incident response plans.  It is also important to know when to call for outside help.  Identify providers of breach response services and computer forensic services and have their information at hand to minimize the scope and impact of a data breach or cyber security incident.

Culture change through incident response

A while back, I published a white paper on security culture.  An organization’s culture in relation to information security determines how receptive employees will be to security initiatives.  Culture can make the difference between security that is embedded into the organization and security that is simply an afterthought or, even worse, ignored.

Culture is formed through a series of successes that reinforce the underlying assumptions behind those successes.  Conversely, failures diminish the assumptions associated with the failure.  There are many actions an organization can take to begin the process of instilling a culture of security.  A recent example at Seattle Children’s Hospital shows how the organization’s security culture was improved through incident response planning.

In an interview with Information Week, Cris Ewell, Chief Information Officer for Seattle Children’s Hospital, stated that, now that they have implemented incident response plans, employees have recognized that breaches will happen even with the best preventative measures.  They also realized that some incidents require outside help.  It is important to know who to contact ahead of time because time is precious following an incident.