Governments urge organizations victimized by ransomware not to pay criminals to get their data back.
But a veteran in digital forensics and incident response admits sometimes there are valid reasons to give in.
“No one wants to pay, but it’s not black and white,” Jaycee Roth, Toronto-based associate managing director for cyber risk at Kroll LLC, told the Canada West Virtual Summit last week. “You really do need to weigh the pros and cons.”
That includes doing a cost-benefit analysis of how much it will cost to be out of business, she said, noting that the biggest cost of any data breach (38 per cent of expenses) is business interruption. That not only includes loss of revenue but also loss of customers and loss of reputation.
But one prime factor in the decision is whether the IT department can restore data from backups.
“I can’t tell you the amount of times — I think every call I’ve had — where clients think they have backups, think they have all the information they need. But it boils down to testing, making sure you’ve actually used the backup before. We’ve come into so many situations where the backup is outdated or it doesn’t have the information you thought it had, or it’s missing that one database file that is critical to your business.”
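The backup failure Roth describes (a backup that exists but is stale, or is missing the one database file the business depends on) is exactly what an automated restore check should catch before an incident, not during one. The following Python script is an added illustration and is not code from Kroll or from the summit presentation; the critical-file manifest, the directory layout and the 24-hour freshness limit are all assumptions chosen for the demonstration, and the sample backup tree it builds is constructed in a temporary directory.

```python
import hashlib
import os
import tempfile
import time
from dataclasses import dataclass, field
from typing import Optional

# Hypothetical manifest of files the business cannot operate without.
# In practice this list comes from the environment inventory, not from guesswork.
CRITICAL_FILES = frozenset({
    "erp/ledger.db",
    "erp/customers.db",
    "mail/exchange.edb",
})

MAX_BACKUP_AGE_SECONDS = 24 * 3600  # assumed policy: anything older than a day is stale


@dataclass
class BackupReport:
    missing: list = field(default_factory=list)    # expected but absent from the backup
    empty: list = field(default_factory=list)      # present but zero bytes long
    stale: bool = False                            # newest critical file is too old
    checksums: dict = field(default_factory=dict)  # sha256 of each file that passed

    @property
    def usable(self) -> bool:
        return not self.missing and not self.empty and not self.stale


def sha256_of(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_backup(backup_root: str, critical, now: Optional[float] = None) -> BackupReport:
    """Check that a backup tree contains every critical file, that none is empty,
    and that the backup is recent enough to be worth restoring from."""
    now = time.time() if now is None else now
    report = BackupReport()
    newest = 0.0
    for rel in sorted(critical):
        path = os.path.join(backup_root, rel)
        if not os.path.isfile(path):
            report.missing.append(rel)
            continue
        st = os.stat(path)
        newest = max(newest, st.st_mtime)
        if st.st_size == 0:
            report.empty.append(rel)
            continue
        report.checksums[rel] = sha256_of(path)
    if newest and now - newest > MAX_BACKUP_AGE_SECONDS:
        report.stale = True
    return report


def build_sample_backup() -> str:
    """Construct a throwaway backup tree reproducing the failure Roth describes:
    one critical database file is missing and another is present but empty."""
    root = tempfile.mkdtemp(prefix="backup-demo-")
    os.makedirs(os.path.join(root, "erp"))
    os.makedirs(os.path.join(root, "mail"))
    with open(os.path.join(root, "erp", "ledger.db"), "wb") as f:
        f.write(b"constructed ledger contents")
    open(os.path.join(root, "erp", "customers.db"), "wb").close()  # zero bytes
    # mail/exchange.edb is deliberately absent
    return root


def demo() -> BackupReport:
    """Run the check against the constructed sample tree."""
    return verify_backup(build_sample_backup(), CRITICAL_FILES)


if __name__ == "__main__":
    rep = demo()
    print("usable:", rep.usable)
    print("missing:", rep.missing)
    print("empty:", rep.empty)
    print("stale:", rep.stale)
```

Run on the constructed tree, the report flags the absent mail database and the empty customer database, so the backup is reported as not usable even though a directory listing would look healthy. The checksums are there so the same script can be run against the live system and the backup, and the two compared, which is closer to "actually using the backup" than checking that the files exist.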
Another vital component IT managers need for responding to any cyber incident: Having a complete inventory of their environment. When a management/IT/consultant team is formed for a response, the first technical questions will be, how many workstations and servers are there, is there virtualization, are there firewall logs, describe the email infrastructure and more. “You will be surprised how many people cannot answer these questions,” she said. “If you don’t know your environment, if you don’t know how many endpoints you have, how can you protect or secure it?”
Roth is among the consultants that organizations call in a panic at 5 p.m. on a Friday, when many cyber attacks are launched.
For organizations that aren’t big enough to handle a cyber event on their own, she said, incident response will look like this: “Hopefully,” she started, “you have a cyber insurance policy.” That’s good because insurers have a list of pre-approved vendors who can help. The first will be an outside counsel or a breach coach who would be the response quarterback. Then, under a three-party agreement (the insurer, the coach and the organization) a vendor would be chosen to lead the IT side of the response. Following that there will be a scoping call, where, among other things, that question about describing the environment will be asked. Finally, there will be an agreed statement of work, which outlines what will be done.
Remediation involves three steps: Stabilize the environment (remove any active threats); restore service (everything from possibly installing backups, rebuilding the network, negotiating with the threat actor for decryption keys) and investigation of the cause of the incident.
This has to be done in the right order and in a way that doesn’t erase key evidence, Roth emphasized, to assist the forensic investigation. The worst thing IT can do is roll back the system before log data is collected.
One action Kroll insists on is the installation of an endpoint detection and response solution (EDR) if the organization doesn’t already have one, Roth said, because of its ability to detect unusual network behaviour. That will help in ejecting an attacker who is trying to maintain a foothold on the network.
When it comes to defending an organization, some things are out of your control, Roth said, like zero-day vulnerabilities. But defence in depth is still vital, as is EDR, network segmentation, patch management and even “canary accounts” — an admin account that is never used, so if someone tries to log in with it, that’s a sign of intrusion.
She also warned that IT has to be able to understand — and not ignore — the alerts their systems give. Every time a client with EDR has a compromise there were blocked alerts for days before, Roth said.
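A canary account only works if something is watching for it, and Roth’s second point is that the alert then has to be read. The Python detector below is an added illustration, not code from Kroll or from the presentation: it scans authentication events for any use of a never-used admin account and raises one alert per event. The account name, the host names, the source addresses and the key=value log format are all constructed for the example; the event IDs (4624, 4625, 4768, 4776, 4634) are the real Windows Security log IDs for logon activity, but the lines themselves are made up.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List

# Hypothetical canary account: it exists in the directory but no person or service
# ever authenticates with it, so any logon event naming it is a sign of intrusion.
CANARY_ACCOUNTS = frozenset({"svc_legacy_admin"})

# Windows Security log event IDs that indicate an authentication attempt (real IDs).
LOGON_EVENTS = {
    4624: "successful logon",
    4625: "failed logon",
    4768: "Kerberos TGT requested",
    4776: "NTLM credential validation",
}

# Constructed log format for this example (not a real product's export format).
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+host=(?P<host>\S+)\s+event=(?P<event>\d+)\s+"
    r"user=(?P<user>\S+)\s+src=(?P<src>\S+)$"
)


@dataclass(frozen=True)
class CanaryAlert:
    timestamp: str
    host: str
    event_id: int
    account: str
    source_ip: str
    description: str


def detect_canary_use(lines: Iterable[str], canaries=CANARY_ACCOUNTS) -> List[CanaryAlert]:
    """Return one alert for every authentication event that names a canary account.
    Both failed and successful logons are reported: a failure means someone is
    probing, a success means they already have the password."""
    wanted = {c.lower() for c in canaries}
    alerts = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # malformed or unrelated line; a real pipeline would count these
        event_id = int(m["event"])
        if event_id not in LOGON_EVENTS:
            continue  # logoffs and other non-authentication events are ignored
        if m["user"].lower() in wanted:  # account names are case-insensitive in AD
            alerts.append(CanaryAlert(
                timestamp=m["ts"], host=m["host"], event_id=event_id,
                account=m["user"], source_ip=m["src"],
                description=LOGON_EVENTS[event_id],
            ))
    return alerts


# Constructed sample events: ordinary activity, then a failed and a successful
# logon with the canary account from the same source address.
SAMPLE_LOG = """
2024-05-03T16:58:02Z host=DC01 event=4624 user=j.smith src=10.0.2.31
2024-05-03T16:59:40Z host=FS02 event=4625 user=m.chan src=10.0.2.44
2024-05-03T17:01:55Z host=DC01 event=4768 user=a.roth src=10.0.2.31
2024-05-03T17:02:11Z host=DC01 event=4625 user=svc_legacy_admin src=10.0.4.17
2024-05-03T17:02:19Z host=DC01 event=4624 user=SVC_LEGACY_ADMIN src=10.0.4.17
2024-05-03T17:03:00Z host=DC01 event=4634 user=j.smith src=10.0.2.31
this line is not in the expected format
""".strip().splitlines()


if __name__ == "__main__":
    for alert in detect_canary_use(SAMPLE_LOG):
        print(f"{alert.timestamp} {alert.host} {alert.description}: "
              f"{alert.account} from {alert.source_ip}")
```

On the sample, the detector produces exactly two alerts, both for the canary account from 10.0.4.17, and ignores the failed logon by a real user and the logoff event. The point of reporting the successful logon separately from the failure is Roth’s: the failure is the early warning that should have been read days before, the success is the foothold that EDR is then needed to remove.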
“I can honestly say in the last couple of years every time I get online with insureds, with people who have suffered these breaches, I can hear that they’ve really responded to the top cyber security risks of the past few years. They’ve increased multifactor authentication, they’ve retired old and vulnerable operating systems, updated and secured remote access points.
“But it’s important to note that as we progress, so do our adversaries. They’re not going to stop or give up tomorrow. They’re going to keep going.”