Technical readiness is a common component of tabletop exercises that organizations undergo to prepare for potential cyberattacks, but often the work stops there.
Restoring operations for a breached or completely shut down network is critical, but enterprises often neglect even more important next steps, Dmitri Alperovitch, CrowdStrike co-founder and executive chair of the Silverado Policy Accelerator, said at the RSA Conference.
Enterprises need to remain calm, trust best practices over instincts, engage in negotiations and publicly disclose the attack quickly.
“Communication is often the most important thing of a response exercise,” Alperovitch said. “Where I’ve seen things go off the rails is often because people are not ready for the public relations disaster that is about to take place.”
Companies that fare better and earn respect following a ransomware attack are transparent. They share what occurred during the attack and the steps they took in response, according to Alperovitch.
“Everyone’s getting hit,” he said. “This is unavoidable but how you respond is actually going to make all the difference.”
The resiliency of an organization’s response to an attack is too often based on two- and three-alarm fires, or containing the spread of incidents already considered serious, National Cyber Director Chris Inglis said at the conference.
Under these scenarios, the best an organization can do to reduce the char is respond quickly: “We actually want to get to a place where we’re inherently resilient and robust in ways that we aren’t today.”
This requires governments, organizations and every link in the supply chain to assess and identify their respective cyber roles and responsibilities. Transgressors do this to great effect today.
If responsibilities are weak or undefined, or an organization’s security stature is deemed complacent, threat actors will exploit that, Inglis said.
Regardless of how a breach occurs, and since ransomware attacks are inevitable, there are specific moves a victim organization should make in response.
“Do not panic,” Alperovitch said. Enterprises need to practice for these incidents regularly and have rapid response teams and negotiators ready to go. Those negotiations can and should begin while a business buys itself some time to determine the damage done.
Alperovitch also advises companies to have press releases pre-written and approved by legal so they can quickly distribute them. Organizations often don’t know the extent of what’s occurred for days, but getting ahead of the matter can limit the broader impacts of the attack.
“A lot of organizations rush to pay a ransom even before they have a full appreciation of the impact that the malware may have caused on their network,” Alperovitch said. This can be exacerbated when CIOs and CISOs can’t definitively say how quickly they can recover after the initial attack.
Sometimes, it’s a relatively straightforward decision for executives. “They’re just saying, ‘well, if it’s a couple million bucks, let’s just pay it,’” Alperovitch said.
Not so fast, Sandra Joyce, EVP and head of global intelligence at Mandiant, said during her global threat briefing with Alperovitch.
“You don’t know who you’re giving money to at that point,” she said. “A lot of these groups are going to be funding their own regimes, their own illegal schemes. So when you do pay a ransom you could be funding something that you’re very much morally against.”