By Steve Schwartz, director of security, ECI
Earlier this year, a ransomware attack on the Colonial Pipeline led to a shutdown of 45% of the East Coast’s fuel supply, 12,000 gas stations running dry and the highest gas costs in years. Five days and $4.4 million later, the pipeline was back up, with the CEO of the company acknowledging he authorized the ransom payment because executives weren’t sure of the extent of the breach and how long it would take to restore operations.
He noted, “I will admit that I wasn’t comfortable seeing money go out the door to people like this.”
Yet, it was all about business, and eerily, that’s what it was for the perpetrators. Hackers from DarkSide were quick to make this point clear; the attack had nothing to do with a political agenda or social causes — it was about money. Period. DarkSide not only carries out such attacks, it offers Ransomware-as-a-Service so aspiring cybercriminals can profit from doing the same. In fact, DarkSide provided assurance that moving forward they’d “check each company that our partners want to encrypt to avoid social consequences in the future.”
Sounds fairly professional, right? You bet it is. And that should worry a chief information officer (CIO), whether they’re in investing, insurance or any industry where identifying, assessing and quantifying risk to the organization is essential. Businesses produce a wealth of data, and not only can downtime take a devastating financial toll and result in missed opportunities, a breach can ruin a corporate reputation and send customers for the door.
CIOs don’t want that, and hackers know it. Further, the hackers’ perception is that organizations must have the resources to pay huge demands quickly, and that their cybersecurity efforts are probably underfunded because corporate emphasis is placed on generating profit.
In their eyes, this all makes your company a prime target.
First things first
Yes, hackers know when they have a company over a barrel. So, how should you respond to a ransomware attack? What actions should you immediately take or avoid?
The immediate question for many leaders is whether they should pay the ransom at all. The knee-jerk reaction is “no” in order to discourage extortion. But the reality is that the pros and cons need to be examined on a case-by-case basis. Operations must get back up and running ASAP, so nine times out of 10, paying a ransom is a straight business decision. After all, inaccessible data equals loss, and in a worst-case scenario, perhaps even the end of a company.
There are two mistakes that often occur during response. Failure of personnel to immediately report the initial signs of an attack can enable ransomware to spread across systems and do even greater damage. This can be caused by an employee lacking understanding about what’s happening, thinking they can rectify the situation and getting in over their heads or simply not wanting to admit there’s an issue out of fear. The other mistake is turning off systems and possibly losing the ability to recover keys or thoroughly conduct a forensic investigation.
Some companies wonder if they should take matters into their own hands and look for decryption keys online. Once you’ve contained the malware, you can search online or even try to get the keys directly from the locked system. With limited ransomware applications being written, there isn’t a huge volume of keys out there, so it’s possible to find them. Some groups use static keys, which are easily decrypted; others use asymmetric ones and key pairs, which are more difficult to crack. But it helps that hackers often re-use the same underlying code.
What are you going to do about it?
Today, it’s not a matter of if you’re going to be attacked, it’s a matter of when. But there’s plenty you can do to mitigate risk, including the following:
- Stop the bleeding: Segregate the system or systems from the networks so you can reduce the damage and keep other parts of your business running.
- Maintain backups: Be sure you regularly review backups of your data so that you can recover with as little loss as possible. If a full restore will take longer than you can tolerate, prioritize the data and applications to be restored in order of importance.
- Create and update response plans: These strategies should include such things as immediate containment tasks, chain of command, disaster recovery processes and more. Update these regularly, because new threats are constantly emerging, personnel can leave key posts and infrastructure changes.
- Assess and test: Perform risk assessments and network penetration tests. This includes conducting table-top exercises so IT and executives can define and refine the response plan.
- Go phishing: Employees are often the way into a company’s network, particularly now that remote workers often have lax security. Test them with fake phishing attempts and be sure to regularly conduct preventative training.
Fuel for thought
Some attacks I’ve seen have been investigated internally, but typically, these efforts don’t include a forensic chain of custody that provides the chronological electronic evidence needed for a court of law. I make this distinction because I believe it’s very difficult for a company to get all the data that they need in order to take legal action that may result from a ransomware or other type of attack.
If an organization uses a managed services provider (MSP) to get the cloud-based services they need, they likely won’t need to hire a forensic investigator to delve deeper. For that matter, an MSP can defray a lot of costs, concerns and aggravation, particularly if they cater to industries that deal with financial and sensitive data. MSPs tend to have the best security in place, constantly invest in new technology and have experts versed in best practices and fast recovery. And, it doesn’t hurt to have a team that can take a calm, collected approach during chaos.
The Colonial Pipeline attack has indeed given CIOs “fuel for thought.” In a way, that’s good; after all, the frequency of ransomware and other threats is on the rise. Your organization could be next – so be sure you’re ready.
About the Author
Steve Schwartz, director of security, ECI.
Steve has spent more than 15 years in the cybersecurity industry, with the past five at ECI. At ECI he helps clients understand the shifting cybersecurity landscape and plan for, prepare for and respond to cyber-related events. Steve also works to bridge the gap between business and security priorities, helping organizations make sense of their investments.
Prior to joining ECI, Steve spent five years in the U.S. Navy onboard a submarine and has worked with several boutique consulting organizations in addition to S&P Global Markets and PwC. Steve’s experiences primarily revolve around penetration testing and security assessments. He has worked with a variety of different security standards and frameworks and has multiple industry recognized certifications.
Steve can be reached online at Sschwartz@eci.com and at our company website ECI: Cloud, Digital Services and Cybersecurity Solutions