The first 24 – What to do when you’re struck by ransomware


As any true-crime aficionado will tell you, the first 48 hours of an investigation are the most important. In the realm of cybercrime, however, when struck by an attack, the first 24 hours are the most crucial, which is why a disaster response plan is so important.

One of the worst types of attacks that can be launched against a business is ransomware. Not only does the malware encrypt all of your files until a payment is made, cybercriminals can also threaten to release any sensitive information they glean from the attack.

It’s vital that businesses operate at speed once an attack is detected, as the longer an attack runs, the more disastrous it becomes. Chief technology officer at Integrity360, Richard Ford, outlines five steps businesses need to take in the first 24 hours after an attack is detected.

Step One: Identify, Confirm and Isolate

While ransomware can make itself known through a scary-looking popup, that’s not always how it works. Cybercriminals have a habit of living in a network, gathering information and planning an attack long before ever executing it. Cybercriminals are careful, but they can slip up, and there are signs that they may be siphoning off data, such as unusual outbound traffic. Once an attack begins, early warning signs include failed logins, inaccessible files and, of course, the aforementioned menacing pop-up.

At this stage efforts must be made to confirm that an attack is happening and what the target may be.

“Once confirmed, isolate affected systems from the network immediately. Time is of the essence – ransomware often seeks to maximise damage by spreading across shared drives and cloud platforms. Disconnecting devices, disabling Wi-Fi and VPNs, and blocking access at the firewall level are essential measures to prevent further infection,” Ford advises.
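The early warning signs named above (bursts of failed logins, unusual outbound traffic) and the "isolate first" advice in Ford's quote can be turned into a small triage check. The script below is an added example written for this article, not code from Integrity360 or from the article's author. It assumes a simplified, constructed log format (one line per authentication event or outbound flow summary) and constructed per-host traffic baselines; the thresholds are illustrative and would be tuned per environment.

```python
"""Triage check for two early ransomware warning signs over simple log lines:
   1. a burst of failed logins from one source within a short window,
   2. a host sending far more outbound data than its usual baseline.
Hosts and sources that trip either check are listed as candidates to
isolate first, matching the "identify, confirm and isolate" step."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not from any real system). Assumed line formats:
#   "<ISO timestamp> auth FAIL|OK user=<name> src=<ip>"   authentication events
#   "<ISO timestamp> net OUT host=<name> bytes=<n>"       outbound flow summaries
SAMPLE_LOG = """\
2024-05-01T02:00:01 auth FAIL user=admin src=10.0.0.5
2024-05-01T02:00:03 auth FAIL user=admin src=10.0.0.5
2024-05-01T02:00:05 auth FAIL user=backup src=10.0.0.5
2024-05-01T02:00:09 auth FAIL user=admin src=10.0.0.5
2024-05-01T02:00:12 auth FAIL user=svc_sql src=10.0.0.5
2024-05-01T02:00:20 auth OK user=admin src=10.0.0.5
2024-05-01T02:30:00 auth FAIL user=alice src=10.0.0.22
2024-05-01T03:10:00 net OUT host=fileserver01 bytes=48000000000
2024-05-01T03:10:00 net OUT host=workstation07 bytes=120000000
"""

# Constructed baseline: bytes each host normally sends outbound per hour.
SAMPLE_BASELINE = {"fileserver01": 2_000_000_000, "workstation07": 100_000_000}

FAILED_LOGIN_THRESHOLD = 5        # failures from one source inside WINDOW
WINDOW = timedelta(minutes=10)
OUTBOUND_RATIO = 5.0              # flag if sent > ratio x baseline


def parse_line(line):
    """Parse one log line into a dict, or None if it does not fit the format."""
    parts = line.split()
    if len(parts) < 3:
        return None
    fields = dict(p.split("=", 1) for p in parts[3:] if "=" in p)
    return {"ts": datetime.fromisoformat(parts[0]), "kind": parts[1],
            "status": parts[2], **fields}


def detect_failed_login_bursts(events):
    """Sliding window: report each source with >= threshold failures in WINDOW."""
    by_src = defaultdict(list)
    for ev in events:
        if ev["kind"] == "auth" and ev["status"] == "FAIL":
            by_src[ev["src"]].append(ev["ts"])
    bursts = []
    for src, stamps in by_src.items():
        stamps.sort()
        start = 0
        for end in range(len(stamps)):
            while stamps[end] - stamps[start] > WINDOW:
                start += 1
            if end - start + 1 >= FAILED_LOGIN_THRESHOLD:
                bursts.append({"src": src, "count": end - start + 1,
                               "first_seen": stamps[start]})
                break  # one finding per source is enough for triage
    return bursts


def detect_outbound_anomalies(events, baseline):
    """Sum outbound bytes per host; flag hosts far above (or missing) a baseline."""
    totals = defaultdict(int)
    for ev in events:
        if ev["kind"] == "net" and ev["status"] == "OUT":
            totals[ev["host"]] += int(ev["bytes"])
    anomalies = []
    for host, sent in totals.items():
        base = baseline.get(host)
        # A host with no baseline is treated conservatively and flagged too.
        if base is None or sent > OUTBOUND_RATIO * base:
            anomalies.append({"host": host, "bytes": sent, "baseline": base})
    return anomalies


def triage(log_text, baseline):
    """Run both checks and return findings plus the isolate-first list."""
    events = [ev for ev in (parse_line(l) for l in log_text.splitlines()) if ev]
    bursts = detect_failed_login_bursts(events)
    anomalies = detect_outbound_anomalies(events, baseline)
    return {
        "failed_login_bursts": bursts,
        "outbound_anomalies": anomalies,
        "isolate_candidates": sorted({b["src"] for b in bursts}
                                     | {a["host"] for a in anomalies}),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG, SAMPLE_BASELINE).items():
        print(key, value)
```

On the constructed sample the check flags 10.0.0.5 (five failures in eleven seconds) and fileserver01 (24 times its baseline), while the single failed login from 10.0.0.22 and the modest traffic from workstation07 are left alone. The output is a shortlist for the confirm-and-isolate step, not proof of compromise; a responder still confirms each finding before pulling a host off the network.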

Having a cybersecurity team on standby is ideal, especially for a small business. Cybercriminals tend to target smaller firms, cognisant of the fact their protections may be lacking. A managed service provider can be a valuable asset during an attack no matter the size of the organisation.

Step Two: Light the Beacons

At this stage your company’s incident response plan should be put into action. While the temptation may be to keep the attack quiet, this is the opposite of what should be done. Once an attack is detected and containment has begun, stakeholders should be notified.

“Ransomware response is more than an IT issue – it’s a business-wide challenge. Once containment is underway, inform key internal stakeholders, including executive leadership, legal, compliance, and communications teams. Appoint a central response lead, ideally from your crisis management team, who can coordinate efforts and make key decisions quickly,” says Ford.

Step Three: Secure backups and don’t engage

The temptation to pay a ransom may be strong, but this would be a dire mistake. For one, there is no guarantee that the attackers will make good on their promise to decrypt the data. Paying the ransom also opens the door for further attacks, as it signals to the attackers that you are willing to pay should you be compromised.

“Instead, secure all backups and logs. Identify when the attack began, which systems are affected, and what data may be at risk. This information will be crucial for both remediation and regulatory reporting,” says the CTO. “Having an expert partner will improve this process, by providing rapid forensic support to help assess the impact by identifying indicators of compromise (IOCs), tracing the attack vector, and determining the attacker’s dwell time. This information can also help you understand if data exfiltration occurred – an increasingly common element of modern ransomware.”

Step Four: Your options and obligations

Depending on the industry you operate in and the data at risk, a breach could trigger legal obligations on your part. It’s at this stage that you will want to consider which bodies you need to notify, such as the Information Regulator and those you do business with.

It’s important to record every step taken during the disaster recovery process, not only for legal reasons but to help inform your response to future attacks.

Step Five: Recover and improve

Once the attack is thwarted, it’s vital to conduct a full audit of your systems and infrastructure. Cybercriminals will leave backdoors wherever they can to conduct attacks in future. This sweep needs to be completed before any backups are restored, as a business would otherwise simply open itself up to re-infection. Again, a trusted, secure managed service provider can be a useful asset during these times.

“Cyber security firms offer different ways to ensure organisations are ready to face ransomware. This includes emergency incident response, where teams can rapidly deploy to help take control, contain the threat, and recover operations – whether remote or on-site. Another option is to hold an incident response retainer; this is designed for preparedness. Retainer services give you guaranteed access to expert responders when you need them most. With predefined SLAs, threat intelligence, and environment familiarity, these tools can help businesses respond faster and more effectively,” Ford concludes.

When a ransomware attack hits it can feel like the world is ending, but this is why a disaster recovery plan is so important. Take the time to formulate a plan, and if you don’t know where to begin, businesses like Integrity360 can help.
