Ransomware Incident Response Planning

Ransomware attacks are ever-increasing globally. Here’s how to evaluate your cyber security partners and be resilient, when preparing for the worst.

Colonial Pipeline, Kaseya, Solar Winds, Microsoft… the list goes on and on. In the past 12 months alone, more than one third of all organizations globally have faced some type of ransomware incident, according to a recent survey by research firm IDC.

The ransomware industry has evolved in sophistication. Malicious actors even subscribe to Ransomware as a Service (RaaS), whereby criminal organizations lease ransomware variants the same way that legitimate software developers lease SaaS products. RaaS gives everyone, even people without much technical knowledge, the ability to launch ransomware attacks just by signing up for a service.

RaaS kits allow malicious actors, lacking these skills or time, to easily develop their own ransomware variants that can be up and running quickly and affordably. Such RaaS kits are easy to find on the dark web. A RaaS kit may include 24/7 support, bundled offers, user reviews, forums, and other features identical to those offered by legitimate SaaS providers. The price of RaaS kits ranges from $40 per month to several thousand dollars – trivial amounts, considering that the average ransom demand in Q3 2020 was $234,000.

A threat actor doesn’t need every attack to be successful in order to become rich. RaaS is big business, with total ransomware revenues in 2020 of around $20 billion—up from $11.5 billion in 2019.

Clearly, ransomware incidents are not going away any time soon. In fact, they are accelerating. It is vital to create a digitally resilient institution that can absorb the impact yet not be crippled by the attack, in order to recover quickly without significantly impacting students, faculty, and research. Digital resilience represents the ability to continue to operate through an impairment and stay in business while minimizing institutional harm, reputational damage, and financial loss.

Resilient organizations:

  • know their networks and data
  • set targets, measurements, and goals for cybersecurity
  • employ best practices in change management
  • prioritize risks and intelligence for better decision-making
  • respond rapidly to incidents while maintaining operational readiness, reducing the risk of data loss, and preventing additional harm

Given this “new normal,” what attributes should you consider when selecting a partner to help you minimize your risk and create a ransomware playbook to maintain resilience?

Not all cybersecurity services are created equal. Consider this checklist as one way to evaluate cybersecurity partners:

1. As the old adage says, “You cannot determine where you are going until you know where you are.”

Select a partner that is able to baseline and assess your current information security program. Typically, reputable cybersecurity services begin with a detailed policy assessment AND vulnerability assessment. What do we mean by that? A policy assessment analyzes your organization’s cybersecurity controls and its ability to remediate vulnerabilities. These risk assessments should be conducted within the context of your organization’s objectives, rather than in the form of a checklist as you would for a cybersecurity audit.

A vulnerability assessment is a systematic review of security weaknesses in an information system. It evaluates whether the system is susceptible to any known vulnerabilities, assigns severity levels to those vulnerabilities, and recommends remediation or mitigation, if and when needed.

Any cybersecurity service that doesn’t include both assessments will leave your institution exposed and more vulnerable to ransomware attacks. Vulnerability scans are like a photograph and show a snapshot in time, and that picture can change daily. Therefore, vulnerability scans should be provided continuously (e.g., daily, weekly or monthly).

2. Ask your cybersecurity partner…

…how they will assist in improving cyber hygiene in the form of patch management, to prevent ransomware attacks from having an access point into your network.

3. Hire a partner to help you create and routinely update your risk register in cooperation with your Board and Office of Risk Management.

Access control and governance issues must be scrutinized by all involved parties. Cybersecurity risk management is comparable to other forms of risk management and is therefore a Board-level issue. For example, did you know an institution can lose access to federal financial aid if it’s found to be out of compliance with national standards, such as National Institute of Standards and Technology (NIST) 800-171?

4. Find a partner who will assist your institution in creating your unique ransomware incident response playbook.

Think of this as your ransomware crisis plan. Off-the-shelf playbooks are fine for understanding concepts, but since your organization’s network architecture, data, and faculty requirements are unique, your institution needs a customized playbook handy should the need arise.

5. Ensure your vendor partner performs or arranges for an annual third-party penetration test.

This “pen test” includes scanning your network for weaknesses and, optionally, attempting to exploit any vulnerabilities that can enable attackers to gain entry. This is critical as new vulnerabilities are discovered every day, and what was thought to be secure may no longer be.

6. An effective partner will audit your security controls against relevant cybersecurity frameworks…

…like TAC § 202 or NIST 800-53 R5, in addition to your state-specific frameworks that may govern data security. This is a regulatory environment that is constantly changing, and your partner should proactively provide you with compliance requirements and discrepancies.

7. Partner with cyber staff who routinely communicate with governmental and law enforcement agencies…

…to provide relevant alerts and trends to your CIO for remediation.

8. Every capable vendor should also be auditing your organization randomly…

…to confirm its compliance with your cybersecurity plan.

“Organizations face a clear and present danger, but the more salient truth is that boards and C-Suite leaders face a clear and present certainty since they bear liability for the failure.” Digital Resilience: Is Your Company Ready for the Next Cyber Threat? Ray Rothrock, 2018.

Via the E&I Columbia Advisory Group (CAG) contract, CAG is available to assist your institution with cybersecurity services, audits, planning, and to help with your ransomware incident response playbook.