Destructive cyber-attacks such as ransomware and wiper attacks are forcing a culture change within organizations as teams need to come together to build resilience. In many organizations, the CIO and CISO and their teams pursue their own, sometimes conflicting, goals and maintain their own cultures and methods. But to build resilience to attacks, security and IT operations must work much better together.
Historically CISOs primarily had to deal with incidents of data theft, or more accurately an unauthorized disclosure of data, where the original data is left intact. In a destructive cyber-attack, the data is no longer available to support delivery of products and services. The CISO will be seen as failing in their main mission to protect against the impact of a cyber-attack, yet the responsibility for the availability of data has largely been outsourced to IT operations or facilities as a part of business continuity and disaster recovery.[1]
Compared with monetizing stolen data, ransomware offers attackers quick and large returns, so their motivation is high; combined with the large attack surface of a modern organization, this means organizations must accept that it is impossible to prevent, or even detect, 100 per cent of cyber-attacks. Adding yet another preventative or detective control to a CISO's existing stack of tools often increases cost, creates more user friction, further reduces the organization's agility and continues to drive alert fatigue, while moving the residual risk needle only a fraction.
Today, investments in mitigating attack impact tend to deliver the best return in reduced risk. By building resilience through effective and efficient response and recovery, the CISO is better able to tackle the threat posed by destructive cyber-attacks and to deliver the CIO's mission of maintaining availability of the systems that power an organization's products and services.
Establish an open culture - A ransomware incident cannot be resolved by the security team or the IT team working in isolation. The CIO needs answers about system prioritization, interdependencies and options for rebuilding and recovering systems and data, which they gain ahead of the attack through the Business Impact Analysis. A frequent gap in this analysis is the "dial tone" services and tools that the company needs to have in place to even start the investigation, mitigation and recovery process. Post-incident, the CISO's team needs these tools to investigate and build the timeline, including the initial intrusion method, persistence mechanisms and gaps in controls. The information from the CISO's team drives the threat mitigation steps that IT operations must take before systems are put back into production, to prevent reinfection or reattack.
When dealing with a wiper or ransomware attack, this cooperation needs to extend far beyond these two teams to the entire board and to internal stakeholders from PR, through Legal, to HR.
The CIO and the infrastructure team are already quite experienced in this regard, as floods, fires, power outages, equipment failure and misconfiguration also threaten data centers in their world. The security team can draw on this wealth of experience and work with them to understand how services and infrastructure depend on each other, and what their failure due to a destructive attack would mean.
The CISO and CIO must prepare for ransomware by establishing, in advance, the ability to rapidly instantiate their response and recovery environments. Isolated clean rooms can be set up to store an emergency set of trusted security tooling, as well as the communications and collaboration capability required to manage the incident and contact employees, insurers, law enforcement, regulators and impacted data subjects. Inside the clean room, the security operations team builds the timeline of the incident, along with a manifest of steps that the IT operations team must take to bring systems back into production safely. They do this by hunting for indicators of compromise and performing forensics and artefact analysis, but these actions must be supported while maintaining the network and host isolation needed to stop the spread of the attack. This is an important consideration: some traditional security tooling that resides at the edge of the network can struggle to deliver these tasks once the organization has isolated hosts and networks to contain the attack.
Do not have blind faith in our ability to prevent cyber-attacks; instead, have the tools to mitigate the consequences - The IT operations team, meanwhile, recovers or rebuilds systems from trusted sources inside a staging room. It is there that they carry out the steps stipulated by the security team to mitigate the threats and test the functionality of the recovered and mitigated environment before restoring it to production. A good final step is to take a new baseline snapshot of the interdependent systems prior to moving back into production, so that if not all of the badness was discovered and further investigation in the clean room is needed, the teams do not have to revert to square one. In reality, response and recovery is a highly iterative and context-dependent process, so the teams and systems that form the clean room and the staging room need to work seamlessly together.
In today's environment, having a cyber incident should not be seen as a failure of cyber security; having a cyber incident and not dealing with it well, due to a lack of preparedness and awareness, is. Cyber incidents happen just like traditional disaster recovery scenarios. The solution is not to have blind faith in our ability to prevent attacks, but to have the tools and processes in place to mitigate the consequences of the incident. If CISOs can manage this shift from pure defense to operational defense, it will change their investment behavior.
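The Business Impact Analysis, the interdependency mapping and the mitigation manifest described above can be captured in a small model that both teams can query during an incident. The following is an added example (not code from the original article or from Red Sky Alliance); the service names, dependencies, priority tiers and mitigation steps are constructed, and the blast-radius and recovery-order logic is a generic dependency-graph treatment that goes slightly beyond the prose by also flagging cycles in the BIA.

```python
"""Added example: model a Business Impact Analysis as a dependency graph
so the CIO and CISO teams can (a) see the blast radius of a destroyed
system, (b) derive a staging-room recovery order that respects
dependencies and priority tiers, and (c) gate systems from staging into
production until the security team's mitigation manifest is complete.
All data below is constructed for illustration."""
import heapq
from collections import defaultdict, deque

# Constructed BIA: service -> (priority tier, services it depends on).
# Tier 1 are the "dial tone" services needed before anything else works.
BIA = {
    "identity":  (1, []),
    "dns":       (1, []),
    "network":   (1, []),
    "backup":    (1, ["identity", "network"]),
    "database":  (2, ["identity", "network"]),
    "erp":       (2, ["database", "dns"]),
    "webshop":   (3, ["erp", "dns"]),
    "reporting": (4, ["database"]),
}

# Constructed mitigation manifest from the clean room: steps IT operations
# must complete on each system before it may return to production.
MANIFEST = {
    "identity": ["reset_all_credentials", "remove_rogue_accounts"],
    "database": ["rebuild_from_trusted_image", "rotate_service_passwords"],
}


def dependents_map(bia):
    """Reverse the graph: service -> set of services that depend on it."""
    rev = defaultdict(set)
    for svc, (_, deps) in bia.items():
        for dep in deps:
            if dep not in bia:
                raise ValueError(f"{svc} depends on unknown service {dep}")
            rev[dep].add(svc)
    return rev


def blast_radius(bia, lost):
    """Services that become unavailable because the `lost` set was destroyed
    (transitive closure over dependents, excluding the lost set itself)."""
    lost = set(lost)
    rev = dependents_map(bia)
    impacted, queue = set(), deque(lost)
    while queue:
        svc = queue.popleft()
        for dep in rev[svc]:
            if dep not in impacted and dep not in lost:
                impacted.add(dep)
                queue.append(dep)
    return impacted


def recovery_order(bia):
    """Kahn topological sort: a service is rebuilt only after everything it
    depends on; among ready services, lower tier (then name) goes first.
    Raises if the BIA contains a dependency cycle, which would otherwise
    make recovery impossible to sequence."""
    rev = dependents_map(bia)
    indeg = {svc: len(deps) for svc, (_, deps) in bia.items()}
    ready = [(bia[s][0], s) for s, n in indeg.items() if n == 0]
    heapq.heapify(ready)
    order = []
    while ready:
        _, svc = heapq.heappop(ready)
        order.append(svc)
        for dep in rev[svc]:
            indeg[dep] -= 1
            if indeg[dep] == 0:
                heapq.heappush(ready, (bia[dep][0], dep))
    if len(order) != len(bia):
        cycle = sorted(set(bia) - set(order))
        raise ValueError("dependency cycle in BIA: " + ", ".join(cycle))
    return order


def outstanding_mitigations(manifest, completed):
    """Release gate: map each system with unfinished manifest steps to the
    steps still missing. An empty dict means everything may go to production."""
    return {
        sys_name: [s for s in steps if s not in completed.get(sys_name, set())]
        for sys_name, steps in manifest.items()
        if any(s not in completed.get(sys_name, set()) for s in steps)
    }


if __name__ == "__main__":
    print("blast radius of losing database:", sorted(blast_radius(BIA, {"database"})))
    print("recovery order:", recovery_order(BIA))
    done = {"identity": {"reset_all_credentials", "remove_rogue_accounts"},
            "database": {"rebuild_from_trusted_image"}}
    print("blocked from production:", outstanding_mitigations(MANIFEST, done))
```

Running the script shows that losing the database alone takes the ERP, the webshop and reporting down with it, that the tier-1 dial tone services are rebuilt first, and that the database stays blocked in staging until its remaining manifest step is recorded as complete.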
[1] https://www.ft.com/partnercontent/cohesity/resilience-against-cyber-attacks-requires-internal-cooperation.html