Cyber Incident Response Preparation – A Ransomware Use CaseIncident readiness services come together to build a robust ransomware preparedness program By: Sophie Bovy - Product Marketing
- As a leading threat, ransomware presents an important area for incident response preparation
- Incident readiness assessments can be used individually or in tandem to assess ransomware readiness
- Incident response preparation, for ransomware or other threats, benefits from a programmatic approach tailored to an organization’s current maturity and objectives
Recent high-profile events continue to reinforce that ransomware is the No.1 cyber threat to organizations today. Last year, our Incident Response team reported a 150% jump in the number of ransomware engagements compared to 2019. This year there are no signs this is slowing down.
A plethora of articles have addressed topical questions about how to best handle and recover from these events. Many are tactical, addressing whether to pay a ransom, for example.
One key, and strategic, question to also consider: Are we ready to deal with a potential ransomware incident?
As highlighted in a previous blog by the Secureworks® Counter Threat Unit™ (CTU™), ransomware operators seek to exploit existing systemic network weakness. Our researchers highlight that there are typically two approaches organizations take to prepare for ransomware. The first (and worst) approach is to invest in the latest technologies, expecting a silver bullet. The second is to recognize that 100% prevention is impossible and to take a more proactive approach. This involves seeking to better understand the IT environment, the critical assets that need protecting, and the level of exposure to a potential ransomware attack. The strategy is to master all these elements before it’s too late.
Ransomware Risk Assessments
With that in mind, the initial step for an organization on their ransomware readiness journey is to perform a threat-informed assessment, or Ransomware Risk Analysis. The aim is to document and provide a holistic evaluation of an organization’s security controls, processes and technologies across key security domains. Risk ranked findings and recommendations provide the overview that drive a roadmap for remedial action, inform a more pragmatic, prioritized approach to technology investments, as well as help shape an information security risk management process.
Complementing a risk assessment with technical assessments helps to highlight additional areas of potential risk and test areas often exploited by ransomware threats. Organizations often choose from one, or all, of the below tests:
- An Active Directory Security Assessment provides insights needed to fix weaknesses in Active Directory misconfigurations, often used by threat actors to distribute ransomware.
- A threat hunting assessment can also provide a baseline understanding of threats already present in the environment.
- The Secureworks Adversary team offers a Ransomware Resilience Test or Ransomware Simulation Test. This goes beyond automated scanning to mimic the adversary using a hands-on approach modelled using years of offensive experience and the latest threat research. In some cases, after compromise and with a customer’s permission, our team can go one step further and execute mock ransomware code for a live simulation to test the response of an organization’s blue team. This emulates real-world pre-deployment of ransomware to identify gaps in controls against real TTPs.
Incident Response Planning and Exercises
Finally, since every second counts during an incident, the key to effective and timely response is proactive incident response preparation. Transforming cyber incident response for readiness and resiliency is a journey that starts with planning, regularly reviewing, and evolving the existing incident response plan and processes.
For a well-rounded IR plan, a follow-up question is needed: Have we practiced enough?
Incident response preparation starts with planning, documentation, and continues into tabletop exercises. Having a clear objective, such as practicing ransomware readiness, is a requirement for planning an effective tabletop exercise. Tabletop exercises are a first, low-impact step to helping practice a plan.
While frequency of exercises matters to build readiness, it’s also important to note that tabletop exercises are just one type of incident response preparation exercise that can be used. Where possible, a robust response program should combine several exercises that leverage mock-ransomware simulations and artifacts, including:
- Functional exercises
- Purple team or full-scale exercises (leveraging live fire simulations as mentioned above)
Practice makes perfect. If you practice with the right inputs and often enough, most of the decisions you need to make during an incident will be made for you, as you’ve already thoroughly prepared for incident situations.
Programmatic Approach to Incident Response Preparation
No static plan, or single assessment or exercise is enough to keep pace with the evolving threat landscape. Think deliberately and programmatically to build a proactive program that helps improve incident readiness. An organization’s existing defenses, current security maturity, objectives and needs should all help dictate what shape incident response preparation should take. Measuring all these elements is a huge task. For this reason, many organizations prefer to get help from outside experts like Secureworks. Look for vendors who take a consultative approach and provide readiness services to build a program of activity that includes assessment, cyber incident response planning and exercises.
Some of our customers feel safest with a Secureworks Incident Management Retainer, which combines advisory and assessment services, workshops and exercises, testing and validation services, plus emergency cyber incident response support. Regular reviews also help organizations continue to mature their IR posture.