Can anyone share lessons learned from dealing with ransomware attacks? How did those experiences influence your org's security posture, or change your own approach/thinking?
Senior Information Security Manager in Software, 7 months ago
Two of the many things that need to be done around ransomware are to have it baked into the incident response program and to ensure that tabletop exercises are done so the teams can quickly respond to a ransomware attack. Also, have a Bitcoin wallet ready. Work with the CFO to ensure funds are quickly available to put into the wallet in the event of an attack. This is important because the timeframe in which to deal with ransomware is quite short, and if you don’t have a wallet prepared, it could take a while to set one up if you don’t have existing approvals.
Chief Security Officer in Finance (non-banking), 7 months ago
As Chief Security Officer at Silicon Valley Bank from 2007 to 2021, I had the pleasure of dealing with early ransomware attacks, because we were the bank of the innovation economy and provided banking services to crypto exchanges. I recommend thinking in layers of defense, which means having the following:
Firewall filtering attacks
Proxy channeling traffic through filters
EDR detecting and hopefully stopping attacks.
MDR buying you time in case an attack is successful.
Backups that are validated regularly, including user acceptance testing.
Infrastructure that is distributed, immutable and ephemeral.
Red/Purple teaming testing these controls.
Business Impact Assessments to prioritize systems and applications.
IT Disaster Recovery with documented Recovery Time Objectives and Recovery Point Objectives.
Business Continuity Plans that wrap these together.
Crisis Management Team exercises with leaders that include curve-ball scenarios such as “We can’t recover and need to pay”, and then what happens? Do you have a crypto wallet? Who has the authority to approve payment? Who needs to be notified? What documentation needs to occur? What are Marketing and PR saying to the public? What if you pay and you don’t get the key?
Protect your backups like they are the keys to your kingdom.
It’s a living hell when it happens, and if your attacker is willing to burn zero-day exploits on you, that is not an easy day. But when you find yourself going through hell... keep going.
CISO in Banking, 7 months ago
A significant incident involved collaboration between an external company and a banking group entity, under my leadership as Global CISO, leading to the compromise of a user's access permissions. The Play ransomware group exploited this access to exfiltrate information for extortion purposes after launching an attack. The attack was detected post-launch, which was attributed to improperly configured alerts for indicators of compromise, primarily due to a communication gap about their existence from the compromised entity. Response measures were promptly and effectively localized, allowing for the removal of the compromised production environment and the establishment of isolated environments for forensic analysis and the deployment of new services in a secured manner. Notably, we opted against utilizing Active Directory backups, choosing instead to rebuild them from the ground up.
An immediate crisis management framework was put in place, facilitating transparent communication with both internal and external stakeholders, including regulators and customers, regarding the incident. This approach ensured consistent updates without the need for a specialized communication agency.
The cornerstone of our successful incident response strategy included rapid action, comprehensive forensic analysis, and efficient team communication. By isolating the affected systems, eliminating the threat, and restoring operations with minimal downtime, we significantly mitigated the attack's impact. Future enhancements could focus on improved threat detection through advanced monitoring, asset identification, and AI-driven anomaly detection.
I think the best example is Microsoft with their 8-K materiality filing to get up to speed.
Quote from Microsoft:
"As we said late last year when we announced Secure Future Initiative (SFI), given the reality of threat actors that are resourced and funded by nation states, we are shifting the balance we need to strike between security and business risk – the traditional sort of calculus is simply no longer sufficient. For Microsoft, this incident has highlighted the urgent need to move even faster. We will act immediately to apply our current security standards to Microsoft-owned legacy systems and internal business processes, even when these changes might cause disruption to existing business processes."
Reference: Microsoft 8-K SEC filing: https://microsoft.gcs-web.com/node/32306/html