When Ransomware Strikes: Lessons Learned from a Simulated Cyberattack
Imagine this scenario: An employee’s PC starts behaving strangely and displaying a message that files have been encrypted and data exfiltrated. The user is unable to access any files, signaling a serious ransomware incident is unfolding. Nuspire’s Mike Pedrick, VP of Cybersecurity Consulting, and Chris Roberts, Chief Strategy Executive & Evangelist, who each have extensive experience in both developing and executing incident response plans, walk through responding to this type of simulated real-world cyberattack to highlight critical lessons for navigating a major incident.
The First 72 Hours are Critical
The incident response team must work heads down in the first 12-24 hours to keep the company alive while figuring out what happened. By the 72-hour mark, regulatory and fiduciary obligations come into play, with breach notification laws in many states requiring notifying interested parties within this timeframe. Trying to hide or downplay the incident will only make things worse in the long run.
“There’s blood in the water…somebody is ready to file a class action lawsuit against your organization,” Mike warns.
Mike and Chris emphasize the importance of having a clear process to validate the incident, contain it, eradicate the source and proceed to recovery. Visibility into your environment is key to identifying what systems are impacted and prioritizing containment efforts.
Key Incident Response Principles
Several key principles for effectively responding to a significant cyber incident include:
- Have a clear, documented process for validating, containing, eradicating and recovering from an incident. Ad hoc responses waste precious time.
- Understand your environment and assets to quickly identify impacted systems and prioritize containment efforts. You can’t stop the bleeding if you don’t know where you’re hurt.
- Establish a single source of truth with validated information to communicate effectively with leadership and external parties. Inconsistent messaging erodes trust.
- Engage legal counsel, public relations, executives and potentially law enforcement by the 72-hour mark to address regulatory requirements and control the narrative.
- Regularly rehearse your incident response plan with key stakeholders through tabletop exercises. Waiting until an actual incident is too late to figure out roles and responsibilities.
- Consider engaging outside experts to pressure test your incident response capabilities and guide you through the complexities of a major cyber incident.
The Importance of Practice
Having a well-rehearsed incident response plan is crucial. Tabletop exercises help ensure everyone knows their role and can respond effectively when an incident strikes.
“When the building is on fire, it is not the time to pick up the A to Z and start flicking through to see which one of your friends you can call,” Chris colorfully puts it.
Developing and regularly practicing a robust incident response plan is essential to responding effectively and emerging stronger on the other side.
Get Ahead of Cyber Chaos
By implementing these principles, organizations can bring order to the chaos of a cyberattack and emerge stronger. But preparation is paramount – the time to build cyber resilience is now, before an incident unfolds. Developing and regularly practicing a robust incident response plan is crucial to responding effectively when cyber chaos hits. Don’t get caught flat-footed – take steps now to proactively prepare.
Nuspire’s Incident Response Readiness Service can help you proactively prepare through customized tabletop exercises that pressure test your ability to respond. Ready to build your cyber resilience?
