Disaster recovery and IT security personnel must take ransomware and other cybersecurity attacks seriously. Even if there is a ransomware recovery plan in place, ransomware technology and methods are constantly evolving. Periodic exercises of cybersecurity response and recovery plans ensure that organizations can minimize the effects of cyber attacks and protect the business and its continued success.
Tabletop exercises are DR planning activities that propose a specific crisis. Organizations use these activities to examine and validate the company's response process from beginning to end. A ransomware tabletop exercise begins with a specific ransomware attack, the details of the attack, and how the organization reacts, step by step.
Every company's approach to ransomware will vary based on numerous factors, such as size, network and infrastructure resources and existing software. For the purposes of the ransomware tabletop exercise here, this sample scenario will adhere to the following assumptions:
- the organization is a medium-size firm with 400 employees and three locations;
- it has an IT department;
- its network connects to the internet for most business activities, including voice and data communications, across all three locations;
- its perimeter is protected by firewalls and intrusion prevention systems that the organization regularly updates;
- it uses antimalware, antivirus, antispam and anti-ransomware software in addition to its existing perimeter protection systems; and
- it has a documented plan with step-by-step procedures for responding to security breaches.
After reading this tip, check out our customizable ransomware tabletop exercise template linked at the bottom. This provides a starting point to create an exercise uniquely suited to each organization.
Set parameters and designate participant roles
If an organization has an antimalware response plan, that will be the basis for the ransomware tabletop exercise. Participants will reference the response plan during the course of the exercise. For example, an exercise may simulate the unauthorized entry of an intruder that somehow bypasses the primary perimeter defenses. It might then attack several critical systems and attempt to block access to those systems with encrypted keys.
Participants can include personnel from within the IT department and other interested parties, such as department leaders and subject matter experts. To help facilitate an exercise, check out the included slide deck with the exercise template located at the bottom of this page.
In most attacks time is of the essence, so it is important that participants know their roles and actions in advance of the exercise. Non-IT participants may serve as observers and can also comment on the response for the subsequent exercise after-action report.
In an attack where malware or other suspicious code enters the firm's network, the code must be identified as suspect and then moved as quickly as possible to an isolated area in the network to be analyzed. Firewalls and intrusion prevention systems help effectively identify suspicious data packets and can trigger alarms when they are discovered.
Consider worst case scenarios
In this example, the attacks are sophisticated enough to bypass the perimeter security. Because of this, the organization must launch the antimalware software to try to neutralize the ransomware before it can compromise systems and data. If an intruder attacks and blocks access to systems and files, anti-ransomware software can unlock the systems and files, and then eliminate the ransomware software.
A worst-case scenario is one where the encryption that locks systems and files is too strong for the anti-ransomware software, and the assets remain inaccessible. Many experts encourage organizations to refuse to pay any ransoms. With proper anti-ransomware protection and regular system and data backups, the overall affect to an organization can be minimal.
It may be necessary to escalate the incident to an external security firm, or possibly a cloud service provider whose resources the organization uses. These third parties can assist with the code analysis, prevention measures and post-event assessments. If financial or operational damage has occurred, check with insurance providers to see if ransomware coverage can help recapture any losses from the attack. It is usually a good idea to have cybersecurity insurance, with an emphasis on antimalware attacks and the potential losses they can generate.
If an attack brings serious harm to an organization, consider initiating business continuity and disaster recovery (BCDR) plans to help recover the business and its operations. Tie together BCDR plans to cybersecurity plans to ensure that the company and its business are fully protected.
Use these exercise findings for future preparation
Regular and comprehensive backups of systems and files can minimize damage to mission-critical IT assets. Internal and external backup arrangements, such as cloud-based backup services, can ensure that critical information resources will be available following a ransomware attack.
Once the attack is neutralized, use the anti-ransomware software to analyze the code exploited in the attack. The software can also remove the malware and clean the system of any remaining code. Conduct assessments of any damages to systems, databases, files and other IT assets. Commence recovery of affected assets using backed-up systems and files, and carefully test the backups to ensure they are usable before they are placed back into production.
Prepare an after-action report describing what happened, how well the cybersecurity measures worked, how well response team members handled the incident, how well the software worked and lessons learned from the exercise.