Navigating the First 48 Hours of a Cyberattack

Resources February 24, 2022

Catching up on emails and troubleshooting issues from the weekend can make Monday mornings stressful enough. Discovering that your organization fell victim to a ransomware attack over the weekend can leave it fighting for its life: systems are down, data is unavailable, and leadership is scrambling to acquire cryptocurrency for a ransom demand.

Organizations must remain aware that cyber threats continue to intensify. Recently, the United States, Australia, and the United Kingdom advised that in 2021, ransomware increased in sophistication globally.[1] Prior to launching attacks, threat actors often perform reconnaissance for business intelligence to understand the victim’s pressure points and determine the value of the ransom. The FBI estimates that losses from cybercrime have topped $4 billion and keep increasing sharply.[2] The FBI also warned that it expects a significant increase in cyberattacks, including ransomware, targeting small and medium-sized organizations.

As cybercrime grows in frequency and sophistication, organizations must prepare for and remain vigilant against this leading risk. Kivu Consulting offers the following roadmap to help organizations find solid footing during a ransomware event.

First Steps – Limit the Impact

To contain an attack quickly and efficiently, start by cutting the affected environment’s internet connectivity, terminating active user sessions, and resetting all passwords. Once the bleeding is stopped, the organization should deploy a robust Endpoint Detection and Response (EDR) tool to all systems and devices to identify the scope of the intrusion and eradicate active or dormant threats. If not already enabled, multi-factor authentication should be implemented.

As triage continues, the organization should notify its cyber insurer. While complete forensic findings will likely remain unknown at this stage, early notice can expedite the insurer’s approval of vendors. Failing to provide notice can jeopardize coverage and leave the victim to absorb costs. Cyber insurers may also coordinate next steps with the client, forensic investigator, and counsel to assist with containment, recovery, and legal analysis.

Work the Plan

There is no magic formula for responding to a cyber incident, but every organization must possess and regularly exercise an Incident Response Plan (“IRP”). A well-practiced IRP is a valuable tool to guide response stakeholders in performing a solid forensic investigation and recovering business operations quickly. Typically, the IRP follows a known methodology and provides for incident detection and analysis; assignment of resources, roles, and responsibilities; steps toward containment and recovery; communications; and absorbing “lessons learned.”

Plans are good, but exercised plans are better. The IRP should be regularly updated and practiced through simulated tabletop or live exercises with key internal and external stakeholders. The IRP should also identify vendors such as law firms, technical consultants, and public relations firms, and note whether their costs can be insured. Following an established, tested, and updated IRP ensures that all the necessary people are notified and the right resources are brought to bear rapidly.

Get Help for Ransom Negotiations

Organizations should proceed cautiously when entering conversations with cybercriminals. Ransomware extortionists are often unpredictable and will apply maximum pressure to force payment. To level the playing field, organizations should leverage the insights and observations of seasoned negotiators who frequently communicate with these criminals.

Relying on an experienced third-party negotiator will help the victim organization understand the attacker’s tactics and techniques and increase the chance of a successful outcome. The negotiator can set a structure and pace for evaluating the extortion demand, collecting forensic evidence, and facilitating the purchase and transfer of cryptocurrency. In addition, some insurance carriers will set requirements for who may negotiate and what can be discussed with a threat actor.

Companies should pay close attention to regulatory mandates and cooperate with law enforcement during the process. Any dollar amount countered by the victim will likely also require approval by the cyber insurer.

Business Continuity is Everything, but It’s Not the Only Thing

After containing the threat, business continuity becomes the priority. Victims must quickly evaluate the viability of backup data and decide whether to pay the ransom demand for a decryption tool to regain access to the compromised data.

As the victim evaluates business continuity, it must not lose sight of evidence preservation. Threat actors often increase their leverage at this early stage through a two-pronged attack of encrypting systems and stealing data. Counsel will review forensic evidence to understand what data was stolen and how to respond to obligations for notification and mitigation.

Any rush to restore critical systems without retaining snapshots of virtual machines, live memory captures, and/or operating system hard drives can hinder a thorough forensic investigation. Additionally, perimeter logging must be collected immediately, because many devices are not configured for long-term retention of events. Every hour of delay risks losing evidence as high volumes of network activity push older events out of the logs. Maintaining forensic discipline during the response also puts the victim organization in the best position to handle later litigation.
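As an added illustration of the evidence-preservation point above (example code written for this page, not Kivu’s own tooling), this Python script copies perimeter log files into an evidence folder, verifies each copy by SHA-256, and writes a manifest recording hash, size, original timestamp, and collector so later forensics or litigation can show the logs are unchanged. The directory names, the collector label, and the two sample firewall log lines are constructed assumptions.

```python
import hashlib
import json
import shutil
import tempfile
from datetime import datetime, timezone
from pathlib import Path

def sha256_file(path):
    """Hash a file in chunks so large log archives need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()

def preserve_logs(source_dir, evidence_dir, collector):
    """Copy files under source_dir into evidence_dir, verify each copy, write manifest.json."""
    source_dir, evidence_dir = Path(source_dir), Path(evidence_dir)
    evidence_dir.mkdir(parents=True, exist_ok=True)
    manifest = []
    for src in sorted(p for p in source_dir.rglob("*") if p.is_file()):
        dst = evidence_dir / src.relative_to(source_dir)
        dst.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(src, dst)  # copy2 keeps the original mtime for timeline work
        src_hash = sha256_file(src)
        if sha256_file(dst) != src_hash:
            raise RuntimeError(f"copy of {src} does not match its source hash")
        manifest.append({
            "source": str(src), "evidence": str(dst), "sha256": src_hash,
            "size": src.stat().st_size, "collected_by": collector,
            "source_mtime": datetime.fromtimestamp(src.stat().st_mtime, timezone.utc).isoformat(),
            "collected_at": datetime.now(timezone.utc).isoformat(),
        })
    (evidence_dir / "manifest.json").write_text(json.dumps(manifest, indent=2))
    return manifest

def verify_manifest(evidence_dir):
    """Re-hash the preserved copies; return the paths whose hash no longer matches."""
    manifest = json.loads((Path(evidence_dir) / "manifest.json").read_text())
    return [e["evidence"] for e in manifest if sha256_file(e["evidence"]) != e["sha256"]]

def demo():
    """Constructed sample: two fake firewall log files in a temp directory (not real data)."""
    work = Path(tempfile.mkdtemp())
    (work / "fw").mkdir()
    (work / "fw" / "fw-2022-02-19.log").write_text("2022-02-19T02:11:03Z deny tcp 10.0.0.5 -> 203.0.113.9:445\n")
    (work / "fw" / "fw-2022-02-20.log").write_text("2022-02-20T01:40:55Z allow tcp 10.0.0.5 -> 198.51.100.7:443\n")
    manifest = preserve_logs(work / "fw", work / "evidence", collector="ir-team")
    return {"manifest": manifest, "evidence_dir": str(work / "evidence"),
            "mismatches": verify_manifest(work / "evidence")}
```

Re-running verify_manifest on the evidence folder later flags any preserved copy that has been altered since collection, which is the property a forensic examiner or counsel will ask you to demonstrate.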

Looking Forward

As the cybersecurity climate continues to deteriorate, organizations face operational disruption and financial and legal risks. Companies must remain vigilant and be prepared to respond quickly and effectively.

A successful response will proceed through several stages and combine the right planning, technology, and expertise. With the right strategy, companies can stem the bleeding, get back online, and prepare for the cascading consequences of cybersecurity failures. Then we can get back to managing Mondays.

Sources:

1. https://www.cisa.gov/uscert/ncas/alerts/aa22-040a

2. 2020 Internet Crime Report, published by the FBI’s Internet Crime Complaint Center