Prepping and Practicing Incident Response Plans Remains Essential, Experts Warn
The U.S. government has warned all businesses that they’re at elevated risk of online attacks during the Thanksgiving holiday.
“Malicious cyber actors aren’t making the same holiday plans as you,” warns a joint alert from the FBI and Cybersecurity and Infrastructure Security Agency.
“Recent history tells us that this could be a time when these persistent cyber actors halfway across the world are looking for ways – big and small – to disrupt the critical networks and systems belonging to organizations, businesses, and critical infrastructure,” it adds.
Similar alerts have been issued numerous times by the FBI and CISA in recent months, ahead of other holidays. As before, the White House hasn’t said it has any specific intelligence on planned attacks, or on any attackers who might already be inside corporate networks, ready to signal their crypto-locking malware to forcibly encrypt every possible endpoint.
“Although neither CISA nor the FBI currently have identified any specific threats, recent 2021 trends show malicious cyber actors launching serious and impactful ransomware attacks during holidays and weekends, including Independence Day and Mother’s Day weekends,” the alert states.
Indeed, many major attacks continue to be launched when businesses have fewer hands on deck. In the run-up to the July Fourth holiday weekend, for example, attackers wielding REvil – aka Sodinokibi – ransomware exploited a vulnerability in IT remote management software built by software vendor Kaseya and used by managed service providers. Attackers were able to use Kaseya’s software to push their malware out to customers of 50 different MSPs, ultimately crypto-locking systems used by up to 1,500 organizations.
But attackers don’t always wait for holidays. For example, Bangladesh Bank was attacked on a Friday – a Muslim day of prayer in the country – leading to $81 million in losses. Attacks targeting non-Muslim countries, meanwhile, often start on a Saturday.
It’s impossible to predict when attackers behind any particular incident might strike, says Devon Ackerman, a managing director and head of incident response for North America with New York-based consultancy Kroll’s cyber risk practice. “But threat actor groups do tend to strike during the time frames in which they are least likely to be detected,” he says. “During the nighttime, over weekends, over a U.S. holiday for many businesses and corporate networks is an unfortunate time, to catch when more people are likely away from their keyboards, rather than at them.”
Where to Begin
The focus of the CISA and FBI alert, experts note, isn’t to say the sky is falling. Rather, they’re using attackers’ proclivities as a reminder to organizations to be ready.
“If you haven’t given it some thought with the holidays coming, this should be a forcing function to start,” says Sam Curry, CSO of security firm Cybereason, of the latest advisory.
In particular, it recommends being prepared to repel phishing attacks, financial scammers and spoof sites, especially around Black Friday. It also urges businesses to have well-tested incident response plans in place and communications strategies designed to work even in the event of a ransomware attack, in which all access to IT infrastructure gets lost.
The advisory also recommends:
- Designating responders: “Identify IT security employees for weekends and holidays who would be available to surge during these times in the event of an incident or ransomware attack.”
- Using MFA: “Implement multifactor authentication for remote access and administrative accounts.”
- Strong passwords: “Mandate strong passwords and ensure they are not reused across multiple accounts.”
- Securing RDP: “If you use remote desktop protocol or any other potentially risky service, ensure it is secure and monitored.”
- Building awareness: “Remind employees not to click on suspicious links, and conduct exercises to raise awareness.”
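The advisory’s “secure and monitored” recommendation for RDP, combined with the article’s point that attackers favor nights, weekends and holidays, is easiest to make concrete with a small detection check. The following Python script is an added example written for this page, not code from the advisory or from any of the firms quoted. It parses constructed Windows logon records (event ID 4624 for a successful logon, 4625 for a failure, logon type 10 for RDP), flags a run of failures followed by a success from the same account and source, and separately flags any RDP logon that lands on a weekend, outside business hours, or on a listed holiday. The business-hours window, the holiday list and the failure threshold are assumptions to be tuned to an organization’s own calendar and baseline.

```python
"""Off-hours remote-access monitor over constructed Windows logon records.

Each record: ISO timestamp, event ID (4624 success / 4625 failure),
logon type (10 = RemoteInteractive, i.e. RDP), account name, source address.
"""
from collections import defaultdict
from datetime import date, datetime

# Constructed sample records for illustration only (not from any real system).
SAMPLE_LOG = """\
2021-11-23T10:15:00 4624 10 jsmith 10.0.0.5
2021-11-23T10:16:00 4624 2 jsmith 10.0.0.5
2021-11-25T02:03:11 4625 10 admin 203.0.113.7
2021-11-25T02:03:15 4625 10 admin 203.0.113.7
2021-11-25T02:03:19 4625 10 admin 203.0.113.7
2021-11-25T02:03:24 4625 10 admin 203.0.113.7
2021-11-25T02:03:29 4625 10 admin 203.0.113.7
2021-11-25T02:04:02 4624 10 admin 203.0.113.7
"""

# Assumed calendar: Thanksgiving Day and Black Friday 2021.
HOLIDAYS = {date(2021, 11, 25), date(2021, 11, 26)}
BUSINESS_HOURS = range(8, 18)   # assumed window: 08:00-17:59 local time
RDP_LOGON_TYPE = 10             # Windows logon type 10 = RemoteInteractive (RDP)
FAILURE_THRESHOLD = 5           # assumed: failures before a success worth an alert


def parse_events(text):
    """Turn whitespace-separated records into dicts with typed fields."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, event_id, logon_type, user, src = line.split()
        events.append({
            "time": datetime.fromisoformat(ts),
            "event_id": int(event_id),
            "logon_type": int(logon_type),
            "user": user,
            "src": src,
        })
    return events


def is_off_hours(when):
    """True on weekends, listed holidays, or outside the business-hours window."""
    return (when.weekday() >= 5
            or when.date() in HOLIDAYS
            or when.hour not in BUSINESS_HOURS)


def find_alerts(events):
    """Return (kind, user, src, time, failure_count) tuples for RDP activity worth a page-out."""
    alerts = []
    failures = defaultdict(int)   # (user, src) -> failures since last success
    for ev in sorted(events, key=lambda e: e["time"]):
        if ev["logon_type"] != RDP_LOGON_TYPE:
            continue              # only remote-desktop logons are in scope here
        key = (ev["user"], ev["src"])
        if ev["event_id"] == 4625:
            failures[key] += 1
            continue
        if ev["event_id"] != 4624:
            continue
        # A success preceded by a burst of failures from the same pair is the classic sign
        # of a guessed or sprayed password finally landing.
        if failures[key] >= FAILURE_THRESHOLD:
            alerts.append(("failures-then-success", ev["user"], ev["src"],
                           ev["time"].isoformat(), failures[key]))
        # Any RDP success when nobody is expected at the keyboard gets a second, independent alert.
        if is_off_hours(ev["time"]):
            alerts.append(("off-hours-rdp-logon", ev["user"], ev["src"],
                           ev["time"].isoformat(), 0))
        failures[key] = 0
    return alerts


if __name__ == "__main__":
    for alert in find_alerts(parse_events(SAMPLE_LOG)):
        print(*alert)
```

On the constructed sample, the weekday logon by `jsmith` produces nothing, while the 2 a.m. Thanksgiving logon by `admin` produces both alert kinds. The two checks are kept separate on purpose: the off-hours rule is what makes the “designate weekend and holiday responders” recommendation actionable, because an alert is only useful if someone is on call to act on it at that hour.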
In Pursuit of Business Resilience
Already, organizations with more mature approaches do all of these things and have redefined their focus as being not just on “cyber resilience,” but “business resilience,” says Rocco Grillo, managing director of global cyber risk and incident response investigations at New York-based consultancy Alvarez & Marsal.
But the nonstop pace of – and disruption caused by – ransomware attacks helps demonstrate that not everyone has good enough defenses in place, especially as ransomware-wielding groups over the past five years have continued to innovate. “If anything, in the last six to 12 months, it’s exploded into an epidemic,” Grillo says.
And yet, a recent survey of ransomware victims conducted by Cybereason found that a significant number of them still haven’t refined their incident response practices.
Of the 1,200 surveyed security professionals at organizations that had previously suffered a ransomware attack, one-third said they believed the incident “was successful because there was no contingency plan in place and only a limited number of staff to respond,” Cybereason says. In addition, 24% said the attack had not led to their organization creating new contingency plans for weekends or holidays to ensure they could respond more quickly.
Essentials: Monitor, Detect, Respond
What might firms do better? Not every attack can be stopped outright, which reinforces the need for “better monitoring, better detection, and then response,” Grillo says. “The response plan isn’t there to stop it from happening. In some instances it can – for the basic attacks. But if someone gets into your environment, it’s critical to identify it, understand what’s going on, contain it, limit the damage, be able to recover and restore, and hopefully get back to normal business operations.”
Incident response experts have long recommended tabletop exercises – aka mock cyberattacks – so everyone inside an organization understands their roles and responsibilities during an incident, whenever it might happen.
“With the right systems in place to quickly detect, you need to be able to respond confidently,” Kroll’s Ackerman says. “There have been situations where incidents are detected, containment actions are triggered, but it’s 2 a.m. on a Saturday and there’s no one to fully execute and evaluate the impact. It’s crucial to have adequate staff available, or the right vendors empowered to take the necessary actions on your behalf.”
Honing Incident Response Plans
In other words, planners need to address a variety of factors, including attackers’ proclivity for striking outside business hours.
“In well-developed incident response plans, there are contingencies for incidents occurring outside of business hours, or when key actors are on vacation,” Ackerman says. “Those scenarios are best developed during tabletop exercises and then documented in the plan. Yes, organizations need to have the ability to respond during Black Friday, Christmas Eve or when their head of IT is on vacation, and the incident response plan should detail how.”
The shortfall in planning does not just bedevil U.S. organizations. In Britain, for example, the National Cyber Security Centre reports that “one in 10 organizations don’t have an incident management plan.”
The list of steps organizations need to take to put themselves in a good defensive position “is not complex – it’s just things you have to do,” Cybereason’s Curry says. “It’s not just: ‘Deploy controls.’ There are controls that can help, and having a detection strategy … is important … but it’s also the business prep and the redundancy in IT. How long do you keep backups for, not just do you keep them? Have you practiced restoring from them? Who are you going to call in an emergency?”
Answering such questions in the aftermath of an attack, without a well-rehearsed plan, can be complex.
“There’s either companies that know about it” and are also “doing something about it,” Grillo of Alvarez & Marsal says. “Or they’re finding out the hard way.”