Graphic collage ransom note on a piece of paper.
Image: Cisco Talos

Top executives are increasingly dreading the phone call from their fellow employee notifying them that their company has been hit by a cyberattack. Nearly every week in 2021 and early 2022, a prominent organization has been in the media spotlight as their public relations team struggles to explain how they were attacked and how they can regain consumer confidence. A recent survey showed that 37 percent of organizations surveyed had been affected by ransomware attacks in the last year.

Worse, the days when executive leadership teams could fully delegate responsibility to a CISO are over. Regardless of reality, surveys have shown that about 40 percent of the public perception of fault for a ransomware attack lands squarely on the CEO’s shoulders, and that 36 percent of attacks result in the loss of C-level talent. While executive involvement in the security program does not guarantee a successful defense, it does give the executive leadership team (ELT) a degree of ownership of the final product, as well as the ability to speak confidently and knowledgeably to the public.

When, not if

Many teams center their plans around prevention of the initial attack, not response, after an adversary successfully gains a foothold. A ransomware attack is always a multi-stage process, and it is up to members of the ELT to set a strategy that slows and frustrates the adversary during an attack. Those aspects of planning should focus on quick response, tested containment techniques and eradication. Some examples of questions you should ask might be:

  • Does your team have standard operating procedures for a ransomware attack and regularly practice containment “battle drills” such as quickly changing all privileged account passwords through the entire enterprise?
  • Do they have ways to quickly isolate a compromised network segment to preserve the integrity of the rest of the network?
  • Is your team working toward zero-trust architecture?
  • Does your team know where your critical data resides, and is it encrypted at rest?
  • Do they know what your business-critical services are, and what technical dependencies they have?
  • Are your backups redundant and protected from casual access by a compromised administrator account?

The answers to these tough questions can be the difference between success and failure when facing an impending ransomware attack.

Teamwork makes the dream work

It’s hard to build an effective cross-disciplinary team in the heat of the moment. Almost every CISO delegates responsibility for coordinating immediate actions in a cybersecurity emergency to a trusted subordinate, often called an “incident commander.” When your incident commander builds the ransomware “war room,” do they have an at-a-glance roster to ensure the right people are included? Since your time as an executive is very limited, how do you want to be updated, and does the incident commander and/or CISO understand that requirement? Is legal embedded into your organization’s incident command structure?

Your top performers will often push themselves beyond the point of exhaustion during a major incident and make mistakes as a result. Do you have trusted individuals holding each other and their teams accountable to set a proper tempo? Generally speaking, incident responders can only perform at peak mental efficiency for about 10-12 hours per day, so that figure can be used to structure a good rotation. Does your team have an effective rest plan with redundancy built in for key roles in case of personal life emergencies? Top-tier security operations centers (SOCs) structure their emergency personnel planning similarly to personnel planning for military operations, in the sense that every person has one or two designated backups fully trained to perform their role.

SEE: Hiring kit: Data scientist (TechRepublic Premium)

Can you hear me now?

One of the most common questions asked is: “How can we prepare for ransomware communications?” In terms of internal communication, it is critical to define what communication system will be used to send notifications. Is it capable of reaching and rallying the team after hours? Assuming the worst-case scenario where the entire corporate network is offline, do you have a truly out-of-band (OOB) communication method? Referring to the military planning model, it is no accident that even the lowest-level operations orders define primary, secondary, and tertiary methods of communication.

Time matters for external communications. We have observed that attacks on high-profile organizations generally appear in the media within 24 hours. Do your communications and PR teams have pre-built templates they can use for initial public notifications of an incident? Writing them now will save time and ensure that key details are not overlooked during a crisis. What are the key points needed to take control of the news cycle early? What is the approval chain—does the CEO need to personally review it, or can it be released at the direction of the head of corporate communications?

A thoughtful CEO might want to establish circumstances under which direct review is required, such as in the case of confirmed sensitive data compromise, but give corporate communications the authority to publish notifications without CEO review under all other circumstances. If you have a customer facing team like a customer care, or help desk, is there a canned message they can provide that keeps everyone calm while ensuring that sensitive information is not shared? In all cases, legal counsel should be consulted and work in partnership with corporate communications.

Negotiating with attackers

Are you willing to set a hardline policy that your organization will never pay a ransom under any circumstances? No data exists to say whether a publicized statement to that effect decreases the likelihood of being targeted, but the inverse effect has been observed. Organizations that set a precedent for making ransom payments are heavily targeted, since they are perceived as a guaranteed payday by adversaries. In fact, a recent survey showed that 80 percent of organizations that paid a ransom were re-attacked shortly afterward.

If you cannot set the hardline policy of non-payment, many secondary considerations are important, including the legality of the payment if an OFAC-sanctioned entity is involved. Do you have your legal counsel, cyberinsurer, and possibly a professional ransomware negotiation firm you can contact quickly? As always, consult with your legal counsel.

SEE: The COVID-19 gender gap: Why women are leaving their jobs and how to get them back to work (free PDF) (TechRepublic)

Advice to any CEO for preparing a ransomware preparedness plan

  • The executive leadership team can and should be closely involved with the development of the anti-ransomware plan.
  • Attempted ransomware attacks are almost inevitable for the average organization today, but proper post-breach actions can allow excellent damage mitigation.
  • Team structure and good communications plans matter just as much as strong cybersecurity tools and configuration.

Ransom payment considerations are complex and there is no “one-size-fits-all” answer, but in most cases, paying a ransom leads to increased targeting in the future.

Nate Pors is an incident response commander for Cisco Talos with more than six years of experience in the field of cybersecurity and five years of experience in operational leadership. Prior to joining Cisco in February 2021, Nate worked as the senior cybersecurity watch officer for the U.S. National Geospatial-Intelligence Agency. Nate served in the United States Marine Corps as a combat engineer officer, leaving with the rank of captain. 

Subscribe to the Cybersecurity Insider Newsletter

Strengthen your organization's IT security defenses by keeping abreast of the latest cybersecurity news, solutions, and best practices. Delivered every Monday, Tuesday and Thursday

Subscribe to the Cybersecurity Insider Newsletter

Strengthen your organization's IT security defenses by keeping abreast of the latest cybersecurity news, solutions, and best practices. Delivered every Monday, Tuesday and Thursday