Cyber Game Plan: a tabletop exercise in defending a ransomware attack


Cyber Game Plan: a tabletop exercise in defending a ransomware attack
November 16, 2017

Moderator: Frances Floriano Goins, Ulmer & Berne
Panelists: Ryan Macfarlane, FBI; Betty Shepherd, R-T Specialty, LLC; Christopher M. Prewitt, TrustedSec, LLC; Gregory P. Stein, Ulmer & Berne

Ransomware Exercise

Overall goals of this exercise:
- Gain a better understanding of how an incident progresses
- Identify appropriate questions to ask
- Determine roles and responsibilities during a response
- Ensure all team members understand the needs and capabilities of the team and organization
- Better understand what capabilities exist, how they can be used, and what is needed if there is an incident

Questions and discussion are helpful. No need to wait until the end: ask now, ask later, ask anytime, just ask!

Beginnings of an Incident

Scenario: a public company, a manufacturer, with a global business that includes operations in Europe.
- The IT Support Desk receives a phone call from someone in the organization saying they cannot open certain files
- As IT dispatches someone to look into it, more and more calls start coming into the IT Support Desk
- The issue appears to be ransomware, and it is encrypting data across the network

Questions:
- Does your IT organization have an IR program for how to handle an incident?
- Who would you involve internally for the initial investigation?
- Do you have an incident response partner? Would you contact them immediately? Do you engage them through counsel?
- How do you communicate to senior management? Do you notify the board?
- Next steps? FBI? What is the process? Is it network dependent?
- Who is making the decisions? Legal guidance? Third-party involvement?
- What steps do we take? Remote clean-up of all affected systems, system re-imaging, open source research, payment process?

Incident Briefing #1

Your team is investigating the ransomware and you have engaged your Incident Response (IR) team.
- It is unclear whether you can recover data and systems if you pay the ransom
- Email systems are inaccessible for employees
- It is unclear whether there are multiple strains of ransomware
- Multiple systems are impacted, including systems that enable customers to place orders

Questions:
- Systems are not available; do you have recovery plans?
- Can you pay in Bitcoin? Do you know how to procure it?
- How are you coordinating the investigation?
- When do you contact your cyber insurance partner? Is ransomware or human error covered?
- Does the FBI or your IR partner suggest paying the ransom?

Incident Briefing #2

An IR forensic analyst has joined the investigation onsite. Based on logs and initial forensics, it appears that data may have been exfiltrated in addition to encrypted:
- Web servers were accessed
- Internal file shares were accessed
- Corporate emails appear to have been accessed
- It is difficult to identify specifically what was taken or whether data has been permanently lost
- Additional malware was found; it is unclear whether it is related

Questions:
- Do you have logs and security systems that provide the visibility needed to quickly identify issues and respond?
- How are you conducting the communications around the investigation? Does this change with the new information?
- What is counsel's role in this? Engaging external IR support?
- Outside of the data identified, what other information are you most concerned about, given the likelihood of email compromise?
- Do you share information with the FBI? What can the FBI bring to the table?

Incident Briefing #3

You have paid the ransom, and while some of your systems and data are restored, some are not.
- Your IR forensic analyst identifies two similar but different payloads on your systems; one accepts the decryption key, the other does not
- Where possible, you have restored from backup, but in some cases restoration was not possible

Questions:
- How confident are you in your backups?
- How long would it take to recover your data center?
- How are you conducting the communications around the investigation without a working email system?
- What is counsel's role in this? Engaging external IR support?
- Outside of the data identified, what other information are you most concerned about, given the likelihood of email compromise?

Incident Briefing #4

About 8 hours after the incident began, a well-known online security journalist posts an article on his blog detailing the ransomware event and breach.
- He cites an "undisclosed" source
- No specific mention of data theft, but he describes broad outages
- The journalist called your CEO, CIO, and Security Director for a quote

Questions:
- How does this change your approach to internal/external communications?
- Do you have a crisis PR firm identified?
- How do you communicate to employees? Who helps define this message?
- Do you have a way to determine if there are leaks?
- How would you communicate updates to your board?

Incident Briefing #5

Investigation determines that the attacker is still active in the environment.
- Endpoint technology tracks current commands and activity performed by the adversary
- The attacker is leveraging an administrative account with access to all areas of the environment (Domain Admin)
- The IR forensic analyst recommends speeding up the remediation process to remove access, lock down the environment, and unplug from the internet

Questions:
- What factors into your decision to remove the attacker's access immediately vs. monitor activity as you ready for a full remediation event?
- How much of this information is shared with the board? With the employees?
- What risks and concerns do you have now that you know the attacker is still in the environment?
- What role would the FBI or local law enforcement have at this point?

Incident Briefing #6

Large shareholders and important customers have reached out to your company to find out details about the incident.
- Shareholders have expressed concerns about the impact on the organization
- Some large customers have called, asking for meetings to understand their exposure

Questions:
- What assurances can you provide to customers or suppliers to keep them from walking away?
- Are corporate directors concerned about liability from the breach?
- Do you have Director and Officer (D&O) coverage? Does it cover a breach?

Incident Briefing #7

The IR forensic analyst finalizes a report about what happened and includes a list of remediation recommendations:
- The report ties the attack to an organization working on behalf of the Democratic People's Republic of Korea (North Korea)
- The remediation recommendations require significant time, money, and resources to further lock down the environment
- There were other threats in addition to the ransomware, and it is unclear whether they are related

Questions:
- Does it matter who receives the report for maintaining attorney-client privilege?
- Does knowing who the attacker is matter?
- What factors into your decision to implement the list of recommendations versus other ongoing value-driven business initiatives?
- What next?

Lessons Learned
- Did you understand how a security incident can impact the organization beyond IT?
- What are your biggest takeaways from this exercise?
- Did anything catch you by surprise?

Questions

Frances Floriano Goins
Co-Chair, Data Privacy & Information Security, and Co-Chair, Financial Services & Securities Litigation
Ulmer & Berne
fgoins@ulmer.com
216.583.7202

Christopher M. Prewitt, CISSP, CISM
Vice President, Advisory Services
TrustedSec, LLC
Chris.Prewitt@TrustedSec.com
877.550.4728

Betty Shepherd
Senior Vice President
R-T Specialty, LLC
Betty.Shepherd@rtspecialty.com
860.656.1362

Ryan Macfarlane
Supervisory Special Agent, Cyber Squad – Cleveland Division
Federal Bureau of Investigation
grmacfarlane@fbi.gov
216.522.1400

Gregory P. Stein
Vice-Chair, Data Privacy & Information Security
Ulmer & Berne
gstein@ulmer.com
216.583.7446