On Data Privacy Day, Kroll’s Alan Brill and Brian Lapidus share recommendations for companies who have fallen victim to ransomware attacks, emphasizing the importance of reporting a breach promptly and how to investigate an attack under the assumption that data has been stolen.
The Planning Imperative
When a ransomware attack includes data exfiltration, there’s a complex regulatory environment that organizations must pay attention to in order to determine if the attack constitutes a data breach. If the forensic investigation determines that data was indeed stolen as part of the attack, several clocks begin ticking. Based on different state and national laws, the time requirements for breach notification may be as tight as 24 hours, presenting a significant challenge for most organizations. There is significant benefit in undertaking fundamental planning steps, with considerations for tactical, operational and consumer impacts.
Time is of the Essence
While there is some room for interpretation in the definition of “discovery,” the reality is that it may take a significant amount of time to alert the right people within the organization – let alone communicate with customers and stakeholders – about a data compromise. Hoping that data wasn’t stolen or assuming it wasn’t because doing so is easier aren’t effective defenses for failing to report a breach to regulators.
Whether you are a part of a board, occupy a C-suite position or serve in a general counsel or compliance role, your fiduciary obligation is to find out what happened so that the organization can take the prescribed steps regarding notification if that turns out to be required. If you are not engaging in these steps, you are creating additional liability for the organization, impacting its future reputation and financial viability. The potential for multiple fines imposed by different states and nations becomes increasingly real as more jurisdictions enact data security and privacy laws.
The Data Tells a Story
Carrying out a forensic examination can be complicated or even blocked by ransomware. Data that a forensic investigator might look to in developing an understanding of an incident may itself be encrypted as part of the attack. In other cases, log files which could shed light on the incident were never activated by the company or had limitations, making them ineffective as sources of forensically sound data.
A recent analysis from Kroll’s cyber threat intelligence team showed 49 percent of ransomware incidents handled by Kroll investigators involved the theft of data for extortion. In layman’s terms, if ransomware is involved, there is a 50/50 chance that stolen client data could end up held for ransom, sold or released on the dark web. In cases involving state-sponsored attacks, the data could have been gathered for espionage purposes.
The best way to ensure that forensic data will be available when it is needed the most is to think about the need before the attack ever occurs – even in the design phase of the systems themselves. This type of planning – sometimes called “proactive forensics” – helps ensure log files are turned on, set for a reasonable retention period and stored somewhere inaccessible to a ransomware attack. Proactive forensics can also consider segmenting the network with protective devices that make it harder for attackers to spread the infection to adjacent segments, a common tactic in ransomware attacks.
These system modifications can reduce the vulnerability of the data to ransomware encryption and can often be accomplished quickly through a short consultation with experienced forensics and network security organizations. Equally important, our experience across hundreds of incidents demonstrates that in-house responders often inadvertently modify or destroy important forensic clues. Making sure that initial responders understand how to do their work without compromising forensically vital information should be part of every organization’s incident response training.
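The two previous paragraphs describe what proactive forensics should guarantee (logging enabled, retention long enough, a copy ransomware cannot reach) and why first responders must not alter evidence. The script below is an added example, not Kroll’s code or tooling: it audits a constructed inventory of log sources against those three conditions and records a hash manifest of an evidence file so that any later modification, however well-intentioned, is detectable. The source names, the 90-day retention floor and the log lines are all constructed for illustration.

```python
"""Proactive-forensics readiness audit plus an evidence-integrity manifest.

Added example (not Kroll's code). The log-source inventory, retention floor
and log contents are constructed so the script runs offline.
"""
import hashlib
import os
import tempfile
from dataclasses import dataclass
from datetime import datetime, timezone

# Assumed retention floor for this example; set it to what regulators and
# investigators in your jurisdictions actually need.
MIN_RETENTION_DAYS = 90


@dataclass
class LogSource:
    name: str
    enabled: bool
    retention_days: int
    off_host: bool    # copy shipped to a collector the source host cannot delete from
    immutable: bool   # append-only / WORM storage at that collector


# Constructed inventory; a real one would come from the SIEM or CMDB.
SAMPLE_SOURCES = [
    LogSource("siem-forwarder", True, 365, True, True),
    LogSource("web-proxy", False, 0, False, False),
    LogSource("dc-security", True, 30, False, False),
    LogSource("vpn-gateway", True, 180, True, False),
]


def audit_log_sources(sources, min_retention=MIN_RETENTION_DAYS):
    """Flag the three failure modes the text names: logging never activated,
    retention too short, and a copy that ransomware on the source host could reach."""
    findings = []
    for s in sources:
        if not s.enabled:
            findings.append((s.name, "logging disabled"))
            continue  # nothing else is meaningful until logging is on
        if s.retention_days < min_retention:
            findings.append((s.name, f"retention {s.retention_days}d below {min_retention}d"))
        if not (s.off_host and s.immutable):
            findings.append((s.name, "no off-host immutable copy"))
    return findings


def sha256_file(path):
    """Stream the file so large evidence files do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(paths, collector):
    """Record hash, size and mtime of each file before anyone works on it."""
    now = datetime.now(timezone.utc).isoformat()
    entries = []
    for p in paths:
        st = os.stat(p)
        entries.append({
            "path": p,
            "sha256": sha256_file(p),
            "size": st.st_size,
            "mtime_utc": datetime.fromtimestamp(st.st_mtime, tz=timezone.utc).isoformat(),
            "collector": collector,
            "collected_utc": now,
        })
    return entries


def verify_manifest(entries):
    """Return the paths whose current hash no longer matches the manifest."""
    return [e["path"] for e in entries if sha256_file(e["path"]) != e["sha256"]]


def demo():
    """Write a constructed log, hash it, then simulate a responder appending to it."""
    with tempfile.TemporaryDirectory() as d:
        log = os.path.join(d, "auth.log")
        with open(log, "w") as f:  # constructed log line
            f.write("2024-01-28T02:14:07Z sshd[412]: Accepted password for svc_backup from 10.0.5.17\n")
        manifest = build_manifest([log], collector="ir-oncall")
        before = verify_manifest(manifest)
        with open(log, "a") as f:  # an in-house responder 'annotates' the evidence
            f.write("2024-01-28T09:00:00Z manual note: checked host\n")
        after = verify_manifest(manifest)
        return {
            "findings": audit_log_sources(SAMPLE_SOURCES),
            "tampered_before": before,
            "tampered_after": [os.path.basename(p) for p in after],
        }


if __name__ == "__main__":
    for name, finding in demo()["findings"]:
        print(f"{name}: {finding}")
```

In practice the manifest would be written to the same off-host, append-only location as the logs, and the audit inventory fed from whatever already tracks your log pipeline; the point is that both checks can run before an incident, when there is still time to fix what they find.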
Charting Parallel Courses of Action
Given our findings that 49 percent of all ransomware attacks result in some form of data theft, when an attack occurs, a company should provisionally assume that data may have been stolen and take appropriate steps while the forensic analysis is carried out. While working in parallel may require additional effort, it allows the organization to pivot in line with results from the investigation.
Initial steps typically include victim notification and remediation, often with third-party experts. Preparing a notification campaign compliant with multiple laws can begin even as the forensic examiners are working. One example of a parallel path for organizations seeking an efficient response involves securing the proper agreements for the establishment of a customer contact center that can confidently explain the nuances of the incident in the customer’s native language, which is critical to re-establishing customer confidence following a ransomware attack.
Practice Makes Perfect
One of the best ways an organization can help reduce the risk is to prepare and practice for the event before it ever happens. Like muscle memory, an organization that practices how it would handle a cyber event will respond more efficiently.
Practice can include full executive briefings or tabletop exercises where lawyers, forensic specialists, notification experts and PR mavens can help with crisis communication and possibly shareholder impact. One of the newer techniques that can be included in this practice is simulation training for the organization’s service operations center.
One of the principles to keep in mind when developing practice sessions is to expect the unexpected. Too many plans have failed when needed because there was an assumption that everyone who participated in the simulations would be available during a real incident. That doesn’t always happen. Good planning should include having a designated backup for each person who will have a key role in responding to an event. The designated alternate should be part of the simulations and should be kept up to date.
Facing Reality
Ransomware is a modern reality and mandates careful risk management that includes technical, operational and personnel controls (security awareness training can be highly effective), but response and recovery processes cannot be overlooked.
As attacks have evolved into even more dangerous territory involving data theft for extortion, organizations face costly financial, legal and regulatory risks. Prudent planning to develop and implement more secure technical controls, protect digital forensics data and build relationships with seasoned response and notification vendors establishes a strong foundation to handle every step of a ransomware attack. Once in place, strengthen this foundation by practicing various response scenarios to reach a point where organizational memory takes over in a crisis – your team will be in the best possible position to respond.