The intent of nearly every business entity, public or private, is to portray itself both internally and externally as a living, caring entity you can trust. Ransomware can bring your business to its knees. It can put into question the core values, capabilities and intents of your entity by your current and future employees, customers, vendors, partners, competitors, stakeholders and constituencies. Trust is a mindset directly related to your brand that is easy to lose but very difficult and time-consuming to regain. Have you identified the handful of things that can bring your business to its knees and the assets that drive them? If not, you are putting your entity’s future at risk.
How much is your data worth? Before the era of mobile devices, remote access and distributed offices, companies could base the cost of protecting their data on the size of the IT operations budget. However, today, as almost 100% of operations have moved online, the size of the risk is now based not on the IT budget, but on the overall revenue/profitability, brand loyalty, customer and supplier trust. Attackers are now demanding record amounts of blackmail, and companies have been forced to pay or risk going out of business completely. We have seen record payments ($40 million for an incident, in some cases) and record numbers of attacks (more than 300 million in 2020).
Ransomware is a severe threat that exists across all enterprises — private or non-private, big or small. Attackers are only concerned with how much money they can extort. Importantly, they do so through ways that are nearly unimaginable and, thus, bring forth the reality that you cannot protect everything all the time.
Yet waiting until you are under attack to deal with it is a big mistake. Both fortunately and unfortunately, COVID-19 has forced all stakeholders in and around an entity to think differently and cooperatively about preparing for, dealing with, adapting to and mitigating the severity of a threat. It is from this reality that experts at the Bace Cybersecurity Institute (BCI) have created the D2R2 Dynamic Framework for Ransomware Threat Mitigation.
D2R2 is about ransomware management: It is a process to turn the “unimaginable” into the specificity of action through D2R2 toolsets, including: 1) big-data analytics; 2) risk tolerance decision matrices and the resulting scenario roadmaps; 3) predefined cross-stakeholder courses-of-action playbooks, resource maps and protocols; 4) threat response reverse-engineering tools; 5) identification and commitment of “the negotiator” and the strict authority process; 6) adaptive risk/response path director; and 7) threat learning adaptor.
Pre-attack phase (R -2): D2R2 ransomware management occurs over three distinct phases. These phases relate to the time of attack. This first phase is where ransomware detection intelligence, communication and defenses are analyzed and turned into actionable items. The objective of this first phase is to detect, manage and block potential ransomware threats. This is where artificial intelligence (AI) is used to make sense out of massive amounts of data.
You might want to think about this step as the “smell” test. After a “smell” is detected, it goes into an attack management system (AIS) that measures the probability of an attack and determines alert levels, which mobilizes and prioritizes the actions of your security team and, importantly, drives the organizations’ alert levels and momentum. The keyword here is communications, executed in a precise manner across all stakeholders. Finally, depending on the tempo and velocity of the threat indicators, senior management may take preemptive protective measures.
R -0 is the attack phase: Chaos is the best definition of what typically goes on during an unexpected attack. The objective of the D2R2 ransomware management process is to turn chaos into an orchestrated network of adaptive actions and communications between stakeholders, all focused on stopping the attack and minimizing the damage. Again, it’s all about communication and the quality of the pre-planning action processes and dynamic protocols. The D2 part of D2R2 is all about the adaptive dynamics of data that drive dynamics of response at any point in time.
The goal of the attack phase is to manage the attack to minimize the total economic impact through the toolsets listed above. The fundamental problem in this phase is time. Everything must be done immediately and in sync as the attack progresses and its dimensions are refined. As such, the organization requires specific plans and detailed resource contingencies for responding immediately and the authority/discipline to do so.
The most important issues in the attack phase are the things not to do. These include responding to executives asking for status or communications outside of the attack response plans, attempting to determine the source of the attacks, contacting the attackers before a proper negotiation team is in place and prepared to start negotiations, and more. The D2R2 toolset defines and prepares for these items in advance.
Planning and preparing for R -0 is a complex and expensive task. Loss containment may be challenging to quantify in advance of an attack, but lack of planning comes at a much higher cost and entity risk.
When It’s Over, It’s Not Over
R +2 is the post-attack phase: Even with the best-advanced detection of “smells” and response event management and recovery, you may be forced into a position to negotiate with the attackers.
The goal of the ransomware minimization phase is to manage and minimize the total economic impact of the attack. This requires contingency plans and what-if plans for negotiations. Negotiating with a ransomware attacker is like any other negotiation. It is a very complex process, which is why an experienced external ransomware specialist needs to be employed: they would have the best chance of maintaining the perspective needed to minimize the adverse consequences of an attack. Only the experienced negotiator should be able to time and execute contact with the attackers.
Negotiations must include making arrangements for payment. This means acquiring a cryptocurrency, which may not be as simple as it seems, especially when under attack. In addition to negotiating payment, it is essential to track restoration and to obtain assurance that any exfiltrated data will not be passed to others. Critically, the adverse consequences of the attack on the entity’s brand require multidisciplinary stakeholder insight analytics, innovative building-block messaging and quick response communication metrics, all orchestrated as the attack progresses and once its aftermath is assessed.
When the attack is closed, the ransomware management process should be updated in detail based on what was learned in the attack. This requires input from almost all stakeholders and the rethinking of risk tolerance and time-critical decision/resource commitment processes.
Ransomware is a complex and changing threat to organizations today. All organizations need detailed processes and procedures that are constantly maintained. Many organizations may have implemented something similar to those toolsets identified in ransomware management above. But, unfortunately, far too many organizations have poor or incorrect preparation.
What is presented here is a very brief overview of detailed processes and tools. If you want to learn more about D2R2, you may contact BCI for further information and access to its panel of experts.
The views expressed in this article are the author’s own and do not necessarily reflect Fair Observer’s editorial policy.