How prepared are you for a cyber attack? – Part 1

It's just another day in the office. You can hear the tapping of keyboards, the ringing of phones, the hum of people talking, and the smell of fresh coffee wafting over from the kitchen. Suddenly, the tapping of the keyboards stops. The hum of people talking turns to “Can I call you back, something's come up”, and all you can hear is phones ringing and ringing unanswered as colleagues slowly stand up from their desks, looking around the room wide-eyed and slack-jawed at the message that has just appeared on their screens... “Ooops, your files have been encrypted!” A feeling of terror and disbelief washes over you. You pinch yourself; nope, you're already awake, this is actually happening: the business that you have poured your sweat and tears into for years is paralysed and being held to ransom by someone you cannot see and will likely never catch.

I realise I'm leaning heavily on an emotive response here; however, the scenario described has been very real for many organisations in 2021 and will be in 2022. I hope that I have stirred enough emotion and interest for you to read on and to take action in forming your own incident response strategy.

The first step is accepting that this event could happen to you, and planning for its eventuality. Being prepared for it could be the difference between your business surviving or not. In this three-part article I hope to give you information and ideas you can use to produce your own Critical Security Incident Playbook.

Some quick stats

OK, so to put this in perspective I'd like to share some UK government stats. Something every office has once it gets to a certain capacity is at least one Fire Marshal. Fire drill training is also mandatory, and fire alarms are tested once a week. The government statistics for reported fires in offices and contact centres in 2019 show approximately 11,025 businesses affected (I can't include 2020/2021 for obvious reasons). Of those, there were zero fatalities and 7 non-fatal casualties.

Compare that with the government stats on cyber breaches in 2021. The government reports that 39% of UK businesses (2.3 million) reported some sort of security breach in 2021. A sample of 654 businesses that experienced a breach shows that 7% experienced an incident relating to ransomware, so if we apply the sample's 7% to the total number of businesses reporting a breach, that would be 161,000 UK businesses potentially experiencing a ransomware incident in 2021. Compared to the likelihood of a fire, according to these stats you are 200 times more likely to experience a cyber security incident and 14 times more likely to experience a ransomware attack than a fire in an office environment.

At this point I will state that you should not relent on your legal responsibility to enforce fire safety. My point is this: how many businesses have thoroughly tested procedures and protocols in place for a fire, but not for cyber security?

Another statistic for you comes from one of the most notable ransomware incidents of 2021: the Irish health service reported the cost of recovering from the incident to be in the region of £440 million. This is obviously a very large organisation, but if we divide that figure by its 119,000 employees that gives an approximate cost of £3,697 per employee, and multiplying that by the average headcount of an SMB, 150 employees, gives a comparative recovery figure of £554,550.00.

To Pay or Not to Pay?

What are the actual consequences of paying? Ransom payments are said to be one tenth of the cost of manually recovering data. It makes sense for the payments to be cheaper: the gangs are trying to incentivise victims. Along with this, gangs offer an initial “lower” rate if you pay quickly and avoid the involvement of authorities. Gangs are also trying to appear more reliable – stats show that of the 57% of businesses that do pay the ransom, 71% get their data back in full (the percentage has increased steadily year on year from below 50% in 2018). Gangs want to be seen as reliable by businesses that pay them, but this perpetuates the cycle, and the only beneficiaries here are the ransomware gangs, who can grow with more stability.

Your plans A, B, C, D… should always be NOT to pay. That said, a report published by a leading Threat Intelligence provider found that 57% of businesses (globally) still paid in 2021. In addition, some businesses even have thresholds agreed at senior level for the circumstances in which a ransom will be paid.

What are the risks of not paying, though? If that is going to be our plan, we must anticipate the moves of our opponent. We are now seeing what's called “quadruple” threats. These are:

  • Encrypted systems and files
  • DDoS threats
  • Exfiltration of customer data and publication online
  • Harassment of staff, customers, suppliers, and media publication.

Some of these are simple to get around. For example, having a high-speed backup service in place will allow a fast restore, and this has been noted on multiple occasions to be faster than running the ransomware gang's decryption keys (the key is to not restore a compromised backup – we will come to this later).

DDoS attacks can be mitigated through your internet service provider. Having a protocol in place with your service provider for such an event, combined with your service provider's technical controls, can assist with mitigating this. Depending on the nature of your business this could be a lengthy exercise to undertake; partnering with the right provider is key.

The exfiltration of data is a tough one. Having encryption technologies in place, along with strong identity and access management and strong detection capabilities, will likely stop this happening before it gets to this stage; however, the scenario here is that the horse has already bolted. Your options are pay or not pay. That decision becomes slightly easier if you are not storing sensitive information, so looking at what data you do store and making sure you only store what is necessary will make the decision to tell the attacker to “go forth and…” much, much easier. Remember, though, that if you do pay, you have no guarantee that the data won't find its way to the surface.

Harassment, again, is a pay or no pay scenario, but again you don't have guarantees – remember this is still a deal with cyber pirates. Having a good protocol to follow and warning those who could be targeted is key here. This is going to be tough.

Other consequences can range from fines from the ICO, loss of compliance certifications, fines from other industry regulators, fines from regulators for paying the ransom, the cost to recover the business, lost contracts, loss of potential contracts, having to lay off staff, and insurers forcing you to increase your security budget significantly beyond what you would have spent normally.

Prevention is better than Cure

Without doubt, stopping something from happening to begin with is the preferred option here; however, that's not what this article is about. What I will say about prevention is that you must get ahead and STAY ahead. This means processes, people, tools, education, and more education. What will help you keep ahead is ensuring that, whatever you put in place, you can measure the output and see where you're falling short. It is essential that the board can see this in clear statistics and can relate it to a monetary figure – no emotion. Have you also considered apportioning a slice of new business profits towards a security budget? Security is often seen as money off the bottom line; however, some businesses are starting to use it as an aid to selling. Working with a business because it has more mature IT security is no different from wanting the best quality product – security is now part of that overall product. Prevention is without a doubt always cheaper than the cure, but as I've said this article isn't about prevention, so let's continue.

Get Ahead and be Prepared!

So, where do we start? The first item is preparation. The picture below is the model used by ISC2 and is an industry standard for incident response professionals and security consultants.

[Image: the ISC2 incident response model]

The end goal of your preparation stage is that, should an attack happen, your staff are well drilled and know exactly what to do. You will have a “Play Book” available to work through in order to contain the incident as quickly as possible, and you will have a list of contacts to call for assistance and protocols to follow for communications internally and with entities outside the business who must be informed. Some organisations even have decision trees in place on whether a ransom should be paid or not – this is obviously something I don't endorse, but you get the picture. This is the point where you theorise all scenarios and how they could play out. On your first attempt, just try to cover what you believe are the more common scenarios rather than getting lost down rabbit holes. Each year you review it you can add further layers if need be.

In Part 2

In part 2 I plan to further explore the enemy and detail steps and things you should think about during the preparation stage that will assist you in the detection, response and mitigation stages of an incident.

Resources used

https://www.gov.uk/government/statistics/cyber-security-breaches-survey-2021/cyber-security-breaches-survey-2021

https://www.gov.uk/government/statistical-data-sets/fire-statistics-data-tables#incidents-attended

Tim Frost

Driving Innovation, Strategy, Success, in Technology & Digital Transformation

3 years

Dave, really thought provoking, and paints a dark picture of how many organisations are, and could be, affected. Great article and looking forward to part 2

Daniel Grice

Principal Sales Engineer at Axonius

3 years

David Higgs great read!

Michael O'Donnell

Chief Commercial Officer at Opus Technology

3 years

Great insights here David! Incredible, as you noted, that “39% of UK businesses (2.3 million) had reported some sort of security breach in 2021”. With the continued sophistication of cyber attacks it’s crucial to not only have a strategy and the tools in place to combat this, but also great insights and advice from a trusted partner! If any of my network or clients want David’s thoughts on their environment please reach out.
