Ransomware - The First 60 Minutes with the Board

The CEO’s video pops up in the web meeting 15 minutes late to the last-minute #executiveleadership meeting; she is still on the phone as she sits down at her desk. She then turns off the phone and puts it face up on the table: the screen is dark, the corporate device is off. Her personal phone sits right next to the corporate device. Looking a bit grim, she comes off mute, and the conversation starts….

“Team, sorry about having to meet on such short notice, we have a serious situation here. I was just informed by our Security team and just had a follow-up call with the FBI. It is confirmed we have Ransomware spreading rapidly through the operation, and we currently believe we are about 20% infected and still spreading. We do not know exactly which systems are impacted yet, but the teams are working on it. We have been instructed to shut down all machines and all mobile devices until we are sure we can get a better understanding of what is going on. Will you please do so now, and also place your devices on the table. The security team will be by shortly to collect them for forensics. The FBI believes the executive team was spearphished first due to our high levels of access and the many very large customers we work with. The FBI believes we may have been used to get to some of the Fortune 500 customers we serve because we are a smaller target. There may even have been some very good social engineering through texting, and our security forensics team wants to start looking at our devices first. Our CISO and the #informationsecurity team have a war room set up and are busy working the issue with law enforcement and our internal team. I hope to get an update soon.”

The questions start….

Legal, have you already activated the retainer agreement with our Security team for extra forensics services? We need to check immediately on the status of our Cyber #Insurance policy. We are going to need some outside help very quickly in examining this infection. It seems like we should not start turning things on until we know exactly where this infection is. I am thinking that is the only safe point from which we can start our traditional recovery processes from the ground up. I am a bit concerned here, because that means I do not know how long we will be down operationally and how that will stack up from a judgment and litigation standpoint. There are some very strict guidelines on notification we must adhere to as well.

Operations, are we sure the backups of our operations software and control systems are air-gapped or vaulted on a completely different network? It was the first thing the FBI asked me and the CISO this morning. These adversaries have been known to find backup and disaster recovery systems on connected networks. I think we need to focus on recovering operations first.

Finance, assuming we can get operations back up and running by next week, what is it going to take to get payroll online? If we can’t pay our team members, we can’t operate. Tensions are already high with our labor force; we need to keep them motivated in this crisis. The last thing we need is a walkout!

The CEO pipes back in: I have an update that after this call we need to stop using these devices. You will be receiving a box in the mail tomorrow to package the equipment in. Please do not turn on your devices after this call. We will be reverting to personal equipment and email for now. Here is my personal email; please forward me yours and we can start to build out a chain from there. Most of our employees have no access right now anyway.

IT Operations, we have been told not to use any of our devices, and the Voice over IP systems are also to be kept offline right now. How are we going to communicate and organize all of this? Legal, what are the implications if we move to consumer-based products like Gmail or Facebook Messenger? Which one are we going to use? Do we have a corporate directory stored on a secure platform outside our “four walls”? How do we even get in touch with anyone? Another thought: how do we override Single Sign-On with our cloud providers? If we can log in directly, we might get clearance to use non-connected systems in the cloud.

Logistics / Warehousing, I need to check on how much safety stock we have before we are out of core product. Do we have a way to move what we have to customers? Can we use the old paper process and keep track of orders so we can bill later?

Purchasing, I am wondering if we have a way to place emergency orders for clean laptops and servers. We need some of the most critical systems online right away; clean systems are likely going to be the safest bet to kickstart a recovery.

Marketing / PR, where are our pre-planned crisis communications plans and press contacts? Those plans are also on a secure system outside of our “four walls”, right? At least I think they are? I am going to need to say something about this in the next hour or so. Now that the website is down, it won’t be long before we are on CNN and FOX. We need to communicate that we have a plan and have this under control.

It has been nearly 60 minutes of questions and responses on the boardroom call. Some responses are made with confidence, some with trepidation and a few with an eerie silence. Teams are eager to get up and get their organizations motivated to the cause. The CEO looks up from several pages of notes taken with pen and paper; the laptop left the room about 30 minutes ago.

“Folks, we have a lot of work to do, and I want to let the tension out of the room. This was an executive tabletop exercise put together through our CISO and our Insurance partners. We are going to start a steering committee next week so that we can start looking at these gaps in earnest. Hopefully, this exercise demonstrated that we are all in this together and each division has a part to play.”

To many reading this, it may seem like a replay of a meeting you have already been in. To others it may still seem too farfetched. What we have seen in the security space is that the now dated “spray and pray” worms like NotPetya are being replaced by very tactical approaches where the adversaries may be in your network for days or even months to ensure that the ransomware takes out as much as it can before launching: backups, infrastructure, industrial control systems, etc. The more painful the attack, the more likely they will be able to extract their fees. Further, as larger organizations have improved their security posture, adversaries are moving down the supply chain looking for weaker targets, or even for backdoors into these larger business partners.

Want real world examples? Jim Hagemann Snabe of Møller-Maersk did the community a great service by being very transparent about what transpired in the wake of NotPetya at the World Economic Forum a few years ago - https://bit.ly/NotPetyaVid (Jim starts at around 2:50). The story behind Jim’s talk is detailed even deeper in this Wired article: https://bit.ly/NotPetaWired. Ransomware is also not the only threat scenario; maybe you forgot about Shamoon back in 2012? Jack Rhysider does a great recap on his Darknet Diaries podcast series here - https://bit.ly/Shamoon.

The very important realization here is that Cyber Recovery and Resilience does not equal Disaster Recovery. In most Disaster Recovery scenarios, we are dealing with an isolated geographic event. Examples of disasters include a burst pipe flooding a server room, a fire or an earthquake. Conversely, in a Cyber Recovery situation you may lose everything! Why?

  • Because there is the potential that a worm or an adversary is looking to take over everything, not just one geographic area. You need to be prepared to have NOTHING. This is different from most Business Impact Assessments done around a Disaster Recovery scenario.
  • You don’t need to perform extensive systems forensics after a fire or a flood. You have a good sense of your recovery time and hopefully well-defined failover points in disaster situations.

The point? A Disaster Recovery plan is based on disaster scenarios. These plans are NOT Cyber Recovery plans based on losing massive amounts (or all) of your IT capability. The CEO of the company in this article, https://bit.ly/RWWorstCase, had to deliver the news none of us want to hear.

The next steps? Work closely with your #CyberInsurance providers to be sure you have the coverage to launch your recovery. Consider an executive tabletop like this; it will start to expose where your gaps are. From there, start building the roadmap and planning to improve your overall Cyber Recovery posture.


Stuart K.

OT Industry Advisor | CTO | Chief Architect | MBA, MCIIS, GICSP

1 year

Great insights: “Some responses are made with confidence, some with trepidation and a few with an eerie silence.” Preparation and practice are the keys to avoiding that eerie silence!

Mithilesh Kumakula

Business Development Manager

1 year

CFBR
