Ransomware Playbook (draft)
I am drafting a Ransomware Playbook and am open to any input, you may also use this as a starting point for your own playbook.
1. Detection or identification of the ransomware attack.
2. Start isolation procedures.
3. Notify the incident management team.
4. Immediately notify your cyber insurance carrier.
   a. The cyber insurance carrier should take over high-level management.
   b. They should bring in services for legal, communications, remediation, and forensics, and they should manage all customer notifications and the provision of credit monitoring services.
   c. You will likely need to stop all restoration and follow the guidance of the insurance carrier and legal – that helps keep you out of trouble.
5. Set up specific email accounts to use for all communications on the event – this helps to separate things for retention purposes, should you need to provide documentation for legal actions.
6. Set up hotlines or electronic meetings where everyone reports in on updates and coordinates with the insurance carrier. Note that if you don’t have an insurance carrier that provides this service, then you need to find a 3rd party that does.
7. Set up a War Room, where you can track all issues and all of the work that needs to be done. Post-it notes work well for this. Make sure to retain all of the documentation for legal purposes.
8. Establish regular check-in meetings / status meetings and identify who will be running them as well as who will take notes.
Prevention and Preparative Measures:
· Ensure you have adequate cyber security insurance and have documented processes and procedures for interacting with your cyber insurance provider. Make sure you have a good insurance provider that can effectively manage the incident.
· Implement an air-gapped backup solution.
· Maintain an inventory of all assets.
· Maintain an inventory of spare hard drives and computers.
· Ensure you have good, up-to-date images of end user computing devices.
· Ensure you have copies of a business continuity plan available.
· Ensure you have an accurate listing of who needs to be informed and at what point they need to be informed (see: Cyber Incident Reporting Requirements & Notification Timelines for Financial Institutions, Bank Policy Institute, bpi.com).
· Ensure you have a staging area or staging areas for managing large-scale re-imaging of computers.
· Ensure you have a response team that not only includes management, but also a team of employees who can assist the IT department in coordinating re-imaging and remediation (execution of forensic data collection and remediation on computers – such as running SentinelOne off of a thumb drive to scan every computer).
· Regularly update all operating systems, software, and security patches to mitigate vulnerabilities.
· Implement robust antivirus and anti-malware solutions across all endpoints.
· Educate employees on recognizing phishing emails and suspicious links.
· Employ email filtering systems to block malicious attachments and URLs.
· Employ web content filtering to block countries and/or malicious sites.
· Utilize network segmentation to contain the spread of ransomware.
· Implement multi-factor authentication to prevent unauthorized access.
· Back up critical data regularly and store backups offline or in a secure, isolated environment.
· Implement managed detection and response with the capability to automatically or manually isolate devices.
· Ensure all data (electronic files) is properly labeled, identified, inventoried and managed, so that you know which files contain GLBA data to protect and that you have adequate protections in place to prevent theft of customer data.
· Ensure you have communication plans and protocols in place.
· Ensure that you have manual processes and procedures for handling customer transactions and/or alternative ways to conduct business operations.
· Use hosted e-mail, such as Microsoft 365.
· Have communication tools such as Teams available (Webex, etc. can also suffice).
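The inventory item above (knowing which files hold GLBA customer data) is the one most teams have not scripted before an incident. The following is an added example, not part of the original playbook: a small scanner that classifies file contents by the customer identifiers they contain and emits one inventory row per file. The identifier patterns, the Luhn filter for card numbers, and the three sample files are all constructed for illustration; the account-number format is an assumption and would be replaced with your institution's own.

```python
"""Build an inventory of files that contain customer (GLBA-type) data.

Added example, not part of the original playbook. It scans text content
for a few common identifier patterns and produces a per-file inventory
so the response team knows which files need protection and would be in
scope for breach notification. Patterns and sample files are constructed.
"""
import re
from collections import Counter

# Regexes for common customer identifiers. Account-number formats vary
# by institution; the 10-12 digit form used here is an assumption.
PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "card": re.compile(r"\b(?:\d[ -]?){15}\d\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "account": re.compile(r"\b(?:acct|account)\s*#?\s*:?\s*(\d{10,12})\b", re.I),
}


def luhn_ok(digits: str) -> bool:
    """Luhn checksum; drops 16-digit numbers that are not card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def classify(text: str) -> Counter:
    """Count each identifier type found in one document's text."""
    hits = Counter()
    for kind, rx in PATTERNS.items():
        for m in rx.finditer(text):
            if kind == "card" and not luhn_ok(re.sub(r"[ -]", "", m.group(0))):
                continue        # looks like a card number but fails Luhn
            hits[kind] += 1
    return hits


def build_inventory(files: dict) -> list:
    """Return one row per file that contains customer data, sorted by path.

    `files` maps a path to its text content. In production you would walk
    the file shares and extract text from PDFs and Office documents first.
    """
    rows = []
    for path, text in sorted(files.items()):
        hits = classify(text)
        if hits:
            rows.append({"path": path,
                         "types": sorted(hits),
                         "count": sum(hits.values())})
    return rows


# Constructed sample files: a loan application, a marketing deck whose
# 16-digit figure is not a card number, and an operations account list.
SAMPLE_FILES = {
    "shares/loans/app-2023-0417.txt":
        "Applicant SSN 123-45-6789, card 4111 1111 1111 1111, jane@example.com",
    "shares/marketing/q3-deck.txt":
        "Quarterly numbers: 1234567890123456 widgets shipped",
    "shares/ops/account-list.txt":
        "Account #: 12345678901\nAccount #: 98765432109",
}

if __name__ == "__main__":
    for row in build_inventory(SAMPLE_FILES):
        print(f"{row['path']}: {row['count']} hits ({', '.join(row['types'])})")
```

The output is the starting point for the access-control and labeling work the bullet calls for: files that appear in the inventory get restricted permissions and a sensitivity label, and during an incident the same list tells legal which files were in the blast radius.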
Additional Insights and Recommendations:
· Consider changing your backup site infrastructure and configuration to make it a modified air-gapped backup, vs. hot or warm. This is in addition to an air-gapped backup solution.
· Since you will need to preserve evidence, consider how or where you are going to recover to and still preserve evidence.
· Know what data you have and where you have it; it’s best if you have a full inventory of files that have customer information, and even better if you have those files well managed and access controlled.
· Know what internet/network connections you can or may need to unplug, and be prepared to unplug them.
· Have a process or way to communicate to all staff, as you may not be able to use a VoIP system or e-mail.
· Make sure all branch operations have manual procedures to service customers.
· Have a process in place to communicate to customers that you are experiencing a service interruption.
· Have 3rd party resources you can bring in quickly to rebuild systems.
· Ensure you have an order-of-restoration plan or guideline.
· Be prepared to realign the IT staffing hours, as you may need to change hours to support remediation and restoration.
· Have a general list of employees that could help IT; employees that you believe would be able to do some of the basics. You will need this if you want to restore operations quickly. This will involve re-imaging computers, testing computers, retrieving computers from branches, taking re-imaged computers to branches, running malware scanning and remediation tools, and coordinating and tracking computer re-imaging. You will likely need a large staging area where you can re-image computers en masse. The non-IT staff really come in handy in tracking and reporting the status and in corralling and coordinating everything with the end users, especially if you have a lot of remote laptop users.
· Have a plan for feeding the IT staff or anyone working on the event; they may be working long hours and need food and drink, don’t let them down.
Specific Recommendations if using Microsoft 365:
· Evaluate using OneDrive and/or Azure for data storage.
· Evaluate using Microsoft Purview to manage data and set up DLP rules and alerts.
· Evaluate using Exchange Online.
· Fully configure Intune and Defender, ensuring that you enable ASR rules, DLP, anti-virus scanning, endpoint encryption, alerts, and vulnerability management.
Detection and Response Procedures:
· Do not rely on standard anti-virus alone; if you have standard anti-virus, an indicator of an attack is that the anti-virus becomes disabled or starts uninstalling.
· Best practice is to have anti-virus with endpoint detection and response capabilities and to utilize a 3rd party managed detection and response service.
· Monitor network traffic for unusual activity or spikes in data encryption.
· Establish data loss prevention alerts, if you have the software infrastructure to do so.
· Utilize intrusion detection systems (IDS) and security information and event management (SIEM) tools to detect ransomware activity.
· Establish clear escalation paths and response procedures for handling ransomware incidents.
· Immediately isolate infected systems from the network to prevent further spread.
· Preserve evidence by taking screenshots and documenting ransomware messages.
· Notify relevant stakeholders, including the IT security team, management, legal, and law enforcement if necessary.
· Implement incident response protocols to contain, eradicate, and recover from ransomware attacks.
Communication and Negotiation:
· Designate a spokesperson or team responsible for communicating with the ransomware operators.
· Assess the feasibility and risks associated with negotiating with the ransomware attackers.
· Do NOT let them know that you are restoring or that you have restored services.
· Drag the communications out as long as possible, and always come up with excuses for delaying a payment. You don’t really want to pay, but you don’t know if they have been effectively removed from your systems, so let them think you are willing to cooperate.
· Ask for proof of what they got – if they claim they exfiltrated information, play them a bit and ask for proof of how they did it.
· If you identify IP addresses used in the attack, conduct analysis of these using tools such as Kali; make sure to report the IPs to the telecommunication providers or owners of the IP addresses.
· Establish clear communication channels and procedures for negotiating ransom payments.
· Collaborate with law enforcement agencies and legal counsel to ensure compliance with relevant laws and regulations.
· Keep stakeholders informed throughout the negotiation process while maintaining confidentiality.
Recovery and Remediation:
· Restore encrypted data and systems from backups once the ransomware has been contained.
· Conduct a thorough post-incident analysis to identify root causes and improve security posture.
· Update incident response plans and security controls based on lessons learned from the ransomware attack.
· Update the BCP based on any findings.
· Conduct employee training and awareness programs to reinforce security best practices and prevent future incidents.
· Implement additional security measures, such as endpoint detection and response (EDR) solutions, to enhance detection and response capabilities.
Legal and Regulatory Compliance:
· Ensure compliance with data protection regulations, such as GDPR or HIPAA, when handling ransomware incidents involving sensitive data.
· Notify regulatory authorities and affected individuals in accordance with legal requirements.
· Work closely with legal counsel to navigate the legal and regulatory implications of ransomware attacks.
· Cooperate with law enforcement agencies in the investigation and prosecution of ransomware operators.
As your Chief Information Security Officer, I will ensure your organization stays ahead of cyber threats, achieves compliance, and operates with resilience. I’m committed to driving the strategic vision that will empower your business to thrive in a secure and continuously evolving environment.