
Ransomware Is Changing: How We Respond To It Should Change, Too
In 2023, a record-breaking $1 billion was paid out to ransomware attackers, a significant escalation of a threat that has grown alongside years of unchecked SaaS adoption. As we move forward, it’s essential to recognize that this isn’t just an issue for security teams – it’s a business imperative.
In order to respond effectively to these evolving threats, organizations must revisit and champion basic security hygiene practices: knowing which SaaS applications and data stores exist, who can access them, and how they are backed up. The era of unchecked SaaS growth is over; now is the time to prioritize incident response and risk management.
Understanding the Ransom: A Shift in Approach
When an attack occurs, our initial approach often focuses on containing the spread of malware while trying to recover lost data. However, we must adapt this mindset to ensure that ransomware response extends beyond the security team. The critical step is to involve relevant business departments in the preparation and active incident response process.
For example, if malware was deployed in the payroll system, it’s crucial to include HR and legal teams in the planning and decision-making process. This proactive approach ensures that all stakeholders are aligned and prepared to mitigate the impact of an attack.
Risk Assessment and Management
Ransomware attacks no longer affect only IT departments; they now pose a significant threat to business continuity. It is essential to prioritize risk management by understanding the level of danger our organizations are actually facing. A risk register can be a valuable tool here: it records the systems and data most likely to be targeted, the weaknesses that could let an attacker reach them, and the business impact if they were encrypted or leaked, so that the threats the company worries about can be checked against what it is actually susceptible to.
With this information in hand, security teams can assess an incident against a known baseline and make the adjustments needed to prevent a recurrence. It is crucial to have this data readily available before an incident, because it informs decisions that must be made quickly once one is under way.
Retrospective Action
It’s not enough to simply respond to a ransomware attack; we must also drive retrospective action and identify the root causes of the incident. An investigation surfaces information about the organization’s security capabilities that was not known beforehand, such as the initial access path, how far the attacker moved before detection, and which controls failed or were missing, and that information pinpoints the gaps in the environment.
This approach gives investigators tangible evidence that can be shared across the organization, so that the gaps are closed rather than rediscovered in the next incident.
Key Elements of Response
In order to optimize incident response without compromising a thorough review of data, it’s essential to prioritize five key elements:
1. Containment: Bolstering containment capabilities is crucial in the event of an incident. Stopping the spread first not only limits the damage but also preserves the evidence needed to keep evaluating the blast radius, the scope of the damage, legal and contractual liability, and the risk of recurrence.
2. Investigation: Conduct a comprehensive investigation to understand the adversary’s goal and discover what went wrong within your network that allowed the incident to occur.
3. Prioritization: Identify areas within our network that are at high risk of impact and prioritize accordingly.
4. Communication: Involve members of your business beyond the security team in the decision-making process, ensuring transparency about potential impacts and how they can assist in mitigating those effects.
5. Evaluation: Analyze all collected evidence to support a decision on whether or not to pay the ransom, weighing what was actually taken or encrypted, whether backups are intact, and the legal and reputational consequences of either choice.
Implementing these steps enables organizations to optimize incident response without sacrificing thoroughness. By expanding our definition of ransomware response, we can better manage risk and improve overall hygiene within our company.
The time has come to adapt our approach to ransomware attacks. It is no longer sufficient to focus solely on technical security controls; we must prioritize business continuity and risk management alongside them.
Source: www.forbes.com