CISO Guide - Ransomware Attack Test
As a Chief Information Security Officer (CISO) you are expected to prepare for and manage security incidents. In this article I outline a hypothetical ransomware attack scenario and how the incident might unfold at your organisation. The scenario takes some inspiration from incidents that have happened to a number of different organisations (not my current employer) over the last couple of years. The aim is to help you determine how your organisation might react.
It’s prudent to park your ego at the door before continuing.
0:00 hour
Via a phishing campaign the threat actor (TA) has obtained the account credentials of a system administrator at the target organisation. The TA spends a number of hours reading through the employee's mailbox and eventually obtains additional credentials.
4:00 hours
Using those credentials, the TA gains access to a physical server in one of the organisation's legacy data centres. The situation is about to get a lot worse: the TA discovers that the credentials grant administrator-level access. There is no privileged account management in place, and the poorly configured anti-virus solution is easily disabled.
The physical server sits on the core corporate network and makes its connections through a modern, capable firewall. At some point in the last six months, however, a junior administrator added a high-priority rule that effectively bypasses all of the carefully tuned rules beneath it. The server routinely connects to numerous back-office systems, so its traffic attracts no attention.
From the compromised server the TA runs a number of low-and-slow scripts to map out systems on the network.
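An aside on the firewall rule. The bypass described above is a rule-ordering problem: in a first-match policy, a broad rule placed above the tuned ones makes every later rule unreachable, and the rules that flip the decision (a deny that is now never reached) are the dangerous ones. The following Python is an added example, not code from this article or from any firewall vendor; the policy, networks and rule names are invented, and it models the policy as a simple ordered, first-match list so the check can be run offline against an exported ruleset:

```python
"""Audit an ordered, first-match firewall policy for rules that an earlier,
broader rule makes unreachable.

Added example, not from the original article. The policy below is a
constructed imitation of a tuned ruleset into which a high-priority
'any -> any allow' has been inserted at the top; the rule names, networks
and ports are invented for illustration.
"""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_network
from typing import List, Tuple


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                 # "allow" or "deny"
    proto: str                  # "tcp", "udp" or "any"
    src: IPv4Network
    dst: IPv4Network
    ports: Tuple[int, int]      # inclusive destination-port range


def rule(name: str, action: str, proto: str, src: str, dst: str,
         ports: Tuple[int, int]) -> Rule:
    return Rule(name, action, proto, ip_network(src), ip_network(dst), ports)


def covers(earlier: Rule, later: Rule) -> bool:
    """True if every packet that would match `later` already matches `earlier`.

    In a first-match policy that means `later` can never fire.
    """
    proto_ok = earlier.proto == "any" or earlier.proto == later.proto
    ports_ok = (earlier.ports[0] <= later.ports[0]
                and earlier.ports[1] >= later.ports[1])
    return (proto_ok and ports_ok
            and later.src.subnet_of(earlier.src)
            and later.dst.subnet_of(earlier.dst))


def find_shadowed(policy: List[Rule]) -> List[Tuple[str, str, bool]]:
    """Return (shadowed rule, shadowing rule, action_differs) for every rule
    that an earlier rule makes unreachable.

    action_differs is True when the shadowing rule decides the opposite way,
    i.e. the unreachable rule was actually changing the policy outcome.
    """
    findings = []
    for i, later in enumerate(policy):
        for earlier in policy[:i]:
            if covers(earlier, later):
                findings.append((later.name, earlier.name,
                                 earlier.action != later.action))
                break
    return findings


# Constructed policy: carefully tuned rules for a three-tier application.
TUNED_POLICY = [
    rule("allow-web-to-app", "allow", "tcp", "10.10.1.0/24", "10.20.0.0/16", (8443, 8443)),
    rule("allow-app-to-db",  "allow", "tcp", "10.20.0.0/16", "10.30.5.0/24", (1433, 1433)),
    rule("deny-db-egress",   "deny",  "any", "10.30.5.0/24", "0.0.0.0/0",    (0, 65535)),
]

# The junior administrator's "temporary" rule, inserted at the top.
JUNIOR_RULE = rule("temp-allow-all", "allow", "any", "0.0.0.0/0", "0.0.0.0/0", (0, 65535))
BROKEN_POLICY = [JUNIOR_RULE] + TUNED_POLICY


if __name__ == "__main__":
    for shadowed, by, flips in find_shadowed(BROKEN_POLICY):
        severity = "POLICY CHANGE" if flips else "redundant"
        print(f"{shadowed} is unreachable; shadowed by {by} ({severity})")
```

Run against the tuned policy it reports nothing; with the junior administrator's rule at the top it reports all three rules as unreachable and flags deny-db-egress as a policy change, which is the finding that matters: the database servers can now reach anything. A check like this belongs in the firewall change process, not in the post-incident review.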
18:00 hours
The TA has now found 42 databases which appear to contain confidential data. Rather than using off-the-shelf, self-replicating ransomware, the TA unpacks a bespoke piece of ransomware on each database server. The TA tidies up any traces they have left and finally disconnects from the victim's (your) systems.
The ransomware is designed for stealth rather than speed, which minimises the chance of detection at this stage. It is also designed to maximise the impact on the victim by corrupting any backup files it comes across.
24:00 hours
The internal Cyber Security Incident Response Team (CSIRT) begins investigating unusual logins to a number of employee accounts. As the employees are not using any form of Multi-Factor Authentication (MFA), the security team are concerned it is another Business Email Compromise (BEC) attack. The security team starts working through the log files for [redacted number] corporate accounts.
28:00 hours
The first line-of-business database goes offline. An alert is raised, but it sits in the queue for the core infrastructure team.
The Security Operations Centre (SOC) has also received the alert, but it is not treated as a priority because the SOC analyst can see that it is already in the core infrastructure team's queue. The log-correlation-based Security Information and Event Management (SIEM) tool records the alert, but there are not enough related events or alerts to meet its escalation conditions.
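The SIEM in this scenario judges the database alert on its own, and on its own an "instance down" alert is indistinguishable from a hardware fault. Correlated per host with the security telemetry that already existed (the unusual logon, the disabled anti-virus, the scanning from the compromised server, the rewritten backups) the picture is different. The following Python is an added example, not the article's or any SIEM product's logic; the events, hostnames, categories and timestamps are constructed to mirror the scenario's timeline (hour 0 = 2024-03-04T00:00), and the rule is deliberately simple: escalate a host once three distinct alert categories occur on it inside a 24-hour window:

```python
"""Correlate alerts per host across a time window instead of escalating on
single events.

Added example, not from the original article. The events below are
constructed to mirror the scenario's timeline (hour 0 = 2024-03-04T00:00);
hostnames, categories and timestamps are invented for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Hour 28 alert as the SOC saw it: a single infrastructure event.
SERVICE_DOWN_ONLY = [
    {"ts": "2024-03-05T04:00:00", "host": "db-prod-07", "category": "service_down",
     "detail": "database instance not responding"},
]

# The same alert plus the security telemetry that was available earlier.
ALL_EVENTS = [
    {"ts": "2024-03-04T04:00:00", "host": "legacy-app-03", "category": "anomalous_logon",
     "detail": "admin logon from an unusual source"},
    {"ts": "2024-03-04T04:10:00", "host": "legacy-app-03", "category": "av_disabled",
     "detail": "endpoint protection service stopped"},
    {"ts": "2024-03-04T06:00:00", "host": "legacy-app-03", "category": "internal_scan",
     "detail": "connections to 40+ new internal hosts in one hour"},
    {"ts": "2024-03-04T18:00:00", "host": "db-prod-07", "category": "admin_logon",
     "detail": "interactive admin logon from legacy-app-03"},
    {"ts": "2024-03-04T19:30:00", "host": "db-prod-07", "category": "backup_modified",
     "detail": "27 backup files rewritten"},
] + SERVICE_DOWN_ONLY


def correlate(events: List[dict], window: timedelta = timedelta(hours=24),
              min_categories: int = 3) -> Dict[str, Tuple[str, List[str]]]:
    """Escalate a host once `min_categories` distinct alert categories have
    occurred on it within `window`.

    Returns {host: (time the threshold was first met, sorted categories)}.
    """
    by_host: Dict[str, List[Tuple[datetime, str]]] = defaultdict(list)
    for e in events:
        by_host[e["host"]].append((datetime.fromisoformat(e["ts"]), e["category"]))

    escalations = {}
    for host, items in by_host.items():
        items.sort()
        for ts, _ in items:                       # candidate completing event
            cats = {c for t, c in items if ts - window < t <= ts}
            if len(cats) >= min_categories:
                escalations[host] = (ts.isoformat(), sorted(cats))
                break
    return escalations


if __name__ == "__main__":
    print("infrastructure alert alone:", correlate(SERVICE_DOWN_ONLY))
    for host, (when, cats) in correlate(ALL_EVENTS).items():
        print(f"{host}: escalate at {when} on {cats}")
```

With only the infrastructure alert the function returns nothing, which is the behaviour the scenario describes. With the full telemetry it escalates legacy-app-03 at hour 6, when the scanning starts, and db-prod-07 at hour 28. The rule knows nothing about ransomware; it works because an attacker working on a host generates several unrelated-looking alerts in a short time, which a hardware failure rarely does.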
28:30 hours
A large number of employees have contacted the Service Desk to complain about system failures.
Client account managers have started to escalate urgent enquiries from clients who are complaining about system failures.
At this point the Service Desk and Corporate Infrastructure team believe they are dealing with some sort of catastrophic hardware or network failure in their data centres.
28:45 hours
Now one piece of good fortune… a system administrator (Sys Admin) makes a voice call to the 24-hour cyber security incident number. The Sys Admin is following the cyber security protocol she was taught during her induction and reports that when she logs into a server, all she can see is a screen stating that a ransom needs to be paid. She also mentions that all of the database backups for the last 27 days appear to have been corrupted.
The Cyber Security Incident Response Team (CSIRT) is asked to investigate. Within 15 minutes the CSIRT has determined that there is ransomware on at least one database server.
The Chief Information Security Officer (CISO) is informed.
29:00 hours
The CISO reviews the evidence and decides that a major incident needs to be declared.
The CISO informs the Chief Executive Officer (CEO), Chief Financial Officer (CFO) and General Counsel (GC) that numerous corporate and client-facing systems are offline because ransomware has been deployed, and that the TA is demanding a ransom of $7M or they will start releasing some of the sensitive information they have obtained.
29:30 hours
The CISO contacts an approved Critical Incident Response (CIR) company and asks them to analyse the ransomware that has been used.
32:00 hours
The CIR company declines to take responsibility for negotiations with the TA, so the CISO contacts the TA directly. The TA supplies a sample of the confidential data and threatens to disclose more of it to security researchers and popular news outlets. The TA grants 6 hours for the payment to be authorised and transferred.
36:00 hours
The CSIRT reports that the ransomware has a specific set of Indicators of Compromise (IOCs) and that these have been verified by the CIR company.
37:00 hours
The TA contacts the CISO and threatens to publish some of the sensitive information that they have obtained. Payment is due within 1 hour.
37:15 hours
The CEO informs the management board that employees and clients should be told about the attack. The comms team and legal draft a carefully worded email explaining that a ransomware attack is in progress and that internal systems have been affected. As a precaution, clients are asked to check their systems using the IOCs.
38:00 hours
A security researcher tweets that your organisation has been targeted by ransomware and that they have been given some data as proof.
38:15 hours
Clients are made aware of the ransomware attack and encouraged to use the IOCs to confirm that they have not been affected. Some clients do not react well and threaten to sue for any damages or loss of service. Other (more enlightened) clients inform their security teams, who immediately request actionable intelligence regarding the incident.
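Clients in the scenario are handed a list of IOCs and asked to check their own estates. The following Python is an added example, not the article's or the CIR company's tooling, showing what that check looks like in practice over a few log lines: match hashes case-insensitively, strip the trailing dot that DNS logs add, and treat a domain indicator as covering its subdomains. Every indicator and log line in it is constructed (a reserved .example domain, a TEST-NET-2 address and the hash of an invented string):

```python
"""Check log lines against a set of IOCs (SHA-256 hashes, domains, IPv4 addresses).

Added example, not from the original article. The indicators and log lines
below are constructed for illustration: the domain uses the reserved
'.example' TLD, the address is from the TEST-NET-2 range and the hash is
of an invented payload string.
"""
import hashlib
import re
from typing import Dict, List, Set

SAMPLE_HASH = hashlib.sha256(b"constructed-sample-payload").hexdigest()

# Constructed IOC set, in the shape a CIR company might hand to clients.
IOCS: Dict[str, Set[str]] = {
    "sha256": {SAMPLE_HASH},
    "domain": {"cdn-sync.example"},
    "ipv4":   {"198.51.100.23"},
}

# Constructed log lines from three different sources (DNS, proxy, EDR).
LOG_LINES = [
    "2024-03-04T18:02:11Z dns client=10.20.4.17 query=update.cdn-sync.example. type=A",
    "2024-03-04T18:02:12Z proxy client=10.20.4.17 dst=198.51.100.23:443 bytes=48213",
    "2024-03-04T18:05:40Z edr host=db-prod-07 file=C:\\Temp\\svchost_upd.exe "
    f"sha256={SAMPLE_HASH.upper()}",
    "2024-03-04T18:09:00Z dns client=10.20.4.18 query=www.example.org type=A",
]

PATTERNS = {
    "sha256": re.compile(r"\b[0-9a-f]{64}\b", re.I),
    "ipv4":   re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    # host names: dot-separated labels, optional trailing dot as DNS logs write it
    "domain": re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\.?", re.I),
}


def normalise(kind: str, token: str) -> str:
    """Lower-case everything; drop the trailing dot from fully qualified names."""
    token = token.lower()
    return token.rstrip(".") if kind == "domain" else token


def matches(kind: str, token: str, iocs: Set[str]) -> str:
    """Return the matching IOC, or ''. Domain IOCs also match their subdomains."""
    if token in iocs:
        return token
    if kind == "domain":
        for ioc in iocs:
            if token.endswith("." + ioc):
                return ioc
    return ""


def scan_lines(lines: List[str], iocs: Dict[str, Set[str]]) -> List[dict]:
    """Extract candidate tokens from each line and report those that hit an IOC."""
    hits = []
    for n, line in enumerate(lines, start=1):
        for kind, pattern in PATTERNS.items():
            for token in pattern.findall(line):
                token = normalise(kind, token)
                ioc = matches(kind, token, iocs.get(kind, set()))
                if ioc:
                    hits.append({"line": n, "type": kind, "ioc": ioc, "token": token})
    return hits


if __name__ == "__main__":
    for hit in scan_lines(LOG_LINES, IOCS):
        print(f"line {hit['line']}: {hit['type']} {hit['token']} matches IOC {hit['ioc']}")
```

The normalisation is the part worth copying: an upper-case hash from an EDR, a trailing dot from a DNS resolver, or a subdomain of the indicator domain will all defeat a naive string comparison, and a client that "checks the IOCs" that way comes back clean for the wrong reason.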
38:30 hours
The CISO issues a communication to the 250,000 employees informing them that your organisation is the target of a sophisticated ransomware attack.
42:00 hours
The mainstream IT and cyber security news outlets lead with the ransomware attack story, including wild and imaginative speculation as to how much it will cost and which advanced persistent threat (APT) group or organised crime group (OCG) is responsible. Cyber security experts around the globe remind everyone to be careful.
44:00 hours
The CEO and CISO record a message where they apologise for the issue and offer insights and background into the attack. All clients are encouraged to use the IOCs purely as a precaution. The message is made available to clients with restrictions on further distribution.
45:00 hours
A small number of security researchers and cybersecurity news outlets tweet some of the content from the recorded message.
46:00 hours
Clients start to report back that they have used the IOCs and appear to be clear of any cross-contamination.
96:00 hours
The CEO and CISO record a second message in which they reveal the progress that has been made with the investigation and thank clients for checking their systems and for assisting with the investigation. A representative from the CIR company adds their comments on the investigation and on the usefulness of the IOCs.
192:00 hours
The CEO and CISO record a third and final message where they discuss the root cause of the issue, how they responded and the changes that are going to be made. The message is quite clear that the situation has been resolved.
Reality check
Congratulations if you believe you have this scenario covered. For most CISOs it should hopefully encourage a review of some areas and perhaps a slightly different approach to the problem. The biggest issue we all face is that we work at dynamic, fast-moving organisations where the environment and the people are always changing.
Multi-layered defences, machine-learning-based detection methods and well-rehearsed response procedures are likely to give you a better chance of detecting and dealing with this sort of scenario. You can find a useful checklist in the NCSC's malware and ransomware guide.
Cyber Security is a collective responsibility
I’m George Mudie the Chief Information Security Officer @ ASOS. Outside of the office I enjoy box sets of nordic noir crime thrillers, Mexican cuisine and the works of Iain M. Banks.
Photo by Wout Vanacker on Unsplash