Ransomware's prevalence over the last several years — graduating from a consumer to enterprise destructive attack technique — has been enough to influence corporate security strategies. CISOs have to argue for the stages of restoration. Not all data is treated equally.
Ransomware is considered destructive malware because it makes machines useless, said Mike Towers, CISO at Takeda Pharmaceuticals, while speaking on a panel during Druva's virtual Cloud Data Protection Summit on Tuesday.
Availability and continuity are the primary risk focuses at Takeda. "In biopharmaceuticals, historically, intellectual property protections have been the top issue," said Towers. "This shifts the goalposts a little bit to focus more on what can't go down from an operational perspective."
Before ransomware added data exfiltration to its repertoire, it was "you get encrypted, if you have a good backup, you recover from backup, and you move on with life," said Shaun Marion, CISO at Republic Services, on the panel. Reporting to watchdogs, adhering to payment card industry regulations, or potential fines are all added to the response plan.
If an outage does occur, companies need to understand what requires restoration first.
"The attacker is really only after data," said Marion. But "I'm not going to treat it all the same, I'm not going to use the same control subsystems I may not backup ever, because I don't care if I lose the data."
This year the CISO role in identifying where critical assets are was amplified, according to Jason Lee, CISO at Zoom, on the panel. It's preparation for worst-case scenarios.
Only 55% of organizations have offline backups in place, according to a Veritas survey. But organizations with three or more copies of their data are able to restore upwards of 90% of their lost information from a ransomware attack.
Backups, when done methodically, are a means for employees to resume working while core systems are still being restored. Production data relies on versioning, which can be "rolled back and immediately back online," followed by HED's support systems, which will take longer to restore, said Marshall O'Keefe, Corporate Technology Leader at Harley Ellis Devereaux (HED), on the panel. It's an approach to prevent further unlawful intrusions.
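The versioned, roll-back-ready production data O'Keefe describes is the core of what a content-addressed snapshot store provides. The following is an added illustration, not HED's or Druva's tooling: an append-only store where every file is kept under its SHA-256 digest and each snapshot is an integrity-checked manifest, so an encrypted working tree can be verified and rolled back, with any files that were not in the snapshot (a ransom note, for instance) moved to a quarantine directory rather than deleted, preserving them for the investigation. The sample tree, the scrambling of its files and the `demo()` helper are constructed for the example.

```python
"""Versioned snapshot store with integrity-checked rollback (added example)."""
import hashlib
import json
import os
import shutil
import tempfile
import time
from pathlib import Path


def _sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


class SnapshotStore:
    """Append-only, content-addressed backup store.

    Each snapshot is a manifest mapping relative paths to SHA-256 digests; file
    contents are stored once under their digest and never overwritten, so a
    snapshot cannot be silently replaced by a later (possibly encrypted) copy.
    """

    def __init__(self, root: Path):
        self.objects = Path(root) / "objects"
        self.manifests = Path(root) / "manifests"
        self.objects.mkdir(parents=True, exist_ok=True)
        self.manifests.mkdir(parents=True, exist_ok=True)

    def snapshot(self, tree: Path, label: str) -> str:
        """Record the current state of `tree`; returns the manifest id (its digest)."""
        tree = Path(tree)
        files = {}
        for path in sorted(p for p in tree.rglob("*") if p.is_file()):
            data = path.read_bytes()
            digest = _sha256(data)
            obj = self.objects / digest
            if not obj.exists():  # append-only: an existing object is never rewritten
                obj.write_bytes(data)
            files[str(path.relative_to(tree))] = digest
        body = json.dumps({"label": label, "time": time.time(), "files": files},
                          sort_keys=True).encode()
        mid = _sha256(body)
        (self.manifests / mid).write_bytes(body)
        return mid

    def _load(self, manifest_id: str) -> dict:
        body = (self.manifests / manifest_id).read_bytes()
        if _sha256(body) != manifest_id:  # the id is the manifest's own digest
            raise RuntimeError("manifest has been altered")
        return json.loads(body)

    def verify(self, manifest_id: str) -> list[str]:
        """Paths whose stored object is missing or fails its digest check."""
        files = self._load(manifest_id)["files"]
        return [rel for rel, digest in files.items()
                if not (self.objects / digest).exists()
                or _sha256((self.objects / digest).read_bytes()) != digest]

    def changed_files(self, manifest_id: str, tree: Path) -> list[str]:
        """Paths in the working tree that no longer match the snapshot."""
        files = self._load(manifest_id)["files"]
        tree = Path(tree)
        return [rel for rel, digest in files.items()
                if not (tree / rel).exists()
                or _sha256((tree / rel).read_bytes()) != digest]

    def restore(self, manifest_id: str, tree: Path, quarantine: Path) -> int:
        """Roll `tree` back to the snapshot; returns the number of files restored.

        Files present in the tree but absent from the snapshot are moved to
        `quarantine` rather than deleted, so evidence survives the rollback.
        """
        if self.verify(manifest_id):
            raise RuntimeError("snapshot failed integrity check; do not restore from it")
        files = self._load(manifest_id)["files"]
        tree, quarantine = Path(tree), Path(quarantine)
        for p in [p for p in tree.rglob("*") if p.is_file()]:
            rel = p.relative_to(tree)
            if str(rel) not in files:
                (quarantine / rel).parent.mkdir(parents=True, exist_ok=True)
                shutil.move(str(p), str(quarantine / rel))
        for rel, digest in files.items():
            (tree / rel).parent.mkdir(parents=True, exist_ok=True)
            shutil.copyfile(self.objects / digest, tree / rel)
        return len(files)


def demo() -> dict:
    """Constructed scenario: snapshot a tree, scramble it, roll it back."""
    with tempfile.TemporaryDirectory() as tmp:
        tree = Path(tmp) / "projects"
        (tree / "drawings").mkdir(parents=True)
        (tree / "drawings" / "a.dwg").write_bytes(b"plan A")
        (tree / "notes.txt").write_bytes(b"meeting notes")
        store = SnapshotStore(Path(tmp) / "backup")
        mid = store.snapshot(tree, "nightly")
        # Constructed stand-in for file encryption: overwrite every file, add a note.
        for p in [p for p in tree.rglob("*") if p.is_file()]:
            p.write_bytes(os.urandom(16))
        (tree / "README_DECRYPT.txt").write_bytes(b"constructed note")
        changed = len(store.changed_files(mid, tree))
        restored = store.restore(mid, tree, Path(tmp) / "quarantine")
        return {
            "changed": changed,
            "restored": restored,
            "clean": store.changed_files(mid, tree) == [],
            "note_quarantined": (Path(tmp) / "quarantine" / "README_DECRYPT.txt").exists(),
            "plan_a": (tree / "drawings" / "a.dwg").read_bytes(),
        }
```

`changed_files()` doubles as a cheap early warning: a nightly run that reports nearly every file as changed is the kind of mass-modification signal worth alerting on before the support-system tier is touched. The store's own integrity check runs before any restore, so a damaged or tampered snapshot is refused rather than written back over production.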
What to fight for
Ransomware has a particularly strong influence on corporate global supply chains. "Organizations are more interconnected than they've ever been in the past and I think many organizations have taken a more insular approach to their security strategy," said Dave Estlick, VP & CISO at Chipotle, on the panel.
Manufacturers and service providers are hit the hardest by ransomware, according to Beazley Breach Response Services. "How are you adding that to your overall pyramid strategy, your third-party risk management platforms?" said Estlick. "We're starting to see third parties suffer impacts from ransomware, whether they're actually part of our digital supply chain or not."
Speaking with new companies and startups, Drew Daniels, CISO at Druva, found "they weren't paranoid enough" with their third-party vendor management, particularly with the cloud, he said during the panel. Organizations assume their partnership with their cloud provider offers more security than it actually does.
But Daniels tells these newer companies that cloud security management is still their responsibility.
When sharing information with peers, O'Keefe found that breaking down the dwell time in a ransomware attack indicates a strain's strategy, which could change containment practices.
"Are they using your finely-tuned systems that you use for deployments against you? That would be the first place I look," he said. O'Keefe doesn't want to "start cleaning stuff" just to have it start "breaking behind me."
But CISOs aren't in the technology business, according to Towers. CISOs are in risk mitigation, which is meant to "force business leaders into tough priority decisions," he said. It's difficult for CISOs to argue for a triaged restoration plan or for technology best suited for prevention.
"I would far rather have something that's not as good capably if I had wider coverage," said Towers. "Don't be good at explaining what you could do if you had more resources. Become an expert explaining exactly what you can do with the resource you have."
Employee awareness is often a cheap alternative to adding technological solutions. During a post-mortem investigation, companies need to ensure that whatever logging their endpoint or malware protection solution offers has been turned on. "You're going to need it for patient zero epidemiology in your investigation," said Towers.
Estlick turns reports of ransomware campaigns seen elsewhere into self-inflicted phishing campaigns inside his own organization. The practice is meant to "pre-sensitize" the organization so employees know, "you may see this in another industry vertical, before it actually hits our vertical," he said.
If people "have seen the issue, and got the 'in the moment' training for that, they're less likely to fall for the real campaign that may follow in a week or two," said Estlick.
Correction: This article has been updated to reflect Drew Daniels is the CISO of Druva.