Fri, Mar 19, 2021

The 2021 Ransomware Landscape for Risk Managers (Q&A)

David Klopp, who served as a managing director in Kroll’s Cyber Risk practice from 2018 to 2022, spoke at the Pan-Asia Risk & Insurance Management Association’s Confident Response Series 2021. The series aims to fine-tune incident response preparedness and help risk managers understand the latest tactics, techniques and procedures from the most successful cybercriminals, leading to deeper collaboration with business partners and mitigation of technical, legal and reputational risks. 

The first session titled, “Ransomware Untangled,” dove into the realities of responding to a ransomware attack and was held in collaboration with cyber insurance expert Andrew Taylor from Chubb. Together, David and Andrew covered the ramifications from data theft and extortion schemes, the challenges of a third-party attack reaching a firm, and the efficacy of ransomware preparedness assessments. 

The full session is available to PARIMA members, but we have captured some of the crucial Q&A from the session here:

Q: What are some of the most appalling mistakes that you've seen clients make after ransomware incidents and things that risk managers should look to avoid doing?

David: Right after a ransomware event happens, businesses generally think about how to restore the data immediately, by doing so, they generally lose valuable digital evidence. Incident responders should get engaged straight away in order to start preserving digital evidence that will help understand how the attack was executed. Evidence is often lost in the process of restoring. 

The other part is when the crisis management team is unable to remain calm, they end up creating another crisis. Finally, when it comes to regulatory reporting, ensure you are reporting at the right time. If clients report too early, they unnecessarily start a very strict timeline to adhere to, which adds to the crisis.

Q: So, when you talk about remaining calm, I guess that's also incredibly important in these situations, do you think that comes down to the preparedness in the organization? 

David: Preparing, doing simulations and tabletop exercises are extremely helpful in remaining calm. When we test policies, procedures, the escalation call tree, what we’re really checking is, whether it is going to work, and if the right messaging is getting across to all the parties. When an incident happens, it’s not just an IT problem, it’s a business problem. This then boils over to involve the executive level team, legal team, communications team, etc. Risk managers are generally better suited to take the central lead for understanding the overall incident risk as IT or the internal cyber security team would primarily look at the incident with a more technical lens. 

Andrew: From an insurer’s perspective, we’re seeing a shift in mindset among companies - from perceiving cyber incidents as only an IT issue to wanting to create a framework around cyber incidents and response. Organizations that do not have a centralized response process are generally less prepared to respond, which can lead to internal chaos. It is also important to take a stance upfront about making ransom payments as it helps create a more focused and immediate mitigation response, which is typically better and more cost efficient.

Q: Regarding attacks that gain entry through VPN, if we use a third party, how do we ensure their controls are safe, or do we demand more pen testing or risk control reports?

David: If you're in the early stages of engaging a third party, require them to allow you to do a cyber risk assessment as part of your due diligence. Part of that risk assessment would be looking at their current controls. It may also involve an external vulnerability scan of the third party’s environment to see if they have any glaring gaps in their security at this point. And then when crafting this contract with a third party, you’re able to factor in the risk exposure and ensuring that the third party will keep up the security controls as well as cooperate with any incident investigation.

Q: Over the last 12 months, of course, it goes without saying that pretty much everyone's been working from home and relying on more technology. So, have you seen any differences or any increase in cyber events, etc.? Have you seen a shift in any way, given obviously, the increase in reliance on technology?

Andrew: Looking at the various reports from cyber security firms, the cyber events seem to be always increasing and so is the threat We are seeing governments changing legislation to force organizations around the world to make public when they've been breached or have lost confidential information. Even with increased legislation, there's still a sense of reluctance or embarrassment among organizations that have been compromised to disclose the incident openly and quickly.

David: And I think from an attack vector perspective, I mean, we continue to see phishing as the number one attack vector, which will mean the next part of your series about email controls is going to be very appropriate to trying to reduce that risk. But definitely within the last year, we saw a shift to focusing a lot on remote access technologies as more and more workers were forced to work from home. So, yes there was a bit of a shift there.

Q: Do you think that as an industry, whether it's risk managers, insurers, etc., we've done a better job of closing that gap over the last couple of years? Or do you think that gap is still there and we're always just sort of trying to run towards it?

David: The attackers continue to adapt. They find new holes that aren't patched yet, and they exploit them immediately. So, it’s always a moving target. A key change has been—there's a lot more attention on this now. 

Andrew: I would agree. I think we've seen some very large movements towards greater cyber resilience, but we're still not seeing the shift completely for organizations to build an internal governance structure, and actually owning this enterprise-wide issue. To David's point, we're seeing attackers constantly evolve and look for new ways to compromise networks or gain more money out of the attacks. While the industry is playing a little bit of a catch-up game, I think it’s no different from many other risks that we face. As technology advances, we need to also change the way we apply risk management principles to manage those exposures. So, we're getting better and we are slowly catching up, but sometimes it feels like we are playing whack-a-mole with threat actors as we continue to uncover new compromises and new attack strategies.

Untangling Ransomware

As threat actors continue to attack businesses with ransomware at an alarming rate, the increasing value of having a solid incident response (IR) plan that’s periodically tested cannot be overstated. Companies must be ready to act swiftly and decisively to detect the threat, respond and recover while limiting business impact and reputational risk. A third-party assessment of your IR plan can ensure all necessary roles, responsibilities, protocols, communication plans and documentation have been accounted for, and regular tabletop exercises not only test if the plan works, but also give your teams the practice necessary to be comfortable during a real crisis. In addition, deploying security solutions in your environment such as a managed detection and response (MDR) service can greatly reduce the risk of ransomware by identifying an attack in early stages before data encryption begins.

In the unfortunate event you are faced with a ransomware incident, Kroll has outlined best practices for ransomware recovery, including details on system isolation, evidence preservation, backup restoration and law enforcement reporting.

This article was originally published by PARIMA.

24x7 Incident Response

Kroll is the largest global IR provider with experienced responders who can handle the entire security incident lifecycle.

Incident Response Tabletop Exercises

Kroll’s field-proven incident response tabletop exercise scenarios are customized to test all aspects of your response plan and mature your program.

Incident Response Plan Development

You learn today that your organization is facing some kind of cyber incident. Could be ransomware, highjacked O365 email account, PII or PHI exfiltrated, misconfigured network settings exposing data, etc. What do you do first?