Blog / How good is your ransomware plan?
In case you haven’t heard about it, the Colonial pipeline was recently shut down by a ransomware attack. The Colonial is a massive pipeline that stretches from Texas, over to the east coast of US, and then heads north up to Jersey. Details are sparse. Other than the fact that the pipeline has been shutdown to prevent further spread of the ransomware, the only other detail that’s been released is that the hacker group DarkSide was behind it.
It sounds weird coming from a group of malicious hackers, but DarkSide has actually issued an apology (of sorts) on their website. Apparently they’re only goal is to make money, not cause problems for society. They promised to do a better job of evaluating their targets, and the targets of their affiliate program (yes, these people actually rent out their software and infrastructure). They are a business after all, and they plan to be in business for the long haul.
That’s the situation anyway, for better or worse. Now the thing is, DarkSide was able to get into the network of Colonial and cause a great deal of disruption, but they also did it without being detected. Clearly they’re an advanced and savvy organization, so the immediate question you should be asking yourself in this situation is “how good do you think your defenses are in comparison to what Colonial had?”
DarkSide has made it clear that they’re not aiming for targets that will cause problems for people, so hopefully hospitals and health care organizations, big governments offices (but maybe not small ones), and places that would impact a lot of other people if they were taken offline to deal with a Ransomware issue won’t be hit in the future. Those limits are fairly loose and open to interpretation, but at the end of the day most organizations are still reasonable targets. So how easily could your own defenses be bypassed, and would you have any real chance of detecting an attack like this?
Unfortunately, details about how the attack was accomplished have not been released. This is why I strongly advocate that ransomware victims should be honest and open about what happened. Making information like that public helps other organizations strengthen their own defenses against ransomware, and only hinders the attackers.
So, what exactly is your plan for dealing with ransomware? Do you even have one?
Most of the organizations I’ve performed security audits on didn’t have any formal (or even informal) ransomware infection plan, and very few have ever bothered to do a business impact analysis (BIA). This means that in the event of a ransomware outbreak, no one would really know what the potential impact could actually be on the organization. That’s not a very good position to be in if you ask me.
I recommend two things:
#1) Create a Business Impact Analysis
A BIA is just a report where you go through your entire business and infrastructure to determine how your assets are connected and interconnected, and what would happen if specific items failed. A good impact analysis gives you an accurate picture of how various parts of your organization work together.
#2) Create a ransomware disaster recovery plan
Come up with a specific plan for dealing with a serious ransomware infection in your organization. Assume a total-infection scenario and build your recovery plan to deal with it in phases. In the event of an actual infection, you’ll not only be ready but will allow you to use only the portions of the plan that are necessary and appropriate to the situation.
With a BIA you can setup useful and appropriate safeguards for the truly critical aspects of your organization. Combined with a disaster recovery plan, you can allocate appropriate resources to the problem. Being aware of you weaknesses is an important step in protecting yourself. Ransomware is a very real threat so having a plan for dealing with it is a must.
To close out this week’s letter, I’ll take a line from Shakespeare’s play ‘The Tempest’ in Act 2 scene 1 where we learn that “What’s past is prologue.” Don’t let what happened to Colonial be an omen of what’s to come for you.
If you have any questions about ransomware defenses, please reach out to your TRINUS Account Manager for some stress-free IT.
By Kind, Courtesy of Your Friendly Neighbourhood Cyber-Man.