Amidst all of the ransomware attacks, it is evident that organizations need to assume it is not a question of if they will be hit by such threats, but when.
Tabletop exercises are necessary, but more comprehensive testing, such as actually rehearsing the recovery procedures rather than only talking through them, would be prudent as well.
Showing posts with label ransomware.
Wednesday, June 28, 2017
Monday, May 15, 2017
Ransomware & Incident Response: Thoughts from WannaCry, WannaCry2, & WannaCrypt0r
Lots of content has been created on detecting and dealing with ransomware; however, these past few days have seen a flurry of different attacks and thus warrant some specific after-action reports (AARs).
So, here are some observations / thoughts / notes:
- Many orgs do not have the budget for the controls that would ward off ransomware, including:
  - Advanced threat protection (ATP) via EDR (endpoint detection and response), UBA / UEBA (user and entity behavior analytics), and UTM / NGFW / NGIPS / NGIDS (unified threat management and next-generation firewall / IPS / IDS)
  - Virtualization to segment legacy tech: SDN, SDS (software-defined networking and storage), hyperconvergence
  - SIEM and threat intelligence (TI)
- SETA (security education, training and awareness) and CSIRT awareness notifications were slow and ineffective
- Close the patching gap. No more excuses.
- We'll see this level of pandemic / infestation again; this is just the start.
So, folks will see this level of attack again, and it's up to them to be proactive and respond accordingly.
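The list above names EDR, UEBA and SIEM as the controls many orgs cannot afford. As an added example (not code from the original post), here is the kind of behavioral rule those products apply to file-activity telemetry: one process changing the extension of many files across many directories inside a short window, which is what an encryption run looks like from the file system's point of view. The log format, the host and process names and every event are constructed for the example; thresholds are illustrative and would need tuning against real telemetry.

```python
"""Behavioral detection of ransomware-like mass file renames (added example).

Runs a sliding-window rule over constructed file-event lines: a (host, process)
pair that renames at least MIN_RENAMES files to a different extension, spread
over at least MIN_DIRS directories, within WINDOW seconds raises one alert.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta
from pathlib import PurePosixPath

# Constructed log: "<iso-utc-ts> <host> <process> <action> <src> <dst>".
# ws01 shows ordinary editing (same extension, or a single temp-file rename);
# ws02 shows one process renaming files in four directories to ".locked".
SAMPLE_LOG = """\
2017-05-12T09:00:01Z ws01 winword.exe rename /home/alice/docs/q1.docx /home/alice/docs/q1-final.docx
2017-05-12T09:00:05Z ws01 explorer.exe rename /home/alice/pics/a.jpg /home/alice/pics/b.jpg
2017-05-12T09:00:09Z ws01 winword.exe rename /home/alice/docs/~tmp1.tmp /home/alice/docs/q2.docx
2017-05-12T09:01:00Z ws02 encryptor.exe rename /srv/share/fin/a.xlsx /srv/share/fin/a.xlsx.locked
2017-05-12T09:01:01Z ws02 encryptor.exe rename /srv/share/fin/b.xlsx /srv/share/fin/b.xlsx.locked
2017-05-12T09:01:02Z ws02 encryptor.exe rename /srv/share/fin/c.docx /srv/share/fin/c.docx.locked
2017-05-12T09:01:03Z ws02 encryptor.exe rename /srv/share/hr/d.pdf /srv/share/hr/d.pdf.locked
2017-05-12T09:01:04Z ws02 encryptor.exe rename /srv/share/hr/e.pdf /srv/share/hr/e.pdf.locked
2017-05-12T09:01:05Z ws02 encryptor.exe rename /srv/share/hr/f.docx /srv/share/hr/f.docx.locked
2017-05-12T09:01:06Z ws02 encryptor.exe rename /srv/share/eng/g.dwg /srv/share/eng/g.dwg.locked
2017-05-12T09:01:07Z ws02 encryptor.exe rename /srv/share/eng/h.dwg /srv/share/eng/h.dwg.locked
2017-05-12T09:01:08Z ws02 encryptor.exe rename /srv/share/eng/i.txt /srv/share/eng/i.txt.locked
2017-05-12T09:01:09Z ws02 encryptor.exe rename /srv/share/legal/j.docx /srv/share/legal/j.docx.locked
2017-05-12T09:01:10Z ws02 encryptor.exe rename /srv/share/legal/k.docx /srv/share/legal/k.docx.locked
"""

WINDOW = timedelta(seconds=60)   # sliding window per (host, process)
MIN_RENAMES = 10                 # extension-changing renames inside the window
MIN_DIRS = 3                     # spread over at least this many directories


def parse_event(line):
    """Split one constructed log line into a dict; timestamps are UTC ISO-8601."""
    ts, host, proc, action, src, dst = line.split()
    return {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "host": host, "proc": proc, "action": action, "src": src, "dst": dst}


def ext_changed(src, dst):
    """True when the rename gives the file a different (or an additional) extension."""
    return PurePosixPath(src).suffix != PurePosixPath(dst).suffix


def detect(lines, window=WINDOW, min_renames=MIN_RENAMES, min_dirs=MIN_DIRS):
    """Return {(host, process): alert} for actors whose extension-changing renames
    inside `window` reach both thresholds. One alert per actor, recorded at the
    moment the thresholds are first crossed."""
    recent = defaultdict(deque)   # (host, proc) -> deque of (ts, directory, new_ext)
    alerts = {}
    for line in lines:
        line = line.strip()
        if not line:
            continue
        ev = parse_event(line)
        if ev["action"] != "rename" or not ext_changed(ev["src"], ev["dst"]):
            continue            # same-extension renames never count
        key = (ev["host"], ev["proc"])
        dst = PurePosixPath(ev["dst"])
        q = recent[key]
        q.append((ev["ts"], str(dst.parent), dst.suffix))
        while q and ev["ts"] - q[0][0] > window:   # expire events older than the window
            q.popleft()
        dirs = {d for _, d, _ in q}
        if key not in alerts and len(q) >= min_renames and len(dirs) >= min_dirs:
            alerts[key] = {
                "first_seen": q[0][0],
                "triggered_at": ev["ts"],
                "renames": len(q),
                "dirs": sorted(dirs),
                "new_exts": sorted({e for _, _, e in q}),
            }
    return alerts


if __name__ == "__main__":
    for (host, proc), a in detect(SAMPLE_LOG.splitlines()).items():
        print(f"ALERT {host} {proc}: {a['renames']} renames to {a['new_exts']} across "
              f"{len(a['dirs'])} dirs, {a['first_seen']:%H:%M:%S} to {a['triggered_at']:%H:%M:%S}")
```

The single temp-file rename on ws01 changes an extension but never reaches the thresholds, which is the point of requiring both volume and directory spread: a user saving a document looks nothing like a process sweeping a share. In a SIEM the same logic would be a correlation search keyed on host and process over the file-audit source.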
Labels: ATP, CSIRT, EDR, infestation, NGFW, NGIDS, NGIPS, pandemic, ransomware, SDN, SDS, SETA, UBA, UEBA, UTM, virtualization, wannacry, wannacry2, wannacrypto
Monday, March 6, 2017
Ransomware Response: A Service Continuity Challenge
While many security solutions (e.g., CASB, ATP, MTD, DMARC/SPF, EDR) aim to catch malware and ransomware before it executes, isn't the response to a ransomware incident really a service continuity challenge?
With proper RPO (recovery point objective) terms, as well as tested BCP/DR procedures, ransomware response should be relatively painless, provided the backups themselves sit where the ransomware cannot reach them and the restore has actually been rehearsed, not just documented. The real concern is your ecosystem, as many third parties won't have the same BCP/DR governance as a large enterprise.
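To make the RPO argument above concrete, here is an added example (not code from the original post) of how the restore point gets chosen after an incident. The usable snapshot is the newest one that both predates the compromise, with a margin for undetected dwell time, and sits where the attacker could not alter it; the data-loss window is measured from that snapshot, not from the last scheduled backup, so the effective RPO under ransomware can be far worse than the one on paper. The snapshot inventory, field names and incident time are constructed.

```python
"""Choosing a clean restore point after a ransomware incident (added example).

select_restore_point() walks the snapshot inventory newest-first, discards
copies taken after the assumed start of the intrusion and copies the attacker
could have modified, then compares the resulting loss window with the RPO.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import List, Optional


@dataclass(frozen=True)
class Snapshot:
    taken: datetime
    immutable: bool        # offline / WORM copy that credentials on infected hosts cannot modify
    restore_tested: bool   # a full restore from this copy has been rehearsed


@dataclass
class RestorePlan:
    chosen: Optional[Snapshot]
    data_loss: Optional[timedelta]   # first_indicator - chosen.taken
    meets_rpo: bool
    notes: List[str] = field(default_factory=list)


def select_restore_point(snapshots, first_indicator, rpo, dwell_margin=timedelta(hours=24)):
    """Pick the newest trustworthy snapshot and check its loss window against the RPO.

    first_indicator: earliest evidence of compromise from the investigation.
    dwell_margin:    how much earlier than that evidence the intrusion is assumed to start.
    """
    cutoff = first_indicator - dwell_margin
    notes = []
    candidates = []
    for s in sorted(snapshots, key=lambda snap: snap.taken, reverse=True):
        stamp = f"{s.taken:%Y-%m-%d %H:%M}"
        if s.taken > cutoff:
            notes.append(f"{stamp}: taken after cutoff {cutoff:%Y-%m-%d %H:%M}; "
                         "may already hold encrypted or staged files")
        elif not s.immutable:
            notes.append(f"{stamp}: mutable copy reachable from the compromised environment; not trusted")
        else:
            if not s.restore_tested:
                notes.append(f"{stamp}: usable, but a restore from it has never been rehearsed")
            candidates.append(s)
    if not candidates:
        notes.append("no trustworthy pre-compromise snapshot exists")
        return RestorePlan(None, None, False, notes)
    chosen = candidates[0]
    loss = first_indicator - chosen.taken
    if loss > rpo:
        notes.append(f"effective loss window {loss} exceeds RPO {rpo}")
    return RestorePlan(chosen, loss, loss <= rpo, notes)


# Constructed inventory: nightly backups land on a mounted share (mutable);
# an offline copy is only taken every few days.
SNAPSHOTS = [
    Snapshot(datetime(2017, 5, 12, 6, 0), immutable=False, restore_tested=True),
    Snapshot(datetime(2017, 5, 11, 6, 0), immutable=False, restore_tested=True),
    Snapshot(datetime(2017, 5, 10, 6, 0), immutable=True, restore_tested=True),
    Snapshot(datetime(2017, 5, 3, 6, 0), immutable=True, restore_tested=False),
]
FIRST_INDICATOR = datetime(2017, 5, 12, 10, 30)   # constructed: first encrypted file observed
RPO = timedelta(hours=24)                          # constructed: the agreed RPO

if __name__ == "__main__":
    plan = select_restore_point(SNAPSHOTS, FIRST_INDICATOR, RPO)
    print("restore from:", plan.chosen.taken if plan.chosen else None)
    print("data loss:", plan.data_loss, "| meets RPO:", plan.meets_rpo)
    for n in plan.notes:
        print(" -", n)
```

With the constructed inventory the nightly backups satisfy a 24-hour RPO on paper, but the only copy that is both pre-compromise and out of the attacker's reach is two days old, so the plan reports a loss window of about 52 hours and a missed RPO. Making the nightly copy immutable (and trusting the first indicator with no dwell margin) is what brings the window back inside the objective, which is the kind of gap a restore drill surfaces and a tabletop usually does not.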