Guest Post: POV of Two Companies During and After a Cyberattack

Cybersecurity Awareness Month

Nick Stello of the GlobalCyberConsortium shares scenarios and cyber-readiness tips for businesses.

Nick Stello, a member of the GlobalCyberConsortium, is senior vice president of information technology at Vornado Realty Trust.

October is Cybersecurity Awareness Month, and the Security Industry Association (SIA) Cybersecurity Advisory Board is marking the occasion with a series of helpful content, tips and guidance on key cybersecurity topics. As part of the advisory board’s work with stakeholders and efforts to increase cybersecurity awareness across our industry, we reached out to the GlobalCyberConsortium to highlight some of the group’s guidance. In this guest post on behalf of the GlobalCyberConsortium, Nick Stello, senior vice president of information technology at Vornado Realty Trust and consortium member, shares two potential scenarios for companies targeted by cyberattacks and tips for cyber-readiness.

The Infection

It’s a typical early morning at the office. People trickling into work, cups of coffee being brewed and the occasional water cooler talk about how the New York Jets are going to be better this year than last. Hope springs eternal.

Although the day is starting out like many others, it will take a turn that brings a mix of concern, frustration and outright fear to many who work at this publicly traded company. The concern will be felt throughout the organization, but by none more so than the executives, who now realize the potential harm (both monetary and reputational) that this event can inflict.

The first call comes into the IT help desk…

“Good morning, this is Anthony from the Help Desk. How may I help you?”

“Hello Anthony, this is Laura. My PC is acting up. It seems that I can’t access my files or really do anything on my PC at all. It appears to be completely frozen.”

“Ok, let me remote into your computer to see what’s going on.”

Anthony is having difficulty accessing Laura’s PC.

“Something isn’t right,” Anthony says quietly as he stares at his screen, trying to understand the issue.

Laura continues: “I also had a strange request earlier from my dual-factor authenticator to approve access for an application that I am not currently trying to access, so I just ignored it.”

Anthony, still focused on reaching Laura’s PC, has yet to connect the dots until Laura delivers the fait accompli:

“Oh, and I have a popup message that says all of my files have been encrypted and data has been stolen.”

Patient zero has just been identified.

Two Companies/Two Outcomes

Two fictitious companies will face the same attack. Company Alpha has recognized the importance of a sound cyber defense and, to that end, has focused on achieving and maintaining a sensible defensive plan and response. Alpha has worked with multiple external vendors on both defensive and offensive engagements and has engaged senior leadership in the subject.

Company Beta believes its defenses are adequate, based primarily on the false belief that it is too small or unimportant to be a target of ransomware. Beta has an array of basic, aging defenses that look adequate and that it believes will protect it from an attack. Its plans for responding to an attack are improvised and informal and assume a breach would be promptly remediated. Beta has had no discussions with senior leadership about the business impact a ransomware attack could cause or how to handle the myriad issues it would face.

Cyber-Readiness: Company Alpha

  • Advanced endpoint detection and response (EDR)
  • Outsourced managed detection and response (MDR) service
  • Outsourced ransomware negotiation team
  • Established cybersecurity incident response plan including senior executives
  • Annual penetration and red team testing
  • Vulnerability reporting and patching
  • Consistent software patching
  • Dual-factor access (DFA), i.e., multi-factor authentication, for remote access, sensitive systems and privileged accounts
  • Employee cyber training

Cyber-Readiness: Company Beta

  • Antivirus software
  • Occasional penetration testing
  • Vulnerability reporting
  • Software patching

While there are no assurances that even the best cyber defense can stop every attack, Company Alpha is clearly better prepared for both the attack and the response. Let’s see how each handles the attack.

First stage: Delivery

Company Alpha

Just earlier in the day, access to the company’s network was compromised by an unsuspecting user who opened a malicious email and downloaded its payload.

Company Alpha’s advanced EDR immediately detects malicious activity on a PC. Because Alpha’s MDR service is tightly integrated with the EDR product via an API and receives its detailed endpoint telemetry, the MDR follows Company Alpha’s playbook: it immediately isolates the PC from the network and contacts Alpha’s internal IT contact. Further investigation and close collaboration between the two parties begin.

Company Beta

Months earlier, access to the company’s network was compromised by an unsuspecting user who opened a malicious email and downloaded its payload.

Company Beta’s signature-based antivirus software is no match for the evasiveness of today’s malware. Its failure to detect this initial foothold allows the malware to spread throughout the network.

Second stage: Command and Control

Company Alpha

An attempt to establish a communication channel back to the attacker is blocked because the MDR has isolated the PC from the network. No further action is available to the attacker.

  • Note: Because Alpha was alerted to the malware’s presence, it took immediate action to stop further infection and spread. For the purposes of illustration, we will assume that the malware propagates faster than Alpha can detect and respond, so that we can observe Alpha’s cyber readiness and response in action.

Company Beta

A command-and-control channel back to the attacker is established, and additional malware is downloaded.

Third stage: Credential Access

Still undetected, the malware continues to set the stage for the attack by stealing credentials and using them to gain access to more accounts and systems across the network, from which data will be exfiltrated.

Fourth stage: Search and Encrypt

The ransomware searches for files to encrypt, both locally and on any network share it can reach.

Fifth stage: Extortion

Data exfiltration and further encryption are progressing. The ransomware group demands payment for the decryption keys.

Meanwhile, back at the help desk…

Anthony fails to remote into Laura’s computer while a cascade of calls envelops the IT call center. The second and third calls come in in quick succession, all reporting the same inability to access files.

Anthony immediately contacts his supervisor, who is already fielding direct calls for the same. The IT manager knows that this is a serious issue and contacts his supervisor, the vice president of IT. The VP gets the information and quickly attempts to browse the network only to confirm her worst fears. It’s a ransomware attack.

Gathering the team

Company Alpha

Team members are called to gather, and the cybersecurity incident response plan (“CSIRP”) is set in motion. The members, drawn from IT, legal, marketing and specific department heads, are quickly assembled in the large conference room; the team exists to bring a coherent and measured response to the apparent breach. They share responsibility for directing the preparation, detection, analysis, containment, eradication and recovery phases of this incident. They also contact their local FBI cyber agent to report the attack.

Company Beta

Their IT VP gathers her team to discuss what is known about the infection. While all are familiar with the devastating effects of a ransomware attack, none have ever trained for one or faced a real-life situation like this. As the team meets, they discuss the belief that acting quickly to quarantine the known PC and other infected resources may thwart the attack. They will come to realize that they have been infected for several months and that all the encryption, data exfiltration and account compromise was completed long ago. In their immediate window, there is nothing from an IT operations point of view they can do to avert disaster – they just don’t know it yet.

Understanding the infection

Company Alpha

The CSIRP team needs to understand the current malware and its potential effects so that they can better manage the incident. To that end, they patch their MDR team into the conference room’s audio to discuss the latest findings on the degree of infection, spread and potential data exfiltration. The initial findings show that further infection and lateral spread have occurred, but at the moment there are no definitive results on the operational impact to systems.

They know several PCs have their local files encrypted and will continue to work closely and reconvene with updated information.

Alpha adds their outside partner to the call. The partner’s specialty is identifying both the group behind the attack and the specifics of the malware involved; their job is, in effect, to extract as much information as possible from the attackers themselves. They will communicate and “negotiate” with the attackers to buy time while the IT and MDR staff continue to assess the state of the infection. To the trained eye, the ransom note itself carries tell-tale clues: which ransomware family is involved, how likely the group is to actually provide a working decryption key if the ransom is paid, and the approximate “discount” that group typically accepts. While paying a ransom is not something Alpha plans to do, the negotiators continue to play along with the attackers’ demands while the internal review continues. The investigation and subsequent communication begin as the negotiation team reaches out through the channel named in the ransom note, posing as an Alpha employee.

Meanwhile, Alpha’s CSIRP team is quietly confident that their in-place safeguards will limit major damage. Their requirement of dual-factor access for remote network access, for on-network access to sensitive systems (backups, payroll, etc.) and for every account with elevated network rights will prove invaluable in limiting the effects of this breach. While little else is currently known, an initial system review has shown that critical systems are operational and seemingly untouched by the infection while more detailed examinations continue. While encouraging, they know from previous training exercises that there are more landmines to unearth and navigate before they can rest.

They also perform a detailed review of logs with their MDR to confirm containment of the malware, looking for the behaviours seen in the earlier stages (ignored MFA prompts, bursts of file encryption, one host authenticating to many others). All remote access to the network is temporarily disabled.
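The kind of log review described above, written out as an added example (this is not code from the original post, from the author or from any MDR product). It runs three containment checks over constructed key=value log lines: repeated ignored MFA pushes for one user (the prompt Laura dismissed), a burst of file renames to a single new extension on one host (the encryption stage), and one host making network logons to many others inside a short window (credential access and lateral movement). The log format, field names and thresholds are assumptions chosen for the example; a real review would map them onto the EDR’s and domain controllers’ own event fields.

```python
"""Containment checks over constructed log lines for the behaviours in the scenario:
MFA push fatigue, an encryption burst on one host, and one host logging on to many
others. Added example; the log format and field names are assumptions, not a vendor's."""
from collections import defaultdict
from datetime import datetime, timedelta

_BASE = datetime(2024, 10, 1, 7, 58, 0)  # constructed start time for the sample


def _build_sample_logs():
    """Constructed sample events (not from any real system) in '<iso ts> k=v k=v' form."""
    lines = []
    for i in range(3):  # three ignored MFA pushes for laura inside two minutes
        ts = _BASE + timedelta(seconds=30 * i)
        lines.append(f"{ts.isoformat()} host=WS-LAURA event=mfa_push user=laura result=ignored app=vpn")
    for i in range(40):  # 40 renames on WS-LAURA in ~80 s, all to the same new extension
        ts = _BASE + timedelta(minutes=3, seconds=2 * i)
        lines.append(f"{ts.isoformat()} host=WS-LAURA event=file_rename user=laura "
                     f"old=C:/Users/laura/doc{i}.docx new=C:/Users/laura/doc{i}.docx.locked")
    # one ordinary rename elsewhere, well below any threshold
    lines.append(f"{(_BASE + timedelta(minutes=3)).isoformat()} host=WS-BOB event=file_rename user=bob old=a.txt new=b.txt")
    for i in range(5):  # WS-LAURA makes network logons (type 3) to five servers in one minute
        ts = _BASE + timedelta(minutes=5, seconds=10 * i)
        lines.append(f"{ts.isoformat()} host=FS-0{i + 1} event=logon user=svc_backup src=WS-LAURA type=3")
    # a normal admin touching two hosts, below the lateral-movement threshold
    lines.append(f"{(_BASE + timedelta(minutes=5)).isoformat()} host=FS-01 event=logon user=admin src=WS-ADMIN type=3")
    lines.append(f"{(_BASE + timedelta(minutes=6)).isoformat()} host=FS-02 event=logon user=admin src=WS-ADMIN type=3")
    return lines


SAMPLE_LOGS = _build_sample_logs()


def parse_line(line):
    """'<iso ts> k=v k=v ...' -> dict of fields with a datetime under 'ts'."""
    ts, _, rest = line.partition(" ")
    ev = {"ts": datetime.fromisoformat(ts)}
    for token in rest.split():
        k, _, v = token.partition("=")
        ev[k] = v
    return ev


def _max_in_window(times, window):
    """Largest number of timestamps that fall inside any interval of length `window`."""
    times = sorted(times)
    best, start = 0, 0
    for end, t in enumerate(times):
        while t - times[start] > window:
            start += 1
        best = max(best, end - start + 1)
    return best


def detect_mfa_fatigue(events, threshold=3, window=timedelta(minutes=5)):
    """Users with at least `threshold` ignored/denied MFA pushes inside `window`."""
    per_user = defaultdict(list)
    for ev in events:
        if ev.get("event") == "mfa_push" and ev.get("result") in ("ignored", "denied"):
            per_user[ev["user"]].append(ev["ts"])
    return sorted(u for u, ts in per_user.items() if _max_in_window(ts, window) >= threshold)


def detect_encryption_burst(events, threshold=20, window=timedelta(minutes=2)):
    """Hosts renaming at least `threshold` files to one new extension inside `window`.
    Returns {host: extension} so the analyst can pivot on the extension across the fleet."""
    per_host = defaultdict(lambda: defaultdict(list))
    for ev in events:
        if ev.get("event") == "file_rename":
            new = ev["new"]
            ext = new.rsplit(".", 1)[-1] if "." in new else ""
            per_host[ev["host"]][ext].append(ev["ts"])
    hits = {}
    for host, by_ext in per_host.items():
        for ext, ts in by_ext.items():
            if _max_in_window(ts, window) >= threshold:
                hits[host] = ext
    return hits


def detect_lateral_movement(events, min_hosts=3, window=timedelta(minutes=5)):
    """Source hosts whose network logons (type 3) reach at least `min_hosts` distinct
    targets inside `window`. Returns {src: sorted list of targets}."""
    per_src = defaultdict(list)
    for ev in events:
        if ev.get("event") == "logon" and ev.get("type") == "3":
            per_src[ev["src"]].append((ev["ts"], ev["host"]))
    hits = {}
    for src, items in per_src.items():
        items.sort()
        start = 0
        for end in range(len(items)):
            while items[end][0] - items[start][0] > window:
                start += 1
            targets = {h for _, h in items[start:end + 1]}
            if len(targets) >= min_hosts:
                hits[src] = sorted(targets)
    return hits


def triage(lines):
    """Run all three checks over raw log lines and return their findings."""
    events = [parse_line(line) for line in lines]
    return {"mfa_fatigue": detect_mfa_fatigue(events),
            "encryption_burst": detect_encryption_burst(events),
            "lateral_movement": detect_lateral_movement(events)}


if __name__ == "__main__":
    for name, finding in triage(SAMPLE_LOGS).items():
        print(name, finding)
```

On the sample, all three checks point at WS-LAURA, which is the containment question the CSIRP team actually has to answer: whether the isolated host was the only source of lateral logons, or whether other sources show the same pattern and also need to be cut off. The thresholds are deliberately conservative; tune them against a baseline of normal activity before relying on them.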

Company Beta

They now painfully realize the full scope of the infection. Critical systems are not operational, all PCs and servers are encrypted and deemed useless, and employees are already talking about a debilitating ransomware attack. They call an IT cyber company that did some work for them during the past year…and are placed on hold. They inform the chief financial officer (CFO) of the status and, after the obligatory question of “how could something like this happen,” he prepares to inform the chair and eventually the board, and to begin the materiality assessment that U.S. Securities and Exchange Commission rules require of public companies before a material incident is disclosed. While he understands the severity of the infection, he fails to grasp the wide-ranging reputational effects something like this can produce.

While conversations between IT and the CFO continue, they are rudderless, with no clear direction on what to do next. Panic and anxiety set in as they face the unknown. They eventually reach their IT cyber partner and inform them of the breach. While Beta’s IT team continues to provide details of the attack and what they know, the partner makes plans to send over a team to help with the investigation. They are expected to be onsite in approximately 24 hours.

Meanwhile, the countdown until the bitcoin ransom demand increases continues, and decisions need to be made, many of which they do not yet realize they face. The attackers have proven that sensitive data was stolen and are threatening to release it.

Communication

Company Alpha

Their outside firm contacts the attackers and asks for more time before any further action is taken. They establish a dialogue of sorts, building a rapport with the attackers by describing their (insincere) attempts to secure the funds needed for payment. While Alpha is cautiously optimistic that the attack and its effects are limited, one can never have too much time to be sure, so the courtship continues. The attackers communicate that they are also in possession of Alpha’s data and will release it if the ransom isn’t paid. The MDR service, working closely with the CSIRP team, is highly confident that the exfiltrated data came from a public network share that Alpha had already classified as innocuous.

Alpha’s policy, put in place several years ago, of encrypting confidential and sensitive data at rest is paying dividends. The data the attackers exfiltrated is neither sensitive nor nonpublic. One caveat: encryption at rest protects data against theft of the underlying storage or backup media, not against an attacker operating with a compromised user’s valid credentials, who reads the data in the clear. What limited the damage here was that the compromised accounts could reach only a share Alpha had already classified as public, so nothing sensitive left the company.

IT, with behind-the-scenes guidance from HR, sends out a companywide email and utilizes their SMS text message communication platform to confirm that a network virus has been reported and further investigation is currently taking place. Additional updates will be sent once more information about the issue is known. No other information is given at this time, and employees are urged to refrain from making any assumptions as to the issue’s severity.

Company Beta

They call their department heads into a conference room and hold a conference call as they have no effective way to quickly communicate with their employees en masse without the use of email. They inform the department heads of the current situation and state that it is not expected to change markedly in the foreseeable future. They advise many of their employees to go home for the remainder of the day. Employees have not only spoken about the devastating attack but have also taken to social media, and it is now public knowledge.

Wrapping Up/Just Beginning

Company Alpha

The CSIRP is reconvened, and the findings are encouraging. While a small number of PCs were infected, the quick response from the company’s MDR team most certainly limited the spread of the malware by immediately following the company’s playbook and blocking the affected computers’ access to the network. Additionally, because backups, payroll and other critical systems all require DFA for administrative access, these systems were found to be untouched and unaffected. With the company’s file shares being cloud-based, the ransomware could not execute inside the cloud service itself; encrypted copies of files from the affected PCs did replicate there, but the cloud vendor confirmed that it can restore the pre-infection versions of those files from its version history relatively easily. It was further confirmed that the data on the PCs, even though exfiltrated, posed no financial or reputational concern to the company.

Company Beta

They have a long and arduous road to recovery ahead of them. Their systems are rendered useless, and their business operations have come to a complete halt. After many painful weeks of operating with a skeleton crew and a partial network, Beta is slowly recovering. They have partnered with the right resources to help dig them out of their crisis, but it will take much more time and money than they ever imagined. Their brand has also been tarnished, and their stock price, after an initial precipitous drop, has rebounded but has not yet returned to its pre-infection level.

Conclusion

Company Alpha

The company’s committed approach to cybersecurity has proven its value. Their consistent focus and investment in technology and response have made this potential crisis a very manageable one, with no extended downtime, reputational harm or monetary loss. Having established communication with department heads and senior executives made their response to the breach efficient and cohesive, as everyone knew their role and responsibility. Alpha will continue to review and refine their cyber readiness as the threat landscape continually changes.

Company Beta

They have transformed and enhanced their internal defenses by implementing current technologies along with best practices for maintaining them. Beta has come to realize the value and importance of having a sound cyber defense and response plan. Senior executives are briefed on a regular basis with an annual overview of readiness to the board.

Beta’s late realization of the need for a strong cyber defense and readiness program is shared by many of its infected predecessors, who also came to that realization too late. With ransomware continuing to evolve, there are other Betas who will come to the same realization through a painful journey of their own.