The United States Secret Service Chicago Electronic Crimes Task Force (USSS CECTF) aims to increase the resources, skills, and vision with which state, local, and federal law enforcement agencies team with prosecutors, private industry, and academia, so that each can contribute what it does best to combating criminal activity. The common purpose is the prevention, detection, mitigation, and aggressive investigation of attacks on the nation's financial and critical infrastructures.
This past November, as part of West Monroe's cybersecurity community involvement efforts, we participated in a tabletop simulation alongside industry partners CME Group, Argonne National Lab, BCS Financial, and Perkins Coie. The group partnered with the CECTF to facilitate a half-day workshop in which over 120 business leaders from various industries walked through a moderated cybersecurity incident scenario to identify and discuss practices that ensure swift, effective action in the event of a security incident. Subject matter experts from management consulting, threat intelligence, academia, law enforcement, cyber insurance, and legal counsel also provided real-world examples of appropriate steps to secure your organization, and of pitfalls that can hinder response and recovery.
The simulation was designed to highlight the human factor in response efforts, which is often overlooked.
Incident Notification and Initial Triage
We started the morning through the eyes of an HR representative. She had just woken up on a snowy Monday morning and was drinking her coffee when coworkers in her department started reporting "weird" computer glitches and credentials that no longer worked. She was worried because payroll had to be processed that day. What should she do? How does she escalate? How does she know whether this is a cybersecurity incident or an infrastructure issue?
Many incidents are first identified by end users, so everyone in your organization needs to know why, and through which channel, to report suspicious activity. The ability to quickly gather the relevant facts, combined with an established channel for communication and decision making, saves precious time and lets you respond to incidents quickly and effectively.
At this point, the situation is only a security event. An understanding of the technical severity of the situation, combined with its potential business impact, should give the designated leaders enough information either to declare the event a cybersecurity incident or to treat it as an infrastructure or IT issue. This inflection point should not be taken lightly: misclassifying an incident as an IT issue can let it run rampant in your environment, while declaring too many incidents that turn out to be false positives erodes trust in the process.
Declaration of Incident, Communication Escalation, and Containment
During initial triage, the team discovered that the event was a ransomware infection that had quickly spread from HR to the rest of the environment. At this point the business was crippled, and it was decided that the event was in fact a security incident. Consider how prepared your organization would be for a scenario like this one. How would you respond?
Once an event is declared an incident, triage procedures should expand drastically, and communication should be escalated quickly to the appropriate parties. Without proper preparation and planning, chaos may ensue and sound decisions are not always made. Having certain resources in place ahead of time, such as alternate communication methods (in case e-mail and chat are themselves affected), war rooms where response teams can congregate, an accurate asset inventory, and access to third-party experts, will significantly aid containment.
Remediation and Recovery
It is important to distinguish containment from recovery. A situation can often be contained to "stop the bleeding," but that does not mean critical damage was not already done. In our scenario, the ransomware was contained only after it had reached 75% of all workstations and servers. Can your organization operate with only 25% of users having access to 25% of your back-office resources? A solid business continuity plan may be a sufficient crutch for the short term, but how do you get back to normal business, and at what point do you feel confident that your environment is clean?
According to Tammy Kocher, Director of Cyber Underwriting at BCS Financial, recovery is a factor often overlooked. “This event was second-to-none, and I was so glad to see West Monroe highlight remediation and recovery,” said Kocher. “The aftermath of an incident can be a critical component, and contacting your insurance carrier early can make an impact. In the scenario, participants were hesitant to contact their carrier until they had contained the situation, but we are here to help you quarterback. We can engage a remediation team including Breach Coaches, forensics, public relations, legal teams, call centers, and more. The sooner we are involved, the sooner we can help to cut costs, lessen reputational harm, and help you deploy needed resources.”
At the onset of an incident, organizations tend to focus on the short-term, tactical tasks required to combat attackers. A well-defined incident response plan and associated playbooks will aid an effective response, but once an attack is sufficiently contained, the focus should shift toward the longer-term ramifications of the attack. In our example, 75% of endpoints were encrypted. Do you have backups for those machines, and were the backups stored somewhere the ransomware could not reach and encrypt as well? Do you rebuild the machines? Do you have a golden image you can trust for the rebuild, and can you verify that it was not itself tampered with? If the network is compromised, can you trust that there will not be re-infection attempts once rebuilt machines are reconnected? These are decisions you may face during an incident, and they must be made while planning for the longer term, so that you not only contain the attack but also successfully recover from it.
The goal of the event was to help companies mature their cybersecurity organizations by fostering communication and collaboration among industry, law enforcement, and subject matter experts. As a result of our discussions, the CECTF participants identified the recommendations below as ones that any company should consider to improve its cybersecurity posture.
Recommendations for Improvement
- Create, improve, and practice your incident response plan
- Know your external partners and continue to develop relationships
- Encourage business representatives to be involved in IR planning
- Understand the threat landscape and how it applies to your organization
- Implement a risk-based approach when prioritizing initiatives
West Monroe is proud to support the US Secret Service and related organizations through the CECTF, now and into the future, as we collaborate against common threats and adversaries. We are stronger as a team, and teamwork is key in this arena. The more intelligence sharing, lessons learned, and thought leadership we can all contribute, the better we can reduce risk within our respective organizations and communities, in both the physical and digital worlds. Keep awareness top of mind and have a great holiday season!