One of the greatest boxers of all time, Sugar Ray Leonard, once said, “If you never know failure, you will never know success.” As a security guy, this has stuck with me as cyberattacks evolve and increase in severity and frequency. I’ve spent years doing recoveries across a wide variety of industries, from the small-to-medium business (SMB) space to very large enterprises, and reviewed the recoveries of other teams. Along the way I’ve seen a lot of leadership changes and diverse technical challenges, and taken note of what has worked and what hasn’t. By understanding real-world failures and successes, we can better prepare organizations for recovery even if they’ve never experienced it first-hand.
There are a number of pitfalls on the way to a successful ransomware recovery, and not all of them are technical. A well-prepared leadership team can make a huge difference in readying the organization for an attack and taking the right steps to recover. It starts with setting expectations and identifying goals, which requires a realistic view of the situation. Those expectations and goals set the stage for recovery, enabling the recovery team to follow an effective strategy based on actionable intelligence. But let’s take a step back, because you can’t set the appropriate expectations or strategy without first calculating risk.
Take an eight count
To tackle the problem in the most efficient, quick, and cost-effective manner possible, while bringing things back up safely, we need to calculate risk. Unfortunately, the tendency for many is to err on the side of caution. That may be an effort to protect themselves, but it can also grind the recovery process to a halt. The goal is to understand the actual risk in a given situation; there is no denying that some risk will always remain. Particularly after suffering an attack, everyone is on high alert and can be incredibly risk averse. At the same time, people usually do not want to be the one who says something is safe or okay to do when it is not the safest possible choice, and they may not have the experience to make that call, something leadership should keep in mind. All of this leads to decisions made “out of an abundance of caution,” where those involved default to whatever protects them personally. That may be the safest choice for the individual, but whether it is the right choice for the organization depends on the effort, cost, and impact it will have on the entire recovery.
Yes, there are a couple of solid endpoint detection and response (EDR) options out there, among other tools, but if your recovery expert opens by advising you to replace all your hard drives or do a full rebuild of your environment just to be safe…talk to someone else. The same goes for a forensics provider telling you they need to do full disk forensics on dozens or even hundreds of systems to investigate. Risk can certainly be lowered by layering multiple mitigations (defense in depth), but a good calculated-risk recommendation requires a great deal of experience with ransomware attacks, malware, security, incident response, and recovery, and it pays off enormously.
The truth is, accurate decisions require an examination of the actual risk to an environment. Making business decisions based on calculated risk routinely saves millions of dollars in recovery costs. When calculating risk, you need to take a variety of factors into consideration: prior experience with that particular threat actor and malware, your unique environment, what is known about your exact incident, how easily any vulnerabilities involved can be exploited, and the potential impact.
Don’t backpedal, cover up
Before greenlighting your recovery strategy, you need to know a few things to avoid making million-dollar mistakes. It’s crucial to understand your coverage, including any policy limitations, and not to treat the insurance claim submission as an afterthought. After an incident, when you make a claim to your insurance provider, you’ll fill out a detailed Proof of Loss that includes extensive information about the environment, the incident, itemized invoices for all expenditures, justification for business interruption loss, and more. That submission will be thoroughly reviewed to ensure it’s in line with your policy, and you are obligated to provide sufficient supporting documentation to show that all recovery and investigation costs were both reasonable and necessary. If you want to leverage your policy effectively, that documentation has to be gathered as you go.
Working with a recovery expert who is trained to flag these coverage considerations at the engineer level will help you develop a recovery strategy that is compatible with your policy and spare you a lot of surprises come claims time. You should also work closely with your claims manager, letting them know of any strategic decisions or other major issues so they can be involved, ask questions if necessary, and know what to expect. And throughout all of this, prepare your claim submission by gathering the right documentation as it is produced, instead of trying to extract something sufficient from various service providers a year down the road.
To bring it back to Sugar Ray: we can find the path to success through failure, and you don’t have to make all of these mistakes yourself in order to learn from them. Hopefully, learning from others will give your organization a puncher’s chance to respond to and recover from an attack, should the worst occur.