Level: Expert
CISOs face the harsh reality that a ransomware attack is a matter of when, not if. CISOs must have a well-prepared ransomware response plan to combat this growing threat. Fortinet provides comprehensive steps to help CISOs develop an effective response plan in the CISO Guide below.
Developing a Practical Ransomware Response Checklist (The CISO Guide):
First Step: Don’t Panic:
- Stay calm and composed during a ransomware attack.
- Seek assistance from security vendors or report the incident to your insurance company for guidance and support.
Identifying Phase:
1. Identify the Ransomware Variant:
- Determine the specific strain of ransomware to gain insights into its behaviour and explore potential decryption options.
- This information helps formulate effective countermeasures and understand the attack’s extent.
2. Identify Initial Access:
- Identify the entry point through which the ransomware gained access to your systems.
- Consult digital forensics teams and incident response experts to investigate the attack and address security vulnerabilities.
3. Identify All Infected Systems and Accounts (Scope):
- Thoroughly identify all systems and accounts infected by the ransomware.
- Pay attention to communication with the command-and-control server to uncover active malware and persistent elements.
Immediate Actions Phase of CISO Guide:
1. Isolate Your Systems and Stop the Spread:
- Determine the attack’s scope and implement network-level blocks or device-level isolation to contain the ransomware.
- Utilise endpoint detection and response (EDR) technology to identify and halt the attack at the process level.
2. Sanitize Systems or Create New Builds:
- Safely remove the ransomware and instances of persistence from affected systems.
- Consider creating new, clean systems to eliminate any residual malware.
- Implement security controls to prevent reinfection and strengthen overall defences.
3. Report the Incident:
- Report the ransomware incident to relevant authorities and assess the need to involve law enforcement.
- Comply with legal obligations regarding regulated data and privacy laws.
4. Activate Incident Response Plan:
- Follow your organisation’s predefined incident response plan for a coordinated and structured response.
- Assign roles, establish communication channels, and maintain documentation.
5. Preserve Evidence:
- Preserve all evidence of the ransomware attack, including logs, network traffic captures, and malware samples.
- This evidence aids investigations, potential legal actions, and future prevention measures.
6. Engage External Cybersecurity Experts:
- Involve external cybersecurity experts specialising in ransomware incident response, if needed.
- Gain valuable insights, guidance, and technical expertise to assist in containment and recovery efforts.
7. Communicate with Stakeholders:
- Establish clear lines of communication with executive management, legal teams, public relations, and affected departments.
- Provide regular updates on the incident, response actions, and progress towards resolution.
8. Paying the Ransom?
- Law enforcement strongly advises against paying the ransom, as it offers no guarantee of recovery or prevention of future attacks.
- If considering payment, seek specialised security assistance from reputable sources like BeforeCrypt Ltd.
Check the Damage:
1. Determine Whether Data Was Leaked or Tampered With:
- Look for signs of data tampering or exfiltration, such as unusual communications or large outbound data transfers.
- Assess the potential impact of the attack and identify any data breaches.
Backup Checks and Plan:
1. Locate Your Backups and Determine Integrity:
- Verify that your backup technology was not compromised.
- Conduct integrity checks on backups to ensure reliability and readiness for restoration.
2. Backup and Disaster Recovery Testing:
- Regularly test backups and the disaster recovery plan to ensure effectiveness and reliability.
- Conduct full system restores and validate data integrity for successful recovery.
3. Establish Offline Backups:
- Maintain offline backups of critical data and systems to protect against ransomware encryption or deletion.
- Offline backups provide an extra defence against attacks targeting online or network-connected backups.
Regular Action Plan:
1. Enhance Security Monitoring:
- Strengthen security monitoring to detect further unauthorised access attempts or malicious activities.
- Consider real-time intelligence feeds and proactive threat hunting to identify potential threats early.
2. Regularly Update and Patch Systems:
- Keep all systems, applications, and firmware up to date with the latest security patches.
- Timely patching is crucial to prevent the exploitation of vulnerabilities by ransomware attackers.
3. Regularly Assess and Update Response Plan:
- Periodically review and update the ransomware response plan, considering lessons learned and changes in the threat landscape.
- Stay proactive and adapt response strategies to counter evolving ransomware techniques.
4. Conduct User Awareness Training:
- Reinforce cybersecurity hygiene and educate employees on ransomware attack risks.
- Regularly conduct training sessions to raise awareness about phishing emails, suspicious links, and common attack vectors.
5. Implement Multi-Factor Authentication (MFA):
- Enable MFA for critical systems and accounts to protect against unauthorised access.
- Mitigate the risk of stolen or compromised credentials being used to propagate ransomware.
6. Share Threat Intelligence:
- Collaborate with industry peers, cybersecurity communities, and government agencies to share threat intelligence.
- Collective knowledge sharing helps organisations proactively prepare for potential attacks.
Conclusion:
Dealing with ransomware attacks requires a comprehensive plan, composure during incidents, and expert guidance. Preparedness is vital to mitigating the impact of an attack and minimising disruption. Panic hampers response efforts, so it is crucial to stay vigilant, follow best practices, and rely on trusted sources for guidance in navigating these challenging situations.
Follow the CISO guide to create your own strategy.