Backups are not sexy, but they are necessary. A Cohesity resiliency advocate stated this during a ransomware simulation that highlighted how backups should not be overlooked, but instead be optimized for the critical alignment between security and IT that helps businesses achieve continuity and resiliency.
Cohesity, a data management specialist that aims to support cybersecurity initiatives, recently hosted an Escape Room Challenge for members of the media from Singapore and Malaysia. James Blake, head of global cyber resilience strategy at Cohesity, had created the scenario based on his vast experience in building security operations centers (SOCs), and executing incident responses for large companies like Shell, Microsoft, Sony, Apple, and many more.
Members of the media adopted different management roles and worked with each other and with tech experts. The objective was to try to contain a simulated ransomware attack on a fictional doughnut chain called ‘Dan’s Doughnuts’ while navigating real-world security challenges: how to restore the ability to communicate within the organization, how to protect the franchisees of the doughnut business and get their operations running again, how to remain compliant with potential sanctions, and how to maintain access to critical documents such as crisis plans.
Three stages of response
James outlined three buckets of actions – initiate, investigate, and mitigate – as the responses undertaken by IT and security teams to a ransomware attack. “Initiate” could involve talking to insurers, law enforcement, the ransomware operator, customers, and the press. Other factors that also need to be addressed at this stage are backups of communications and security.
The global cyber resiliency expert also pointed out the all-important question that would be playing on the mind of every security and IT operations team – how to restore security tooling (which sits on the endpoint and has just been ‘owned’) to a state that can be trusted?
Investigating an attack can also face major hurdles when networks have been disconnected. Disabling the network can help to contain the ransomware and limit its impact. But edge security tools that require network connectivity may not function, and this hampers incident response efforts that depend on those tools for visibility of the environment and for ‘communication’.
The final phase, “mitigation”, is about recovering and rebuilding systems, which includes rebuilding the security environment so the security team can respond. James highlighted that sometimes a system is so badly corrupted that it needs to be reinstalled from the ground up.
Critical alignment
“Cohesity can help because we can hold trusted golden master images and trusted configurations, make them available to IT systems and rebuild platforms,” said James, who also pointed out that the approach to recovering systems depends on the incident and the IT team.
Failing to incorporate investigation into the response process can lead to prolonged issues, if system recovery reintroduces vulnerabilities and risks into the environment.
And therein lies another conundrum because investigations are done by the security team and its findings are not necessarily visible to the IT team. IT teams are often tasked with ensuring business continuity, while security teams prioritize resiliency – understanding incidents before recovering production systems.
Immediate recovery might be necessary in some ransomware cases like it was for Dan’s Doughnuts. The pressure was mounting as thousands of franchisees around the country were unable to open for business, reputational damage was hurting a major deal in the works, and agitated boardroom members were demanding immediate resolution.
Even though this was a simulated scenario, this is often how attacks and the ensuing consequences will pan out for victim businesses, their operations, supply chains, customers, board rooms, and more.
So, simply recovering the system is not enough – security teams need to investigate how the attack happened in order to understand which vulnerabilities were exploited and what mitigation steps need to be taken, be it patching or removing accounts or emails.
Cohesity’s key point is that both aspects of security and IT are important and need to be coordinated effectively to ensure a comprehensive response to ransomware attacks.
Recover and investigate – the clean room initiative
Backups play a crucial role in forensic analysis within the clean room. The “clean room” refers to an environment that Cohesity can help organizations build in advance of a security incident. The vendor will provide workflows, architecture, and blueprints to build a clean room in advance so there is a trusted environment ready to respond in the event of an attack.
James described, “With it, you can classify, hunt, and do forensics.” Best of all, these can be done without risk of reinfection.
Cohesity also shared findings from a survey it conducted across Malaysia and Singapore. One of the main results highlighted the contrast between the high confidence respondents had in their resilience and their eventual decision to pay ransom demands when attacks happen.
This suggests a gap between perceived and actual preparedness, and possibly also board-level pressure to give in to ransom demands. The ransomware simulation workshop by Cohesity, however, demonstrated that many elements are in play, and that there has to be better education for executives about the complexities and risks of paying ransoms.