Flipping the Asymmetry with Attackers: An Interactive Ransomware Attack Exercise


Session Insights
Written by Liam McGlynn

Sharon Isaaci

VP Cyber Security Services, Europe

Sygnia

Yotam Meitar

Incident Response Manager

Sygnia

David Gray

Director Cyber Services EMEA

Sygnia

FEBRUARY 2023

Preparing for a cyber crisis is imperative for any organisation to thrive in today’s cyber-threat landscape. The extent of an organisation’s preparation can determine whether a cyber-attack becomes a major catastrophe or a manageable incident. 

Gartner research shows that cybersecurity incidents are no longer a matter of ‘if,’ but ‘when’. It is therefore crucial that CISOs are well-informed about the immediate steps they must take in the first hours of a highly disruptive incident, as well as the common pitfalls they are likely to encounter whilst defending their organisations. 

At a recent Evanta Summit, CISOs from the DACH region gathered to explore cyber-crisis management in an interactive incident simulation, hosted by Sygnia. Leading this session, Sharon Isaaci, VP of Cyber Security Services, Europe, Yotam Meitar, Incident Response Manager, and David Gray, Director of Cyber Services EMEA, simulated a destructive and extortive cyber-attack, based on a real-life incident. 

In this interactive and adaptive ransomware attack exercise, decisions made by executives influenced the narrative of the incident, shaping the victim organisation’s future. Leveraging the collective wisdom of the participants, Sharon, Yotam and David explored how organisations can tackle complex challenges and get ahead of the attackers. Here, executives discussed the key pitfalls commonly overlooked by security teams, helping to develop a deeper understanding of how technology and stakeholder management decisions can impact their organisations. 

The key dilemmas raised in the exercise were ones often faced by organisations handling heavyweight ransomware attacks:

  • Should the company release a public statement immediately after learning about the potential attack? If so, should this statement acknowledge a ransomware attack or only refer to a technical issue at this time?
  • Should the company engage in communication with the threat actor? If so, should this engagement be managed with the intent of paying and decrypting ASAP or with the intent of buying time and gathering information?
  • Should the company pay the ransom demand, given partial recovery from backup and potential leak of semi-sensitive data?


Here, Sharon, Yotam and David share their key takeaways from the session:

Sharon: “The diverse answers of the DACH CISOs to these questions, and the heated debate that they ignited, stress the importance of organisations strategising and deciding many of these questions in advance. While every incident is different, CISOs and businesses who start deliberating these dilemmas for the first time during an incident may waste valuable time and potentially impede effective response. General guidelines created by executive management and boards of directors in advance go a long way in ensuring effective Incident Response. An especially important area to pre-plan is the approach towards attacker engagement. While often conflated with a decision on payment, deciding to engage early can benefit the technical response operation and buy valuable time before the attacker’s deadline, and is strongly recommended in cases of heavyweight ransomware.”

Yotam: “It was a close call from the audience as to whether to release a statement upon the initial notification of the ransomware scenario. However, the DACH CISOs were in favour of posting a statement about there being a technical issue, rather than outright acknowledging that a ransomware attack was underway. As the scenario developed, the Sygnia team gave the audience the option to engage with the threat actor. At first, the audience was very reserved regarding this option, but as the debate unfolded, the predispositions of the audience changed, and many recognised the tactical advantages of engaging.”

David: “As to the question of whether to pay the ransom demand or not – here the discussion became even more animated, with the CISOs making strong cases for diametrically opposing options, and we shared some tried-and-tested ‘street-smart’ tactics. The audience itself was made up of CISOs from across all industry verticals as well as various government/public organisations. The answers to the polls showed the diverse approaches that are taken from a public and private perspective, which was reinforced in the room with a lively debate from the audience.”

This session was attended by CISOs and security leaders from various organisations, including Siemens Mobility GmbH, Swiss Re, DHL, Roche, Linde Plc, and Allianz. Evanta creates an open space for executives to share their experiences with each other.
 

Content adapted from the DACH CISO Executive Summit. Special thanks to all participating companies.
