Incident Response: Best Practices in the Age of RansomwareStay Focused on Business Resilience, Says Rocco Grillo of Alvarez & Marsal
Good news on the breach prevention and incident response front: More businesses are getting more mature practices in place, although as attackers continue to improve their efforts, so too must defenders, says incident response expert Rocco Grillo of consultancy Alvarez & Marsal.
See Also: Case Study: The Road to Zero Trust
What does having a mature incident response program in place look like? For starters, Grillo says it will include prioritizing the pursuit of not just cyber resilience, but business resilience, backed by widespread use of security awareness programs and mock cyberattack drills, aka tabletop exercises.
"Better monitoring, better detection and then response" remain crucial, he says. "The response plan isn't there to stop it from happening. You know, in some instances it can, for the basic attacks. But if someone gets into your environment, it's critical to identify it, understand what's going on," and then to focus on "containing it, eliminating the damage, being able to recover and restore and hopefully get back to normal business operations."
In a video interview with Information Security Media Group, Grillo discusses:
- Attackers' propensity to strike on nights, weekends or holidays, and how defenders must prepare;
- Ransomware and online extortion attack trends;
- Essential data breach prevention and incident detection and response best practices.
Grillo is a managing director with Alvarez & Marsal's disputes and investigations global cyber risk services practice. Previously, he held leadership positions at professional services organizations, including Stroz Friedberg (bought by Aon Cyber Solutions), where he served as the global leader of the firm's cybersecurity services. Prior to Aon, he was a founding member of Protiviti's cybersecurity practice. He also served at RedSiren Technologies and with Lucent Technologies and Bell companies.
Mathew Schwartz: What are incident response best practices, especially in the age of ransomware? To help me answer that question, it's my pleasure to welcome back to the ISMG studio Rocco Grillo, managing director of global cyber risk and incident response investigations and Alvarez & Marsal.
Rocco Grillo: Mathew, thanks for having me, always a pleasure and always pleased to be able to work with the ISMG group, and especially yourself.
Mathew Schwartz: Thank you very much. Incident response: we've spoken about this in the past. And I find it fascinating that for years now, with data breaches, and more recently with ransomware, amongst other types of cybercrime, or cybersecurity incidents, there's long been a list of best practices that organizations should be pursuing. But as we've seen this year, in particular, via joint alerts from the likes of CISA, and the FBI, calling on organizations to make sure they have the best practices in place, basic things seemingly, such as MFA, having a breach response plan, having a communication strategy that works in the event that their systems have been crypto-locked, it seems that a lot of organizations haven't yet gotten this message. I want to turn to you, I wanted to ask you about what you've been seeing from your incident response investigations. It's a general question. But are you seeing greater awareness, at least of what organizations should be doing on the heels of some of these alerts from the U.S. government?
Rocco Grillo: I would say there's absolutely greater awareness. The piece we'd like to see more of is better cyber hygiene. And as much as you mentioned CISA, the FBI, you know, [ransomware is] not one of those extraordinary attacks, it's become mainstream, and it doesn't matter, the size of the company. It's really along the lines of the attackers don't discriminate, regardless of the size, the geography, the industry, if you're plugged into the network. More importantly, if you have critical assets - which, who doesn't? And at the same time … this is where things have evolved: it's not just, Hey, we can get the data. Companies that are in a position where, if their business is disrupted, there's the larger ones who have backups or have contingency planning. But I think even more so - as much as [small and midsize] companies used to take the position of, 'We're not a Wall Street bank … we don't invest in those kinds of controls, we don't have this, that and … those are the ones that are lower-hanging fruit, Mathew. And you and I have discussed this in the past, the attackers really like them. While it may not be as lucrative as hitting that proverbial Wall Street bank, the bigger piece is ... it's a lot easier to get after them.
And when we talk about ransomware attacks, I thought we had ... really got into this with both feet three plus years ago, maybe even five years ago, when you know that some of the investigations I was involved with really started bringing this to the forefront. But if anything, the last six to 12 months, it's exploded into an epidemic. We've gone from encrypted networks - call it the proverbial single extortion - to now the attackers, let's say six to 12 months ago, exfiltrating data first, and on the way out, we'll encrypt your network for good measure. And it's a double extortion. Further taking it to extorting the victims, customers, clients, business partners. And even further now, some of the things we're seeing is going after employees, whether it's by incenting them, or trying to find disgruntled employees. There's a lot of different moving parts. We've heard [from a disgruntled standpoint] of the great resignation. We've heard people that are going back to the office, vaccinations, political platforms, the list goes on. And that turns into an incubator for attackers to go after. There's so many different threat vectors, including going after the individual employee. The insider threat didn't just happen today.
So back to your earlier question: What are some of the things that we're seeing? Companies know. I mean, and you know, at the same time, you can just see what's going on in cyber insurance. Five years ago, not so many people were jumping into cyber insurance. Three years ago, more and more. A couple years ago, it's like, 'Well, hey, with all these ransomware, and cyberattacks and extortion, we absolutely need to have cyber insurance.' But what's going on this past year with the payouts that have gone on, we're talking to a lot of companies that are not necessarily up in arms, but at the same time, their premiums have doubled, tripled. I tell them: You're some of the luckier ones. Because there's other companies that don't have the maturity in their cybersecurity. Don't have the cyber hygiene. They're getting exclusions, and in some instances, they can't get cyber insurance.
So I don't want to harp too much on cyber insurance. But I like to tell clients while cyber insurance is important, … I have fire insurance on my home, that doesn't mean I don't need the smoke detectors [and] if the house burns … we have … fire insurance. So ... the advisory that CISA/FBI just issued recently, it seems like more of the same: more best practices, more patching, more awareness and training. But I think we really need the industry to drive those points home. Because ultimately, we can't stop attacks from happening. But risk mitigation is the key being better prepared.
Mathew Schwartz: And presumably detecting these attacks as quickly as possible to help shut down the damage. I mean, with ransomware attacks in particular, I hear that the first 70%, maybe 80% of the attack isn't even technically about the ransomware. It's about the attackers getting in. So you've got your timeline there, I suppose for responding in a way that helps you lock things down before things get really bad.
Rocco Grillo: No doubt. And I think even to that extent, locking down before it gets really bad, as you mentioned, there's a number of measures. While we talk about multi-factor authentication, while we talk about patching, CISA's done a very nice job, not just with the holiday advisory that they put out. But even in the past in response to ransomware, in response to best practices, in response to helping companies build a ransomware playbook. There's so much that's out there. The FBI has done outreach programs.
But I think companies, while taking those best practices, the patching, the MFA. Now we're coming back out of completely remote hybrid and employees half the time in the office, half the time at home. But really getting into the internet, the inner operations of our networks: let's get to backups, let's get to air gaps for our backups. There's a lot of companies that we work with, they've got the backups, [but] not necessarily air gapped. ... Once they get in, are your backups segmented? Because again, just having backups? That doesn't solve anything. It's a start, it's better than not having backups. Having the air gaps makes it even better. Having the segmentation limits the damage, like you talked about. And while I talked about the sophistication and attacks evolving from single extortion, to double extortion, to triple extortion, the attackers are even out there trying to recruit SMEs in disaster recovery backup systems ... not that they want to build their own. But trying to find ways that - while we continue to put countermeasures in place to try to block these attacks or limit the damage - the attackers are trying to find ways to circumvent controls and prevention measures that companies have put in place to safeguard their critical assets.
Mathew Schwartz: You build it, attackers try to break it. And to one of your earlier points: We've seen, I believe, a lot of automated scanning, like you said, looking for that low-hanging fruit, attackers will get in and then come back in an opportune moment to unleash their attack. So multiple times this year, we've seen the FBI and CISA warning that holidays in particular, weekends typically, but especially holidays, can be amongst the most likely times for attackers to strike with the organizations that you work with. Are they putting a kind of heightened awareness or some kind of holiday roster in place? As a "just in case," basically, what do you recommend organizations do given the elevated threat posed by holidays like Memorial Day and such?
Rocco Grillo: I think we touched on some of those, Mathew, but I think it's been well known. And I've helped some of the largest retailers at this time of the year, and they've garnered the media attention, responding to some of the largest cyberattacks, but it's not just the retail industry.
There's a lot that's going on, especially this year that we're just getting back and getting back into [work]. There was a study that online purchases are going go up another 10%. And if you just look at the way that people are, i's the combination of the convenience, or I don't want to be in the crowds with the whole pandemic and COVID continuing. ... But the attackers know: this is primetime for retailers, it's primetime for travel, hospitalities, hotels, everything across the board. And, you know, I don't want to have the crystal ball or think I have the crystal ball. But we already saw the spike. I had a couple of clients that just called in; we had to deploy people just this weekend.
It continues to evolve, and I think with the distractions that are going on, more and more companies are reliant on their systems. They find themselves in the peril of: If our business is disrupted right now, the impact not only to our customers, brand and reputation, the revenue, it puts us in a very difficult situation.
When you talk about ransomware, you mentioned CISA and the FBI, and it's a balancing act. Because again, looking at where the elements that come into play in cyber extortion are, [paying a ransom is] not necessarily a best practice on the FBI list, by any means. But at the same time, companies have a business to run. And I will make that understatement. I don't advocate to pay or not to pay. That ultimately comes down to a business decision.
What we've seen a lot of companies do, as much as they've got the controls, as much as they've got the IT security and operations in place, is conducting vulnerability assessments, looking for unpatched systems, looking for areas that could be exploited. The one piece that we've seen spike is the not only the awareness, but the cyber resilience and tabletops. We've been doing those for the last decade for companies. Disaster recovery fire drills. I mean ... we've been doing that since we were children in elementary school. But the piece that companies have really upped their game on, the more mature ones, not only at the security operations, but I can't tell you how many executive-level, executive teams, including CEOs of major companies, across all industries, that are part of those exercises now. Even to the extent where, after that we're doing them for their boards of directors. Let's not forget the boards of directors have the fiduciary responsibilities, and there's SEC requirements for the public companies. That is somewhere where I think we've really seen companies up their game.
And we've talked about that idea of cyber resilience and referenced it a couple times, but really seen it evolve into part of business resilience. Because while data is important and data being exfiltrated and companies being extorted - that it's going to be released - the business disruption, the business resilience is something that we're really seeing. Not only seeing but helping companies, in preparation.
You mentioned this earlier, Mathew, that while we can't stop the attacks from happening, [we need] better monitoring, better detection, and then response. The response plan isn't there to stop it from happening. You know, in some instances it can, for the basic attacks. But if someone gets into your environment, it's critical to identify it, understand what's going on, [then] containing it, in eliminating the damage, being able to recover and restore and hopefully get back to normal business operations.
Mathew Schwartz: Fantastic. It's actually excellent to hear that more businesses are not just thinking cyber resilience, but business resilience and getting that maturity. We've spoken about it in the past. So it's nice to hear that it's finally coming to greater fruition, at least as you say, with some of the more mature organizations.
Rocco Grillo: I think in many instances, Mathew, as much as it's the mature organizations, there's either companies that know about it, and are doing something about it, or they're finding out the hard way. And after that, I think it's one of those pieces that for executives' teams, they don't have to be at a behemoth public company. It's more or less if you or I as an individual, I have a home computer, I do online banking, I do all types of different things. That doesn't mean I have a weak password, or I don't use MFA.
So bring it up at a business level. If you are running a business, or you're an officer of the company, I think even more so the officers that are in companies' boards. That's something that we've really seen: that [security has] been finally elevated to that level. There's a lot of times even in [our] conversation, if a CISO were sitting here with us, they'd agree with us, with violent agreement. And they say that they've been doing it for years and trying to do it. The big piece is, CISOs finally have the attention of their executive teams and boards. And it's not the just the attention. There's a seat at the table. And they're part of the overall process, and part of that playbook.
Mathew Schwartz: That's a great memo: "Don't find out the hard way." And I think I'm going to sign us off there because this has been wonderful advice and [about] giving us … a look at the state of incident response and preparation and where organizations need to be getting to. So Rocco, thank you so much as ever for your time and insights today.
Rocco Grillo: Mathew, thank you so much. It's always a pleasure.
Mathew Schwartz: I've been speaking with Rocco Grillo of Alvarez & Marsal. I'm Mathew Schwartz with Information Security Media Group. Thank you for joining us.