You may have noticed ransomware attacks and information security incidents, such as personal data breaches, have been growing rapidly and gaining frequent space in the media. With each passing week, one or more events of this nature becomes the subject of articles in newspapers, magazines, radio and television.
After helping several organizations (from a legal perspective) respond to security incidents and manage the crises generated by these events, I realized there are some central aspects of dealing properly with these situations that, in my opinion, must be taken into consideration.
Below are five critical tips for organizations that have just experienced a cyberattack or a security incident, or for organizations that want to better prepare for when they have to face situations of this nature.
Do not be fooled by the "this will never happen to our company" speech. A security incident is not a matter of “if;” it is a matter of “when.”
1. Time is of the essence
For a proper response to a ransomware attack or a security incident, every second counts. The more time passes without certain actions being taken, the more difficult it becomes to solve the problem effectively. Time is money. Time is of the essence.
It is not uncommon to receive calls from clients saying they had an incident about 30 days ago that they did not think was relevant, so until that moment little had been done beyond an initial assessment by the organization's own information security team; now the event has been reported on some blog and people on the team are starting to worry.
There are two central reasons why time is of the essence in cases like this:
- The deadlines for sending notifications to third parties (such as Brazil’s data protection authority (DPA), the Autoridade Nacional de Proteção de Dados, or ANPD) are generally short — only a few days — and a delay in communication can be considered an aggravating factor of a possible violation of current regulations, or as justification for the adoption of more forceful measures by the respective third parties.
- In ransomware attacks, threat actors typically press their victims with urgent triggers such as “if you don’t pay the ransom within two days, the price will double” or “if you don’t contact us by tomorrow, we will leak some of the data that we got from your organization on our blog.”
In any of these scenarios, every second lost translates into higher remediation costs for fixing the problem.
Therefore, as soon as a ransomware attack (or a security incident) is detected, it is essential to inform the company officers (and the board of directors when applicable) about the event, as well as to reach out to external advisors who will assist the organization during the response.
2. Get external assistance
No matter the size of your organization or the proficiency of your internal teams, when a ransomware attack happens, it is essential to have the support of external advisors, both legal and technical.
That is because unless your organization has experienced an incident before, outside advisors will have more hands-on experience in such events. And experience, at that time, counts a lot.
Imagine the following scenario: You are a renowned ophthalmologist. If you feel sudden and intense pain in the chest region, will you self-medicate or see a cardiologist? The answer seems obvious. Even though you are also a doctor, it is important to count on a third party with expertise in that specific topic and experience in solving that problem.
Furthermore, the truth is that organizations' internal teams are in the eye of the storm in crisis situations. There are so many steps that need to be taken that teams often get lost, are exhausted from the enormous pressure of the incident and are unlikely to have a cool head to make critical decisions. In the heat of the moment, a bad choice like “let me talk to the attacker myself” can ruin everything.
More than that, the support of external consultants guarantees greater independence for the conclusions that will be necessary during the incident response. In particular, the forensic investigation of the event is one of the crucial steps for an adequate resolution and, if conducted internally, may be surrounded by questions about its impartiality. In many scenarios, the organization's internal team does not even know what to look for during the attack investigation, missing elements that would be easily noticed by third parties specialized in conducting forensic investigations.
Yes, there is an additional cost in hiring external advisors, which is likely to be significant. Even so, this cost is normally much lower than the damage that can be caused when the organization decides to take matters into its own hands.
Another relevant aspect is having already mapped out which external consultants will be called upon in the event of a ransomware attack or a security incident. Wasting time bidding for a contract or going through procurement bureaucracy during the incident inevitably results in a loss of response efficiency.
If you still do not know which technical and legal advisors you will call when a ransomware attack is announced, I strongly advise you to stop reading this article right now and decide whom you are going to include in your speed dial.
3. The start line is not the beginning
Anyone who thinks a ransomware attack starts when files are encrypted and one of the organization's employees finds a ransom note with information on how to regain access to data would probably be wrong.
In general, the attack starts long before this “initial” moment of detection. In some cases I have worked on, evidence was found that demonstrated attackers had already gained access to an organization's networks several months before encrypting the files.
In attacks that involve data exfiltration, this aspect is even more common. Attackers spend weeks or months looking for ways to gain access to more information or more relevant data, using lateral movement and privilege escalation techniques.
After obtaining system administrator privileges, external transfers are carried out gradually, in volumes that do not attract attention and are able to go unnoticed, as they are within the average volume of data routinely transferred from the organization to external addresses.
In order for an attack to be properly investigated, it is critical that the organization retain logs properly and for reasonable periods. The adoption of security information and event management (SIEM) tooling can be an extremely beneficial measure in this regard.
Therefore, limiting the investigation of the incident to the day the attack was announced, or just a few days before that date, may be unwise and can lead to wrong conclusions.
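The gradual exfiltration described above is exactly the pattern a per-day volume threshold misses, and it can only be found when egress logs from the weeks before the ransom note are still retained. The following added example (not from the original article) illustrates this on constructed egress summaries: `spike_alerts` implements a naive "is today unusual?" check, while `slow_exfil_alerts` looks back across the whole retained window for a host sending data to a destination never seen during the clean baseline period. Host names, addresses, volumes and the ten-day baseline are all assumptions.

```python
from collections import defaultdict
from datetime import date, timedelta
from statistics import median

BASELINE_DAYS = 10  # assumed clean window used to learn normal volume and destinations


def build_sample():
    """Constructed egress records (day, host, destination, bytes); not real data.
    Days 1-10 are clean. From day 11, host fs01 sends ~40 MB/day to a new
    destination, staying well under any per-day spike threshold."""
    rows = []
    for d in range(1, 41):
        day = date(2024, 3, 1) + timedelta(days=d - 1)
        rows.append((day, "fs01", "198.51.100.7", 150_000_000))   # routine sync partner
        rows.append((day, "ws22", "198.51.100.7", 20_000_000))
        if d > 10:
            rows.append((day, "fs01", "203.0.113.10", 40_000_000))  # the constructed trickle
    return rows


def spike_alerts(rows, factor=1.5):
    """Per-day threshold: flag any host/day whose total exceeds factor x the
    host's baseline median. This is all a 'look at the day of the attack' view sees."""
    totals = defaultdict(lambda: defaultdict(int))
    for day, host, _dst, nbytes in rows:
        totals[host][day] += nbytes
    alerts = []
    for host, per_day in totals.items():
        days = sorted(per_day)
        base = median(per_day[d] for d in days[:BASELINE_DAYS])
        alerts += [(host, d) for d in days[BASELINE_DAYS:] if per_day[d] > factor * base]
    return alerts


def slow_exfil_alerts(rows, min_days=7):
    """Retention-dependent check: flag host->destination pairs absent from the
    baseline window that then receive data on at least min_days distinct days.
    Returns (host, destination, active_days, total_bytes) per suspicious pair."""
    start = min(day for day, *_ in rows)
    cutoff = start + timedelta(days=BASELINE_DAYS)
    known = {(h, d) for day, h, d, _ in rows if day < cutoff}
    days_seen, total = defaultdict(set), defaultdict(int)
    for day, host, dst, nbytes in rows:
        if day >= cutoff and (host, dst) not in known:
            days_seen[(host, dst)].add(day)
            total[(host, dst)] += nbytes
    return [(h, d, len(days_seen[(h, d)]), total[(h, d)])
            for (h, d) in days_seen if len(days_seen[(h, d)]) >= min_days]
```

On the sample data the per-day check raises nothing, while the look-back check reports fs01 moving 1.2 GB to the new destination over 30 days; with only a week of logs retained, the baseline needed for the second check would not exist.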
4. “If we do not notify the regulator, nothing will happen”
It is obvious that no organization likes to notify the DPA or other regulatory bodies about the occurrence of a security incident or ransomware attack.
The notification, naturally, will result in the opening of an administrative process within the scope of the ANPD, where it will probably be necessary to provide information and documents requested by the DPA, and which may later culminate in the issuance of a penalty notice.
Even so, thinking it would be better not to notify, especially where the requirements provided for in Article 48 of Brazil’s General Data Protection Law (LGPD) have been triggered, would be plain wrong.
Nowadays, it is rare for a ransomware attack not to be reported in any media, whether in major newspapers or in specialized blogs. From the moment the attack becomes public, it has been customary for the ANPD to send a letter to the affected organization, asking about the attack and for explanations of the reasons why the incident was not communicated to the DPA.
In these scenarios, if the organization decides not to promptly notify the regulator, the possibility of arguing that the organization acted in good faith and with a spirit of cooperation is lost. Those are mitigating aspects of the eventual penalty that could be imposed according to Section 1 of Article 52 of the LGPD.
On the contrary, the lack of cooperation and good faith on the part of the offender are criteria that will certainly be considered by the DPA and other regulatory bodies when evaluating the specific case and deciding on the imposition of a sanction (and the level of the penalty).
Therefore, when it is found that the requirements of Article 48 of the LGPD are fulfilled, failing to communicate to the ANPD and the data subjects involved will only cause greater damage to the organization.
It is worth remembering that it is not only the ANPD and the data subjects that usually need to be notified about any security incident, including ransomware attacks. Many of the contracts your organization enters into with third parties possibly contain data protection clauses that impose obligations to report security incidents within tight deadlines, under penalty of possible contractual termination.
5. Document, document, document
In cases where the organization's decision is not to communicate the event to the ANPD and the data subjects, as it understands that no relevant risk or damage was identified to the data subjects, it is essential that the respective decision is documented, including the rationale that led to this judgment.
Due to the principle of accountability provided for in Article 6, X, of the LGPD, it is the duty of the organization to adopt measures to demonstrate its compliance with the legislation.
In this sense, it is not enough simply to refrain from reporting the attack on the premise that there was no relevant risk or damage to the data subjects. It is fundamental to document that the organization has seriously reflected on the issue, evaluating the characteristics of the attack and the related risks, and making a thoughtful decision about the event and the need for communication to the ANPD and data subjects.
If the incident comes to the attention of the ANPD, the DPA will certainly demand explanations as to why it was not previously communicated, requesting that documentary records be presented about the decision that was made and the reasons supporting it.
The suggestion to produce a paper trail is not only for the decision about whether to report the event to the DPA. All relevant decisions made in relation to the event (such as filing a police report or whether to pay a ransom demand) should also be documented, especially when the organization is a publicly listed company, whose officers and board of directors need to prove they made a disinterested, thoughtful and informed decision, in the best interest of the company and its shareholders.
Finally, think about the worst-case scenario
A ransomware attack these days is far from limited to encrypting an organization's files and preventing them from being accessed without the cryptographic key, which is only delivered upon payment of a ransom.
As a rule, current attacks involve several different forms of extortion. It has become common that, before encrypting files, threat actors make copies of all (or a good part) of the files they are able to access and threaten to leak or sell this information on the dark web if the ransom is not paid.
Other increasingly common forms of extortion are threatening to tip off the press so that the event gets coverage, or threatening to contact business partners, suppliers and customers, all with the aim of increasing pressure on the victim to get the ransom paid.
So, before you fall victim to a ransomware attack, it is crucial to do a mental exercise and imagine what the worst-case scenario would be for your organization if an attack happened today.
Consider the following variables, among many others that may apply depending on the specific case:
- If all our files are encrypted, do we have recent, tested backups that are segregated so they would certainly not be affected by the attack, making it possible to recover the encrypted files?
- If working backups exist, how long would it take us to restore all our systems and devices? Could we survive if we were unable to operate during this period?
- If the data we have stored is leaked, what would be the impact on our operation?
- Which has the bigger impact on our organization: not being able to recover all the data we had because of the attack, or having information leaked or sold?
Thinking about the worst-case scenario helps to visualize what conduct should be taken as a precaution, even before an attack happens, and to draw up plans for the future. It is no use thinking about this issue only after the attack has taken place, when it is too late to remedy some weaknesses and decisions become less flexible.