The mainstream media focused on eastern U.S. drivers in a panic, as gas station after gas station went dry last week.
This was fallout from the Colonial Pipeline shutdown due to a ransomware attack—a legitimate story, for sure.
But our SecureWorld editorial team wondered something else: what is it like right now inside the walls of Colonial Pipeline? What kind of pressure hits an organization as it conducts incident response to a devastating ransomware attack?
For the answer, we went live on LinkedIn with Shawn Tuma. Tuma often finds himself in the middle of ransomware incident response as Co-Chair of the Data Privacy & Cybersecurity Practice at law firm Spencer Fane.
Tuma describes his role as a "breach quarterback" or "incident response coach."
Watch the recorded livestream or keep reading for his explanation of what organizations and security teams face during ransomware incident response.
For context, here is where Tuma fits into the ransomware incident response process. This is what informs his perspective:
"My role in practical terms is to be somewhat like the conductor of the symphony that comes in when there's this issue to work with cyber insurance providers, to work with forensics firms, to work with PR firms, to work with data decryption negotiation firms, all of this. And to do so with a view towards the legal issues and the practical business issues. And then obviously, the technical issues, which everyone appreciates and understands.
And so in that role, I don't put fingers on keyboards, if you will. But I help make sure that the right people are at the table, that the right approvals are needed, that the right claims are made, that we have the right professionals who understand in a ransomware case, no, we don't need a call Monday, we need a call in 15 minutes, we need to be moving within the next hour."
Ransomware incident response, phase 1: 'shock'
Tuma describes that moment where your IT or security team thinks it is experiencing a ransomware attack:
"So at first, it's a shock. It's like, 'We don't believe this is really happening. No, surely it's something else. Restart the servers, did you make sure it's plugged in, all of those kind of things. Because it is a surreal experience. This is worst-case scenario.
And far too many companies still think it can't happen to them. Because they're investing in cybersecurity, they're doing a pretty decent job, and there are all these reasons they think it can't happen to them.
So the first step is going to be a shock; they're going to be absolutely floored by the notion that this literally just happened to us."
Ransomware incident response, phase 2: 'panic and blame'
In phase 2, Tuma says reality hits hard and can easily turn to blame.
"The next step is they're going to realize this is a ransomware attack, they're going to probably see the note from the threat actor, saying, 'You must now contact us to negotiate so we can help you through this.'
And sadly, at that point, many times they turn to the internal team. And they start blaming and pointing fingers and scaring the hell out of everybody, which then makes everybody tense up and they're not thinking rationally.
They're now panicking because they haven't prepared for this moment."
And then reality hits again when many organizations realize their backups are "out" as an option:
"And then you see your internal team say, 'Oh, well, let's hurry up. We've got backups. Let's wipe our servers. Let's wipe our network. Let's get our backups going. It's Friday. If we start right now, we can get it done by Monday.'
Then they discover they don't have backups because the threat actors know backups are the kryptonite here. So they get in and they infect or forensically delete your backups before you ever get hit."
Ransomware incident response, phase 3: 'fear'
Tuma says when it comes to the next phase of incident response, there is a fork in the road: do you have an IR plan for ransomware, and have you practiced it? This will determine what happens next:
"And sadly, most people haven't practiced this, they haven't put a plan in place for this. So from here, they start trying to fix it themselves. And they create a lot of problems and cause damage that can't be undone later.
And there's more fear than anything else.
And that's what I wish people would do as they're sitting here listening to this, is project yourself into that position. Say, 'What would it really feel like?' And then let's start today by doing some things to keep us from ever getting there."
At this point, as the process breaks down just a short time after IR starts, outside partners like Tuma are called in to help organizations push past the fear and blame—and take the appropriate actions.
Monday morning quarterbacking can come later.
The next stages are covered in the SecureWorld Sessions podcast on the ransomware lifecycle.
Ransomware: one of your organization's top risks
Now, here is a crucial question: does your organization treat cyber risk like it is business risk?
Based on what he sees in his work, Tuma says ransomware should be at the top of your business risk considerations:
"I believe cybersecurity and especially ransomware is the single greatest threat that companies face. As we sit here today, more than the COVID shut down, more than all fluctuating currency, all these other things.
This is the biggest issue, because this is literally the one scenario, short of maybe nuclear war, where you go to bed tonight, your company's doing great, finances are doing great, operations, etc., then you wake up tomorrow morning with a call from your CISO saying we are now shut down. Our company is out of business until we get this resolved. That's big."
If you need confirmation of this assessment, just ask Colonial Pipeline or drivers up and down the east coast. And many, many victims of ransomware around the globe.