How to run a ransomware simulation
minsta


For cyberattackers, ransomware is a gift that keeps on giving. Blocking access to a company’s critical data puts organizations that fail to mitigate attacks in a difficult position. They can either pay a potentially large ransom or lose days or even weeks of business continuity.

Six in ten organizations (59%) were victims of ransomware attempts in 2024, according to cyber publisher Sophos’ State of Ransomware Report. Organizations with annual revenues above $5bn (£3.85bn) were hit hardest, with 67% of them affected by ransomware in one capacity or another. This means that most businesses can expect to be the target of a ransomware attack at some point.

The financial and reputational impacts on businesses can be devastating. On an individual level, security personnel have also suffered PTSD-like symptoms after dealing with the consequences of such incidents.

Well-kept data backups, security systems, and robust perimeter defense are all essential to weathering the ransomware storm. It is equally important to keep a cool head in a crisis, demonstrate confidence in decision-making, and work calmly to resolve the situation.

This means ensuring that all stakeholders, not just security teams, are prepared. But what types of training exercises can help? And how can security managers ensure their effectiveness?

Ransomware Simulations: Can Red Teams Help?

Ambushing employees with fake cyberattacks was once a popular method. This often involved sending fake phishing emails to test whether employees would click on a questionable link. However, these techniques are increasingly being neglected in favor of more open and transparent training.

One method is to hire so-called red teams (often from outside the organization) to blind test the cyber defenses of blue teams, the cyber defenders within an organization. Here, the red team plays the role of an attacker, simulating the types of malware or ransomware used by cybercriminals. The blue team must detect these threats, protect against them, and repair any damage caused.

These simulated attacks take place on segregated parts of a network using disposable synthetic data, so as not to put the business at risk.

The goal of these exercises is to reveal gaps in cyber defense. This could involve differentiating between false alerts and real threats, being able to detect these threats in the first place, or coordinating an effective response once an incident is underway.

Given the necessary expertise, organizations could create their own internal red-team versus blue-team showdowns. Alternatively, there are red team providers, who offer “blind” red team services, with little or no knowledge on the part of the defending side. These vendors say such exercises create an effective environment for testing the real-world capabilities of cybersecurity teams.

Red teaming can be “a great opportunity to test a company’s preparedness, detection and response processes and technologies in a way that mimics real-world conditions,” says Lorenzo Grillo, head of cyber-risk services at Alvarez & Marsal. In effect, red teams assess the “entire control environment” to simulate how skilled and motivated cybercriminals would target an organization.

However, he adds, surprise attacks can put too much pressure on staff and risk making them feel like they are constantly being monitored. This can lead to trust issues between stakeholders. “If you run an exercise without telling anyone, it can actually be just as disruptive as a real attack,” says Alan Woodward, professor of cybersecurity at the University of Surrey. “And it doesn’t make sense for the company.”

According to Woodward, blind testing is a bit like blowing smoke canisters around the office and yelling “fire” during a drill. Such an approach can exhaust or panic staff and lead to lower productivity.

While red teams can fix some issues or expose some vulnerabilities, if you don’t trust your teams to perform in a crisis, it “says more about your hiring processes than anything else,” he adds.

Ransomware Simulations: How Tabletop Exercises Can Help

Woodward instead recommends an open and transparent approach to cyber exercises. He suggests regular tabletop exercises – typically a 1.5-hour role-playing session that presents cyber scenarios for teams and leaders to work through. The National Cybercrime Center and the US government’s LPCC websites provide some useful examples.

These games usually involve a “facilitator,” who will lead the exercise, inform participants of what is happening, and ask them to make decisions. Ultimately, the goal is to create a plausible and realistic scenario and test responses to it, allowing participants to audit their current decision-making processes, technical defenses and continuity plans.

IT teams, cyber experts, and senior management typically participate in these exercises. At a minimum, companies should include representatives from each level of the “gold, silver and bronze” command structure (strategists, tacticians and operational staff).

Properly defined and managed tabletop exercises can help test a company’s ability to respond to cyber crises, says Grillo. Companies need to find the right balance between these two approaches, he adds: “Red teams can reveal gaps and improve defensive skills, while tabletop exercises provide space for safe practice and learning without constant stress.”

Why executive buy-in is essential for cyber readiness

During a real-life ransomware attack, an organization’s leadership must make difficult business decisions. It will be up to them to decide whether to pay the ransom, issue a statement, and find a way to ensure business continuity while restoring systems. This means that it is extremely important that leaders are informed correctly and in a language they understand.

“Executives don’t need to know how you do log analysis or reverse-engineer malware,” says Dan Potter, senior director of operational resilience at cyberattack preparedness provider Immersive Labs. “They need to know that the teams at their disposal have the ability to do this and can show that they are improving over time.”

In the past, he adds, security teams have managed to terrify executives with details of cyber disasters and briefings on advanced persistent threat groups, but they have been less effective at engaging the business. The facilitator of any theoretical exercise should prioritize inclusiveness and encourage participants to speak a common language.

However, the goal should actually be lifelong learning, Potter believes. “One big exercise per year with the same 20 leaders is not enough. This does not provide the steady cadence or process validation that organizations need.”

Given the busy schedules of senior executives, it can be difficult to find a time slot for multiple tabletop exercises. It is therefore the responsibility of security managers to keep teams up to date. Potter suggests frequent, smaller exercises for front-line responders. This could include hands-on labs, technical skills development training, or small team simulations.

Security teams can then use these activities to inform senior management of progress, while preventing executive fatigue. This can open conversations with leadership about concerns and priorities. Ongoing exercises will provide cyber teams with the data needed to inform leaders of their progress or areas where there is room for improvement, thereby building trust in the team.

Ethical considerations of ransomware simulations

Successful training exercises require building a safety culture rooted in collaboration and improvement rather than shame or ridicule.

Employees need to understand the need for rehearsals and be clear that the exercises are not intended to surprise people, criticize teams or blame systems, says Jason Nurse, reader in cybersecurity at the University of Kent. The goal is to determine areas where there is room for improvement.

Organizations should carefully consider the targets, timing, and nature of ransomware attacks in their simulations. They must be careful not to unfairly target certain groups and recognize the state of the business every time they do something.

“For example, is this the last day of the exercise?” asks Nurse. “Or is the simulation planned for the day the new software is installed in the company? While there are certainly benefits to running simulations at these times – and ransomware groups themselves may find these target times ideal – they can cause significant additional stress for employees.”

Finally, anyone setting up a simulation should consider whether the content is appropriate. There have been cases where organizations have conducted simulated attacks that were in poor taste and failed to take into account the context of employees or customers.

“We’ve seen simulated attacks that offer bonuses or alerts in the event of an Ebola outbreak,” says Nurse. “There is a balance to maintain in carrying out and testing security processes without compromising employee morale.”

Running role-playing sessions about cyberattacks can feel like corporate Dungeons and Dragons, but the benefits can be significant. By discussing the actions needed to deal with these imaginary attacks, organizations can identify weaknesses in their security systems and skills gaps. When ransomware can destroy businesses, running simulations can make all the difference.
