How to Manage Ransomware Risk: (NIST Framework Part 4: RESPOND)

Jed Fearon

Solution Advisor, 17+ years of experience in MSP Solution Development, Sales and Marketing Communications

Welcome to part four in a series of five blogs created to help you manage ransomware risk with the NIST framework.

Feel free to jump to the related articles if you want to start at the very beginning: NIST Framework Part One, NIST Framework Part Two, and NIST Framework Part Three.

NIST is short for National Institute of Standards and Technology. In a world of infinite hardware, software, and cloud options (and opinions), this non-regulatory agency and their Information Technology Laboratory (ITL) produce a never-ending and iterative catalog of compliance-friendly publications (blueprints) to guide your IT journey.

NIST’s technical leadership fuels the U.S. economy and public welfare with measurement and standards recommendations (based on extensive testing and analysis) to advance the development and productive use of information technology.

Why should this matter to you? NIST continuously develops management, administrative, technical, and physical standards, along with guidelines to inform and prioritize cost-effective security and privacy initiatives for your business.

They’re doing most of the heavy lifting, so you don’t have to! And your burden will be even lighter if you allow your MSP (and their vCIOs) to play a commanding role in guiding your journey.

The Ransomware Problem

As per NIST, “Ransomware is a type of malicious attack where attackers encrypt an organization’s data and demand payment to restore access. In some instances, attackers may also steal an organization’s information and demand additional payment in return for not disclosing the information to authorities, competitors, or the public.”

Learn More: NISTIR 8374 Draft

While managing risk always involves new budgetary considerations, your costs will be offset if your organization harnesses thoughtfully planned and architected technology to grow your business AND to avoid being torpedoed by ransomware attacks and legal episodes.

The outcomes you wish to avoid are almost always much more expensive than preventative measures!

Learn More: Ransomware Costs Besides the Ransom

NIST Framework Part 4: RESPOND

Calling it a problem is an understatement considering what is unfolding as I compose this blog. On Friday, July 2nd, Kaseya, an enterprise IT firm serving MSPs with remote monitoring and management tools, was the target of a sophisticated zero-day attack.

“Zero-day” means the attackers exploited a vulnerability before a fix was available, so defenders had no chance to patch ahead of it.

Because all sixty of the affected MSPs have direct access to their clients’ IT systems via Kaseya’s VSA product, roughly 800-1,500 businesses worldwide were affected.

Among other challenges, the cyber attackers (a Russian-speaking ransomware syndicate) are demanding a $70,000,000.00 payment from Kaseya for a universal decryption key! And this giant ransom was negotiated down.

I was fortunate to attend a webinar on July 6th with first responders Mike Puglia, CMO of Kaseya, Jon Murchison, CEO of Blackpoint Cyber, and Chris Loehr, EVP of Solis Security.

Each panelist provided updates and insights closely conforming to the following NIST guidelines:

1 - Response Planning

Kaseya responded immediately with a predetermined checklist of processes and procedures with no hedging or delays.

The attack affected only their on-premises VSA servers, so these machines were immediately taken down, and their MSP customers were advised to do the same.

As an added precaution, the company followed the same drill with their Software as a Service (SaaS) version of VSA to reduce the potential attack surface.

These actions saved a lot of additional businesses from getting hit.

Learn More: The Kaseya Zero-Day Attack

2 - Communications

Response activities were coordinated with clients, security vendors, and law enforcement agencies.

Kaseya also engaged with industry peer groups, journalists, LinkedIn, Reddit, The Dutch Institute for Vulnerability Disclosure, and more. The international security community banded together in solidarity.

All VSA users (both MSPs and their clients) were advised to stay tuned for developing updates.

Learn More: July 4th Notice from Kaseya

One of the affected MSP owners was on the call and was adamant about immediate and transparent outreach: “Overcommunicate and don’t let your clients hear about the breach on CNN!”

(He was in surprisingly good spirits considering he hadn’t slept in four days.)

3 - Analysis

The company is actively collaborating with the FBI, CISA, FireEye, Mandiant, Huntress, and other cybersecurity forensics firms to conduct detailed investigations.

According to Charlie Osborne of ZDNet, “Huntress has tracked thirty MSPs involved in the breach and believes with "high confidence" that the attack was triggered via an authentication bypass vulnerability in the Kaseya VSA web interface.”

She continued, “This allowed the attackers to circumvent authentication controls, gain an authenticated session, upload a malicious payload, and execute commands via SQL injection, achieving code execution in the process.”

4 - Mitigation

The following mitigation activities (just to name a few) are being implemented to resolve the incident:

  • On July 3rd a compromise detection tool was delivered to approximately 900 Kaseya customers.
  • On July 5th Kaseya CEO Fred Voccola announced a fix had been developed.

"We are developing the new patch for on-premises clients in parallel with the SaaS Data Center restoration," the company said. "We are deploying in SaaS first as we control every aspect of that environment. Once that has begun, we will publish the schedule for distributing the patch for on-premises customers."

Learn More: The Kaseya Attack & What We Know So Far

5 - Improvements

While the resolution is still underway, organizational response activities and lessons learned are being refined for future detection and response initiatives.

We’re living in a constant state of cyber crisis, so unfortunately none of us has the luxury of being complacent. It’s either evolve or get breached again!

Kaseya believes their restoration plan will make them the most secure Remote Monitoring and Management (RMM) solution in the marketplace.

Their upgraded solution will be multi-layered with enhanced web application firewalls.

What’s Next?

You know our digital world is under assault when reputable IT management companies and their clients are being compromised so quickly and on such a massive scale.

The argument for basing everything you do on a business risk analysis has never been more valid.

As I mentioned in my three previous installments, I hope you get more comfortable with the NIST ransomware management basics.

(And I regret I was given such a depressing real-world example to support my argument.)

The final blog covering the fifth pillar of the NIST Framework (Recover) is on the way.

Learn More: Everyone is Vulnerable
