Introduction
The rampant increase in ransomware attacks has put critical-infrastructure providers on notice. A $10 billion electric utility, which provides electric power production, transmission and retail distribution operations to the south-eastern US, decided it wouldn’t wait until it was victimised. It invested in a prescriptive programme to strengthen its cyber readiness and resilience.
The challenge
With the well-publicised attack against Colonial Pipeline in May 2021 fresh in their minds, the utility’s Board of Directors was becoming increasingly concerned about how prepared their company was to identify and effectively respond to such an attack, and mitigate its potential impact. Incident response (IR) plans were in place at both a technical and executive level, and the company had an IR retainer with a well-known digital forensics and incident response (DFIR) firm.
However, the Board wasn’t confident that those plans or the DFIR partner were adequately prepared to address the unique nature of a ransomware attack. The Security Incident Response Committee turned to Quorum Cyber to understand how to best analyse the nuances of ransomware attacks, evaluate how well their IR plans were positioned for identifying and responding to an event, and determine if there were additional areas of improvement that could help limit the impact of an attack when it happened.
Quorum Cyber’s response and solution
To fully evaluate the effectiveness of the utility’s IR plans and ability to respond to a ransomware event, Quorum Cyber proposed a two-phased approach comprising:
- An IR Plan Assessment
- Technical and executive-level Ransomware Tabletop sessions.
In the first phase, Quorum Cyber evaluated the customer’s technical and executive IR plans against NIST 800-61, with a specific view toward use of incident-handling best practices related to ransomware.
In the second phase, Quorum Cyber collaborated with multiple individuals from across the organisation to develop a customised and environment-plausible ransomware attack scenario for field-testing during the two tabletop exercises. By leveraging this two-phased approach, Quorum Cyber was able to evaluate the efficacy of the company’s procedures as well as IR personnel’s knowledge and ability to respond to a realistic ransomware attack.
Outcome
By gaining insight into how well-positioned its people and procedures were to effectively respond to a ransomware event, the utility:
- Increased Board of Directors’ confidence in limiting the operational and financial impact of a ransomware event
- Prepared the executive team for evaluating the pay/no-pay decision in a ransomware event, to limit financial exposure
- Enabled re-prioritisation of cyber investments to yield greater return on investment (ROI) in ransomware protection.




