Cyberattacks are evolving rapidly, with increasing complexity and sophistication.
In response, it is key for your organization to understand what steps it needs to take, and whether to engage with a threat actor, once that actor has breached your organization's network using any form of malware.
While ransomware is a common tactic that organizations are familiar with, threat actors may also exfiltrate data and subsequently threaten to release it (on the dark web or elsewhere) without using ransomware specifically.
How can your organization prepare and respond? Let's explore data breach responses.
Preparedness: The importance of a cyber incident response plan
First principles in cyber response have evolved from a focus on preventing attacks to preparing to respond resiliently to the now-ubiquitous attacks experienced by organizations in all sectors.
If your organization does not have a cyber incident response plan, you should develop one. This will not only provide structure to your incident response, but also help to ensure everyone in the organization is working according to the same protocol. Items within your response plan may include:
- System back-ups
- Threat containment
- Remediation and reporting
- Communications protocols
Enabling collaboration amongst privacy, information and operations stakeholders is essential to ensure your plan is comprehensive and can be readily implemented.
Depending on the risk to your organization, purchasing cyber security insurance may be worthwhile. Insurers may also help to identify potential weaknesses in your network through undertaking a rigorous risk assessment to confirm your eligibility for insurance and the appropriate premiums.
As we discuss further below, engaging a negotiator can provide significant value in the event of a malware attack. While you will not need to engage a negotiator at the preparation stage, maintaining a shortlist of negotiators is helpful to ensure your team knows exactly whom to contact in the event of a cyberattack, which reduces your incident response time. The same logic applies to engaging an external forensics team and legal counsel. If you have cyber security insurance, be sure to check with your insurer, as they may already have a shortlist of approved professionals.
Preparing your rules of engagement
1. Assemble your internal team
Your IT team should start immediately on containing and/or eradicating the threat. Every second counts.
Engage all necessary internal parties within your incident response plan, including counsel and, where applicable, other corporate affiliates.
2. Determine the necessary reporting steps
If required, provide notification to your insurance company.
While specific details are outside the scope of this article, organizations should generally report all cybercrime incidents to law enforcement.
Down the road, your organization will also need to consider providing notification of a data breach to regulators (e.g. privacy and securities regulators).
3. Assemble your external team
Retain external counsel to provide advice and support on items such as notifications to regulators and forensic reports. Involving experienced data breach counsel makes for a quicker and smoother response, and offers the possibility of maintaining privilege over sensitive communications.
Hire a forensic investigator to determine the source of the threat and provide support on containment and remediation. Remember: information technology and cyber security are different disciplines with different skillsets. An external investigator is crucial if you want an objective assessment of your organization's state of preparedness, pre- and post-attack.
Consider hiring a professional negotiator to engage with the threat actor. Experienced negotiators can provide invaluable insight about the particular threat actor you're facing, which is crucial to decisions such as whether to pay the attacker.
Consider hiring a professional communications company for handling items such as media inquiries and drafting communications to affected stakeholders such as customers and employees.
Remember: If you have cyber insurance, your insurance company may recommend these experts or provide an approved list.
4. Prepare for first contact with the threat actor
First contact may occur even before the organization learns of the data breach, so it is possible this step will occur before the organization has had a chance to complete the preceding steps.
First contact may happen in several forms, including an email, a video or even a telephone call. Further, the threat actor may contact anyone in your organization. Do not assume they will necessarily contact the representative with actual knowledge of the threat.
Stay calm and obtain as much information during first contact as possible. If the contact comes by audio or video, record or retain the message. Try to understand exactly what breach has occurred and whether data has been exfiltrated. During this process, ensure you understand exactly what the threat actor's demands are (i.e. monetary compensation or otherwise).
5. Determine if you should engage or ignore
An organization's response to a threat actor's demands will depend on several criteria, including the nature of the data accessed (and possibly exfiltrated), its sensitivity, the organization's ability to recover that data from other sources (e.g. backups), potential reputational harm and, of course, the ability to pay.
Forensic investigations should help the organization determine the extent of the threat posed by the cyberattack. It is possible that threat actors have accessed or even exfiltrated data, but the data is obsolete or otherwise not valuable, or is encrypted and therefore unusable. In such cases, the threat may prove to be an empty one.
Regardless of whether an organization pays the ransom amount (see below), engaging with the threat actor through a negotiator may help achieve other organizational goals such as:
- Confirming the extent of the threat where forensic analysis is inconclusive.
- Obtaining proof and location of exfiltrated data.
- Buying more time for coordinating next steps.
- Enabling the organization to learn more about the nature of the cyberattack to contain the threat, secure its network, remediate the harm and/or prevent future attacks.
- Creating a single line of communication between the organization and the threat actor, as opposed to employees and other stakeholders who may create further risk through their involvement.
Engaging a skilled negotiator may also help an organization keep its cool during the course of negotiations. Stakeholders within an organization will understandably be in a state of considerable stress, frustration, agitation and likely exhaustion. Negotiators, while having an inherently stressful and high-stakes role, are specifically trained to deal with crises.
Skilled negotiators are also good at keeping threat actors cool while negotiations are ongoing, thereby reducing the risk associated with subsequent attacks and/or other hostile actions.
6. To pay or not to pay?
Where the loss of data may result in severe consequences for the organization, an organization may determine its best option is to pay the ransom amount. Using a negotiator in such circumstances can help with negotiating the payment amount and terms of payment.
If your organization decides to pay a ransom, it is critical that you engage legal counsel to determine whether the payment would violate any applicable sanctions.
For example, Canada has sanctions in place against a number of countries, as well as sanctions against specific individuals and entities. The United States, the European Union and the United Kingdom also have sanctions against certain countries, individuals and entities, including cyber-specific sanctions.
Even where an organization determines it will not pay the ransom amount (for principled reasons or otherwise), it can still benefit from engaging with the threat actor for the reasons described above.
Seeking legal counsel for your cyber incident response
As mentioned throughout this article, engaging legal counsel is an important step in developing your cyber incident response.
To learn more, contact the authors or a member of Gowling WLG's Cyber Security & Data Protection Law team.