“You have to find the needle in the haystack” - how preparation can save your business in a cyberattack

Semperis ransomware simulation (Image credit: Future)

In today’s cybersecurity landscape it is widely accepted that almost every company with any digital footprint will be breached at some point - it’s not a question of ‘if’, but ‘when’.

That doesn’t mean an attack has to be devastating though, even if it is successful - and this is where firms like Semperis come in.

TechRadar Pro joined Semperis at Infosecurity Europe recently to discuss ransomware preparation, and then experienced it first-hand in a ransomware tabletop simulation that showed off the kinds of tactics red and blue teams use in these scenarios.

Infrastructure under fire

“It's unfortunately not so hard to capture and compromise a tenant,” Semperis' principal technologist EMEA Guido Grillenmeier explains; “it’s a scenario that nobody wants to be in, but the reality is it does happen. Even as we speak, somebody is being breached and taken out. What do you do then? You have to have your disaster recovery plan in place.”

In the tabletop simulation, industry experts were split into two separate teams - a red team (the ransomware group) and a blue team (the defenders) who, in this case, were a cybersecurity team protecting a water facility.

Using a water facility was an important aspect of the simulation: critical infrastructure has suffered a surge of cyberattacks in recent years, and restrictive red tape, together with a lack of funds and skills, makes the public sector particularly vulnerable, Grillenmeier explains:

“So the public sector, they're over-bureaucratic, so they are able, by producing all sorts of documents, to check off the boxes that they tick off, but that doesn't make them well prepared for the true disaster. We've been involved in quite a few incident response cases also in the public sector where there's just a lack of technical skill.”

The security of public facilities like water treatment plants or reservoirs can quite literally mean life or death for the people they serve, so the response from security teams matters - and readiness, learning how to monitor your systems, and knowing your weaknesses are key, Grillenmeier says.

“One thing is to understand vulnerabilities, the other thing is to understand an ongoing attack. You have to find that needle in the haystack, like what's different from the norm," he explains.
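“What's different from the norm” is, in practice, a baseline-and-deviation check over the telemetry you already collect. As an added example that is not part of the original article or of any Semperis product, the script below learns a per-account profile (source countries, sign-in hours, failure counts) from a window of sign-in events assumed to be known-good, then scores a later window against it. The account names, countries and events are constructed sample data; the thresholds are assumptions a real deployment would tune.

```python
"""Baseline-vs-deviation check over sign-in events.

Added example with constructed data: the accounts, countries and events
below are invented for illustration, not taken from any real tenant.
"""
from collections import defaultdict

# Constructed baseline window, assumed to be known-good traffic:
# (account, hour_of_day, source_country, outcome)
BASELINE = [
    ("ops-alice", 8, "GB", "success"),
    ("ops-alice", 9, "GB", "success"),
    ("ops-alice", 17, "GB", "success"),
    ("ops-bob", 7, "GB", "success"),
    ("ops-bob", 7, "GB", "failure"),   # one typo'd password is normal
    ("ops-bob", 16, "GB", "success"),
    ("svc-scada", 0, "GB", "success"),
    ("svc-scada", 12, "GB", "success"),
]

# Constructed later window to be scored against the baseline.
NEW_WINDOW = [
    ("ops-alice", 10, "GB", "success"),   # slightly later than usual: fine
    ("ops-bob", 3, "RU", "failure"),      # 03:00 from a new country...
    ("ops-bob", 3, "RU", "failure"),
    ("ops-bob", 3, "RU", "failure"),      # ...three failures in a row...
    ("ops-bob", 3, "RU", "success"),      # ...then a success: needle found
    ("svc-scada", 12, "GB", "success"),
    ("ops-carol", 11, "GB", "success"),   # account absent from baseline
]


def build_baseline(events):
    """Per-account profile: countries seen, hours seen, failure/total counts."""
    profile = defaultdict(
        lambda: {"countries": set(), "hours": set(), "failures": 0, "total": 0}
    )
    for account, hour, country, outcome in events:
        p = profile[account]
        p["countries"].add(country)
        p["hours"].add(hour)
        p["total"] += 1
        if outcome == "failure":
            p["failures"] += 1
    return dict(profile)


def find_deviations(profile, events, max_failures=3, hour_slack=1):
    """Return {account: sorted list of reasons} for events outside the baseline.

    max_failures and hour_slack are assumed thresholds; tune them to your data.
    Reasons are aggregated per account so a burst of events yields one alert.
    """
    reasons_by_account = defaultdict(set)
    failures = defaultdict(int)
    for account, hour, country, outcome in events:
        p = profile.get(account)
        if p is None:
            # Never-seen account: there is no norm to compare against, so flag it.
            reasons_by_account[account].add("account never seen in baseline")
        else:
            if country not in p["countries"]:
                reasons_by_account[account].add(f"new source country {country}")
            near_known_hour = any(abs(hour - h) <= hour_slack for h in p["hours"])
            if not near_known_hour:
                reasons_by_account[account].add(
                    f"sign-in hour {hour:02d}:00 outside baseline"
                )
        if outcome == "failure":
            failures[account] += 1
            if failures[account] == max_failures:
                reasons_by_account[account].add(
                    f"{max_failures} failures in window"
                )
    return {acct: sorted(r) for acct, r in reasons_by_account.items()}


if __name__ == "__main__":
    alerts = find_deviations(build_baseline(BASELINE), NEW_WINDOW)
    for account, reasons in alerts.items():
        print(f"{account}: {'; '.join(reasons)}")
```

Note that the single baseline failure for ops-bob does not trigger anything: the point of a baseline is that ordinary noise is learned, so only the combination of new country, unusual hour and a failure burst followed by success stands out. Unknown accounts are flagged separately, because an account with no history has no norm to deviate from.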

During this exercise, the red team explored their motivations, drawing from the real-world experience of those in the room, and eventually demanded a hefty ransom from the water company (one that matched the insurance payout!). The blue team refused to pay the ransom in the end, but both teams were definitely kept on their toes.

Bring order into chaos

Ransomware attacks are unpredictable, so Semperis threw a few wildcards at both teams, and the beauty of the exercise is that each side has to stay a step ahead of the other and think creatively about its next move.

Semperis specialises in these situations, and offers tools to help companies prepare and recover.

“We're called often for clients to support them in such scenarios to get back on their feet,” Grillenmeier says. “If a company has been completely wiped out, nothing's there. All on-prem systems have been wiped out, gone, and that happens in reality.”

Semperis recently launched its Ready1 tool, a secure platform that ensures ‘seamless crisis response through preparation, collaboration and enterprise-wide communications’.

When (not if!) your organization experiences an attack, and is cut off from systems and data, Ready1 holds your organization's critical information, incident response plan, and cyber preparedness plans - reducing the risk of downtime, regulatory fines, and data exposure.

“In a true disaster, you need a pro on your side,” argues Grillenmeier. “The pro is the guy that helps you prepare. Then you have Ready1, which is the central platform for you to store that knowledge, to store the processes, to then kick them off when you need them.”

Semperis ransomware simulation 2 (Image credit: Future)

“A fool with a tool is still a fool”

But good tools are only a small part of the equation - as Grillenmeier jokes: “A fool with a tool is still a fool”.

Research from Semperis found that 96% of companies have a cyber response plan, which is encouraging - but 71% also experienced at least one ‘high-impact’ cyber event that ‘halted critical business functions’ in the past year alone, so having a plan on paper is clearly not enough.

There are a few reasons for this. One of the primary aims of a ransomware attack is to cause downtime, so it should not be surprising that attackers sometimes succeed even against a prepared organisation.

However, security teams report that cross-team communication gaps (48%), unclear roles and responsibilities (41%), and too many disparate tools (40%) factor into downtime, and these can be avoided with good preparation.

This is a big part of why the EU’s DORA regulation (the Digital Operational Resilience Act) makes operational resilience testing one of its core requirements. Testing must be carried out by an independent party, whether internal or external to the organisation, so tabletops like this one are important for the financial industry (and beyond).

“DORA requires you to first of all be prepared to prove that you are prepared - and then also during a disaster to prove what you've done. It does all of that and it reminds you that you have these tasks to do,” Grillenmeier confirms.

The teams in this exercise have plenty of real-world experience defending against ransomware and other cyberattacks. A simulation like this lets them engage critically with every side of an attack in a far more relaxed setting than a live incident, and explore avenues of defence and attack they would not risk trying for real.

Ellen has been writing for almost four years, with a focus on post-COVID policy whilst studying for BA Politics and International Relations at the University of Cardiff, followed by an MA in Political Communication. Before joining TechRadar Pro as a Junior Writer, she worked for Future Publishing’s MVC content team, working with merchants and retailers to upload content.
