Chapter 1, Part 2: All on Board in the C-suite Ransomware Response
Following the events that triggered a double extortion ransomware attack, the CEO of fictional utility company Vulnerable Electric mobilizes her cyber incident response team to begin assessing the way forward to deal with the cybercriminal(s).
WARNING: This case study describes a fictional cyber incident based on real scenarios described by interviewed experts, media reports and other publicly available resources. While the details surrounding the characters, the company, and the ransomware attack are imagined, the business concerns and legal issues raised are plausible and based on real cases.
It’s half past seven in the morning. The Chief Executive Officer (CEO) of Vulnerable Electric (VE) has just finished a workout at her home gym when she hears the persistent trill of her cellphone in her sweatshirt pocket. She’s used to hearing her phone ring at all hours (she has teenage daughters), but it’s a little unorthodox for her general counsel to call so early. Curious, she picks up.
He tells her what happened without preamble. The news traveled a circuitous route in less than 20 minutes. An employee named Betsy reported a suspicious splash screen to the VP of Human Resources, who in turn alerted the Managed Security Service Provider (MSSP).
VE uses an MSSP as its first line of defense. The MSSP provides outsourced monitoring and management of security devices and systems, including intrusion detection, vulnerability scanning, and incident response as a service. The general counsel reports that the MSSP conducted an initial investigation and declared a cyber incident, specifically a ransomware attack.
“Has the CIRT Steering Committee confirmed this?” asks the CEO. Her tone suggests that the answer is a foregone conclusion. CIRT is an acronym for Cyber Incident Response Team, and the steering committee to which it reports includes senior executives such as the Chief Information Security Officer (CISO) and the General Counsel. The fact that he is calling her at all suggests that the incident has already been declared material.
The general counsel readily confirms the CEO’s hypothesis. He provides details on the severity level assigned to the incident, rated according to the known impact on information (i.e. the type of data accessed, encrypted and/or exfiltrated); the functional impact on VE’s ability to provide services to its customers; and the expected recovery time. This scheme is consistent with the Cybersecurity and Infrastructure Security Agency (CISA) National Cyber Incident Rating System. Of course, the situation is still evolving, so the severity level of this incident could still rise.