Anyone invested in cybersecurity and business continuity for their organisations can clearly see the importance of Cyber Attack Tabletop Exercises.
Rehearsing the right Cyber Incident Response Tabletop Scenarios, however, is as critical as the exercise itself. The cyber tabletop exercise scenario should be relevant to the business and reflect the emerging threats in cybersecurity. The risks are always changing.
Simulating a Ransomware Attack on a Cloud Native Environment is one such cyber tabletop exercise example that we’ll be discussing today.
Topics covered in the blog:
1. Types of Ransomware Attacks on the Cloud
2. Why Rehearse Ransomware Attack Scenarios
3. What makes Ransomware Attacks on Cloud Environments significant?
4. How to Simulate a Ransomware Attack on a Cloud Native Environment?
But before we jump in, let's quickly go over the benefits of cybersecurity incident simulation drills:
Availability: Traditionally, ransomware attackers have made data unavailable by 'locking' or encrypting it with a special key. They would not share the 'unlock' or decryption key until the victim agreed to pay the ransom.
Confidentiality: This is where criminals copy digital data and then extort a ransom in exchange for not 'dumping' or exposing the data on the Internet. In an availability attack one can always restore the data from a clean backup and avoid paying a ransom. A confidentiality attack, however, is probably more painful and impactful, as one can never be certain that the attacker has deleted all digital copies on receipt of a ransom payment.
Ransomware attacks are the #1 problem that the cybersecurity community faces today. This problem becomes more pronounced when the attack happens in a cloud-native environment. Practising ransomware response drills is useful in the following ways:
So what exactly is a Ransomware Attack on a Cloud Native Environment and what makes this type of attack such a compelling cyber tabletop exercise scenario?
Important Note: There are three types of cloud service: Infrastructure, Platform and Software as a Service (IaaS, PaaS and SaaS). Our focus here is on SaaS. However, you can apply most of the logic and attacks to the other two types of cloud service.
Most often, businesses use the cloud infrastructure of third-party service providers. This eliminates the need for them to buy and maintain high-end computing resources and hardware. It also means that a single cloud service provider could store vast volumes of data for hundreds of organisations.
There are several ways in which your data on Cloud could be attacked:
An attack on a cloud environment, in such cases, can be huge, complicated and very often executed by highly sophisticated threat actors. Cloud service providers assure their clients of iron-clad security. This is why breaching them isn’t something a rookie will easily be able to pull off.
The data stored in the cloud could be vital to the day-to-day operations of many businesses. This makes a ransomware attack all the more damaging and disruptive.
Even if you have sufficient backups and are able to restore the business-critical data, there is still the threat of a serious data breach in which the cyber criminal leaks or even sells your stolen data on the dark web.
This is always followed by a Public Relations crisis for the business. Regulatory fines and customer lawsuits follow closely when sensitive information of individuals is compromised.
Spread of Infection is another major concern with ransomware attacks on cloud infrastructure. Due to the interconnected nature of cloud environments, an attack on your third-party service provider could quickly trickle into your systems.
The ransomware infection can thus propagate with agility, making response and recovery efforts twice as complicated.
Let’s now build on the Cyber Tabletop Exercise Example that centres on a ransomware attack on a cloud environment. We will focus on important elements to make this Incident Response Tabletop Scenario as relevant and compelling for participants as possible.
Which brings us to the question: who should participate in an exercise centred on such cyber tabletop exercise scenarios? The answer includes IT, legal teams, Human Resources, Public Relations and Communications. Of course, senior management participation is important. They’ll be the ones answerable to customers, investors and external stakeholders.
Scenario Preparation: In this phase, the first step obviously is to determine what kind of cloud environment your organisation operates in - public, private or hybrid. Next, keep in mind an attacker’s information-gathering tactics. Define the most critical vulnerabilities or assets on the cloud that are likely on top of the attacker’s radar. Identify the information they’re seeking and/or the assets they are after.
The Scenario: The ransomware attack scenario can be based on any of the three attack methods we discussed earlier - Malicious Intent, Insider Threat and/or Misconfiguration. While building the cyber tabletop exercise scenario, focus on what files and/or systems the attacker is most likely to encrypt. The crux of this incident response tabletop scenario is usually exfiltration of data leading to a damaging breach of sensitive information.
Injects: A ransomware tabletop exercise scenario is always made more realistic through the use of injects. Cyber crime is never a one-time event and it’s usually dynamic and evolving.
Make sure your attack simulation exercise reflects this. In this case it could mean introducing elements such as lateral movement after the initial detection of a compromise. You could then move on to privilege escalation, with the criminal gaining access to more sensitive information and assets.
To make the cyber tabletop exercise example more comprehensive, you can also offer details to participants on who the threat actor might be. In this case, it could be a Nation State actor attacking a public cloud service. It might also be a sophisticated ransomware gang out to extort large sums of money by compromising your organisation’s hybrid cloud environment.
With the rise in ransomware attacks, especially supply chain attacks, this cyber crisis tabletop exercise scenario should be high on your priority list.
Simulating a ransomware attack on a cloud environment is not straightforward. It has to include diverse aspects such as your network security, application security and endpoint security.
It also evaluates your Identity and Access Management systems and policies and takes a critical view of your Data Encryption and Backup capabilities. This is why it is strongly recommended to bring onboard a deeply experienced ransomware tabletop exercise facilitator to conduct the simulation drill for you.
Not only does an external facilitator bring unparalleled expertise to the table, they also give you objective and completely unbiased feedback on your organisation's cloud security and ransomware response protocols. They work with your team to build a ransomware tabletop scenario that will hit home with your participants and senior management.
If, however, hiring an external facilitator isn’t on your radar at the moment, our experts have created some really useful tools that you can use. These resources are easily customisable to your organisation’s threat context and its cloud environment. They’re crisp, brief and focus on helping you simulate a highly effective ransomware attack on a cloud-native environment: