In the last edition of Housing Technology, we looked at the growing threat of ransomware to housing providers, the importance of preparing for a breach and why paying a ransom isn’t the answer.
Following best practice and maintaining good cyber-hygiene is critical to reducing your ‘attack surface’. Yet frustratingly, even if an organisation has these mitigations in place, there’s no guarantee that threats won’t still slip through. Criminals have become highly skilled in understanding human behaviour; for example, delivering sophisticated phishing attacks capable of convincing even highly-trained IT staff.
It’s not just small organisations that are vulnerable. Look at the recent headlines about cyberattacks on large US corporations such as Colonial Pipeline, which shut down its pipeline in response to a ransomware attack, interrupting fuel supplies along the US East Coast, and paid the attackers a $4.4 million ransom in Bitcoin.
Closer to home, in 2020, Redcar & Cleveland Council suffered an incident resembling a ransomware attack, taking its computers offline and affecting all of its online systems. These included systems involved with housing complaints, social care provision and online appointments. To date, it has cost the council over £8.7 million. The financial impact on organisations keeps on rising; according to our annual ‘State of Ransomware’ report, the average cost of recovering from a ransomware attack has more than doubled in a year.
Threat scenarios
What do you do if there is a breach? Ideally, you will already have an incident response plan that identifies your highest-priority assets and the key stakeholders within your organisation who need to be involved. You should also have role-played various threat scenarios as ‘tabletop’ exercises so that your IT teams, technical staff and senior management all know how to respond. The NCSC’s free ‘Exercise in a Box’ tool is an excellent place to start if you haven’t.
When a threat is detected, time is of the essence, and IT teams should notify the key stakeholders about the breach as soon as possible. Bear in mind that internal messaging systems such as email and chat may themselves be compromised by this point. You don’t want to tip off the criminals that you know they are active on your network, so use telephones or an alternative, out-of-band messaging platform agreed in advance.
Isolation and evidence
Locating the source, type and scale of the problem is critical. If only a handful of computers are affected, you may be able to isolate them from the network quickly, together with any non-essential endpoints. Isolate by disconnecting from the network (or using your security tooling’s host-isolation feature) rather than powering off: shutting a machine down destroys volatile evidence held in memory. Before you do this, make sure that evidence such as the ransom note and other suspicious files, along with their hashes and timestamps, has been preserved, because you will need it for internal investigations and to pass to the authorities. Technical staff will also need to go through reports and logs from across your whole IT estate, to establish how the attacker got in and what they touched, before restoring from offline backups; otherwise you risk restoring the attacker’s foothold along with your data. Investigation tools such as Endpoint Detection and Response (EDR) and Extended Detection and Response (XDR) will help you find indicators of compromise or attack.
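The two tasks described above, preserving evidence before a host is touched and sweeping logs for indicators of compromise, are straightforward to script. The following is an added example written for this article; it is not Sophos code, and every file name, hash, IP address and log line in it is constructed for illustration (the addresses use reserved documentation ranges and the `.invalid` domain, and the hash is a placeholder). The name fragments it treats as ransom-note candidates and the `.locked`/`.enc` suffixes are assumptions to be tuned per incident.

```python
"""Evidence preservation and log triage for a suspected ransomware incident.

Added example, not Sophos code. All artefacts below are constructed.
"""
from __future__ import annotations

import hashlib
import json
import re
import tempfile
from datetime import datetime, timezone
from pathlib import Path

# Assumed: name fragments ransom notes often carry, and extensions that
# encrypted files are given. Tune these for the incident in hand.
NOTE_NAME_PATTERN = re.compile(r"(readme|decrypt|recover|restore|how[_ -]?to)", re.IGNORECASE)
SUSPICIOUS_SUFFIXES = {".locked", ".enc"}


def sha256_file(path: Path) -> str:
    """Hash a file in chunks so large suspicious binaries never sit fully in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def collect_evidence(root: Path) -> list[dict]:
    """Record path, size, mtime and SHA-256 of every candidate ransom note or encrypted file.

    Run this before isolating or touching the host: the hashes let you prove
    later that the evidence handed to investigators was not altered.
    """
    records = []
    for p in sorted(root.rglob("*")):
        if not p.is_file():
            continue
        if NOTE_NAME_PATTERN.search(p.name) or p.suffix.lower() in SUSPICIOUS_SUFFIXES:
            st = p.stat()
            records.append({
                "path": str(p.relative_to(root)),
                "size": st.st_size,
                "mtime_utc": datetime.fromtimestamp(st.st_mtime, timezone.utc).isoformat(),
                "sha256": sha256_file(p),
            })
    return records


def write_manifest(records: list[dict], dest: Path) -> str:
    """Write the evidence manifest and return its own hash for the chain of custody."""
    dest.write_text(json.dumps(records, indent=2, sort_keys=True))
    return sha256_file(dest)


def scan_logs(lines: list[str], iocs: dict[str, set[str]]) -> list[dict]:
    """Match log lines against indicators (IPs, hashes, hostnames), one hit per (line, indicator).

    Word boundaries stop 203.0.113.45 from matching inside 203.0.113.450; plain
    substring search would produce that false positive.
    """
    hits = []
    for lineno, line in enumerate(lines, 1):
        lowered = line.lower()
        for kind, values in iocs.items():
            for v in values:
                if re.search(r"\b" + re.escape(v.lower()) + r"\b", lowered):
                    hits.append({"line": lineno, "type": kind, "indicator": v, "text": line.strip()})
    return hits


def run_demo() -> dict:
    """Build a constructed file tree and log sample, then run both steps over them."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        docs = root / "Documents"
        docs.mkdir()
        (docs / "README_TO_DECRYPT.txt").write_text("constructed ransom note\n")   # constructed
        (docs / "budget.docx.locked").write_bytes(b"constructed encrypted blob")  # constructed
        (docs / "notes.txt").write_text("ordinary file\n")                        # benign
        records = collect_evidence(root)
        manifest_hash = write_manifest(records, root / "evidence_manifest.json")

    placeholder_hash = "d0c5d4b2" * 8  # constructed, not a real sample hash
    iocs = {
        "ip": {"203.0.113.45"},            # TEST-NET-3, never routable
        "sha256": {placeholder_hash},
        "host": {"update-check.invalid"},  # reserved .invalid TLD
    }
    logs = [  # constructed log lines
        "2024-03-02T01:12:03Z fw deny src=203.0.113.45 dst=10.20.30.5 dport=445",
        "2024-03-02T01:12:09Z edr process=svchost.exe parent=winword.exe sha256=" + placeholder_hash,
        "2024-03-02T01:13:44Z dns query=update-check.invalid from=10.20.30.5",
        "2024-03-02T01:15:00Z proxy GET https://intranet.local/ from=10.20.30.7",
    ]
    return {"evidence": records, "manifest_sha256": manifest_hash, "hits": scan_logs(logs, iocs)}


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
```

The manifest hash is what you write down (or email from an uncompromised account) at the time of collection; anyone later checking the evidence recomputes it and compares. Keep the indicator sets small and specific: a hostname or address that also appears in normal traffic will bury the real hits.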
However, the pace at which a ransomware attack can unfold and spread across a network can be daunting for the IT teams of smaller housing providers. Cybercriminals thrive on knowing that panic drives people to pay ransoms. At this point, it’s wise to hire the services of an organisation familiar with adversaries’ methods that will confidently hunt down and neutralise threats.
Immediate expert access
In an emergency, a call to Sophos gives you immediate access to our expert-staffed Rapid Response service, which provides 24/7 crisis support for a fixed fee and term (45 days), and because the team operates remotely, you won’t have to wait for help to arrive. After the initial contact, we launch a four-stage response within hours, starting with the onboarding phase. We deploy our software and define response plans during this time, and most threats are triaged within 48 hours. Once the team has neutralised the attack and removed any ‘threat actor’ persistence, customers transition to Sophos’ Managed Threat Response (MTR) service for the remainder of the term.
Having experienced the peace of mind that MTR brings, many customers choose to continue with this service once their initial Rapid Response licence expires. With MTR, you retain a specialist team of threat hunters who proactively look for suspicious behaviour across your network around the clock. Prevention is always better than cure: MTR helps catch criminals at a stage when their activities might fly under the radar of a busy IT team, stopping attacks before they can take hold and avoiding the crippling costs of recovery.
If you feel that your team needs extra help, you are far from alone; this doesn’t just apply to the housing sector but to other sectors as well. In our recent survey, ‘The IT security team: 2021 and beyond’, over half the respondents said that cyberattacks were now too advanced for their IT teams to deal with and they expect that their use of outsourced IT staff would increase within the next two years.
Combining your in-house IT team, with its knowledge of your organisation’s infrastructure, with external threat hunting and incident response capabilities is often the right arrangement for housing providers facing today’s IT challenges: the in-house team can focus on digital transformation and tenant experience while the external team proactively stops and responds to potential threats.
Jonathan Lee is the public-sector director at Sophos.