Experience a Simulated Ransomware Event: Learn Now to Prevail Later (SEC104)

Title

AWS re:Invent 2023 - Experience a simulated ransomware event: Learn now to prevail later (SEC104)

Summary

  • Joe Drozdki acts as the MC and the CIO, while the other participants play various roles in a simulated ransomware attack scenario.
  • The e-commerce website goes down, and the tier-two analyst discovers ransomware encryption and a ransom note.
  • A major incident management (MIM) call is convened, including the CIO, IT operations, application support, business continuity, and information security.
  • Application support finds all servers compromised, and point-of-sale systems in physical stores are unusable due to the attack.
  • The CISO declares a cyber incident, and legal and HR are brought in, emphasizing confidentiality.
  • Restoration efforts from backups begin, but the release library for point-of-sale systems is also compromised.
  • Business continuity plans for manual sales transactions in stores are discussed as a temporary solution.
  • External security consultants are engaged, and the Platypus gang is suspected to be behind the attack.
  • The ransom demand is set at $1 million and later increased to $1.5 million, and the board considers paying the ransom.
  • Restoration efforts continue, but backups are found encrypted, and a set of uncompromised backups is identified.
  • Legal prepares for potential data breach notifications and GDPR implications.
  • The CIO faces pressure and doubts, with the situation potentially becoming a career-defining event.
  • The transcript ends with a cliffhanger, leaving the outcome of the ransomware event unresolved.

Insights

  • Ransomware attacks can be sophisticated and target both online and physical store operations, causing significant financial and operational damage.
  • Communication and role clarity are crucial during a cyber incident, with different team members responsible for various aspects of the response.
  • Backup and restoration strategies are critical, but they must be secure and capable of identifying clean recovery points to avoid reinfection.
  • Legal and regulatory considerations play a significant role in the aftermath of a cyber incident, especially concerning data breach notifications and potential fines.
  • Cyber resilience and incident response plans need to be tested and updated regularly to ensure effectiveness against evolving ransomware tactics.
  • External security consultants can provide valuable insights and assistance, but internal teams must be equipped with the right tools and knowledge for threat hunting and recovery.
  • The cost of recovery and potential losses from a ransomware attack can be substantial, and decisions made during the incident can have long-term implications for the organization and individuals involved.
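The backup insight above, and the point in the summary where the team has to find an uncompromised backup set after a tampered release library and encrypted backups, come down to one question: which is the newest snapshot that is safe to restore from? The script below is an added illustration, not material from the talk or from AWS; the ransom-note names, file suffixes, snapshot manifests and golden hashes are all constructed, and a real run would read manifests from the backup catalogue and golden hashes from an immutable offline store.

```python
import hashlib
# Constructed indicators for this example only; real tooling would load them
# from current threat intel rather than hard-code them.
RANSOM_NOTE_NAMES = {"README_RESTORE.txt", "HOW_TO_DECRYPT.html"}
ENCRYPTED_SUFFIXES = (".locked", ".enc")

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

# Known-good hash of a release-library artifact, assumed to come from an
# immutable offline store; the content here is a constructed sample value.
GOLDEN = {"pos/release/pos-agent.bin": sha256_hex(b"pos-agent v4.2 build 118")}
# Constructed snapshot manifests (snapshot id -> {path: file content});
# ids sort chronologically, snap-09 being the newest.
SNAPSHOTS = {
    "snap-07": {  # taken before the intrusion
        "pos/release/pos-agent.bin": b"pos-agent v4.2 build 118",
    },
    "snap-08": {  # release library already tampered with, nothing encrypted yet
        "pos/release/pos-agent.bin": b"pos-agent v4.2 build 118 + dropper",
    },
    "snap-09": {  # encrypted files and the ransom note were backed up
        "pos/release/pos-agent.bin.locked": b"\x9f\x1c\x44",
        "README_RESTORE.txt": b"pay to decrypt",
    },
}

def snapshot_findings(files: dict) -> list:
    # Reasons this snapshot is unsafe to restore from; empty means clean.
    findings = []
    for path in files:
        if path.rsplit("/", 1)[-1] in RANSOM_NOTE_NAMES:
            findings.append(f"ransom note: {path}")
        if path.endswith(ENCRYPTED_SUFFIXES):
            findings.append(f"encrypted suffix: {path}")
    for path, digest in GOLDEN.items():  # catches a swapped release library
        if path not in files:
            findings.append(f"missing golden artifact: {path}")
        elif sha256_hex(files[path]) != digest:
            findings.append(f"golden hash mismatch: {path}")
    return findings

def newest_clean_snapshot(snapshots: dict):
    # Walk newest to oldest; return (clean id or None, findings per snapshot).
    report = {}
    for snap_id in sorted(snapshots, reverse=True):
        report[snap_id] = snapshot_findings(snapshots[snap_id])
        if not report[snap_id]:
            return snap_id, report
    return None, report
```

Note that snap-08 is rejected even though nothing in it is encrypted: the golden-hash check is what catches the tampered release library, which a simple "is there a ransom note" test would miss.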