Ransomware Impact: Suffolk County Ignored FBI Warnings

Date:

September 23, 2024

World map

A special legislative committee in Suffolk County, New York, released a report last week detailing how local officials repeatedly ignored warnings and failed to prepare for a significant ransomware attack in September 2022.  

This attack, which severely disrupted critical government services for months, highlighted a failure of leadership, with officials neglecting to develop an incident response plan and disregarding warnings from the FBI about potential security breaches., Cybersecurity Dive reports.

At the time of the attack, Suffolk County’s IT operations were fragmented, with multiple teams operating without central coordination. Crucially, the county lacked a Chief Information Security Officer (CISO), leaving it vulnerable to cyber threats.  

The aftermath of the attack has been costly, with more than $25 million spent on remediation efforts and other related expenses. The report traced the ransomware attack to the notorious BlackCat/ALPHV group, one of the most active cybercriminal organizations at the time.  

The hackers exploited a known vulnerability in the Log4j software, gaining access to the county’s systems. Once inside, they encrypted county data and demanded a ransom.  

The consequences were far-reaching: the county’s primary website remained offline for five months, 911 services were temporarily disrupted, and residents were unable to pay traffic fines.

Adding to the crisis, Suffolk County had no cyber insurance at the time of the attack, an issue that has plagued many local governments across the U.S.  

Officials are now in the process of hiring a CISO, with a decision expected soon to improve cybersecurity coordination and response for future threats.

Takeaway: Achieving cyber resilience goes beyond implementing strong cybersecurity measures; it demands a comprehensive approach that involves evaluating an organization’s preparedness to withstand and recover from cyber incidents.  

A key part of this preparedness is identifying, monitoring, and analyzing the right metrics that reflect the organization’s resilience. To ensure this, organizations must strategically select and track key performance indicators (KPIs) and metrics tailored to assess and improve their cyber resilience.

Among the critical metrics for enhancing cyber resilience, the following stand out:

Mean Time to Detect (MTTD): One essential metric for measuring an organization's ability to respond to cyber threats is the Mean Time to Detect (MTTD). MTTD refers to the average time it takes for a cyber threat or incident to be detected. A lower MTTD reflects the organization’s efficiency in identifying threats promptly, which helps in containing the potential damage. The faster a threat is detected, the lower the chances of lateral movement within the organization, which in turn helps minimize the overall impact of the breach. Organizations striving to enhance their detection capabilities should continuously work on improving this metric through investment in tools such as real-time monitoring, intrusion detection systems, and advanced analytics.

Mean Time to Respond (MTTR): Once a threat is detected, the Mean Time to Respond (MTTR) becomes crucial. This metric measures the time taken for an organization to respond to a threat after it has been identified. A lower MTTR means that an organization can mitigate the threat more quickly, reducing its overall impact. Incident response teams need to assess the efficiency of their responses and implement lessons learned from previous incidents and tabletop exercises to consistently improve this metric. Optimizing MTTR ensures that threats are neutralized before they escalate, safeguarding critical business functions.

Incident Response Plan Effectiveness: The effectiveness of an organization’s incident response plan is a critical factor in its overall cyber resilience. Measuring this involves evaluating how well the plan is executed during an actual cyber event, focusing on factors such as containment time, communication effectiveness, and team coordination. A well-structured incident response plan ensures that teams act swiftly and cohesively, preventing the situation from worsening. Regular reviews and updates of the plan, based on evolving threats, are necessary to maintain its relevance and effectiveness.

Cybersecurity Training and Awareness: Human error remains one of the leading causes of cybersecurity breaches. Therefore, the effectiveness of an organization’s cybersecurity training programs is an essential metric to monitor. This includes tracking employee awareness levels, completion rates of mandatory training modules, and performance in simulated phishing exercises. An organization must ensure that its training programs are tailored to the specific roles within the company. A "one size fits all" approach will not address the unique needs of employees in different positions, such as developers and financial officers, who require different focuses in training. Customized training programs can significantly reduce human vulnerabilities to cyber threats.

Cybersecurity Hygiene: Cybersecurity hygiene refers to the organization's practices for maintaining system security, such as regular patching, vulnerability scanning, and adherence to security policies. Tracking these activities is fundamental in reducing an organization’s attack surface. Despite being a basic requirement for cybersecurity, many organizations still struggle with maintaining consistent cybersecurity hygiene. Establishing a prioritized approach ensures that the most critical vulnerabilities are addressed promptly before moving on to more advanced cybersecurity solutions.

Cyber Risk Exposure: Understanding cyber risk exposure is essential for strategic resource allocation. Metrics that quantify risk exposure, such as the criticality of assets, vulnerability severity, and likelihood of threats, give organizations insight into their risk posture. Without this understanding, organizations cannot prioritize their resources effectively, making them more susceptible to cyber incidents. Regular assessments of risk exposure provide a roadmap for targeted improvements in resilience.

Third-Party Risk Management: As businesses become more interconnected, third-party risk management grows in importance. Organizations need to track metrics related to the cyber risks posed by third-party vendors, such as the number of assessments conducted, compliance levels, and incidents involving these vendors. Since third-party relationships can introduce vulnerabilities, monitoring this risk is crucial for ensuring overall resilience.

Security Controls Effectiveness: Monitoring the effectiveness of security controls is another vital metric. Metrics like intrusion detection/prevention system (IDS/IPS) alerts, firewall rule efficacy, and malware detection rates help organizations determine if their current controls are adequate. Measuring these controls allows organizations to allocate their resources effectively, ensuring they invest in areas that will provide the highest return on investment (ROI) in terms of security.

Backup and Recovery Metrics: Backup and recovery processes are vital components of cyber resilience, especially when dealing with incidents such as ransomware attacks. Key metrics in this area include backup success rates, recovery time objectives (RTO), and recovery point objectives (RPO). These metrics provide insight into how well an organization can restore critical data and operations following an incident. Regular testing of backup and recovery systems ensures that they function as expected during real incidents.

Business Continuity and Disaster Recovery (BCDR) Metrics: Measuring the effectiveness of business continuity and disaster recovery (BCDR) plans is essential for maintaining operations during and after a cyber incident. By tracking RTOs, RPOs, and the success rates of BCDR exercises, organizations can assess their ability to resume operations quickly and efficiently after an attack. Regular testing and adjustments to these plans ensure they remain relevant to the current threat landscape.

Lastly, achieving effective cyber resilience requires more than strong defense mechanisms—it requires a holistic approach that combines proactive detection, rapid response, and robust recovery capabilities.  

By monitoring and optimizing these key metrics, organizations can enhance their resilience, ensuring they are prepared to withstand cyber threats, protect critical assets, and maintain business continuity even in the face of adversity.  

Regular testing and updates to response and recovery plans are essential to ensure real-world effectiveness when disaster strikes.

Halcyon.ai is the leading anti-ransomware company that closes endpoint protection gaps and defeats ransomware through built-in bypass and evasion protection, key material capture, automated decryption, and data exfiltration prevention – talk to a Halcyon expert today to find out more. Halcyon also publishes a quarterly RaaS and extortion group reference guide, Power Rankings: Ransomware Malicious Quartile.