Blog

A Phoenix Rises: The Story of Atlanta’s Transformation from a Ransomware Firestorm

Ellen Sundra | February 27, 2020

In March 2018, the City of Atlanta faced a maelstrom of ransomware and other attacks that shuttered resources and sent the IT team into a complex tailspin. According to a recent Wall Street Journal article that featured the attack, the recovery cost the City $7M and took over a year. The City rallied and brought on a courageous CIO, who led a transformation that now places Atlanta among the South’s top Smart Cities . I sat with the CIO, Gary Brantley, at the RSA Conference and discussed the whirlwind of events that occurred during and after the attack and asked him to share his most poignant lessons learned and the advice he has for others.

A spark ignites

The news was grim. The City of Atlanta was under attack and news outlets around the country were broadcasting the details. As expected during a massive ransomware attack, panic and fear ensued. The City chose not to pay the ransomware, which in retrospect, Gary refers to as the best decision made. Paying bad actors allows the behavior to continue. When Atlanta’s newly elected mayor called, the City’s digital infrastructure had been stabilized, but Gary knew a structured effort was needed to regain a secure footing. Gary Brantley has been transforming businesses and a local school district for over 19 years. The City of Atlanta hosts one of the world’s busiest passenger airports and a world-renowned public transportation system. The City’s IT staff maintains 27 city departments. With over 5.6 million metropolitan residents relying on this solid infrastructure, prolonged downtime could be catastrophic.

Emerging from the ashes – organizational transformation

“From Day 1, I took a lot of time to understand the organization, to listen and to learn,” says Gary. His first goal was to put the right people in place to begin and to execute on the transformation. He worked hard to improve the skills of the team while inviting people to join who were willing to embrace change.

When an organization of any size experiences a cyberattack, the power of teamwork is always the strongest factor that drives resiliency and spurs recovery. As Gary mentioned, the City did a great job in responding swiftly and calling on its cyber responders – a team that was already in place before the attack. The Incident Response team, comprised of software and services vendors along with Homeland Security, were aligned and working together cohesively. This unified response management helped curb the attack and prevented it from spreading, allowing responders to more effectively remediate systems and restore services. Forescout had the privilege of serving as the hub for several vendors who were part of the response team. Everyone worked from the same source of data. “Forescout really cared; they weren’t trying to upsell us. They wanted to get Atlanta up and running and fully restored.” Core to the incident response was the fact that Forescout uses a variety of techniques to see devices. You cannot rely on just agent-based approaches or only one method. A practical solution must provide true resilience—if one aspect shuts down, the others will help.

New beginnings – A bright future

In reflecting on the lessons learned, Gary told the RSA audience, “One of the main learnings was to go back to operational basics, do the core things right and consistently.” He and his team used the NIST Cybersecurity Framework (CSF) to establish the foundation. The core function is Identify. “Knowing what is on the network and getting step 1 right is key,” insists Gary. Using Forescout to identify the City’s devices was vital to the transformation. He mentioned that many of the City’s devices were not being used or weren’t used properly. Then comes access control – ensuring that the right people have access to the right information.

So, what’s next for the City? Gary’s transformation team set a goal to build a contingency plan. They organized their program into projects that spanned several weeks. A total of 50 projects emerged. These projects are now ahead of schedule. Business continuity is a primary focus, as is disaster recovery, replicating environments and extending the City’s data center footprint. One positive that arose from the attack was that the City, holding fast to its stance of not paying a ransom, had to create systems from scratch, which allowed it to quickly replace legacy systems with newer, faster and more secure technology.

As the fire refined and strengthened the mythical phoenix, the City of Atlanta used the disaster to push initiatives that would drive innovation and resilience for the future. Awareness programs have gotten better. Technologies are being put in place to align with the skill sets of the new team and vice versa. After wrapping up a successful Super Bowl in 2019, the City tackled tough initiatives, including facial recognition, utilizing drones, exploring and implementing technologies that would take advantage of 5G and other innovations. With each innovation comes the need to wrap security around the project. “This fight is tough,” Gary says. “We are in a war where we get attacked, but you can’t attack back. Make progress. Move forward. The transformation never stops.”

Learn how Forescout 8.2 helps smart cities identify and act – faster!

With over 3,700 customers in more than 90 countries worldwide, Forescout knows city infrastructures and how to protect them. Our latest version helps you identify devices on critical infrastructure networks and respond much more quickly to incidents.

Learn more about Forescout 8.2.