Skip to the main content.

2 min read

Just Remember, "E" Comes Before "R"

Just Remember,

In the race to get systems back online after a ransomware incident, organizations tend to “jump the gun.” But remember, Eradication comes before Recovery in the SANS Incident Response (IR) Framework.

sans ir framework

Figure 1: SANS Incident Response Framework


The Danger of Rushing Recovery

In the aftermath of a ransomware attack, the instinct to quickly restore systems and resume operations can lead to severe consequences.

InfoSecurity Magazine reported earlier this year that nearly four out of five organizations were hit with a second ransomware attack several months after a first attack – sometimes by the same threat actor.

The root cause was typically a failure to eliminate persistence methods (backdoors, credentials, processes, etc.) created by the attacker during the initial incursion.

Commonly, these methods were not successfully identified and eradicated during the incident response (IR) process, and/or they were restored from infected backups used during the recovery process.

The key to preventing this recurrence is prioritizing eradicating threats before rushing into recovery.

The Importance of Forensic Investigations

In today’s world, performing a forensic investigation is a must.

A repeat ransomware failure may arise from the tension between the business’ need to get back up and running, and the need for an experienced IR team to complete a forensic investigation to uncover the extent of what really happened during the attack. This includes understanding how the attacker gained access to the environment in the first place and whether they have left persistence mechanisms to get back in.

Ransomware may even be a deception hiding a more serious incursion. A thorough forensic investigation is essential for developing a full narrative of the attack.

The legal team also needs this thorough understanding to advise the business on its legal, regulatory, and contractual obligations.

Why Premature Restoration Fails

  • Potentially Destroying Valuable Evidence

    Restoring systems too soon risks restoring access methods hidden by the attackers and destroying the ability to identify the extent of the attacker’s activities.
    The desire to invoke automated DRaaS services quickly (although critical to have available) may result in unintended consequences such as destroying critical logs, erasing ephemeral storage, and deleting artifacts.
  • Poor Team Coordination

    The IT team commonly restores systems, while the Security team manages the incident response. In many organizations, those are two different reporting structures.

    Close coordination and collaboration between the two are key.
    Rehearsing communication and decision-making is also a successful habit, such as conducting table-top exercises.
  • Not Enough Incident Response Experience

    You also want a highly experienced, professional IR team leading the investigation (not necessarily the cheapest one your insurer could find).

    A professional IR team leader, collaborating with the legal team, will help the business’ leadership manage the process to arrive at the right balance of expediency and security.

Rebuilding Versus Restoring

During a “regular” disaster or infrastructure failure, DRaaS services are necessary, making recovery speedy and effective.

However, following a ransomware event, we’ve observed it can often be better to rebuild the operating system and applications for affected systems from scratch and restore just the data from the backups because spinning up the same images from impacted systems may restore attacker access.

Knowing which systems were impacted is a key part of the investigation.

We’ve had to watch clients struggle with recovery because they were not properly prepared.

Invest in DRaaS Now, Rather than Later

Invest the time now in coordinating actions between your DRaaS vendor and your IR team.

We’ve had excellent experience collaborating with companies like Expedient to ensure a smooth post-incident recovery process. Waiting until you have an incident is too late.

draas expedient

Chuck Matthews is the CEO of PacketWatch, a cybersecurity firm specializing in Managed Detection and Response (MDR) and incident response, leveraging their proprietary network monitoring platform. With over 35 years of executive experience, Matthews excels in aligning technology with strategic business goals and is a recognized leader in cybersecurity. Chuck has contributed to numerous publications and media outlets, focusing on topics like cybersecurity legislation and best practices.