In the race to get systems back online after a ransomware incident, organizations tend to “jump the gun.” But remember, Eradication comes before Recovery in the SANS Incident Response (IR) Framework.
In the aftermath of a ransomware attack, the instinct to quickly restore systems and resume operations can lead to severe consequences.
InfoSecurity Magazine reported earlier this year that nearly four out of five organizations were hit with a second ransomware attack several months after a first attack – sometimes by the same threat actor.
The root cause was typically a failure to eliminate the persistence mechanisms the attacker established during the initial intrusion: backdoors and web shells, stolen or newly created credentials, malicious services, scheduled tasks and similar footholds.
Commonly, these mechanisms were not identified and eradicated during the incident response (IR) process, or they were reintroduced by restoring from backups taken after the attacker was already in the environment.
The key to preventing this recurrence is prioritizing eradicating threats before rushing into recovery.
In today’s world, performing a forensic investigation is a must.
A repeat ransomware failure may arise from the tension between the business’ need to get back up and running, and the need for an experienced IR team to complete a forensic investigation to uncover the extent of what really happened during the attack. This includes understanding how the attacker gained access to the environment in the first place and whether they have left persistence mechanisms to get back in.
Ransomware may even be a deception hiding a more serious incursion. A thorough forensic investigation is essential for developing a full narrative of the attack.
The legal team also needs this thorough understanding to advise the business on its legal, regulatory, and contractual obligations.
The IT team commonly restores systems, while the Security team manages the incident response. In many organizations, those are two different reporting structures.
Close coordination and collaboration between the two are key. You also want a highly experienced, professional IR team leading the investigation (not necessarily the cheapest one your insurer could find).
A professional IR team leader, collaborating with the legal team, will help the business’ leadership manage the process to arrive at the right balance of expediency and security.
During a “regular” disaster or infrastructure failure, Disaster Recovery as a Service (DRaaS) does exactly what it is built for: it makes recovery speedy and effective.
However, following a ransomware event, we’ve observed that it is often better to rebuild the operating system and applications of affected systems from scratch and restore only the data from backups, because spinning up the captured images of impacted systems can bring the attacker’s persistence, and therefore their access, back with them.
Knowing which systems were impacted is a key part of the investigation.
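As a concrete illustration of the rebuild-then-restore-data-only approach, here is an added example (not PacketWatch tooling and not code from the original article) of a restore-set filter run over a backup catalogue. It admits only entries under assumed data locations, withholds executables and known persistence surfaces (cron, systemd units, SSH keys, Windows scheduled tasks, Startup folders, registry hives), and sets aside data modified after the attacker’s assumed time of initial access for analyst review. The allowlist, denylist, attack window and the manifest itself are constructed assumptions, not findings from any real incident.

```python
"""Restore-set filter: decide, per backup catalogue entry, whether it may be
restored as data onto a freshly rebuilt host or must be withheld because it
could carry attacker persistence back into the environment.
Added example; all paths, patterns and dates below are assumptions."""
from dataclasses import dataclass
from datetime import datetime, timezone
import fnmatch

# Assumed data locations that a rebuilt host may receive from backup.
DATA_ALLOWLIST = [
    "/srv/data/*",
    "/var/lib/postgresql/*",
    "d:/shares/*",
]

# Assumed persistence surfaces that must never come back from backup;
# they are recreated by the rebuild, not by the restore.
# fnmatch's '*' also matches '/', so each pattern covers whole subtrees.
PERSISTENCE_DENYLIST = [
    "/etc/cron*",
    "/var/spool/cron/*",
    "/etc/systemd/system/*",
    "/etc/ld.so.preload",
    "/etc/rc.local",
    "/root/.ssh/*",
    "/home/*/.ssh/*",
    "c:/windows/system32/tasks/*",
    "c:/windows/system32/config/*",
    "c:/users/*/appdata/roaming/microsoft/windows/start menu/programs/startup/*",
]

# Code belongs in the rebuild (trusted media, golden image), not in the restore.
EXEC_SUFFIXES = (".exe", ".dll", ".sys", ".scr", ".hta", ".ps1", ".bat", ".cmd",
                 ".vbs", ".js", ".jar", ".sh", ".so", ".py")


@dataclass(frozen=True)
class Entry:
    path: str
    mtime: datetime   # last-modified time recorded in the backup catalogue
    size: int


def normalize(path: str) -> str:
    """Fold Windows and POSIX paths into one case-insensitive form."""
    return path.replace("\\", "/").lower()


def matches_any(path: str, patterns) -> bool:
    return any(fnmatch.fnmatchcase(path, p) for p in patterns)


def classify(entry: Entry, attack_start: datetime) -> str:
    """Return one of: restore, deny:persistence, deny:executable,
    deny:not-data, review:modified-during-attack."""
    p = normalize(entry.path)
    if matches_any(p, PERSISTENCE_DENYLIST):
        return "deny:persistence"
    if p.endswith(EXEC_SUFFIXES):
        return "deny:executable"
    if not matches_any(p, DATA_ALLOWLIST):
        return "deny:not-data"
    if entry.mtime >= attack_start:
        # Written after initial access: may be encrypted, tampered with or
        # staged by the attacker. Restore only after an analyst has looked.
        return "review:modified-during-attack"
    return "restore"


def plan_restore(entries, attack_start: datetime) -> dict:
    """Group catalogue entries by verdict, preserving catalogue order."""
    plan: dict = {}
    for e in entries:
        plan.setdefault(classify(e, attack_start), []).append(e.path)
    return plan


# Constructed sample: assumed time of initial access, then a small catalogue.
ATTACK_START = datetime(2024, 3, 9, 23, 40, tzinfo=timezone.utc)

def _ts(*ymdhm):
    return datetime(*ymdhm, tzinfo=timezone.utc)

SAMPLE_MANIFEST = [
    Entry("/srv/data/reports/q3.xlsx",          _ts(2024, 3, 1, 9, 0),    81920),
    Entry("/srv/data/reports/q4.xlsx.locked",   _ts(2024, 3, 10, 3, 0),   81984),
    Entry("/srv/data/tools/helper.ps1",         _ts(2024, 3, 1, 9, 5),    2048),
    Entry("/etc/cron.d/sysupdate",              _ts(2024, 3, 9, 23, 50),  128),
    Entry("/home/svc/.ssh/authorized_keys",     _ts(2024, 3, 10, 0, 5),   400),
    Entry("/opt/app/bin/app.conf",              _ts(2024, 2, 1, 12, 0),   1024),
    Entry("C:\\Windows\\System32\\Tasks\\Updater", _ts(2024, 3, 10, 1, 0), 3100),
    Entry("D:\\Shares\\Finance\\ledger.csv",    _ts(2024, 2, 28, 17, 30), 50000),
    Entry("D:\\Shares\\Finance\\invoice.pdf.exe", _ts(2024, 3, 10, 2, 10), 900000),
]


def sample_plan() -> dict:
    return plan_restore(SAMPLE_MANIFEST, ATTACK_START)


if __name__ == "__main__":
    for verdict, paths in sample_plan().items():
        print(f"{verdict}:")
        for path in paths:
            print(f"    {path}")
```

The order of the checks matters: a persistence path is refused even when it sits under a data allowlist, and an executable is refused before the allowlist is consulted, so a dropper stashed in a file share never rides back onto the rebuilt host. The "review" bucket is where the investigation’s timeline (when the attacker first got in, which systems they touched) feeds directly into the recovery decision.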
We’ve had to watch clients struggle with recovery because they were not properly prepared.
Invest the time now in coordinating actions between your DRaaS vendor and your IR team.
We’ve had excellent experience collaborating with companies like Expedient to ensure a smooth post-incident recovery process. Waiting until you have an incident is too late.
Chuck Matthews is the CEO of PacketWatch, a cybersecurity firm specializing in Managed Detection and Response (MDR) and incident response, leveraging their proprietary network monitoring platform. With over 35 years of executive experience, Matthews excels in aligning technology with strategic business goals and is a recognized leader in cybersecurity. Chuck has contributed to numerous publications and media outlets, focusing on topics like cybersecurity legislation and best practices.