Let’s run through a scenario.
It's a Friday and the end of a busy week. The clock strikes midnight and you do a little victory dance because you have finally completed your quarter-end TPS report. But just as you are about to log off, you receive an alert from your antivirus, another prevention technology, or an end user. There’s been a ransomware breach.
You have the good fortune of early detection. That’s a win. With this knowledge, you spring into action. But to do what?
In this post, we will break down the key remediation steps to take after a breach.
Just before we dive in, understand that you can accomplish a lot internally. However, certain aspects may require expert help. ActZero’s intelligent MDR is primed to either enhance your existing security strategy or serve as your organization's primary line of defense. To see how you stack up against ransomware from the dark web, compared with external help from us, try our free Ransomware Readiness Assessment today.
With that, let’s get started.
The 5 Ws can be used to explore and identify what happened.
Who? We want to know which account user(s) have been compromised.
What? It is important that we know what devices have been affected.
Where? If we can trace where the hack occurred, then it will also disclose ‘how’, giving you the information needed to harden your security systems.
When? A timeline will come in handy when reviewing your logs and during reporting.
Why? This one we know. To attack your entire network, gain access and control of critical business assets, and use them as leverage for extortion.
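As an added example (not code from ActZero or from this post), the following Python script answers the who, what, where and when from a set of security events. The log format, field names, hosts and accounts are constructed for illustration; adapt the parser to whatever your prevention technology actually exports.

```python
import re
from datetime import datetime

# Constructed sample events in a hypothetical key=value log format.
SAMPLE_LOG = """\
2024-03-01T23:41:07Z host=WS-014 user=jdoe src=203.0.113.45 event=rdp_logon verdict=suspicious
2024-03-01T23:44:52Z host=WS-014 user=jdoe src=- event=process_start:unknown.exe verdict=malicious
2024-03-01T23:47:10Z host=FS-01 user=jdoe src=10.0.4.14 event=mass_file_rename verdict=malicious
2024-03-01T23:48:30Z host=WS-022 user=asmith src=- event=logon verdict=benign
2024-03-01T23:52:03Z host=FS-01 user=svc_backup src=10.0.4.14 event=service_stop:backup verdict=malicious
"""

LINE = re.compile(
    r"(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) "
    r"src=(?P<src>\S+) event=(?P<event>\S+) verdict=(?P<verdict>\S+)"
)

def five_ws(log_text):
    """Summarize flagged events: accounts, devices, entry point and timeline."""
    events = []
    for line in log_text.splitlines():
        m = LINE.match(line.strip())
        if not m or m["verdict"] == "benign":
            continue  # skip unparseable lines and events the tooling cleared
        event = m.groupdict()
        event["ts"] = datetime.strptime(event["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(event)
    if not events:
        return None
    events.sort(key=lambda e: e["ts"])  # logs from several sources arrive unordered
    first = events[0]
    return {
        "who": sorted({e["user"] for e in events}),    # accounts to block or reset
        "what": sorted({e["host"] for e in events}),   # devices to isolate
        "where": {"host": first["host"], "source": first["src"], "event": first["event"]},
        "when": (events[0]["ts"], events[-1]["ts"]),   # window for log review
        "timeline": [(e["ts"].isoformat(), e["host"], e["user"], e["event"]) for e in events],
    }

if __name__ == "__main__":
    summary = five_ws(SAMPLE_LOG)
    for key in ("who", "what", "where", "when"):
        print(key, "->", summary[key])
    for row in summary["timeline"]:
        print(*row)
```

The earliest flagged event is only a candidate entry point; credentials may have been compromised before anything was flagged, so widen the review window when the logs allow it.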
Containment is a matter of being proactive in blocking and eliminating anything suspicious. To be clear, the goal is to kill all the identified malicious processes (some anti-malware programs do this automatically), delete the infected files and block the compromised user(s).
If you are unable to stop the attack, disconnect immediately. Cut the power, pull the LAN cable—whatever is necessary to stop a spread. If you’ve picked up on the note of urgency, good. This is critical to preventing the insidious spread of malware.
Unfortunately, without an in-depth briefing on your network and the type of cyberattack, it is difficult to give tailored advice on this process. So, you must lean on the knowledge you have on your organization’s systems to isolate what’s been infected, and pinpoint what seems out of place.
The best way to respond to a ransomware attack is with maximum force. ActZero’s Threat Hunters leverage end-to-end visibility propelled by our renowned AI and ML capabilities to mitigate the risk exposure of your business operations, data, people, and brand, to attacks. Request a demo to see how we diligently watch over your assets with real-time monitoring, multiple sensors and a well-honed threat detection and response strategy.
After successful containment, the next step is to perform a Root Cause Analysis. We want to know how the threat actor gained access (root cause), to avoid a repeat occurrence. Learn more in your complimentary ebook, Foundations for Incident Response Readiness.
A key tenet of this phase is extracting the logs from your prevention technologies for review. It also helps to interview the user of the compromised account in case they were active at the time of the attack. Note that it is possible that their credentials were compromised long before an active breach.
The massive number of logs generated from a single antivirus or firewall can quickly become cumbersome. In that case, a Log Management solution or Security Information and Event Management (SIEM) technology used to be the established way to go. For more on how that may have changed, check out Zombie SIEM: Dead, But Lingering and Eating Your Brain.
However, despite SIEM being the standard platform for many Security Operations Centers (SOCs), its propensity to balloon in cost makes it difficult for small to medium-size businesses (SMBs) to maintain.
ActZero’s ML-driven 24/7/365 MDR service is a more effective and less complicated way to contact trace, and accomplish the same goals of log collection, data prioritization and interpretation, detection, investigation of, and response to, indicators of compromise (IOCs) and worse. Download our eBook, Foundations for Incident Response Readiness for efficacious insights on how to respond to an incident with minimal disruption to business processes.
Now that you have identified the root cause, use this information to reinforce your security systems. Consider this step an extension of containment, but with long-term optimization in mind.
First things first, block all the malicious IP addresses identified by your firewall. But remain alert as there is a risk of the threat actor using multiple IP addresses to get through. In some cases, systems determined to be a high-risk threat must be quarantined or removed from the enterprise network to mitigate the risk of a compromised endpoint falling through the cracks.
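One way to turn firewall records into a blocklist while watching for an actor rotating addresses, as an added example that is not from the original post. The record layout, the action names, the own-network ranges and the clustering threshold are assumptions, and the addresses are constructed from documentation ranges.

```python
import ipaddress
from collections import defaultdict

# Assumption: the organization's own ranges, which must never land on a blocklist.
OWN_NETWORKS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.168.0.0/16")]

# Constructed firewall records: (source address, firewall action).
FIREWALL_HITS = [
    ("203.0.113.45", "alert"), ("203.0.113.45", "deny"),
    ("203.0.113.77", "deny"), ("203.0.113.130", "alert"),
    ("198.51.100.9", "deny"), ("10.0.4.14", "alert"),
    ("192.0.2.10", "allow"), ("not-an-ip", "deny"),
]

def build_blocklist(hits, cluster_threshold=3):
    """Return (addresses to block, networks to watch for address rotation)."""
    sources = set()
    for raw, action in hits:
        if action not in ("alert", "deny"):
            continue  # only sources the firewall itself flagged
        try:
            ip = ipaddress.ip_address(raw)
        except ValueError:
            continue  # malformed log field: skip it rather than fail mid-incident
        if any(ip in net for net in OWN_NETWORKS):
            continue  # internal host: quarantine the endpoint instead of blocking it
        sources.add(ip)

    # Group by surrounding network; several flagged addresses in one network
    # suggest the same actor switching IPs, so that range deserves attention.
    by_network = defaultdict(set)
    for ip in sources:
        prefix = 24 if ip.version == 4 else 64
        by_network[ipaddress.ip_network(f"{ip}/{prefix}", strict=False)].add(ip)
    watch = sorted(str(net) for net, ips in by_network.items()
                   if len(ips) >= cluster_threshold)
    block = [str(ip) for ip in sorted(sources, key=lambda a: (a.version, int(a)))]
    return block, watch

if __name__ == "__main__":
    block, watch = build_blocklist(FIREWALL_HITS)
    print("block:", block)
    print("watch:", watch)
```

Networks on the watch list are flagged for review rather than blocked outright, since a whole range may also carry legitimate traffic.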
Another option is to temporarily disable vulnerable services such as web servers, FTP servers, or databases such as SQL to prevent the adversary from propagating more malicious actions. This is a straightforward process that can be done quickly in Windows. That is, unless said adversary has implemented measures to prevent you from doing so.
Finally, if you have invested in Next Generation Firewall (NGFW), be sure to tailor its offerings to application-specific capabilities that address the advanced and persistent threats relevant to your organization. In other words, configure your settings by customizing rules to ensure that the right action (blocking, discarding, alerting) is taken under the right circumstance. Utilize our free eBook, Foundations for Incident Response Readiness to guide you through this process.
Most of the steps listed above are repeated during remediation. But this methodical approach is beneficial in enhancing your security capabilities. So, don’t skip steps. While immediate prevention aims to ‘stop the bleeding’, remediation focuses on addressing the core issues.
Patching is necessary to remediate vulnerabilities. However, the patches you prioritize depend on the nature of the hack. As a business, you should strive to keep patches up to date. But with multiple updates, and potential impact on the parallel systems that interact with them, companies understandably withhold certain patches until they can validate that they are low risk.
A vulnerability scanner is a great tool that helps identify ‘open doors’ across various components within your network. Not all vulnerabilities are equal. When faced with thousands (or tens of thousands), we recommend addressing those related to your root cause first, then ordering the rest by severity. For ActZero MDR clients, this process has been streamlined. A detailed and prioritized list of your vulnerabilities can be viewed in your customer dashboard, along with steps to remediate.
In the case of deleted data, unstable systems, malware removal, or a ransomware attack, the best option is to restore your systems from backups. If you carry out a DIY system restore, beware that there may be traces of malware buried within the file you are trying to restore. This is why having a backup strategy for continuous data protection is important.
When a security breach occurs, it is important to honor the trust relationship built with the customer, and adhere to regulatory compliance controls that necessitate responsible disclosure. Be proactive. Have a list of internal and external parties that will need to be notified in case of a cyber incident. For the sake of efficiency, even amid initial panic, this list should be updated regularly. We cannot counsel enough on the importance of following all the necessary regulations to avoid compliance violations down the line. Let’s make things a little easier. Download your complimentary eBook, Foundations for Incident Response Readiness, to access more information on creating a robust communication plan.
The bottom line is continuous improvement. What knowledge, resource and security gaps did the hack highlight? Perhaps management’s prioritization efforts are not sufficiently risk-sensitive? Maybe the IT team is overworked and as a result was unable to promptly respond to the alerts from your prevention technology? Could it be that there are internal delays in deploying patches? There is growth and evolution waiting to happen if time is taken to learn from mistakes and mishaps. What we are saying is, schedule a cross-functional debrief, and do not miss it. Not taking the time to build collective awareness of the security matters relevant to your business comes at a great cost to its operations.
It's no secret that navigating incident response can be complicated, and even unmanageable for small IT teams. At ActZero we are only about evolving your cybersecurity strategy with the demonstrated value of our intelligent AI-driven MDR. Schedule your Ransomware Readiness Assessment today, to improve your security posture and preserve your peace of mind.