Thomas Aneiro
September 30, 2021

Incident Management Chronicles: Recovery vs Forensics

While the term “incident management” has traditionally been viewed by many in InfoSec circles as synonymous with “incident response”, at MOXFIVE we see them as increasingly differentiated. The origins of Incident Response were Advanced Persistent Threats (“APTs”) attempting to steal intellectual property or state secrets, followed closely by financially motivated groups targeting payment information. These types of attacks required InfoSec and IT personnel to identify or be notified of discreet attacks, pinpoint all areas of access and persistence, and expel the threat actors to nullify or limit the amount of exposure to sensitive information. These events had an impact on brand reputation, financial implications by loss of payment card access and direct fraudulent statements, or if intellectual property was stolen, but had minimal immediate impact on business operations. Nearly all impact to the business or organization could be handled post-remediation, most often by external legal teams or financial consultants, without the day-to-day operations facing any real impact.  

Enter ransomware, the technological impediment at the crossroads of InfoSec and IT Operations. This evolution of attacks from threat actors started slowly and at such a small scale that the successful nature of these incidents was not truly appreciated. The early days of ransomware were predominately opportunistic strikes against a small subset of servers, usually connected directly to the internet, e.g., web servers, RDP bastions, etc. Today’s ransomware threat actors employ advanced tactics, constantly evolving malicious tools & persistence mechanisms, and aim to cripple entire organizations. The larger impact of ransomware is that the impact to organizations has become real-time through business interruption.

Recovery vs Forensics – What’s Involved?

Let’s lay out some definitions for those that are not dealing with these situations on a daily basis. The following are distinct but intertwined workstreams that need to be performed during any malicious intrusion, adding ransomware intertwines these even further.

  • Recovery: Completely neutralizing and expelling intrusive entities, their toolsets, and returning to normal business operations. This term is somewhat an oversimplification and encompasses many of the following definitions but is widely used in the insurance realm which is a large driver of the Incident Management industry.
  • Forensics: Analysis of system artifacts, logs, and network telemetry data in order to determine the full scope and status of access and actions by a threat actor. The “who, what, where, & how” traditionally associated with forensic work.
  • Containment: Preventing any ongoing threat from spreading to other portions of the network by isolating known or suspected infected systems and accounts from communicating with internal or external resources. Historically this has been done by network segmentation, either completely taking the system offline or placing it in a “quarantine” subnet. Newer approaches include isolation via endpoint detection and response (EDR) tools or creating policies using micro-segmentation to only allow “clean” systems to communicate with each other.
  • Remediation: The process of systematically removing malware, malicious persistence mechanisms, and any threat actor created artifacts, whether malicious or simply a byproduct of the threat actor activity. This process can be done manually, through a scripted approach, or increasingly more commonplace, by leveraging EDR (e.g., as Crowdstrike’s Endpoint Recovery Services leverages Falcon).
  • Restoration: Bringing systems and services back online and back to a fully operational, production state. Prior to the days of ransomware this was primarily reversing any containment measures and ensuring services were functional after remediation steps. In the case of ransomware, this is typically done through three different possible paths: recover from viable backups, rebuild from scratch, or decrypt the data if a decryption utility is procured and restore any impacted services.
  • Business Interruption: Costs associated with downtime caused by disruptions to the IT environment or services. These costs are often the largest portion of cyber insurance claims post-incident.

Incident Management Objectives

There are two primary objectives for the strategic lead responding to an incident – Forensics and Recovery – and both are working toward the same goal - minimizing business interruption. While the traditional model of having a single service provider handle forensics, containment & remediation once sufficed, it has gone the way of the dinosaur. As environments have grown in complexity, so have the requests from forensic providers, causing a “forensics” problem to become an IT problem -  for example, widely and rapidly deploying an EDR solution or forensic collection scripts.

Organizations are increasingly approaching MOXFIVE having already engaged a forensic provider and yet critically needing assistance that is beyond the scope, and often the capabilities, of that provider. They need someone who will take charge of the entirety of the incident and bridge the gap between forensic assistance and IT requests. The Incident Management approach we have developed allows us to take that ownership of the overall process to ensure forensics, containment, remediation, and restoration are happening in a parallel, orchestrated manner so that the client can minimize business interruption in a secure manner. We have learned that the blurred lines between these workstreams require an oversight layer that has visibility and can advise on or assist with each vertical.

The Evolution of Incident Management

MOXFIVE is re-writing the IR playbook. Ransomware’s business interruption impact necessitates an approach where parallel workstreams fire on all cylinders. We have created an approach that delivers both Recovery and Forensics, ensuring coordination between the two workstreams, internal shareholders, and other service providers. Enabling us to get our clients back online quickly, this methodology has increasingly proven to reduce unintended miscommunications, roadblocks, and delays.

If you have questions about incident management or need help with a current incident, you can contact a MOXFIVE Technical Advisor at ask@moxfive.com or use our Contact form.

Thomas Aneiro

Thomas brings a combination of operational and defensive security expertise in a wide range of environments, both in a consulting and internal capacity, to the MOXFIVE team. Thomas has supported companies ranging from Fortune 100 to small, privately-owned businesses and his history understanding complex technical problems and creating agile solutions is an asset to any organization’s team assisting their organizational capabilities.

Experts predict there will be a ransomware
attack every 11
seconds in 2021.
from Cybercrime Magazine

HOW WE CAN HELP

Our mission is to minimize the business impact of cyber attacks. 

Incident Management

MOXFIVE provides the clarity and peace of mind needed for attack victims during the incident response process. Our Technical Advisors serve as an Incident Coordinator to clearly define the incident, the action plan to be executed, and manage the incident response efforts.

Learn More

Business Resilience

With experience on the front lines responding to incidents daily, MOXFIVE Technical Advisors have the unique ability to connect the dots between business, information technology, and security objectives to help you quickly identify the gaps and build a more resilient environment.

Learn More