While the term “incident management” has traditionally been viewed by many in InfoSec circles as synonymous with “incident response”, at MOXFIVE we see them as increasingly differentiated. The origins of Incident Response lie with Advanced Persistent Threats (“APTs”) attempting to steal intellectual property or state secrets, followed closely by financially motivated groups targeting payment information. These types of attacks required InfoSec and IT personnel to identify or be notified of discrete attacks, pinpoint all areas of access and persistence, and expel the threat actors to nullify or limit the exposure of sensitive information. These events damaged brand reputation and carried financial consequences (loss of payment card access, direct fraudulent charges, or the loss of stolen intellectual property), but they had minimal immediate impact on business operations. Nearly all impact to the business or organization could be handled post-remediation, most often by external legal teams or financial consultants, without day-to-day operations facing any real disruption.
Enter ransomware, the technological impediment at the crossroads of InfoSec and IT Operations. This evolution of attacks started slowly and at such a small scale that the effectiveness of these incidents was not truly appreciated. The early days of ransomware were predominantly opportunistic strikes against a small subset of servers, usually connected directly to the internet, e.g., web servers, RDP bastions, etc. Today’s ransomware threat actors employ advanced tactics and constantly evolving malicious tools and persistence mechanisms, and they aim to cripple entire organizations. The larger consequence of ransomware is that its impact on organizations is now felt in real time, through business interruption.
Recovery vs Forensics – What’s Involved?
Let’s lay out some definitions for those who are not dealing with these situations on a daily basis. The following are distinct but intertwined workstreams that need to be performed during any malicious intrusion; adding ransomware intertwines them even further.
Incident Management Objectives
There are two primary objectives for the strategic lead responding to an incident, Forensics and Recovery, and both work toward the same goal: minimizing business interruption. While the traditional model of having a single service provider handle forensics, containment, and remediation once sufficed, it has gone the way of the dinosaur. As environments have grown in complexity, so have the requests from forensic providers, turning a “forensics” problem into an IT problem, for example, widely and rapidly deploying an EDR solution or forensic collection scripts.
Organizations are increasingly approaching MOXFIVE having already engaged a forensic provider and yet critically needing assistance that is beyond the scope, and often the capabilities, of that provider. They need someone who will take charge of the entirety of the incident and bridge the gap between forensic assistance and IT requests. The Incident Management approach we have developed allows us to take that ownership of the overall process to ensure forensics, containment, remediation, and restoration are happening in a parallel, orchestrated manner so that the client can minimize business interruption in a secure manner. We have learned that the blurred lines between these workstreams require an oversight layer that has visibility and can advise on or assist with each vertical.
The Evolution of Incident Management
MOXFIVE is re-writing the IR playbook. Ransomware’s business interruption impact necessitates an approach where parallel workstreams fire on all cylinders. We have created an approach that delivers both Recovery and Forensics, ensuring coordination between the two workstreams, internal stakeholders, and other service providers. This methodology enables us to get our clients back online quickly, and it has increasingly proven to reduce unintended miscommunications, roadblocks, and delays.
Thomas brings a combination of operational and defensive security expertise in a wide range of environments, in both consulting and internal capacities, to the MOXFIVE team. Thomas has supported companies ranging from Fortune 100 to small, privately-owned businesses, and his history of understanding complex technical problems and creating agile solutions is an asset to any organization’s team and its organizational capabilities.
MOXFIVE provides the clarity and peace of mind needed for attack victims during the incident response process. Our Technical Advisors serve as an Incident Coordinator to clearly define the incident, the action plan to be executed, and manage the incident response efforts.
With experience on the front lines responding to incidents daily, MOXFIVE Technical Advisors have the unique ability to connect the dots between business, information technology, and security objectives to help you quickly identify the gaps and build a more resilient environment.