Jeff Chan
October 21, 2021

Minimizing the Impact: How Cloud-Based Services Could Reduce the Stress of Recovery

With an increasing number of cloud-based services, organizations are aiming to move their existing services from on-premises to the cloud. Email services, Enterprise Resource Planning (ERP) systems, and Customer Relationship Management (CRM) platforms are just a handful of solutions out there where organizations are migrating from on-premises to the cloud. While there are many benefits of moving to the cloud, one of the biggest and most notable benefits is that the security risk and IT management gets transferred to the vendor. Organizations can significantly reduce the amount of time they spend managing infrastructure, updating software, and upgrading hardware by transferring these tasks to their vendor, who is then responsible for ensuring that services are up, systems are updated, and Service License agreements (SLAs) are met.  

In addition to the day-to-day benefits mentioned above, there’s another time where cloud-based services can provide a significant benefit -- when dealing with a ransomware incident. Typically, these systems tend to be unaffected, since these services and the servers hosting them are not running on your domain/network. Out of all the organizations that we have dealt with in the past couple of years, only a few have been able to largely continue operating even after being hit by ransomware or have been able to quickly get services back online within a matter of a couple of hours/days -- for those few, a common pattern we identified was due to the number of cloud-based services they were using.  

To illustrate how cloud services could cause a significant impact to a business recovering from ransomware, let me share a couple of similar incidents we were involved in over the last year. In 2020, we assisted a law firm in restoring their impacted environment, which contained a couple of on-premises Exchange servers (email) and a document management system. Unfortunately, their backups were targeted by the threat actor and these backups were impacted in such a way that trying to recover data from them required an extensive amount of time. For this law firm, their email servers and document management system were extremely critical as their core business relies on email communications and contracts stored on those systems. It took us approximately 7-10 days to restore their email servers to a functioning level where they could access partial historical data and yet still be able to use their email to communicate with their clients. As we were getting their critical mailboxes recovered, the client was extremely stressed given that they were unable to operate for those days and had to resort to other methods in order to reach out to their clients.

Fast forward to a few weeks ago, when we were assisting another law firm of relatively the same size. Fortunately for them, they recently migrated their email services from on-premises to Microsoft 365, so when they were impacted by ransomware, they were able to continue operating as usual. Roughly 80% of their business was up and running immediately after the incident happened, and only a handful of non-critical systems were impacted by the ransomware. Having these cloud-based solutions minimized their business impact, which allowed the law firm to keep calm throughout the response efforts knowing that they would still be able to operate and run their business.  

While it’s clear that cloud-based services have their benefits, it remains important to secure the data in those services. These services are still vulnerable to attacks and threat actors can log into these services and get creative with the information and services they are exposed to (e.g., data extortion, wire fraud, etc.). So, when you’re considering going to a cloud-based service, make sure to implement the following:

  • Enforce a strong password policy.
  • Set up Multi-Factor Authentication (MFA) using a software or hardware token.  
  • Enhance logging capabilities and regularly monitor logs.
  • Limit the number users with administrative roles.
  • Implement IP whitelisting, if possible.
  • Implement geo-blocking, if possible.

When you consider making a move to a cloud-based service, it’s important to understand why you are doing it and if it makes sense for your organization. In most cases, it’s simple: you let someone else manage your services so that you don’t have to, it makes it easier to scale as needed, and allows your organization to focus on what matters. And if you ever get impacted by ransomware, you can more confidently trust that these applications will keep functioning, which minimizes the stress of recovery. Make sure that you work with your IT team and a trusted advisor to see what makes sense and how you can get started.

If you have questions about incident management or need help with a current incident, you can contact a MOXFIVE Technical Advisor at ask@moxfive.com or use our Contact form.

Jeff Chan

Jeff is a technical cyber security leader that has helped build incident response teams and has led a large number of digital forensics and incident response investigations. As a technical advisor at MOXFIVE, Jeff has assisted clients in managing incidents and recovering their networks from cyber security attacks.

Experts predict there will be a ransomware
attack every 11
seconds in 2021.
from Cybercrime Magazine

HOW WE CAN HELP

Our mission is to minimize the business impact of cyber attacks. 

Incident Management

MOXFIVE provides the clarity and peace of mind needed for attack victims during the incident response process. Our platform approach enables victims of attacks to work with a Technical Advisor who provides the expertise and guidance needed in a time of crisis, and facilitates the delivery of all technical needs required, consistently and efficiently.

Learn More

Business Resilience

With experience on the front lines responding to incidents daily, MOXFIVE Technical Advisors have the unique ability to connect the dots between business, information technology, and security objectives to help you quickly identify the gaps and build a more resilient environment.

Learn More