Unexpected downtime? Many organizations see security incidents as an ideal time to execute upgrades or migrations that have already been on the IT department’s roadmap. While this may seem ideal for multiple reasons, the decision to upgrade during an incident is typically a pitfall in disguise.
Ransomware and other disruptive incidents typically stop business or bring it to a crawl, either due to the ransomware itself or as a side effect of containment measures while expelling the threat actor. Simultaneously, organizations tend to open up the piggybank with less scrutiny than during normal operations. When free-flowing money meets accepted downtime, IT leadership often spots an opportunity to push through a project that’s been planned but delayed by any number of constraints.
Your mileage may vary – but MOXFIVE recommends substantially recovering the environment prior to executing migrations or upgrades. We have assisted with successful migrations that were fully planned prior to the time of the incident, but we have also seen some ineffective migrations that would have benefited from more planning. We push to bring clients' environments back up to a safe and stable condition before jumping into changes. This is largely because migrations, such as moving from on-premises Exchange to Office 365, need well-thought-out budgetary, security, and operational planning prior to technical implementation.
In the rare cases where an upgrade or migration was set to be completed around the time of the incident, with all planning completed, it may be faster to push forward with the migration. But those tend to be the exception, not the rule.
Consider the following before planning to bootstrap a project into an in-progress recovery effort:

- Have all logical and technical diagrams previously been documented?
  o Effective documentation, reviewed fully by internal architects and network administrators, is required to ensure a plan of action is followed and can be verified prior to being implemented in production.
  o What is the possible business impact of a difficult, lengthy, or failed migration? Is there a rollback plan already in place? System upgrades and migrations don't always work as expected, especially when an environment is not in full working order. Having a bailout plan is always required.

- Have all possible technical constraints or edge cases been properly thought out and mitigated?
  o Asking the right questions and querying the opinions of all administrators and engineers can bring to light important edge cases. There may be certain use cases or minor integrations/dependencies that were unknown to or overlooked by the lead architect. Slowly planning and implementing changes is quite often the better approach.

- Have CAPEX and OPEX budgets been accounted for in the current and upcoming quarters/years?
  o During ransomware recovery situations, the business end of an organization breaks open the piggybank to ensure operations are brought back online quickly and safely. A new technology being added into the environment can often include yearly subscription licenses or require specialized training and services assistance. Downstream costs need to be kept in mind; otherwise the implementation will be short-lived once next year's budget is examined.

- What is the true benefit of performing this migration during the recovery process versus during normal operations?
  o During a recovery effort the affected organization is under a lot of stress and scrutiny, doubly so for the IT staff. Unless an upgrade or migration will have a drastic impact on the security posture, business continuity should be prioritized over enhancements.
The true goal of a ransomware recovery plan is just that, recovery. At MOXFIVE, our mission starting from the first interaction with the client is to determine a path for getting business operations back up and running in a safe and secure manner. We love to see our clients actively working to elevate their security posture, but those projects need to be scheduled and planned properly.
Thomas brings a combination of operational and defensive security expertise in a wide range of environments, both in a consulting and an internal capacity, to the MOXFIVE team. Thomas has supported companies ranging from Fortune 100 to small, privately owned businesses, and his history of understanding complex technical problems and creating agile solutions is an asset to any organization's team.