“They’re back…they hit us again…”. These words are ones you never want to hear after you just finished recovering from the worst experience in your organization’s history — a ransomware attack that halted your business operations. Unfortunately, MOXFIVE is seeing an alarming trend where we are engaged to secure environments after an organization is reinfected with ransomware a second, or sometimes even a third time. Our observation is that this occurs when organizations tackle the response efforts unguided and assume that recovery is complete when their last backup finishes restoring. As every forensic investigator will tell you, there is a reason that those systems were encrypted in the first place. A successful recovery hinges on understanding that story.
In the MOXFIVE blog post The Key to Successful Business Recovery, we outlined the approach to a successful recovery process. Spoiler alert: the key was the approach of Assess, Contain, Recover, and Reinforce. At first glance, many may think that the reinfection of environments is due to limited follow-through on the Reinforce stage, which focuses on enhancing the security and resiliency of the environment to better protect against future attacks. While we do see reinfections occur due to limited follow-through, the reality is even more terrifying. Not only are an increasing number of ransomware response efforts shortchanging the critical containment and cleanup activities needed to securely restore the environment — they are failing to first remove the attacker’s access to the environment. In other words, the attacker never left the building — they only switched rooms.
In this blog post, we expand on the idea of Containment and the role it plays in not only ransomware cases but in any cyber incident.
Like many things in the security industry, if you ask five different security experts to define “containment”, you will likely get five very different answers. At MOXFIVE, we view containment as a set of activities designed to remove an attacker’s ability to operate in the environment. When flawlessly executed, this results in the total eradication of the attacker from the environment. It should come as no surprise that containment is seldom executed perfectly during the chaos of incident response. To increase the chances of full eradication, we need to understand what the attacker has done in the environment. This starts with understanding the following:
Obtaining insight into the areas above and building a clear understanding of the attack through a forensic investigation takes time. Unfortunately, victims of cyber attacks don’t have the luxury of time. That is why MOXFIVE recommends a targeted and phased containment strategy with the mindset of “less is more”. Put away the laundry list and focus your limited time and energy on the key set of activities that will provide the greatest return on the investment of your precious time.
At the outset, you have limited information on the attack vector or what occurred after the threat actors gained access into the environment. At this stage, focus on creating a safe way to restore systems and on laying the foundation to have better information when you get to Stage 2. This commonly includes the following:
As the forensic investigation progresses, it will provide an increasing amount of insight into what the threat actors did in the environment and what tools they used. Based on this information, organizations should begin more focused containment activities. These efforts typically include:
Congratulations! When you reach the third stage, you have likely resumed business operations and are now in the best position to begin further securing the environment. MOXFIVE recommends continuing or expanding monitoring of the environment after the incident to continue to look for evidence of the attacker attempting reentry. This can include:
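The post-recovery monitoring described above is easier to reason about with a concrete detector in hand. The following is an added example, not MOXFIVE code: a small Python routine that applies the findings of the investigation (a constructed watchlist of compromised accounts and attacker source IPs, plus a failed-login burst rule) to authentication events. The log format, the watchlist values and the sample lines are all constructed for this example; the IP addresses come from the documentation ranges (RFC 5737).

```python
"""Watchlist-based re-entry detector (added example; not MOXFIVE's own tooling).

Assumption: the forensic investigation produced the accounts and source IPs the
attacker used. After containment those accounts should be disabled or reset, so
any further activity on them, or from the attacker's infrastructure, is a
re-entry signal worth alerting on. A burst of failed logins catches guessing
against accounts the attacker remembers. All values below are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed watchlist - in practice this comes from the investigation report.
COMPROMISED_ACCOUNTS = {"svc_backup", "jdoe"}
ATTACKER_IPS = {"203.0.113.45"}  # TEST-NET-3 documentation address


@dataclass(frozen=True)
class AuthEvent:
    ts: datetime
    user: str
    src_ip: str
    result: str  # "success" or "failure"


def parse_auth_line(line: str) -> AuthEvent:
    """Parse one constructed log line: '<ISO8601>Z auth user=<u> src=<ip> result=<r>'."""
    ts_text, _, rest = line.split(" ", 2)
    fields = dict(token.split("=", 1) for token in rest.split())
    ts = datetime.strptime(ts_text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return AuthEvent(ts, fields["user"], fields["src"], fields["result"])


# Constructed sample events: normal traffic, one touch of a disabled account,
# one login from known attacker infrastructure, and a burst of failures.
SAMPLE_LOG = [
    "2024-05-01T02:00:00Z auth user=alice src=10.0.0.5 result=failure",
    "2024-05-01T02:00:10Z auth user=alice src=10.0.0.5 result=success",
    "2024-05-01T02:14:07Z auth user=svc_backup src=198.51.100.7 result=failure",
    "2024-05-01T02:15:00Z auth user=bob src=203.0.113.45 result=failure",
    "2024-05-01T02:20:00Z auth user=carol src=192.0.2.9 result=failure",
    "2024-05-01T02:20:10Z auth user=carol src=192.0.2.9 result=failure",
    "2024-05-01T02:20:20Z auth user=carol src=192.0.2.9 result=failure",
    "2024-05-01T02:20:30Z auth user=carol src=192.0.2.9 result=failure",
    "2024-05-01T02:20:40Z auth user=carol src=192.0.2.9 result=failure",
    "2024-05-01T02:30:00Z auth user=dave src=10.0.0.6 result=success",
]


def load_sample_events() -> list[AuthEvent]:
    return [parse_auth_line(line) for line in SAMPLE_LOG]


def find_reentry_attempts(events, compromised_accounts=COMPROMISED_ACCOUNTS,
                          attacker_ips=ATTACKER_IPS, failure_threshold=5,
                          window=timedelta(minutes=10)) -> list[dict]:
    """Return one alert dict per triggered rule, in event order."""
    alerts = []
    recent_failures = defaultdict(list)  # user -> timestamps of recent failures
    burst_alerted = set()
    for e in sorted(events, key=lambda ev: ev.ts):
        if e.user in compromised_accounts:
            # Any use of an account the attacker held means it was not locked,
            # or the attacker still knows its credentials.
            alerts.append({"rule": "compromised_account_activity",
                           "user": e.user, "src": e.src_ip, "ts": e.ts})
        if e.src_ip in attacker_ips:
            alerts.append({"rule": "known_attacker_ip",
                           "user": e.user, "src": e.src_ip, "ts": e.ts})
        if e.result == "failure":
            hits = recent_failures[e.user]
            hits.append(e.ts)
            hits[:] = [t for t in hits if e.ts - t <= window]  # drop stale ones
            if len(hits) >= failure_threshold and e.user not in burst_alerted:
                burst_alerted.add(e.user)
                alerts.append({"rule": "failed_login_burst",
                               "user": e.user, "src": e.src_ip, "ts": e.ts})
    return alerts


if __name__ == "__main__":
    for alert in find_reentry_attempts(load_sample_events()):
        print(f"{alert['ts'].isoformat()} {alert['rule']}: user={alert['user']} src={alert['src']}")
```

Run against the sample, the detector raises three alerts (the disabled service account, the known attacker address, and the burst against carol). The point of the watchlist rules is that they are cheap and high-confidence precisely because they reuse what the investigation already established; the burst rule is the generic backstop for accounts the investigation did not name.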
Take a deep breath: you survived the recovery process, but that doesn’t mean things are over. Now that the frenzy of activities associated with the recovery has subsided, your team can begin to focus on forward-looking strategies to further secure the environment and build resiliency. Don’t leave the next one to chance. Take this opportunity to critically examine your security posture to be ready for the next time lightning strikes.
There are no guarantees in love, life, or ransomware — but that does not mean you have to succumb to the chaos that ransomware brings in its wake. An effective containment strategy is a cornerstone of a successful recovery operation following a ransomware attack. To increase your chances of a successful recovery effort and minimize the likelihood of a recompromise of your environment, you must balance the recovery operations with an effective containment strategy.
Less is more.
Jason was born and raised in incident response, having helped over a thousand companies who were victims of cyber-attacks. He spent over a decade conducting investigations into APT threat actors, financial / organized crime, and hacktivists that targeted the SMB space and Fortune 100 companies. As a founding member of MOXFIVE, Jason now supports organizations in mitigating the impact of cyber-attacks through building a more secure and resilient infrastructure and assisting ransomware victims in securely restoring business operations following ransomware attacks.