Targeted Containment — Less is More
“They’re back… they hit us again…” These are words you never want to hear after you have just finished recovering from the worst experience in your organization’s history — a ransomware attack that halted your business operations. Unfortunately, MOXFIVE is seeing an alarming trend where we are engaged to secure environments after an organization is reinfected with ransomware a second, or sometimes even a third, time. Our observation is that this occurs when organizations tackle the response effort unguided and assume that recovery is complete when their last backup finishes restoring. As every forensic investigator will tell you, there is a reason those systems were encrypted in the first place. A successful recovery hinges on understanding that story.
In the MOXFIVE blog post The Key to Successful Business Recovery, we outlined the approach to a successful recovery process. Spoiler alert: the key was the approach of Assess, Contain, Recover, and Reinforce. At first glance, many may think that the reinfection of environments is due to limited follow-through on the Reinforce stage, which focuses on enhancing the security and resiliency of the environment to better protect against future attacks. While we do see reinfections occur due to limited follow-through, the reality is even more terrifying. Not only are an increasing number of ransomware response efforts shortchanging the critical containment and cleanup activities needed to securely restore the environment — they are failing to first remove the attacker’s access to the environment. In other words, the attacker never left the building — they only switched rooms.
In this blog post, we expand on the idea of Containment and the role it plays in not only ransomware cases but in any cyber incident.
Like many things in the security industry, if you ask five different security experts to define “containment”, you will likely get five very different answers. At MOXFIVE, we view containment as a set of activities designed to remove an attacker’s ability to operate in the environment. When flawlessly executed, this results in the total eradication of the attacker from the environment. It should come as no surprise that containment is seldom executed perfectly during the chaos of incident response. To increase the chances of full eradication, we need to understand what the attacker has done in the environment. This starts with understanding the following:
How did the threat actor gain access to the environment?
What systems did the threat actor access?
How did the threat actor maintain access to the environment (including remote access malware and its associated persistence mechanisms, access to email, access to a VPN or remote desktop)?
What actions did the threat actor execute, and how did they execute them (includes encrypting files and corrupting or stealing data)?
What credentials did the threat actor have access to?
Obtaining insight into the areas above and building a clear understanding of the attack through a forensic investigation takes time. Unfortunately, victims of cyber attacks don’t have the luxury of time. That is why MOXFIVE recommends a targeted and phased containment strategy with the mindset of “less is more”. Put away the laundry list and focus your limited time and energy on the key set of activities that will provide the greatest return on the investment of your precious time.
Containment: A Phased Approach
Stage 1 (Contain) — Limited Attack Insight, Focused Efforts
At the outset, you have limited information on the attack vector or what occurred after the threat actors gained access into the environment. At this stage, focus on creating a safe way to restore systems and on laying the foundation to have better information when you get to Stage 2. This commonly includes the following:
Build a quarantine VLAN to temporarily place suspected compromised systems while they are evaluated, cleaned, and protected. This can largely be done with existing equipment.
Deploy endpoint protection platform (EPP) tools to secure systems against malicious software and monitor for malicious activity.
Disrupt the attacker’s ability to operate in the environment. This can include restricting inbound / outbound network access, resetting passwords, and implementing multi-factor authentication for remote access.
Move rapidly to conduct a forensic investigation — the investigation’s outputs provide key inputs into later phases. This will require gaining visibility and control over an environment that likely did not have this previously.
Stage 2 (Eradicate) — Moderate Attack Insight, Refined Efforts
As the forensic investigation progresses, it will provide an increasing amount of insight into what the threat actors did in the environment and what tools they used. Based on this information, organizations should begin more focused containment activities. These efforts typically include:
Implement measures to mitigate the condition(s) that enabled the initial attack to succeed. Focus on high-impact actions that directly address the cause and that can be implemented within hours to days. This is not the time to pull out the laundry list of security improvements that have been simmering on your back burner.
Block the methods by which the threat actor maintains access to, and operates within, the environment. This can include restricting lateral movement techniques (e.g. randomizing Windows local administrator passwords and addressing privileged service accounts in a triaged manner) and blocking malicious command-and-control IP addresses and domain names, malicious files, etc.
Clean up threat actor related files and lingering artifacts associated with malware such as registry keys used to maintain malware persistence.
Stage 3 (Secure) — Full Attack Insight, Broad Efforts
Congratulations! When you reach the third stage, you have likely resumed business operations and are now in the best position to begin further securing the environment. MOXFIVE recommends continuing or expanding monitoring of the environment after the incident to look for evidence of the attacker attempting reentry. This can include:
Malware that was missed during the forensic investigation. MOXFIVE has seen missed backdoors, web shells, or malware that was never removed during the initial response. This speaks to the crucial significance of Stage 1 (Contain) and Stage 2 (Eradicate).
Attackers attempting to regain access into the environment. This could be through phishing emails or prodding the front door of your environment to find a way back in.
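Watching for reentry is concrete once the investigation has produced two lists: the infrastructure the attacker used and the accounts they touched. The following added example (not MOXFIVE's tooling) runs three checks over VPN authentication logs: any authentication from known attacker infrastructure, any successful login by a previously compromised account, and one source address failing against many distinct accounts in a short window, which is what “prodding the front door” typically looks like. The log lines, the key=value log format, the indicator sets and the spray threshold are all constructed for illustration.

```python
"""Post-incident reentry monitoring over VPN authentication logs.

Added example, not MOXFIVE's code. The log format, sample lines and indicator
sets are constructed; real deployments map their VPN vendor's fields instead.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Set

# Constructed sample: one attacker-attributed IP, one sprayed range of accounts,
# and a login by an account the investigation found the attacker had used.
SAMPLE_LOG = """\
2024-03-04T02:11:07Z vpn auth user=jdoe src=198.51.100.23 result=success
2024-03-04T02:14:52Z vpn auth user=svc_backup src=203.0.113.45 result=failure
2024-03-04T02:15:03Z vpn auth user=mlee src=203.0.113.45 result=failure
2024-03-04T02:15:11Z vpn auth user=administrator src=203.0.113.45 result=failure
2024-03-04T02:15:20Z vpn auth user=rpatel src=203.0.113.45 result=failure
2024-03-04T02:15:31Z vpn auth user=tkim src=203.0.113.45 result=failure
2024-03-04T02:16:40Z vpn auth user=svc_backup src=203.0.113.45 result=success
2024-03-04T03:02:19Z vpn auth user=akhan src=198.51.100.77 result=success
2024-03-04T03:40:00Z vpn auth user=jdoe src=192.0.2.10 result=success
"""

# Constructed investigation outputs (documentation IP ranges used throughout).
ATTACKER_IPS: Set[str] = {"192.0.2.10"}
COMPROMISED_ACCOUNTS: Set[str] = {"svc_backup"}
SPRAY_THRESHOLD = 4               # assumed: distinct accounts failing from one source
SPRAY_WINDOW = timedelta(minutes=10)

LINE_RE = re.compile(
    r"^(?P<ts>\S+) vpn auth user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>\S+)$")


def parse_log(text: str) -> List[Dict]:
    """Parse the constructed key=value format into event dicts; skip malformed lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append({"ts": ts, "user": m["user"], "src": m["src"], "result": m["result"]})
    return events


def detect_reentry(events: List[Dict], attacker_ips: Set[str], compromised: Set[str],
                   threshold: int = SPRAY_THRESHOLD, window: timedelta = SPRAY_WINDOW) -> List[str]:
    """Return human-readable alerts, in timestamp order."""
    alerts: List[str] = []
    failures_by_src = defaultdict(list)   # src -> [(ts, user)] inside the sliding window
    already_reported: Set[str] = set()     # one spray alert per source
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["src"] in attacker_ips:
            alerts.append(f"known attacker infrastructure {ev['src']} authenticated as "
                          f"{ev['user']} ({ev['result']})")
        if ev["user"] in compromised and ev["result"] == "success":
            alerts.append(f"previously compromised account {ev['user']} logged in from {ev['src']}")
        if ev["result"] == "failure":
            cutoff = ev["ts"] - window
            hist = [h for h in failures_by_src[ev["src"]] if h[0] >= cutoff]
            hist.append((ev["ts"], ev["user"]))
            failures_by_src[ev["src"]] = hist
            distinct = {u for _, u in hist}
            if len(distinct) >= threshold and ev["src"] not in already_reported:
                already_reported.add(ev["src"])
                alerts.append(f"possible password spray from {ev['src']}: "
                              f"{len(distinct)} accounts in {window}")
    return alerts


if __name__ == "__main__":
    for a in detect_reentry(parse_log(SAMPLE_LOG), ATTACKER_IPS, COMPROMISED_ACCOUNTS):
        print(a)
```

On the sample this yields three alerts: the spray from 203.0.113.45 once the fourth distinct account fails, the subsequent success by svc_backup from that same source, and the later login from the attacker-attributed address. The second alert is the one that speaks directly to Stage 2: a compromised service account that is still accepting logins after the incident is a sign its credentials were never actually reset.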
Take a deep breath: you survived the recovery process, but that doesn’t mean things are over. Now that the frenzy of activities associated with the recovery has subsided, your team can begin to focus on forward-looking strategies to further secure the environment and build resiliency. Don’t leave the next one to chance. Take this opportunity to critically examine your security posture so you are ready for the next time lightning strikes.
Chaos Managed, Chaos Contained
There are no guarantees in love, life, or ransomware — but that does not mean you have to succumb to the chaos that ransomware brings in its wake. An effective containment strategy is a cornerstone of a successful recovery operation following a ransomware attack. To increase your chances of a successful recovery effort and minimize the likelihood of a recompromise of your environment, you must balance the recovery operations with an effective containment strategy.
Less is more.