Incident Response & Recovery Recommendations

This paper explores the critical aspects of incident response, business continuity, and disaster recovery in the field of cybersecurity. It addresses the inevitability of cybersecurity incidents and emphasizes the importance of preparing for such events through comprehensive planning and regular updates.

Gage Olson

6/12/2024, 5 min read

In the cybersecurity field, the inevitability of incidents is a given. It isn’t merely a matter of what could happen, but when it will happen. Preparing for such incidents by developing incident response, business continuity, and disaster recovery plans is crucial. Cybersecurity analysts play a large role, as they must regularly review and update these plans with an understanding of the organization’s assets and how those assets operate as systems.

My name is Gage Olson and I am a cybersecurity analyst. I have been notified by a help desk technician of a potential ransomware attack on a machine within the finance department. Ransomware is malware that is designed to deny a user or an organization access to the files on their computer. Attackers do this by encrypting the files and demanding a ransom payment for the decryption key to unlock the files. Upon arriving and seeing both the screen and the encrypted files, I can confirm the machine has been infected with malware (ransomware). Upon further investigation, I discovered that network segmentation is not in place as it should be, and some departments are located on the same network as the infected machine. This could potentially allow the malware to move laterally to other machines or servers within that network segment.

In the event of a cybersecurity incident, such as a ransomware attack, a comprehensive response strategy is necessary. This approach will include identifying infected assets and systems, methods to contain the incident, remediation of the incident, and recommended strategies to minimize the possibility of the incident recurring. It will also include a strategy for maintaining normal business operations during the recovery process. I will also look at disaster recovery in terms of how failover could benefit the organization, and propose an update to the backup strategy along with how that update would affect people, processes, and technology.

There are quite a few potential assets affected by this ransomware attack: the finance workstation in which the attack originated, all computers and mobile devices within the finance department, network equipment such as switches and routers, and all servers that are connected to the same network as the finance computer. Since network segmentation was not properly implemented, any computer, server, network storage device, printer, etc. located on that network is susceptible to this ransomware attack, as it could spread laterally to these devices.

In an effort to contain the malware to just the infected workstation, I would isolate it by physically disconnecting the network cable and turning off Wi-Fi and Bluetooth to prevent it from spreading. Seeing as the computer was located within the finance department, and no network segmentation was implemented, all computers connected to that particular network would need to be disconnected and checked for signs of malware. Network monitoring tools, such as Wireshark, Snort, or Splunk, could be used to identify lateral movement of the ransomware to other computers or systems.
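One concrete way to look for the lateral movement described above is to watch for a single workstation suddenly opening SMB or RDP connections to many different peers in a short window, which is how worm-like ransomware typically spreads across a flat network. The following is an added example, not code from the original post or from any of the tools it names: it runs a sliding-window fan-out check over constructed flow records (timestamp, source, destination, destination port). The hosts, addresses, port list, 60-second window and threshold of 10 distinct peers are all assumptions chosen for illustration; in practice they would be exported from a flow collector or SIEM such as Splunk and tuned to the environment.

```python
"""Flag hosts that fan out to many peers over lateral-movement ports in a short window."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample flow records (assumption, not from the original post).
# 10.20.5.17 touches 12 distinct peers over SMB/RDP in 11 seconds (suspicious);
# 10.20.5.40/41 talk to one file server (normal); 10.20.5.50 touches 4 peers
# spread over several minutes (below the per-window threshold).
SAMPLE_FLOWS = """\
2024-06-12T09:00:01 10.20.5.17 10.20.5.21 445
2024-06-12T09:00:02 10.20.5.17 10.20.5.22 445
2024-06-12T09:00:03 10.20.5.17 10.20.5.23 445
2024-06-12T09:00:04 10.20.5.17 10.20.5.24 445
2024-06-12T09:00:05 10.20.5.17 10.20.5.25 445
2024-06-12T09:00:06 10.20.5.17 10.20.5.26 445
2024-06-12T09:00:07 10.20.5.17 10.20.5.27 445
2024-06-12T09:00:08 10.20.5.17 10.20.5.28 445
2024-06-12T09:00:09 10.20.5.17 10.20.5.29 445
2024-06-12T09:00:10 10.20.5.17 10.20.5.30 445
2024-06-12T09:00:11 10.20.5.17 10.20.5.31 3389
2024-06-12T09:00:12 10.20.5.17 10.20.5.32 3389
2024-06-12T09:00:30 10.20.5.40 10.20.5.5 445
2024-06-12T09:00:31 10.20.5.41 10.20.5.5 445
2024-06-12T09:00:32 10.20.5.40 10.20.5.5 445
2024-06-12T09:00:33 10.20.5.42 10.20.5.5 443
2024-06-12T09:05:00 10.20.5.50 10.20.5.60 445
2024-06-12T09:06:00 10.20.5.50 10.20.5.61 445
2024-06-12T09:07:30 10.20.5.50 10.20.5.62 445
2024-06-12T09:09:00 10.20.5.50 10.20.5.63 445
"""

# Ports commonly used for file sharing and remote administration (assumed list).
LATERAL_PORTS = {139, 445, 3389, 5985, 5986}
WINDOW = timedelta(seconds=60)
THRESHOLD = 10  # distinct peers inside one window before we alert


def parse_flows(text):
    """Parse 'timestamp src dst port' lines into (datetime, src, dst, port) tuples."""
    records = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        ts, src, dst, port = line.split()
        records.append((datetime.fromisoformat(ts), src, dst, int(port)))
    return records


def max_fan_out(records, window=WINDOW):
    """Return {src: max distinct peers contacted on LATERAL_PORTS within any window}."""
    by_src = defaultdict(list)
    for ts, src, dst, port in records:
        if port in LATERAL_PORTS:
            by_src[src].append((ts, dst))
    result = {}
    for src, events in by_src.items():
        events.sort()
        start, best = 0, 0
        for end in range(len(events)):
            # Slide the window start forward until it fits inside `window`.
            while events[end][0] - events[start][0] > window:
                start += 1
            peers = {dst for _, dst in events[start:end + 1]}
            best = max(best, len(peers))
        result[src] = best
    return result


def find_fan_out(records, window=WINDOW, threshold=THRESHOLD):
    """Return only the sources whose fan-out reaches the alert threshold."""
    return {src: n for src, n in max_fan_out(records, window).items() if n >= threshold}


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    for src, n in find_fan_out(flows).items():
        print(f"ALERT: {src} contacted {n} distinct peers on lateral-movement ports within {WINDOW}")
```

An alert from this check is a reason to pull the cable on that host and review its SMB/RDP activity, not proof of infection on its own; legitimate scanners, backup agents and domain controllers will also fan out and belong on an allow-list.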

Remediation is straightforward in the best-case scenario: identify the ransomware variant and find decryption software from a vendor such as Kaspersky, Avast, or Trend Micro to decrypt the files, then remove the malware from the computer. If decryption is not possible, I would reimage the infected machine and restore it from backup. I would do everything within my power to not pay the ransom and to recover as much data as possible. Paying the ransom only motivates the attackers and could trigger further attacks. This process would have to take place within a quarantined, secure environment on a separate network to ensure the malware does not spread to other areas of the network. I would make sure the entire process is logged and that any evidence is properly collected and preserved for further investigation.

There are many options to minimize future incidents such as this. I would implement regular, more frequent backups and ensure they are isolated from the network and potentially offsite. The backup frequency would depend on the criticality of the system or data and how often it is used. I would also ensure regular updates and patches to software, operating systems, and systems are being applied to mitigate vulnerabilities. I advise conducting security training for employees with a focus on ransomware and phishing to greatly decrease the chances of an incident like this happening in the future. Employees are the first line of defense and should be able to actively recognize such incidents. Employees should also have a proper channel in place to report such activity. I also advise more frequent risk assessments and vulnerability scans. I would also look into an EDR (Endpoint Detection and Response) solution, such as Singularity, CrowdStrike, or Trend Micro, if one is not already implemented.

Maintaining business continuity and business operations is crucial in the event of an incident such as ransomware. Customers and users are depending on systems to be up and running. Any automated processes that can be completed manually should be, to keep the business running. Offsite redundant systems can take over in the event the primary systems fail. Seeing as not just one computer or one department could be affected, and we had to shut down multiple departments and computers on the network, utilizing the offsite redundancy is a must. I would also identify and prioritize business-critical processes and allocate resources there first to ensure those systems stay up and running.

Disaster recovery after the incident is also a very important step in the process. Failover is the process of automatically switching to offsite, redundant systems, servers, networks, or databases when the primary system fails or must be taken offline. This ensures minimal disruption to employees and customers and maintains business continuity. People should be trained on the failover procedures and what their roles are. Processes should be put into place to ensure the redundant systems are triggered when necessary and to switch back to the primary system once it is back online. Equally important is returning from the offsite redundant systems to the new or repaired onsite systems after they are back online.

Every company needs a robust backup system and strategy. A backup strategy is a comprehensive plan that many businesses follow to protect against data loss incidents and to recover quickly with minimal or no damage to workflows or reputation. While I understand the company does have backups in place, the frequency should be questioned, especially when it comes to the finance department. I would train employees and stakeholders on the importance of regular backups. Someone within the IT department must be responsible for monitoring and maintaining the backup system to ensure it is working correctly and backing up the necessary files. The frequency of the backups would be based on the criticality of the types of data. The finance department should probably have real-time backups, while another department might get away with a daily backup after business hours. Backups should be maintained onsite and offsite for redundancy. In the event fire sprinklers go off in your server room and damage all your onsite backups, you can still access them from the offsite copies. All backups will need to be encrypted to ensure confidentiality and integrity.
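The two backup recommendations in this paper (frequency set by data criticality, and copies kept onsite and offsite, encrypted) are easy to state and easy to let drift. The following added example, which is not code from the original post or from any backup product, shows how the person responsible for monitoring the backup system could audit a backup inventory against that policy: each asset is given a tier that maps to a maximum allowed backup age (its recovery point objective), and every backup set is checked for staleness, for the presence of both an onsite and an offsite copy, and for encryption. The tiers, RPO values, asset names and timestamps are assumptions constructed for illustration.

```python
"""Audit a backup inventory against a criticality-driven backup policy."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Maximum age of the newest successful backup per tier (assumed values):
# near-real-time for critical data, nightly for standard, weekly for low.
RPO_BY_TIER = {
    "critical": timedelta(minutes=15),
    "standard": timedelta(hours=24),
    "low": timedelta(days=7),
}

REQUIRED_LOCATIONS = ("onsite", "offsite")  # redundancy requirement from the post


@dataclass
class BackupSet:
    asset: str
    tier: str
    last_success: datetime          # newest backup job that completed successfully
    locations: Tuple[str, ...]      # where copies are held
    encrypted: bool                 # copies encrypted at rest


# Constructed inventory (assumption, not real infrastructure).
NOW = datetime(2024, 6, 12, 9, 0)
INVENTORY = [
    BackupSet("finance-ledger-db", "critical", NOW - timedelta(hours=2), ("onsite",), True),
    BackupSet("hr-fileshare", "standard", NOW - timedelta(hours=6), REQUIRED_LOCATIONS, False),
    BackupSet("marketing-share", "low", NOW - timedelta(days=3), REQUIRED_LOCATIONS, True),
]


def check_backup(b: BackupSet, now: datetime = NOW) -> List[str]:
    """Return a list of policy violations for one backup set (empty means compliant)."""
    findings = []
    rpo = RPO_BY_TIER[b.tier]
    age = now - b.last_success
    if age > rpo:
        findings.append(f"stale: last success {age} ago exceeds RPO {rpo}")
    for loc in REQUIRED_LOCATIONS:
        if loc not in b.locations:
            findings.append(f"missing {loc} copy")
    if not b.encrypted:
        findings.append("unencrypted")
    return findings


def audit(inventory: List[BackupSet], now: datetime = NOW) -> Dict[str, List[str]]:
    """Map each asset name to its list of violations."""
    return {b.asset: check_backup(b, now) for b in inventory}


def noncompliant_assets(inventory: List[BackupSet], now: datetime = NOW) -> List[str]:
    """Assets with at least one violation, most critical tier first."""
    order = list(RPO_BY_TIER)  # critical, standard, low
    bad = [b for b in inventory if check_backup(b, now)]
    return [b.asset for b in sorted(bad, key=lambda b: order.index(b.tier))]


if __name__ == "__main__":
    for asset, findings in audit(INVENTORY).items():
        status = "OK" if not findings else "; ".join(findings)
        print(f"{asset:20} {status}")
```

Run on a schedule and wired to an alert, a check like this catches the gap the paper warns about, a finance system whose only backup is hours old and sits on the same site as the production data, before a ransomware event turns it into an unrecoverable loss. A restore test date would be the natural next field to add, since a backup that has never been restored is an assumption rather than a recovery plan.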
