An article on ZDNet caught my eye about picking up the pieces in the aftermath of a ransomware infection. (To be fair, they were extensively referencing an article on the UK’s National Cyber Security Centre website.) Essentially, it was about being victimized a second time by failing to investigate and remediate the failure(s) that caused the first breach.
It got me to thinking about process. A process or a checklist can save you in a busy or stressful situation.
When I waitressed, I was surprised by how many people would request a to-go container, put their leftovers in the to-go container…and maybe 2/3 of the time, leave the to-go container behind when they got up and walked away from the table. Why?
As we tick through the usual list of things to do in a busy situation, we can easily overlook an out-of-the-ordinary task. When trying to follow the Leaving the Restaurant script (calculate the tip, pay the bill, find your coats, say goodbye to friends, figure out the Uber situation, etc.), remembering to grab your leftovers is not usually on that mental list. So they’re left behind.
A process is even more important in a charged situation like a fire scene investigation. Time is ticking and multiple people are involved. A checklist at the scene helps investigators prioritize when things are stressful and mistakes have big consequences.
Ransomware Remediation – Busy and Stressful
A ransomware attack is both stressful and busy, and most network admins don’t have much experience with handling the attack and the aftermath. The immediate issues (getting your data back, either by paying the ransom for a decryptor or by restoring from backups) are all-consuming and can take up all of your organization’s time and energy. You may be so focused on getting everyone back to work that you forget to figure out how the problem started in the first place.
Fire investigators know that fires can reignite – sometimes they are still smoldering behind walls when it looks like the fire is out. They don’t consider the scene secured until there is no chance of reignition, and they check rather than assume.
KnowBe4 has a checklist for handling a ransomware attack, though they don’t go into detail about determining the infection vector. So does Manage Engine (and they go into a bit more detail). NIST has a fantastic Computer Security Incident Handling Guide (SP 800-61) – they outline steps to follow and they recommend reaching out if you can’t figure out exactly what happened and how to remediate it:
Occasionally, the team will be unable to determine the full cause and nature of an incident. If the team lacks sufficient information to contain and eradicate the incident, then it should consult with internal resources (e.g., information security staff) and external resources (e.g., US-CERT, other CSIRTs, contractors with incident response expertise). It is important to accurately determine the cause of each incident so that it can be fully contained and the exploited vulnerabilities can be mitigated to prevent similar incidents from occurring.
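To make that “determine the cause” step concrete, here is a small triage script written for this post (it is an added example, not NIST’s, KnowBe4’s or ManageEngine’s tooling, and it makes no claim about how any real ransomware behaves). It takes normalized log lines from several sources, finds the first ransom-note write, walks inbound logons backwards from that host to the earliest host we actually have logs for, and then lists everything that happened on that host in the window before the attacker moved on. Every hostname, user, address, timestamp and the note filename README_TO_RESTORE.txt is constructed for the example, and the line format “timestamp host source detail” is an assumption of this script, not any product’s format.

```python
"""Ransomware root-cause triage over constructed, normalized log lines.

Added example for this post; not a real product's tool. Assumes each line is
'<ISO timestamp> <host> <source> <free-text detail>' and that inbound logons
end in 'from <origin>'. All sample data below is invented.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

NOTE_MARKER = "README_TO_RESTORE"   # assumed ransom-note filename for the example


@dataclass(frozen=True)
class Event:
    when: datetime
    host: str
    source: str   # which log it came from: auth, mail, edr, fs
    detail: str


def parse_line(line: str) -> Event:
    ts, host, source, detail = line.split(" ", 3)
    return Event(datetime.fromisoformat(ts), host, source, detail)


# Constructed sample logs: a macro on ws-17, a later logon from ws-17 to fs-01
# with a service account, then encryption on fs-01. Decoys: an old update on
# ws-17, an unrelated earlier logon to fs-01, and the responder's logon after
# encryption started.
SAMPLE_LOG = """
2024-03-01T10:00:00 ws-17 edr scheduled update installed
2024-03-03T09:00:00 fs-01 auth logon type 3 user a.smith from dc-01
2024-03-04T08:12:00 ws-17 mail delivered invoice_0391.zip to j.doe from external sender
2024-03-04T08:15:10 ws-17 edr WINWORD.EXE spawned powershell.exe
2024-03-04T08:15:42 ws-17 edr outbound connection to 203.0.113.8:443
2024-03-05T02:40:00 fs-01 auth logon type 3 user svc_backup from ws-17
2024-03-05T02:45:00 fs-01 fs created README_TO_RESTORE.txt on share finance
2024-03-05T02:45:01 fs-01 fs modified q1_budget.xlsx.locked on share finance
2024-03-05T03:10:00 fs-01 auth logon type 10 user ir.analyst from jump-01
"""


def encryption_start(events: List[Event], note_marker: str) -> Optional[Event]:
    """Earliest file-system event that looks like a ransom-note drop."""
    notes = [e for e in events if e.source == "fs" and note_marker in e.detail]
    return min(notes, key=lambda e: e.when) if notes else None


def latest_inbound(events: List[Event], host: str, before: datetime) -> Optional[Event]:
    """Most recent inbound logon to host before the given time, i.e. the
    session most likely to have been active when the next step happened."""
    cands = [e for e in events if e.host == host and e.source == "auth"
             and e.when < before and " from " in e.detail]
    return max(cands, key=lambda e: e.when) if cands else None


def foothold_chain(events: List[Event], start: Event) -> Tuple[List[Event], str]:
    """Follow logons backwards from the encrypted host. Stops at a host we have
    no inbound logon for (the first foothold) or an origin we have no logs for."""
    managed = {e.host for e in events}
    chain, host, before, seen = [], start.host, start.when, set()
    while host in managed and host not in seen:
        seen.add(host)
        hop = latest_inbound(events, host, before)
        if hop is None:
            break
        chain.append(hop)
        host, before = hop.detail.rsplit(" from ", 1)[1], hop.when
    return chain, host


def events_in_window(events: List[Event], host: str, before: datetime,
                     window: timedelta) -> List[Event]:
    """Everything on host in the window leading up to 'before', oldest first."""
    return sorted((e for e in events if e.host == host
                   and before - window <= e.when < before), key=lambda e: e.when)


def triage(log_text: str, note_marker: str = NOTE_MARKER,
           window: timedelta = timedelta(hours=24)) -> Dict[str, object]:
    events = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    start = encryption_start(events, note_marker)
    if start is None:
        return {"encryption_start": None, "chain": [], "origin": None,
                "origin_in_logs": False, "candidates": []}
    chain, origin = foothold_chain(events, start)
    # The attacker left the origin host at the time of the first hop out of it.
    pivot = chain[-1].when if chain else start.when
    return {
        "encryption_start": start,
        "chain": chain,
        "origin": origin,
        "origin_in_logs": origin in {e.host for e in events},
        "candidates": events_in_window(events, origin, pivot, window),
    }


if __name__ == "__main__":
    r = triage(SAMPLE_LOG)
    print("encryption started:", r["encryption_start"])
    for hop in r["chain"]:
        print("hop:", hop)
    print("earliest foothold:", r["origin"], "(in our logs)" if r["origin_in_logs"]
          else "(outside our logs: consult other sources before calling it eradicated)")
    for e in r["candidates"]:
        print("candidate cause:", e)
```

In the sample the chain is one hop (svc_backup from ws-17 onto fs-01), the foothold is ws-17, and the three candidate-cause events are the phishing delivery and the macro-spawned PowerShell, which is exactly the finding a “restore and move on” response would never produce. When `origin_in_logs` comes back false, the script has walked off the edge of the evidence you have, which is the situation the NIST paragraph above is describing.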
An incident response plan is very important for, well, responding to incidents – but don’t forget to tick the whole way through the list and figure out how the breach occurred and how to both remediate it and learn from it. SANS has some great resources, as do NIST and Cynet.