There’s an old saying that is very relevant when it comes to cybersecurity: hope for the best, plan for the worst. It’s natural to focus on preventing breaches entirely, but strong post-breach defenses can actually be far more effective in reducing the damage done by hackers.
Why is post-breach remediation important?
Especially when it comes to ransomware, the success of an attack depends on how much of the network the attackers are able to compromise. The more of a network gets locked down, the more economic damage it does to an organization, and the bigger the ransom attackers can demand. This also applies to data breaches: the more data attackers get their hands on, the more leverage they have over their victims. Attackers may be present inside a network for weeks before demanding a ransom. If they can be detected at any time during this process, the attack can sometimes be foiled completely. In other cases, the downtime, data loss, or ransom amount can be minimized.
Challenges of post-breach remediation
There are a number of challenges that come up when dealing with a breach.
Isolating the threat
The first priority after a breach is discovered is isolating the affected systems to prevent the attackers from spreading. This is much easier if your network is already designed with compartmentalization principles in mind. In any case, isolating the threat usually requires post-breach investigation and analysis to identify the suspicious activity and track it across the entire network.
Determining the source of the breach
Before returning to business as usual, we have to find the cause of the breach. We can accomplish this by identifying the route the attacker is using to communicate with the network, and tracing their footprints through the system logs back to the initial contact.
Once we know which ransomware attack vector was used and how the attacker got in, we can patch the vulnerability. In some cases this requires updating software, while in other cases it might require an overhaul of security procedures. In some cases, it is advisable to update hardware, too.
Restoring data and network function
Once the network is secured and the threat is removed, it’s time to get the network back up and running. This may involve decrypting data, restoring from backups, or recreating data, or a combination of these.
With ransomware infections, an organization may be losing millions of dollars an hour. This means that the speed and efficiency of post-breach responses can be extremely important. This is why BeforeCrypt’s emergency response team of ransomware experts is on call 24 hours a day, 7 days a week.
Depending on the nature of the affected organization, data breaches can carry serious legal consequences. Different countries have different requirements and procedures for data breaches, and failure to comply can carry heavy fines.
Documentation for insurance and law enforcement
Successfully filing a cyber insurance claim can require documenting the exact nature and scope of an attack. This usually involves filing a police report. Law enforcement may also request information to assist with their investigation.
What does post-breach remediation involve?
A good post-breach response usually involves the following steps.
Containing the threat
The first thing to do is make sure that no further damage occurs. The easiest way to do this is to shut down systems entirely and cut off communication with the internet.
The next step is to go through available information to find out what went wrong and why. This means finding out how much of a network has been infected, how the attacker got in, and how the attacker was able to gain control over the network.
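The two investigation steps described above (finding the attacker's route into the network and tracing their footprints back through the logs to the initial contact, and working out how much of the network was reached) can be illustrated with a small log-walking script. The following is an added example written for this article, not BeforeCrypt's own tooling: it assumes a constructed, simplified logon log in the form `timestamp,event,user,src,dst`, treats hostnames and a few assumed private address ranges as internal, and for each host follows the latest inbound logon before the event being explained (a deliberate simplification; a real investigation reviews every inbound logon). Starting from the hosts where ransom notes were found, it walks backwards hop by hop until it reaches an external source, and reports the entry point, the time of first contact, the hosts that were touched, and the accounts that were used.

```python
"""Added example (not BeforeCrypt's code): trace a compromise backwards
through logon logs to find the entry point and the hosts to isolate.
Constructed log format, one event per line: ts,event,user,src,dst
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime

# Constructed sample log (not real data). Ransom notes appear on two file
# servers; the attacker came in through the VPN gateway the night before.
SAMPLE_LOG = """\
2024-03-01T08:02:11,logon,alice,10.0.1.20,FILESRV01
2024-03-01T22:14:03,logon,bob,203.0.113.45,VPNGW
2024-03-01T22:20:40,logon,bob,VPNGW,WS-BOB
2024-03-02T01:05:12,logon,svc_backup,WS-BOB,DC01
2024-03-02T01:30:55,logon,svc_backup,DC01,FILESRV01
2024-03-02T02:10:07,logon,svc_backup,DC01,FILESRV02
2024-03-02T03:00:00,ransom_note,-,-,FILESRV01
2024-03-02T03:00:05,ransom_note,-,-,FILESRV02
"""

# Assumed internal address ranges; hostnames are always treated as internal.
INTERNAL_PREFIXES = ("10.", "192.168.", "172.16.")


@dataclass(frozen=True)
class Event:
    ts: datetime
    event: str
    user: str
    src: str
    dst: str


def parse_log(text: str) -> list[Event]:
    """Parse the CSV-style log into Event objects sorted by time."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, event, user, src, dst = line.split(",")
        events.append(Event(datetime.fromisoformat(ts), event, user, src, dst))
    return sorted(events, key=lambda e: e.ts)


def is_internal(host: str) -> bool:
    """Hostnames and addresses in the assumed private ranges count as internal."""
    return not host[0].isdigit() or host.startswith(INTERNAL_PREFIXES)


def trace_back(events: list[Event], start_host: str, before: datetime) -> list[Event]:
    """Walk logons backwards from start_host, one hop at a time.

    For each host take the latest inbound logon before the moment being
    explained, then repeat from that logon's source. Stop at an external
    source, at a host already visited, or when no inbound logon exists.
    Returns the hops ordered from first contact to the detection host.
    """
    chain: list[Event] = []
    host, cutoff = start_host, before
    seen = {host}
    while True:
        inbound = [e for e in events
                   if e.event == "logon" and e.dst == host and e.ts < cutoff]
        if not inbound:
            break
        hop = inbound[-1]  # events are time-sorted, so [-1] is the latest
        chain.append(hop)
        if hop.src in seen or not is_internal(hop.src):
            break
        seen.add(hop.src)
        host, cutoff = hop.src, hop.ts
    chain.reverse()
    return chain


def investigate(events: list[Event]) -> dict:
    """Combine the chains behind every ransom note into one incident summary."""
    detections = [e for e in events if e.event == "ransom_note"]
    compromised = {d.dst for d in detections}
    accounts: set[str] = set()
    entry: Event | None = None
    for det in detections:
        chain = trace_back(events, det.dst, det.ts)
        for hop in chain:
            accounts.add(hop.user)
            compromised.add(hop.dst)
            if is_internal(hop.src):
                compromised.add(hop.src)
        if chain and not is_internal(chain[0].src):
            if entry is None or chain[0].ts < entry.ts:
                entry = chain[0]
    return {
        "entry_point": entry.src if entry else None,
        "first_contact": entry.ts.isoformat() if entry else None,
        "compromised_hosts": sorted(compromised),  # candidates for isolation
        "accounts": sorted(accounts),              # credentials to reset
    }


if __name__ == "__main__":
    for key, value in investigate(parse_log(SAMPLE_LOG)).items():
        print(f"{key}: {value}")
```

On the constructed sample the script reports the external address that logged into the VPN gateway as the entry point, lists the gateway, the workstation, the domain controller and both file servers as the hosts to isolate, and names the two accounts whose credentials need to be reset; the unrelated daytime logon from an internal workstation is not pulled into the chain. The `compromised_hosts` list is the input to the containment step: isolating those hosts at the network level keeps them reachable for evidence collection while cutting off the attacker's access.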
Based on the findings of the investigation, patches will be implemented and new operational procedures advised. This means more than just installing better antivirus software: it can require educating staff about cybersecurity best practices, too.
Depending on the value of the compromised data, ransomware victims make different choices about how to recover files from a ransomware attack. In some cases, data can be reconstructed from emails or other cloud-based sources. In others, negotiations with the attackers are necessary. It’s always better to avoid negotiating with the attackers if possible, because paying ransoms encourages them to conduct more attacks. However, in some cases the cost of lost data is too high, and there’s no choice but to deal with them. In such cases, part of post-breach remediation is obtaining the decryption key and restoring all data without any data corruption or loss.
Partners for Post-Breach Remediation
BeforeCrypt has helped hundreds of ransomware victims safely, quickly, and securely recover their data and get back to work. If you need help with your post-breach response, contact us for a free consultation on our Ransomware Recovery Services.