What to Do in Case of a Network Breach?
Ransomware has fast become the major threat to business IT infrastructures across virtually every sector. It is an aggressive form of attack through which cybercriminals gain access to your network and block user access to files or systems. These are then held hostage using encryption until the victim pays a ransom in exchange for a decryption key, which allows the user to access the files or systems the program encrypted. Ransomware is not a new threat, but it has become more widely used among today’s highly sophisticated cybercriminals simply because it is highly profitable.
Some of you reading this will become the unfortunate victims of a particularly damaging form of ransomware attack. And it could happen tomorrow.
There tend to be two simple misconceptions behind why businesses all too often fail to adequately protect themselves.
The first is that they don’t believe their businesses are a target for cybercriminals. It is critical to understand that, regardless of your size or location, your business is a potential target. Attacks are orchestrated by organised criminal gangs, using automated and sophisticated techniques. While your business or organisation might not have been specifically singled out, once a vulnerability is found and an access route into your infrastructure has been discovered, more focused attacks will follow.
The second is the assumption that your IT support, internal or external, is qualified to look after your cybersecurity. In almost every case they are not. And that’s not having a go at your IT provider. In the same way that you wouldn’t want your GP to carry out brain surgery, your typical IT support provider is geared up to support your business for ease of access and productivity, not cyber risk management and sophisticated cybersecurity solutions. Cybersecurity is a very different discipline from generalist IT support.
In an all too familiar situation, new clients often come to us having suffered a breach, panicked and stressed about how to deal with the situation. This has given us a unique insight into cybersecurity, as we are on the frontline, often dealing with the aftermath from the types of attack taking place today.
Steps to Take if Your Organisation Gets Infected
When a ransomware attack happens, time is critical. You need to recognise that you’re under attack in order to quickly lock down your network and begin restoring data.
Contain the Breach
As soon as you are aware of a network breach, you need to focus on containing and eliminating it by isolating the infected device(s) from other computers and storage devices, including switches. It might be necessary to disconnect from the internet, turn off the WiFi and disable core network connections. Treat all networked computers as possible spreaders: ransomware cryptoworms aggressively seek out connections to other computers in order to spread across the network.
You can only begin the recovery process after successfully containing a network breach, which needs to be done quickly if you want to recover from it. If you do not have the necessary expert IT resources in house to complete the required work, or prefer to have an expert handle it for you, Syscomm can help.
Investigate the Breach
Once the breach is contained, you need to establish how the attack was actually executed. If you don’t know how the ransomware got onto your network, you won’t know where to start in closing the vulnerabilities it used. Only once this is known can you apply the fixes necessary to protect your network. A Rapid Response Triage Investigation will help you better understand the incident, helping you:
- Determine how the incident occurred (tools and attack methods used, vulnerabilities exploited, etc.)
- Identify what user accounts were utilised by the hacker and for how long
- Attempt to geo-locate the logins from the network
SIEM activity logs are going to be very valuable during this process. Your security team needs to sort through this data and find as much information as possible about the attack.
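As an added illustration of the account and login triage described above (example code, not part of the original post): the script below parses a small constructed set of SIEM-style authentication events, summarises when, for how long and from where each account was used, and flags accounts seen from outside the assumed internal address ranges as candidates for geo-location and credential reset. The log format, host names and address ranges are assumptions.

```python
import re
import ipaddress
from datetime import datetime

# Constructed sample export in a hypothetical key=value format (not any real SIEM's).
SAMPLE_LOGS = """\
2024-03-02T01:12:07Z host=fs01 user=svc-backup src=203.0.113.45 result=success
2024-03-02T01:40:11Z host=dc01 user=administrator src=203.0.113.45 result=failure
2024-03-02T01:40:15Z host=dc01 user=administrator src=203.0.113.45 result=success
2024-03-02T09:05:00Z host=ws17 user=jsmith src=10.20.5.17 result=success
2024-03-03T03:18:44Z host=dc01 user=administrator src=203.0.113.45 result=success
"""

# Ranges the organisation treats as internal (assumed); anything else needs geo-lookup.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.168.0.0/16")]

LINE_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>\S+)$"
)

def parse_line(line):
    """Return one event as a dict, or None for lines that do not match the expected format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return ev

def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)

def triage_accounts(log_text):
    """Per account: first/last use, hosts touched, external sources, failures, active window in hours."""
    acct = {}
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue  # skip malformed lines rather than abort the whole triage
        a = acct.setdefault(ev["user"], {"first": ev["ts"], "last": ev["ts"], "hosts": set(),
                                         "external_sources": set(), "failures": 0})
        a["first"], a["last"] = min(a["first"], ev["ts"]), max(a["last"], ev["ts"])
        a["hosts"].add(ev["host"])
        if not is_internal(ev["src"]):
            a["external_sources"].add(ev["src"])
        if ev["result"] != "success":
            a["failures"] += 1
    for a in acct.values():
        a["window_hours"] = round((a["last"] - a["first"]).total_seconds() / 3600, 2)
    return acct

def suspicious_accounts(summary):
    """Accounts used from outside the internal ranges: reset these first and geo-locate the sources."""
    return sorted(u for u, a in summary.items() if a["external_sources"])
```

Running `suspicious_accounts(triage_accounts(SAMPLE_LOGS))` on the constructed data returns the two accounts seen from the external address, with `administrator` active over a window of roughly 25.6 hours.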
If you’ve received a ransom note, it will most likely tell you what type of ransomware has invaded your system. Knowing which infection has occurred can help in deciding what your options are for disinfection and removal. In all likelihood, you’ll need to carry out a deeper forensic investigation, which will help you understand just how deep your exposure has been.
Eradicate the Malware
Eradication refers to the removal of all the malicious elements from the affected network. The main eradication activities include resetting passwords, removing malware and backdoors, and closing ports. Even if you’re using some kind of modern EDR software, further action will typically be required in order to remove all traces of the malware.
Restore Your Network
You can start restoring your network after containing the network breach. The process will depend on the nature of the hacking attack as different types of network breaches will affect different network assets. In any case, you’ll need to reset credentials including passwords (especially for administrator and other system accounts), safely wipe infected devices and reinstall the OS. This is no small task, especially if you have a larger business.
If you have a business continuity plan, it will greatly help in restoring your network. If you already have a remote backup, you can recover your data and applications more quickly. You can also create a cloud-based replica of your environment where you can work virtually. However, it is critical to verify that any backup you use is free from malware. You must only restore from a backup if you are very confident that both the backup and the device you’re connecting it to are malware free.
If you’ve been following a good backup policy with both local and off-site backups, you should be able to use backup copies that you are sure were not connected to your network after the time of attack and hence protected from infection. Backup drives that were completely disconnected should be safe.
It’s also important to note that a System Restore is not the best strategy for dealing with a ransomware or malware attack. The malicious software will typically be buried in all kinds of places on your network, so you can’t rely on a System Restore being able to root out every part of the malware. Moreover, a System Restore does not save old copies of your personal / important files as part of its snapshot and does not delete or replace any of these files when you perform a restoration. System Restore is not a system backup – you should always have a good backup procedure in place for your business.
Following a ransomware attack, and once your networks have been restored and deemed secure, it is advisable to carry out a security monitoring period of at least two weeks just to ensure that all your systems are ‘clean’. This allows you to quickly and proactively take action against any threats that are subsequently detected.
Security monitoring allows for rapid containment and removal of any active threats in real-time before they inflict further damage.
Notify Affected Parties
You need to identify the sensitive data that was compromised during the attack. If your users’ data is compromised, then you need to notify all the affected users. Develop an internal and external communication strategy so that the right information reaches the right stakeholders in a timely fashion. This will help ensure that you comply with any breach notification laws.
Depending upon the nature and severity of the incident, reporting obligations may include:
- Your bank
- The police
- Your insurer
- Your employees
- Your clients and business relationships
To Pay or Not to Pay…
Depending on the nature of the attack, it is not always possible to help infected users regain access to their network and encrypted files. In the continuing battle against cybercrooks, once your system has been encrypted you could still lose all, most or some of your data. Before giving up, however, you should shop around for a ransomware recovery service to help with recovery.
However, there is always the option simply to pay the ransom demanded. The UK’s NCSC generally advises NOT to pay the ransom, since doing so rewards criminal activity and there is no guarantee that the perpetrator will free up your network and its data. Not only will you be paying a criminal group, but you are also more likely to be targeted in the future. So, while the majority of cybercriminals want to stay in business and send the decryption keys to their victims, others simply take the money or use ransomware that cannot actually undo its damage.
In the end, it’s up to you. If you have a disaster recovery plan in place, the cost-benefit analysis comes down to weighing the price of paying the ransom against the price of losing proprietary and irreplaceable data. Nonetheless, it’s important to remember that paying the ransom is no guarantee of retrieving your data.
Prepare for Future Breach Attempts
After first restoring your entire network and fixing all the vulnerabilities that were present in your network, it is imperative that you invest in state-of-the-art next generation network security solutions.
We recommend to our clients that they undertake a security architecture assessment, looking closely at how current information security controls are protecting the confidentiality, integrity, and availability of the data their business uses and stores on their network. This gives us the ability to design a solution that maximises their protection against cyberthreats, aligning the business’s security controls with its business goals and giving it the ideal and balanced level of cyberprotection.
With a strong assessment, you can clearly understand your current IT infrastructure and the path you should take to accomplish your security goals.
Backup and the ability to restore your data and networks are critical for business continuity, particularly if your business has been subject to a ransomware attack. Offsite, cloud-based data protection gives you cyber resilience to ensure continuity of operations, better performance, and lower infrastructure costs. Such services simplify VM, application, and container backup and recovery, improve storage efficiency, and provide data isolation throughout your hybrid cloud infrastructure.
Whatever the cause, whether a cyberattack or some other kind of network breakdown, quick data recovery is essential to getting up and running again as quickly as possible.
By undertaking a comprehensive assessment, upgrading your network, and ensuring you have an off-site cloud-based backup solution, you will be putting in place the necessary preventative policies, processes, procedures and technologies to prevent future successful attacks.
You Can Do Your Part in Defeating a Ransomware Attack by:
- Investing in business-grade firewalls and anti-malware hardware / software to block known payloads from infiltrating your network
- Applying an Intrusion Detection and Prevention System (IDS/IPS) that strongly enforces network security by providing real-time network protection against network vulnerabilities, exploits, and exposures in operating systems, applications, and databases
- Installing the latest security updates for your OS and applications. Always ‘Patch Early and Patch Often’ in order to repair vulnerabilities in browsers, web plugins, and operating systems
- Practising cyber hygiene, such as educating your staff and exercising caution to prevent phishing attacks
- Segmenting your networks to isolate critical computers and stop the spread of malware in case of attack. This includes shutting down unnecessary network sharing
- Restricting admin rights to only those users who require them – give everyone else the lowest system permissions required to do their work
- Restricting write permissions on file servers, to the extent possible
- Educating yourself on the best practices necessary to keep malware out of your system. Keep up with the latest email phishing scams and news by subscribing to cybersecurity newsletters and share this information with your employees
- Making frequent backups and isolating them from local networks and away from any potentially infected computer. Data backup and recovery is by far the most effective solution in reacting to a successful ransomware attack
- Working with an MSP that understands the complexity of cybersecurity. Securing your business is not a one-off MOT – it requires expert support and ongoing assessments and reviews.
These are some tips that will help you in recovering from a network breach. If you don’t have an in-house IT team, then you should work with an MSP. Experienced MSPs like Syscomm will help you in setting up the cloud-based backup. We can help you quickly recover your network should a breach occur.
Ultimately, the best solution to avoiding or coping with inevitable malware attacks on your business is to adopt a ‘defence-in-depth’ approach. This means using layers of defence with several mitigations at each layer. You’ll have more opportunities to detect malware, and then stop it before it causes real harm to your organisation. Working with the right IT specialists can keep your business safe and shore up your cloud presence with the best infrastructure services.
Syscomm helps organisations assess their needs, develop strategies, and deploy and configure solutions to support cyber resilience. Talk to us today.
Has your business endured a ransomware attack or have a strategy to avoid becoming a victim? Please let me know in the comments below.