In this article, I’ll cover the during of an attack: the critical decisions you’ll be faced with, whom you should reach out to first, and key steps to take as you begin your recovery. This is where you’ll put your disaster recovery plan into action.
What Happens During an Attack?
“You can write as many things as you want down, you can practice as often as you can, and you need to. But when it comes to the heat of battle, different personalities pop up, and things that you rehearse tend to get tested.”
–Pure Storage CISO roundtable report
In keeping with the CISO mantra of “It’s not if attacks will happen, but when,” organizations need to be ready to manage situations where they’re under attack and under pressure. They can’t take the chance that they’ll lose sensitive data, damage customer loyalty, and disrupt the business. CISOs not only need to put procedures in place for managing the outcome of an attack but also be assured that the procedures will work under high-pressure circumstances like a ransomware attack. Do people know what to do and how to do it in the minutes and hours after a serious attack, or are they trying to find the file or notebook with the instructions?
In our first article, we looked at what happens before an attack. Now, let’s see what happens as you’re experiencing an attack or a breach:
- After “dwelling” in your environment, attackers have finally launched their campaign.
- Sensitive files may be exfiltrated for use in a secondary attack if the encryption campaign is unsuccessful or attackers want to make more money.
- Attackers may use exploit toolkits to gain elevated access (i.e., admin access) to your environment. Once in your environment, attackers will identify key systems, such as critical infrastructures like Active Directory, DNS, backup, and primary storage systems.
- Attackers may change credentials to lock you out of systems.
- Attackers may target backups first for deletion or corruption. They might also encrypt front-end backup servers to render catalogs useless.
- Then, attackers could target and encrypt primary user data files on host systems.
Read More from This Series
5 Ways to Address Data Security Gaps Before an Attack
5 Things to Do First During a Ransomware Attack
After a Breach: 5 Recovery Steps to Take
5 Response and Recovery Steps to Take During an Attack
Now it’s time to swing into action. Your exact disaster recovery plan will depend on your business and the breach, but this guide from the FTC is a great place to start. There are also security breach notification laws in the United States you must follow. If you haven’t prepared for these tasks yet, check out this guide to help you kick off some crucial conversations with your CISO.
1. Contain the attack and lock down your environment.
At the first sign of a breach, isolate impacted systems on the network by disconnecting them completely or quarantining them in a private network enclave. This will help stop the spread and minimize damage.
Never fully shut down systems or turn off the power—doing so greatly reduces or eliminates the ability to forensically analyze those devices later. Update credentials and passwords on clean machines. If any information was posted on your site by the attackers, remove it and contact search engines to clear the cache.
2. Execute your backup communications plan if email systems are down and mobilize your emergency response team.
In my article “8 Questions to Ask Your Security Team,” question #4 is “If we are under attack, how will we communicate?” You should have already nailed down a well-defined communications plan. Now’s the time to use it.
Inform leaders and internal stakeholders about the attack, whether it’s via mobile phone or an alternate email address. Get IT and security teams, senior leaders, and outside security consultants on the horn ASAP—we’ll cover more on that below.
Next, you need to mobilize your emergency response team. Your breach response team should have been assembled with some key players. Depending on your company, this could include forensics experts, legal counsel, InfoSec, IT, investor relations, corporate communications, and management.
Everyone on the team should have clear marching orders, as should others involved in recovery. In our “Hacker’s Guide to Ransomware Mitigation and Recovery” e-book, former hacker Hector Monsegur notes that this step is especially important: “Otherwise, network and systems administrators are left using their own judgment to neutralize the threat, which in my experience is usually ineffective or even disastrous,” he says.
3. Launch your external communications plan.
Get in touch with critical partners and authorities. Engage external tech partners to help (that includes your storage provider and any other vendors). If you’re working with the media, regulators, and legal teams after an attack, it’s helpful to maintain an updated list of contacts within local offices of law enforcement authorities such as the FBI in the United States. Contact your cyber insurance providers who can explain coverages and limitations. Contact local authorities and the FBI, if necessary, and be sure to mention any compliance obligations and potential penalties.
You’ll also want to notify affected customers and businesses. You might have drafted a notice and letter that help you frame up the information you’re obligated to share, recommendations for those affected, and a clear statement of what you plan to do next.
4. Begin the forensic process.
Monsegur says, “Assuming that you have all the proper network monitoring tools in place, such as SIEMs and logs, a well-trained staff looking for anomalies and events using the Pure1 anomaly detection capability will be able to identify an attack in action.” Security and access logs can help you identify the source of an attack fast. These logs can also provide the required proof of compliance to regulatory agencies, so you’ll want to make sure they’re adequately protected and secure from deletion.
Triage any impacted devices and prioritize them for forensic review. Your security team should determine what type of attack was launched and the breadth to which it’s impacting your environment. The sooner this happens, the sooner your team can apply patches and also restore a clean backup. Once you have that, you can begin the restoration process into a staged environment.
Tip: “Prepare your environment for investigations down the line with your vendors or law enforcement,” advises Monsegur. “If you’ve brought in a company to do an investigation, make sure there’s a handoff between them and law enforcement.”
5. Move to a clean recovery environment.
It’s time to begin your actual physical recovery. As part of your disaster recovery plan, you’ll want to have a recovery environment that has been staged and tested and is ready to go, giving you a prebuilt way to get back online right after an event. This includes having a line of sight to new hardware and systems. There’s no guarantee you’ll be able to use your existing hardware, which could be taken by authorities or investigators as evidence or might need to be quarantined.
Having clean hardware, like the clean storage environment shipped to you next business day with Pure Storage’s new ransomware recovery SLA in Evergreen//One™, can get you quickly back on track, not just a temporary fix. We’ll provide you with a plan for recovery and someone onsite to assist with migration to your clean arrays.
SafeMode™ Snapshots let you start recovering right away with immutable backups of application data or VMs.
Hacker’s Guide to Ransomware Mitigation and Recovery
Be Ready for Recovery with Pure Storage
Knowing the challenges you’ll face first and the immediate steps you can take during the early stages of an attack can help minimize loss, cost, and risk. Pure Storage® Evergreen//One combines the agility and flexibility of public cloud storage with the security and performance of an all-flash infrastructure. The ransomware recovery SLA is key, as it ensures you’re back up and running without damaging your business. Our new recovery SLA offers:
- Next business day shipping of recovery arrays (48 hours to Asia-Pacific)
- Expedited shipping (varies by region)
- 48 hours to complete your recovery plan
- 8 TiB/hour data transfer rate
- Onsite professional services from time of array arrival through RMA of infected array
Additionally, Pure Storage can help you take swift action at the “during” stage by:
- Providing always-on data-at-rest encryption, with no performance overhead or management required
- Eliminating the ability for protected data to be modified or deleted, thus ensuring recoverability
Revisit part one in this series for the “before” of an attack, or go to part three for the actions to take after an attack.
Written By:
Be Prepared
Learn insights and tips from a former black hat.
