- Train the employees to recognize malicious emails and websites – Done
- Apply security updates and patches quickly and thoroughly – Done
- Tier your administrator accounts to limit access to devices as needed – In progress (That turned out to be a bigger work effort than expected.)
- Implement Multi-factor Authentication (MFA) for remote access and SaaS applications – Stalled (The user community simply does not understand the risk and is convinced it will inhibit their ability to work.)
- Build a firewall between your backups and the rest of your systems – Budgeted for next year
You know there are holes, but there’s a roadmap and budget. And, unlike most, you actually have a plan.
It’s Friday night. You’re just sitting down to dinner and finally relaxing. Meanwhile, your system administrator starts getting alerts that a server is going offline. It’s not a critical issue; they’ll address it after dinner. Another alert comes in, then another…now there’s a problem. Your system administrator tries to connect remotely: “Authentication failed” Panic sets in as they jump in their car and head to the data center. It’s too late. The message on all the screens reads, “All your files are encrypted.”
Your phone rings and you hear the words, “They got everything: servers, workstations, backups and, for good measure, they extracted 2TB of data from our system and say they’ll post it on the web.” The whirlwind begins. There’s insurance, lawyers, consultants, investigators, negotiators. You pay the ransom, get the decryption keys and the process runs anew, albeit painfully slower than you would have thought.
A bad actor’s goal is to inflict maximum damage in order to extort as much as possible. They can start with a user’s PC and carefully navigate laterally until privileges are elevated to the level needed to stage and execute the attack. They use malware like Emotet and TrickBot and tools such as Mimikatz, Cobalt Strike, and Metasploit, spreading them to as many machines as possible and replacing files you might have never known were changed. The criminal continues until they have your domain administrator credentials – the golden ticket for forging Kerberos tickets. It’s not even hacking anymore when they can just log in to whatever they want. Game over.
| Your local Iowa Mold Tooling Co Inc dealer |
|---|
| Nichols Fleet Equipment |
Attempting to reuse any part of your environment is a huge risk. The systems are still compromised, and the exploits used for the infiltration are still there. Consequently, you need a plan and resources to rebuild everything as quickly as possible. This includes sterile networks, fresh installs, and data restoration – as well as significant monitoring to ensure security holes are not left open.
The recovery will be a dynamic situation in regard to priorities, resources and roadblocks to navigate. However, the following can facilitate a faster recovery:
Often, the system that contains your documentation is encrypted. The inability to access documentation slows down the recovery process, as resources become dependent on the one staff member who has the information memorized.
One of the most time-consuming components of recovery is moving a large volume of data. Cloud backups are great as a last resort, but the amount of time required to download and then restore is prohibitive. In many cases, this is a primary reason companies decide to pay the ransom, as restoring from cloud backups simply takes too long.
Braden Daniels is a Director in RSM US LLP’s Technology and Management Consulting Practice and is RSM’s West Region Infrastructure Practice Leader. He can be reached at Braden.Daniels@rsmus.com.
