Seven Key Ingredients to Effective Incident Response

With ransomware attacks on the rise, organizations need to upgrade their incident response processes to improve speed and precision.

Tim Parisi, director of incident response services, CrowdStrike

February 11, 2022


Ransomware has evolved as a menacing way for threat actors to exploit organizations. It’s important to remember that today’s widespread ransomware attacks are very different from those of recent years in terms of scale and potential for damage. We are really not in Kansas anymore.

As ransomware attacks have evolved, so should your incident response (IR) and recovery process — specifically, into one built around seven key ingredients that deliver IR efficacy.

Problems With a Traditional IR Approach
Ransomware is not a new threat; however, approaches to remediation have changed as attacks have grown.

In the past, attacks were often confined to a few manageable endpoints, so a full remediation to reimage, rebuild or even replace affected systems made sense. Further, remediation efforts have historically lacked the visibility necessary to undo an attacker’s specific actions, leading to a default belief that the only way to eradicate a threat is to reimage, rebuild or replace the systems. This process also required boots on the ground to execute a strategy that was often undermined by the risk of reinfection from a backup copy that itself contained the malware.

Unfortunately, the frequency and scale of ransomware attacks have increased—5,000 systems affected by ransomware in an environment is not uncommon these days—making this legacy approach costly, time-consuming and exhausting to all parties involved in the response.

When an enterprise’s endpoints might be spread across the globe, an onsite response for every endpoint is not practical or cost-effective. It is a race against time for today’s Chief Information Security Officers (CISOs), who cannot afford to disrupt the business whenever such an incident takes place.

An alternative accelerated IR approach is becoming increasingly necessary to avoid business downtime. This approach has been used successfully to contain widespread attacks and recover systems with speed and precision. It is made up of the following seven key ingredients:

  • Immediate threat visibility

  • Active threat containment

  • Accelerated forensic analysis

  • Real-time response and recovery

  • Enterprise remediation

  • Threat hunting and monitoring

  • Managed detection and response

Immediate threat visibility is the crucial first step. Without visibility into exactly what happened and which systems have been infected, responders have no way of surgically recovering an environment. Once they have visibility into the full threat context across the organization's systems and networks, they can effectively contain, investigate and remediate the threat and get the organization back to business faster, with less disruption to users.

Active threat containment uses the visibility gained to contain the threat and stop the spread of the ransomware attack. Blocking malicious system and/or network activity to stop any further lateral movement, quarantining infected hosts, and ejecting the adversary from the network are critical threat containment measures.

Accelerated forensic analysis adds a further level of detail to understand the attack and attribute it to a threat actor. Once the security team has initial clarity into which endpoints have been infected, it is time to gather specific forensic artifacts from a select group of hosts. Instead of blindly collecting and analyzing petabytes of disk images or analyzing terabytes of log files, an accelerated IR approach uses technology to identify a specific subset of high-fidelity artifacts to gather and analyze, thereby drastically reducing the time for forensic investigation during the IR. This forensic analysis approach is proven to be faster, more resource-efficient and more cost-effective, ultimately helping organizations avoid a lengthy and disruptive IR engagement.

Real-time response and recovery is the “secret sauce” to get back to business faster and with minimal disruption. Real-time response is a capability that enables IR teams to remotely triage and remediate systems — effectively undoing what the threat actor has done. It allows for endpoints to be recovered with surgical precision by deleting infected files, killing malicious processes, restoring registry entries, and using other commands needed to recover the system. Real-time response aids in the mass recovery of hundreds or even thousands of systems by removing the malware and persistence mechanisms using automated scripts. If security teams can recover most of the systems using real-time response, they can get them back online quickly and minimize the potential for business outages. The larger the number of systems that are recovered using real-time response, the fewer that will require full-system remediation.
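As an added example (not from the article and not CrowdStrike's tooling), the following PowerShell script sketches the kind of scripted, host-level recovery the paragraph describes: it kills processes whose on-disk image matches a known-bad hash, deletes dropped files and removes Run-key persistence, with every action gated by -WhatIf so the planned changes can be reviewed before they are applied across many endpoints. The hash, file path and Run-key value name are constructed placeholders, and the script assumes it runs elevated on the affected Windows host.

```powershell
# Added illustration, not vendor tooling. Every indicator below is a constructed placeholder;
# replace it with artifacts identified during the forensic phase. Run with -WhatIf first.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    # SHA-256 of the ransomware binary found during forensic analysis (placeholder value)
    [string[]]$MaliciousHashes = @('0000000000000000000000000000000000000000000000000000000000000000'),
    # Dropped files to remove (placeholder path)
    [string[]]$MaliciousPaths = @("$env:ProgramData\svchost_update.exe"),
    # Run-key values the actor added for persistence (placeholder value name)
    [hashtable]$PersistenceValues = @{ 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run' = @('UpdaterSvc') }
)

$log = Join-Path $env:ProgramData 'ir-remediation.log'
function Write-Action([string]$Message) {
    $line = "$(Get-Date -Format o) $env:COMPUTERNAME $Message"
    Add-Content -Path $log -Value $line   # local audit trail for the recovery record
    Write-Output $line
}

# 1. Kill processes whose image hash is known-bad; hashing catches renamed or masqueraded binaries.
Get-Process | Where-Object { $_.Path } | ForEach-Object {
    $hash = (Get-FileHash -Path $_.Path -Algorithm SHA256 -ErrorAction SilentlyContinue).Hash
    if ($hash -and $MaliciousHashes -contains $hash) {
        if ($PSCmdlet.ShouldProcess("$($_.Name) (PID $($_.Id))", 'Stop-Process')) {
            Stop-Process -Id $_.Id -Force
            Write-Action "killed PID $($_.Id) $($_.Path) sha256=$hash"
        }
    }
}

# 2. Remove dropped files. Delete only after the forensic phase has already collected them.
foreach ($p in $MaliciousPaths) {
    if ((Test-Path -LiteralPath $p) -and $PSCmdlet.ShouldProcess($p, 'Remove-Item')) {
        Remove-Item -LiteralPath $p -Force
        Write-Action "removed file $p"
    }
}

# 3. Remove Run-key persistence so the malware is not relaunched at the next logon.
foreach ($key in $PersistenceValues.Keys) {
    foreach ($name in $PersistenceValues[$key]) {
        $item = Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue
        if ($item -and $PSCmdlet.ShouldProcess("$key\$name", 'Remove-ItemProperty')) {
            Remove-ItemProperty -Path $key -Name $name
            Write-Action "removed persistence $key\$name = $($item.$name)"
        }
    }
}
```

Pushed to hundreds of hosts through a remote-execution channel, the same script with real indicators is what turns a per-host cleanup into the mass recovery the paragraph describes, and the log it writes is the evidence that each host was actually cleaned.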

Enterprise remediation is the traditional process of reimaging, rebuilding or completely replacing infected systems to recover an environment. There are scenarios where threat actors progress far enough through the threat lifecycle to encrypt disks and compromise systems to the point that they cannot be recovered with real-time response. The key here is to minimize the number of systems requiring full enterprise remediation by using the above ingredients to guide the recovery and response.

At this point in the process, responders have contained the threat, ejected the adversary, investigated the incident and recovered the environment. But there are two more ingredients that provide value during incident response.

Threat hunting and monitoring by an elite team of threat hunters during an IR engagement provide a level of assurance and confidence for an organization going through some of its darkest days. Threat actors that gain a foothold in an organization won’t give up easily. They will attempt other attack vectors to try to achieve their mission and exploit a victim. Given the persistent nature of today’s threat actors and their tactics, continuously monitoring the environment for reinfection or any hands-on-keyboard activity, so that potential threats can be mitigated quickly, is recommended; it provides peace of mind that the adversary is no longer a threat.

And finally, the leaders of a victim organization will ask the question: How do we stop this from happening again?

Managed detection and response (MDR) is a fully managed cybersecurity service designed to detect threats in under 1 minute, investigate threats within 10 minutes and respond to threats within the hour. Victim organizations can leapfrog their current cybersecurity maturity level and achieve a high level of cybersecurity using the expertise of a managed service.

In sum, recovering from sophisticated widespread ransomware attacks with minimal business disruption requires an accelerated approach over the traditional inefficient and costly method of reimaging, rebuilding or replacing hundreds or even thousands of compromised systems. A modern approach to rapid response and recovery, led by experienced responders with deep knowledge of today’s widespread security incidents, will get you back to business faster and improve business continuity. Made for today’s cybersecurity challenges, this accelerated IR approach helps enterprises save valuable time and money — and a lot of frayed nerves in the process.

About the Author(s)

Tim Parisi

director of incident response services, CrowdStrike

As a Director of Incident Response Services at CrowdStrike, Tim helps manage and shape the Services team, leads teams responsible for delivering incident response investigations, and advises clients on how to secure their networks.

Prior to joining CrowdStrike, Tim was at Mandiant where he led incident response investigations, red/blue team exercises, and compromise assessments for small and large enterprises around the world.

Tim has performed multiple speaking engagements on topics of cyber security and investigations, and has published blogs at Mandiant and CrowdStrike pertaining to incident response and forensic analysis.
