1. Protect – The first and most time-sensitive step is to protect your environment and prevent additional damage or data loss. This can be as simple as disconnecting the affected machine from all wired and wireless networks (pull the cable, disable Wi-Fi). Also disconnect any local backup drives or mounted backup shares, so that a running attack cannot encrypt them and a scheduled backup job cannot overwrite previously archived data.
2. Communicate – It is vital to notify others in your organization of the suspected attack to prevent its spread. Remember, most breaches are not “IT issues” and require the full cooperation of your entire organization. Review and execute your Business Continuity Plan and Emergency Notification procedures, which means breach management must already be an essential part of those plans. If the incident appears to be widespread and spreading quickly, it may be best to remove all connectivity within your network until every connected device can be confirmed protected.
3. Preserve – If the attack occurred on a local PC, disconnect it from all networks as noted above but avoid powering the PC off, and seek professional advice. Forensic evidence held in volatile memory (RAM), such as running processes, open network connections and decryption keys, is lost when the device is powered down. Contact network support and ensure that SIEM data and system logs are preserved by suspending any scheduled purge, log rotation or reuse of media. This data could be the key to identifying the root cause of the incident.
4. Legal – Notify legal counsel that a breach is suspected. They should advise you on chain of custody requirements that will ensure any evidence found is admissible in court. It is important that they review and understand federal, state and local laws and how these may apply to the specific incident. They should also review client contractual obligations regarding notification of breach events and the notification period, which is often short (24 to 72 hours is common in contracts and regulations). In most cases, notification is only required for clients that are directly affected by the breach.
5. Recover – Ensure that all affected users and service accounts change their passwords to something “strong and complex”, and do so from a known-clean system after the attacker’s foothold has been removed; resetting a password from a still-compromised machine simply hands the attacker the new one. The apparent damage may have been an encrypted drive, but the real target may have been stolen ID and password credentials, especially privileged (admin) accounts. Take no chances. Additionally, with many attacks such as Petya/NotPetya, a full restore may be your best or only option to recover your devices. It is always recommended that your company maintain a “gold image” of your desktop configuration and ensure that users avoid saving data to local drives, since this data is rarely backed up. Affected systems should be restored from that image rather than cleaned in place, since an attacker could have “planted the seeds” for a future attack on the device. Remember to patch both PCs and servers with OS-level updates and current anti-virus signatures before reconnecting them to the production environment; this is a critical step to avoid further damage, as many companies learned during the WannaCry and Petya incidents. Initiate new backups only after your environment is confirmed to be clean, and ensure that old backups are not overwritten. Take time to review the root cause of the incident and how it could have been prevented or contained, and review and adjust all controls to prevent future outbreaks.
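The Protect and Preserve steps above (1 and 3), plus the chain-of-custody hashing that step 4 implies, are the part of this procedure a first responder actually types at a keyboard. The script below is an added example and is not from the original article or from SystemExperts. It assumes a Linux host (the article does not name an operating system), root privileges, GNU coreutils, and that EVIDENCE_ROOT points at external media mounted for the purpose; the function names and the EVIDENCE_ROOT variable are this example’s own. It captures volatile state to disk before anything else changes it, suspends log rotation, and writes a SHA-256 manifest so that later tampering with the collected files can be detected. A full RAM image (e.g. with LiME or AVML) is deliberately left to the forensics team.

```shell
#!/bin/sh
# First-responder preservation helper (added example, not the article's own code).
# Assumptions: Linux, run as root, GNU coreutils; EVIDENCE_ROOT is external media
# mounted read/write so collection never writes onto the compromised system disk.

EVIDENCE_ROOT="${EVIDENCE_ROOT:-/mnt/evidence}"   # assumption: external media

# Step 1 (Protect): isolate the host from every network WITHOUT powering it off,
# so RAM contents survive for the forensics team.
isolate_host() {
    for dev in $(ls /sys/class/net | grep -v '^lo$'); do
        ip link set "$dev" down 2>/dev/null || ifconfig "$dev" down 2>/dev/null || true
    done
    # Stop NetworkManager (if present) from bringing the links straight back up.
    systemctl stop NetworkManager 2>/dev/null || true
}

# Step 3 (Preserve): record the volatile state that a reboot would destroy.
# Each command is individually tolerant of being absent on a minimal host.
collect_volatile() {
    out="$1"
    mkdir -p "$out"
    date -u +%Y-%m-%dT%H:%M:%SZ > "$out/collected_at.txt"
    hostname > "$out/hostname.txt" 2>/dev/null || true
    uptime > "$out/uptime.txt" 2>/dev/null || true
    ps auxww > "$out/processes.txt" 2>/dev/null || true
    { ss -tunap 2>/dev/null || netstat -tunap 2>/dev/null; } > "$out/sockets.txt" || true
    { ip addr 2>/dev/null; ip route 2>/dev/null; ip neigh 2>/dev/null; } > "$out/network.txt" || true
    who > "$out/logged_in.txt" 2>/dev/null || true
    last -n 50 > "$out/last_logins.txt" 2>/dev/null || true
    ls -la /tmp /var/tmp /dev/shm > "$out/temp_dirs.txt" 2>/dev/null || true
    crontab -l > "$out/root_crontab.txt" 2>/dev/null || true
    lsmod > "$out/modules.txt" 2>/dev/null || true
}

# Step 3 (Preserve): stop scheduled purge/rotation from discarding log evidence.
# Assumption: systemd host with logrotate driven by logrotate.timer.
suspend_log_purge() {
    systemctl mask --now logrotate.timer 2>/dev/null || true
    # Append-only flag on the live logs, where the filesystem supports it.
    for f in /var/log/syslog /var/log/messages /var/log/auth.log /var/log/secure; do
        [ -f "$f" ] && chattr +a "$f" 2>/dev/null
    done
    return 0
}

# Step 4 (chain of custody): hash every collected file. The manifest travels with
# the evidence; anyone can later re-verify that nothing was altered.
write_manifest() {
    out="$1"
    ( cd "$out" && find . -type f ! -name MANIFEST.sha256 -print0 \
        | sort -z | xargs -0 sha256sum ) > "$out/MANIFEST.sha256"
}

# Returns 0 only if every file still matches the manifest.
verify_manifest() {
    ( cd "$1" && sha256sum -c MANIFEST.sha256 >/dev/null 2>&1 )
}

case "${1:-}" in
    isolate) isolate_host ;;
    collect)
        dir="$EVIDENCE_ROOT/$(hostname 2>/dev/null || echo unknown)-$(date -u +%Y%m%dT%H%M%SZ)"
        collect_volatile "$dir"
        suspend_log_purge
        write_manifest "$dir"
        echo "evidence written to $dir; verify later with: sha256sum -c $dir/MANIFEST.sha256"
        ;;
    *) echo "usage: $0 {isolate|collect}" ;;
esac
```

Run `./preserve.sh collect` first and `./preserve.sh isolate` second if the host is a server whose connections you still want captured; on a user PC that is actively encrypting files, isolate first. Record who ran the script and when alongside the manifest; the hashes prove integrity, not provenance.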
Remember, security is everyone’s responsibility, so this is a great time to review and reissue your Security Awareness program, which should be completed at least annually by your entire organization.
Joe Clapp is a senior consultant at SystemExperts with a highly diverse background spanning several continents. He specializes in supporting customers with highly complex problems in fast paced environments.