Perhaps the most interesting case of last year was the incident response engagement for a European financial firm. The company, which cannot be named, had a significant number of its servers compromised by a targeted ransomware attack. The affected infrastructure provided services that hundreds of partners consumed continuously, in real time, and those partners were in direct contact with end users, so a prolonged outage would have caused critical problems.
The attack was targeted and followed a typical scenario in terms of its tactics, techniques and procedures (TTPs). Even establishing that a ransomware attack had taken place, and how far it reached, was not easy, mainly because of the size of the affected infrastructure. Most of the client’s critical data was stored on virtual machines, whose disks were kept as large, standalone image files. During the investigation we found a characteristic of the ransomware that let us separate the encrypted parts of each file from the undamaged ones, which later made it possible to restore the systems.
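The article does not say which characteristic of the ransomware made that separation possible. As an added illustration, not code from the original article or from Ukatemi, the Python below shows the general triage step a responder takes when a large disk image has only been partly overwritten: map which byte ranges hold ciphertext by measuring per-block entropy, then carve the intact ranges into a sparse copy that keeps the original offsets. The 4 KiB block size, the 7.5 bits/byte threshold and the sample image (plaintext-like blocks with a run of pseudo-random bytes in the middle) are assumptions constructed for this example; the assumption that the ransomware overwrote only parts of each large file is likewise the example's, not a statement from the page.

```python
"""Map which byte ranges of a large file (e.g. a VM disk image) were overwritten
with ciphertext, and carve the intact ranges out for recovery.

Assumption (not stated on the page): the ransomware overwrote only parts of each
large file, so encrypted runs (near-maximal entropy) alternate with untouched
runs (lower entropy). The sample image below is constructed, not a victim file.
"""
import math
import os
import random
import tempfile
from collections import Counter

BLOCK_SIZE = 4096        # map granularity; align to the guest filesystem block size if known
ENTROPY_THRESHOLD = 7.5  # bits/byte; ciphertext over 4 KiB measures ~7.95, text/metadata far lower


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of a block in bits per byte (0.0 for an empty block)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def map_encrypted_regions(path, block_size=BLOCK_SIZE, threshold=ENTROPY_THRESHOLD):
    """Scan the file block by block; return merged runs as (start, end, encrypted)."""
    runs = []
    offset = 0
    with open(path, "rb") as f:
        while True:
            block = f.read(block_size)
            if not block:
                break
            encrypted = shannon_entropy(block) >= threshold
            end = offset + len(block)
            if runs and runs[-1][2] == encrypted:
                runs[-1] = (runs[-1][0], end, encrypted)  # extend the current run
            else:
                runs.append((offset, end, encrypted))
            offset = end
    return runs


def carve_intact_regions(src_path, runs, dst_path):
    """Copy only the intact runs to dst_path at their original offsets. Encrypted
    runs are left as holes (read back as zeros), so later filesystem repair sees
    the original geometry. Returns the size of the carved file."""
    total = runs[-1][1] if runs else 0
    with open(src_path, "rb") as src, open(dst_path, "wb") as dst:
        for start, end, encrypted in runs:
            if encrypted:
                continue
            src.seek(start)
            dst.seek(start)
            dst.write(src.read(end - start))
        dst.truncate(total)  # keep the original size even if the tail was encrypted
    return total


def build_sample_image(path, rng_seed=1):
    """Constructed stand-in for a VM disk image: 8 plaintext-like blocks, 4 blocks
    overwritten with ciphertext-like pseudo-random bytes, then 8 intact blocks."""
    rng = random.Random(rng_seed)
    plain = (b"guest filesystem metadata and user data " * 200)[:BLOCK_SIZE]

    def cipher_block():
        return bytes(rng.getrandbits(8) for _ in range(BLOCK_SIZE))

    with open(path, "wb") as f:
        for _ in range(8):
            f.write(plain)
        for _ in range(4):
            f.write(cipher_block())
        for _ in range(8):
            f.write(plain)
    return path


def demo():
    """Run the whole flow on the constructed image in a temporary directory.
    Returns (runs, carved size, first 16 bytes of the copy, 16 bytes from the hole)."""
    workdir = tempfile.mkdtemp()
    img = build_sample_image(os.path.join(workdir, "vm.img"))
    runs = map_encrypted_regions(img)
    carved = os.path.join(workdir, "vm.intact.img")
    size = carve_intact_regions(img, runs, carved)
    with open(carved, "rb") as f:
        head = f.read(16)
        f.seek(runs[1][0])
        hole = f.read(16)
    return runs, size, head, hole


if __name__ == "__main__":
    for start, end, encrypted in demo()[0]:
        print(f"{start:>10} - {end:>10}  {'ENCRYPTED' if encrypted else 'intact'}")
```

Entropy alone does not distinguish ciphertext from legitimately compressed or already-encrypted content inside the guest (archives, media, an encrypted volume), so the map is a starting point, not a verdict: confirm the ransomware's actual write pattern (chunk size, offsets, any marker it leaves) against a few known files before trusting the boundaries, and always work on a copy of the image rather than the original evidence.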
In addition to the technological aspects, the following factors had to be managed as well:
We had to provide essential assistance in the following areas:
With the help of the procedures and the specific technical ideas described above, the company was able to restart its operations within days, without paying the attackers. In the process we found a heuristic, quick and efficient way to undo the effects of the attack, instead of taking the obvious but complex and time-consuming route. The success was shared: the company under attack organized its recovery efficiently, we put our best people on the problem, and coordination between the two sides was smooth, which is rare in such a tense situation. During the investigation we also identified several vulnerabilities in the client’s systems, which were reported and later patched.
Had the outage lasted longer, it could have affected hundreds of companies; instead, the best of the possible outcomes was achieved, and the case ended in neither a financial nor a PR disaster.
Generally speaking, the key factor in the success of incident management is the attacked company itself. It has to be prepared for cases like the one described above, because an external team of experts can only build on the knowledge, tools and procedures that the company acquired and put into effect before the attack. Our job is to make the most of that internal preparation and take it to the next level.
[This service is available in the form of a subscription.]
Copyright 2021 Ukatemi Technologies LLC.