One Article Review

Home - The article:
Source: AlienVault Blog
Identifier: 1996582
Publication date: 2020-10-26 11:00:00 (viewed: 2020-10-26 11:13:33)
Title: Observations from the digital trenches
Text:

When AT&T Incident Response Consultants first engage a client during a ransomware incident, the situation is often very chaotic. The client's ability to conduct business has stopped; critical services are not online, and its reputation is being damaged. Usually, this is the first time a client has suffered an outage of such magnitude. Employees may wrongly fear that a previous action of theirs is a direct cause of the incident and its consequences. This fear can propagate through the team, impairing their ability to share knowledge and expertise and leading to inefficient recovery efforts.

As trusted advisors, AT&T has a responsibility to educate our clients on the stress of these moments. The situation requires the efforts of your team on multiple complex tasks:

- Rebuild/recover critical applications and services
- Communicate with key stakeholders (external and internal) on the status of the restoration of services
- Conduct a forensic investigation in parallel with rebuild/recovery efforts
- Implement near-term security controls to bring the operating environment to an acceptable level of risk

In this article, we highlight our insights into the primary access vectors seen in ransomware attacks investigated by AT&T. We also provide recommendations on how to configure your systems to proactively collect data that helps protect them before an attack and supports forensic investigations if they are breached.

Paradigm shift

One of the questions always asked while rebuilding from a ransomware breach is, "Are the threat actors still in my network?" This is usually the moment when a paradigm shift happens with the client's security and IT staff. Until this point, the underlying assumption was that the network and its assets were protected from attacks, or that the level of risk was considered acceptable. But breaches have a way of sliding the scale of acceptable risk to a lower level.

Usually, it's because the breach is tangible; you see its effects and can measure its impact. The impact could be several hundred thousand dollars or more in ransom, an immediate stop to all revenue-generating business processes, and several long work days restoring services. The long-term implications are discovering the root cause of the attack and implementing adequate controls to help prevent future attacks. The root cause analysis often shows several additional vulnerabilities besides the one that granted attackers access, leading to the larger revelation that previous security controls were not as effective as initially believed. The paradigm shift is complete: "I am not as protected as I thought."

This leads back to the question, "Are the threat actors still in my network?" The answer is, "It depends." It depends on several factors. How long have the threat actors been in the network? What data sources are available to forensic investigators? Did they install tools and software that were inadvertently copied as part of a backup process? Does the root cause analysis identify the attack vector used to gain access? The answers to these questions are needed to continue bringing systems and applications back online and to operate under a reasonable belief that they are protected. Otherwise, you must accept a higher level of risk and worry about the threat actors' return.

The challenges

There are two primary access vectors for ransomware attacks: phishing and patch management. These vectors have not changed since attackers figured out that encrypting someone else's data can lead to massive profits. However, focusing only on strong controls in these two areas is no guarantee of success. For one, cybersecurity is mostly a reactive function. This is because, in order to program cybersecurity software (e.g., antivirus, EDR, etc.), you hav
Sent: Yes
Tags: Ransomware, Malware, Vulnerability, Threat, Guideline


The article does not seem to have been picked up after its publication.


The article does not seem to have been picked up from a previous one.