Incident Management Chronicles: Striking The Right Balance

It’s 8:00PM on a Friday, your work email isn’t working, applications are down, and you get a call from your head of IT to report that there has been a ransomware incident. This is just one of the many painful situations that we see on a regular basis, and through that pain, we often see organizations burning the midnight oil trying to get everything up and running by Monday morning. With this added stress, it is often difficult to focus on what’s most important when responding to an incident and looking across containment, forensics, and recovery efforts.  

Typically, organizations see these functions as mutually exclusive items, where you either:

1. Pick forensics first and determine what happened and what led to the incident, implement stringent containment efforts and block the network from communicating to the world, or  

2. Focus your entire efforts on recovering at all costs.  

While all the response activities above are valid and important, at MOXFIVE, we focus on striking the right balance across the three primary functions – containment, forensics, and recovery. We find it imperative to find that equilibrium early on, so that the response efforts go as smooth as possible.  

Sometimes responding to these incidents might seem as mysterious as the Bermuda Triangle. We see them as part of a virtuous cycle – akin to a flywheel - where tying the three together creates momentum as the forensics, containment, and recovery efforts work together. As a result, you are able to respond to an incident quicker and far more effectively. Here are some of the reasons why these three components must balance each other in order to build a smoother, more efficient process:

• Containment: As the forensic investigation yields Indicators of Compromises (IOCs), these IOCs get put into place as part of your containment measures (e.g., blocking malicious file hashes on your Endpoint Detection and Response (EDR) solution or disabling unknown user accounts). The forensics workstream feeds the containment one and thus ensuring that there is increased coverage throughout the response efforts.
• Recovery: Recovering impacted systems usually requires the input of containment efforts such as installing EDR on a restored system before putting it back into production. So, as these IOCs get identified by the forensics team and are added into the EDR solution as a containment measure, when restoring these systems and installing EDR in them, organizations will be able to see if any of these indicators trigger on that system before putting it back into production. Without any indicators, recovering is a lot riskier. On the other hand, if a business decision is made to collect all IOCs before systems go back online, it will take longer to get the IT infrastructure up and running, which will cause increasing revenue loss. ‍
• Forensics: Throughout the recovery process, forensic data collection would be collected by the recovery team prior to the restoration of a system. This will aid the forensics team with identifying any additional IOCs across the environment to help with containment and potentially determine what may have happened or what may have led to the incident in the first place.

These workstreams feed off each other and it creates a virtuous cycle that just keeps on spinning smoothly. If one of these functions has more weight over the others, the process will drag and slow all the efforts tremendously. The closer containment, forensics, and recovery teams work together, the smoother the process all throughout, thus spinning the virtuous cycle even faster. Therefore, if you ever experience a ransomware incident, focus on striking the right balance across these three functions, and you might be able to get back online on Monday morning safely.

If you have questions about incident management or need help with a current incident, you can contact a MOXFIVE Technical Advisor at ask@moxfive.com or use our Contact form.

‍