Search
Close this search box.

Defend Your Business During an Attack: Threat Actors Webinar

Vivian Lee

Defend Your Business: Webinar Summary

Airiam and Eviden wrapped up the second of our Threat Actors webinar series! Art Ocain and Dwayne Robinson were great hosts walking us through a ton of information.

Scenario

On a normal Tuesday morning, you start up your computer to work, but your application suddenly freezes. You then see all files on your computer end in “.fried”

You then see a RANSOMNOTE.txt file in every folder.

ransomware note example

What should you do to defend your business?

The first things you should NOT do are:

  • Turn off all your computers and servers
  • Call 911
  • Get your wallet out and pay the ransom
  • Put a PSA about the breach in your local newspaper, Twitter (or X), or other mass, public notifications.

The Right Way

As a preface, everyone should know that the right way is not cheap or easy. If it was, everyone would be able to do it and experts wouldn’t be needed.

When you realize your business has been breached, you should:

  • Take a picture of the ransom note.
  • Isolate affected computers.
  • Call your cyber insurance carrier.
  • Call a cyber breach lawyer to coordinate:
    • Breach notification to clients
    • PR regarding your breach
    • Involvement of law enforcement
    • Ransom negotiation
  • Call a reputable cybersecurity company who can:
    • Collect forensic artifacts
    • Perform forensic analysis
    • Contain/eradicate the threat (SOC/Incident Response capability)
    • Perform recovery
    • Perform post-incident improvements

Make sure to discuss with your lawyer before any communication with PR or law enforcement. While this might sound counterintuitive, the goals of law enforcement and the goals of your business do not coincide. Law enforcement’s goal is to find and prosecute the attackers, not get your data back or get you up and running again.

SANS Incident Response Process

Preparation

Determine how you will respond to an incident. Make a plan and prepare.

  • Collect an inventory of assets (your computers, servers, cloud services, usernames/passwords)
  • Create a prioritized list of IT systems, services, and data locations
  • Create an incident response plan
  • Create backup/restore strategy
  • Improve defenses (MFA, endpoint detection & response, next-gen firewall, etc.)
  • Determine who you are calling for help
Identification

How do you know if you’ve been breached? Look for these signs:

  • Ransomware: Encrypted files, ransom notes
  • Business Email Compromise (BEC): People let you know that they receive emails from you (impersonation), fraud is performed as you, you find that information has been breached or stolen from your email account
  • Phishing: Unprompted password reset requests, identity theft, locked accounts, unfamiliar transactions [note that phishing is usually a component of Business Email Compromise (BEC)]
  • Breach: Anomalies on your systems (new accounts, etc.), systems are being used at strange times, your data is found on the Internet
Containment

Stop the threat from creating further damage! IMMEDIATELY AFTER AN ATTACK, start with isolating affected systems and creating an air gap in the breach/ransomware.

  • Disconnect infected computers from the network (Ethernet & Wifi).
  • Unplug the Internet from your router to kick the attacker out.
    • DO NOT continue to use them and DO NOT connect to a hotspot. The attacker can access your computer.
  • If there is spread between computers (a worm or other lateral movement from a hacker), unplug each computer individually, you can unplug the core switches in your network closet.
  • Avoid shutting down as malware often runs in memory now.
  • Protect your backups. Immediately unplug your backup storage (USB hard drives or network-attacked storage).

If you are not sure which computers/servers were impacted, assume that ALL systems are infected or compromised.

Eradication

Begin to eliminate the threat and the root cause of the attack.

  1. Disable compromised accounts
    • Disable the accounts that the attackers used.
    • Verify that there are no forwarders or rules sending a copy of your email to an attacker. Check password recovery/MFA methods for compromise.
  2. Change ALL passwords [in all forms of attack: BEC/phishing/breach/ransomware
    • From a clean, uncompromised computer, change ALL your passwords: email, financial sites, network passwords, wireless, etc. Flush Kerberos ticket – twice.
    • Make sure that you use a different password for EVERY site.
  3. Deploy MFA [in all forms of attack: BEC/phishing/breach/ransomware]
    • Deploy multifactor authentication (MFA) on your email, your VPN, and other applications.
  4. Put in firewall rules before plugging the Internet back in [in breach/ransomware]
    • Block remote desktop (RDP) [no exceptions – this is a gaping hole]
    • Block compromised applications and command-and-control servers.
    • Deploy geo-blocking (block non-US locations) if possible.
    • Use Next-Gen Firewall features (automatic threat blocking). Throw non-NGFWs in the dumpster.
  5. Deploy an Endpoint Detection & Response (EDR) tool [in breach/ransomware]
    • Have a cybersecurity professional configure your EDR to automatically quarantine your threats and isolate machines under attack.
    • Install EDR on every computer and server.
  6. Patch Vulnerabilities
    • Install all Windows updates and 3rd party security patches.
    • Upgrade firewall software.
    • Upgrade wireless software.

For all of these points, use a SECURITY PROFESSIONAL.

Recovery

Once the threat has been eradicated, you can then work on recovering your files and restoring your business.

  1. Rebuild, restore, or decrypt
    • Restore any servers/computers from backup from before the attack.
    • Reinstall any servers/computers from scratch that have no backup.
  2. If you paid a ransom, decrypt the computers to obtain your data. Remember that the machines you decrypt are still compromised.
    • Assess compromised accounts which you disabled
    • Determine whether you want to create new user accounts to replace any compromised accounts, or whether you will risk using your old accounts.
Lessons Learned

Finally, the last steps in all of this are to review and improve. Improve your incident response plan and your cybersecurity strategy and solutions.

Register for More Webinars

Register for our next webinars! Airiam is hosting our next series of webinars in collaboration with our partners! Each partner will help us walk through 4 key moments of a threat actor attack. Next up is “How to Rebuild Your Company After an Attack” with MOXFIVE.

DATE TOPIC PARTNER REGISTER
July 19, 11AM EST Live Attack Simulation Watch Here
August 29, 12PM EST How to Defend Your Company During an Attack Watch Here
September 19, 12PM EST How to Rebuild Your Company After an Attack Register Here
October 11, 11AM EST How to Prepare Your Company for Future Attacks Register Here

New Resources In Your Inbox

Get our latest cybersecurity resources, content, tips and trends.

Other resources that might be of interest to you.

Prepare Your Company for Future Attacks: Threat Actors Webinar

Prepare Your Company: That’s a wrap! Airiam and ThreatLocker wrapped up our final webinar in our Threat Actors series! Art Ocain and Danny Jenkins went in-depth about Royal Ransomware and data exfiltration. Royal Ransomware Royal Ransomware is a sophis
Vivian Lee
>>Read More

Tips and Tricks for Surviving a Long Cybersecurity Conference

Attending a long cybersecurity conference can be both exciting and exhausting. With back-to-back conferences like Black Hat and DEFCON in Las Vegas, you can expect even more excitement and exhaustion. However, you don’t need to freak out! With the righ
Vivian Lee
>>Read More

Teach Your Employees Not to Take the Phishing Bait

Hopefully, your employees know a foreign prince doesn’t really want to send them $1 million, and your systems probably block those types of phishing emails. But is your team prepared to avoid taking the bait as phishing attacks grow more sophisticated?
Avatar photo
Doug Church
>>Read More