Sponsored Post: Paul Ashwood, CrowdStrike Senior Product Marketing Manager, Incident Response
When a breach occurs, time is of the essence. The decisions you make on who to partner with and how to respond will determine how greatly this incident will affect your business operations.
There are seven key components for successful incident response, all of which are essential for organizations to know given the spate of widespread ransomware attacks we are witnessing today. eCrime threat activity reached an all-time high in 2021, causing broad disruption across industries around the world. Names including DarkSide, REvil, Sodinokibi, Conti, Babuk and HelloKitty will stand out to organizations hit with ransomware or other destructive malware.
CrowdStrike’s incident responders and forensic investigators face adversaries time and time again as we respond to security threats on behalf of targeted organizations. Just as attackers have evolved their tactics and techniques, so too have we evolved our incident response approach to leverage threat intelligence and help victims navigate the labyrinth of cyberattacks.
Our approach encapsulates seven ingredients that we identify as critical capabilities needed to respond and recover from advanced threats with minimal business disruption. Each of these components contributes to a sizable reduction in the time it takes to recover from a cyberattack — from weeks/months to hours/days — as well as lower cost of recovery, and most importantly the avoidance of downtime that can significantly affect business finances.
These key ingredients are based on many years and thousands of IR engagements defending organizations across the globe against nation-state actors and cybercriminals. We have evolved our incident response technologies, processes and methods to keep pace with adversaries so we can help respond to today’s widespread sophisticated attacks.
The seven ingredients are:
- Immediate threat visibility
- Active threat containment
- Accelerated forensic analysis
- Real-time response & recovery
- Enterprise remediation
- Threat hunting & monitoring
- Managed detection & response
If you suspect a breach has occurred, your current security technology and processes may have failed. The faster you begin to leverage next-gen technology and take these steps, the faster you can contain the attack and recover your environment.
The last thing you want in breach response is a traditional approach that suggests the only path to recovery is through wiping and reimaging systems from backups. While this may have worked in earlier attacks against a handful of systems, modern widespread ransomware attacks infecting hundreds or thousands of endpoints demand a different tactic. An intelligence-driven solution can provide immediate visibility into the full threat context, help you understand the malicious actions executed, and enable the removal of attack artifacts with speed and precision.
The Ingredients to Successful Incident Response
The first four ingredients are critical in the aftermath of a security incident. Gaining immediate threat visibility allows us to see the full threat context and examine the precise actions an attacker took. From there, active threat containment is necessary with the right blocking and prevention policies to stop the spread of an ongoing attack before it can cause further damage.
With the threat contained, we can focus on collecting and preserving the evidence needed for a full investigation with accelerated forensic analysis. Knowledge of the attackers’ actions enables us to undo them and remove the threat using real-time response and recovery. In many cases, we can remove malicious artifacts without rebooting the system.
The last three ingredients are essential to remediation and ongoing detection and response. In serious cases, when attackers are deep into the threat lifecycle, we may need to do a full enterprise remediation on a subset of infected systems that have been encrypted or compromised so extensively that they cannot be recovered through real-time response. This process requires reimaging systems from backup and rebuilding servers for badly compromised systems.
Once a threat is contained, the adversary ejected, and systems recovered, we continue with threat hunting and monitoring to observe the environment for new hands-on-keyboard threat activity and stop potential reinfection. One thing we have learned from past engagements is that once a threat actor gains a foothold in an environment, they won’t go away easily. This is where customers often ask, “How do we stop this from happening again?” Many businesses prefer managed detection and response to let experts protect their environment going forward.
These seven ingredients enable incident responders to minimize the percentage of endpoints that require full system remediation. Our goal is to recover the majority of endpoints using real-time response, so we only have to reimage or rebuild a smaller number of systems. For some clients, we are able to recover all their systems using real-time response, enabling them to get back to business in a matter of days.
CrowdStrike’s Incident Response service uses an intelligence-led approach that has proven to reduce the time it takes to recover from ransomware and other destructive attacks — up to five times faster than the traditional method of reimaging from backup and rebuilding servers. This efficient approach to incident response reduces the cost of investigations and recovery efforts, and gets victim organizations back to business faster.
The unique approach to incident response is outlined in this infographic and captured in a recently published IR eBook that describes in detail the value of each ingredient and how it contributes to a substantial reduction in the time it takes to recover from a cyber incident (from weeks/months down to hours/days), the cost of recovery, and most importantly the avoidance of business downtime that could have a material impact on an organization’s financials.