The ransomware threat is real and getting worse. According to the World Economic Forum’s Global Risks Report 2022, in 2020 malware and ransomware attacks increased by 358% and 435% respectively – and they are outpacing societies’ ability to prevent or respond to them effectively.
Adarma’s recent 2022 Ransomware Readiness Report found that, of the 500 UK C-suite executives we surveyed, more than half (58%) had suffered a ransomware attack. Unsurprisingly, 94% were either concerned or very concerned about being hit by one.
Although ransomware attacks are not inevitable, there is a rising risk that you will be targeted by a malicious threat actor. In this part of our Ransomware series, we look at what organisations can do when the worst happens.
Getting threat actors out of your network
Just as threat detection and response is vital to keeping threat actors out, how you respond once they have got inside matters equally. Even when prevention has failed and an initial compromise has occurred, the full impact of a breach can still be averted and the damage limited if you stop your adversaries before they complete their mission. This is not, and can never be, a technology-only solution. It demands the right combination of technology, people, and process.
A company needs the right data feeding the right detection content. The resulting alerts must then be visible to the right people, with the context that lets them make sound decisions and follow streamlined procedures for defence, investigation, quick pivots, recovery, and post-incident forensics.
This demands a six-step approach consisting of: Detection, Monitoring, Investigation, Containment, Eradication, and Improvement.
1 – Threat Detection and Identifying the Intrusion
Detection is not just about sounding the alarm – it also involves building a picture of the intrusion events and seeking to identify the root cause. Most important is identifying the intrusion and its type, then deploying the resources to stop it, remove it, and prevent it from recurring.
There are many ransomware incidents on record in which an organisation paid a ransom, restored full operations, and was then hit again by the same actors because it had changed nothing and added no security: the original entry point and whatever persistence the actor had left behind (stolen credentials, remote-access tooling) were still in place. The organisation had simply assumed the attackers were finished with it and would move on to someone else.
2 – Security Data and Event Monitoring
Monitoring is all about following the data. To detect threats that are already inside the environment, you need timely access to security data and events. Understanding your attack tree, the sequence of steps an actor is most likely to take, tells your team how the attack will probably proceed.
That foreknowledge gives you the speed advantage. Data from email, network, cloud, and endpoints shows you the progress of an attack and lets you follow it and, ideally, block it. Observing and learning about an attack even while defending against it also yields valuable intelligence on your opponents.
3 – Attack Scope Investigation
Investigation takes the information obtained in the initial detection phase and seeks to understand as much as possible about the nature and scope of the attack: which hosts and accounts are affected, how the actor got in, how far they have spread, and what they have touched.
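The detection, monitoring and investigation steps above all come down to the same exercise: correlating events from several telemetry sources into a per-host timeline, placing each event on the attack tree, and following lateral movement to establish scope. The script below is an added illustration of that exercise and is not code from the original article or from Adarma. The telemetry lines are constructed for the example, the stage names and the six-stage attack tree are simplifying assumptions, and the regular expressions stand in for whatever detection content a real SIEM or EDR would supply.

```python
"""Correlate multi-source telemetry into per-host ransomware attack timelines (added example)."""
import re
from collections import defaultdict

# Constructed sample telemetry for this example; not real logs.
# Fields: source|utc_time|host|user|detail
SAMPLE_EVENTS = """\
email|2024-03-04T08:58:10Z|WS-0142|j.smith|inbound attachment=Invoice_0922.zip verdict=unknown
endpoint|2024-03-04T09:01:22Z|WS-0142|j.smith|process=powershell.exe parent=winword.exe args=-nop -w hidden -enc
endpoint|2024-03-04T09:03:40Z|WS-0142|j.smith|process=whoami.exe parent=powershell.exe
endpoint|2024-03-04T09:04:05Z|WS-0142|j.smith|process=nltest.exe parent=powershell.exe args=/dclist:
network|2024-03-04T09:20:00Z|WS-0142|j.smith|smb_connect dst=FS-01 share=ADMIN$
endpoint|2024-03-04T09:45:12Z|FS-01|svc_backup|process=vssadmin.exe parent=cmd.exe args=delete shadows /all /quiet
endpoint|2024-03-04T09:46:30Z|FS-01|svc_backup|file_rename_burst count=1873 new_ext=.locked
endpoint|2024-03-04T09:10:00Z|WS-0077|a.jones|process=whoami.exe parent=cmd.exe
"""

# Assumed attack tree: the order a typical ransomware intrusion proceeds through.
ATTACK_TREE = ["initial_access", "execution", "discovery",
               "lateral_movement", "inhibit_recovery", "impact"]

# Stage classifiers: (stage, required source, regex over the detail field). Assumed detection content.
STAGE_RULES = [
    ("initial_access", "email", re.compile(r"attachment=\S+\.(zip|iso|lnk|docm?|xlsm?)")),
    ("execution", "endpoint", re.compile(r"process=powershell\.exe parent=(winword|excel|outlook)\.exe")),
    ("discovery", "endpoint", re.compile(r"process=(whoami|nltest|net|ipconfig)\.exe")),
    ("lateral_movement", "network", re.compile(r"smb_connect dst=(?P<dst>\S+) share=(ADMIN|C)\$")),
    ("inhibit_recovery", "endpoint", re.compile(r"process=(vssadmin|wbadmin)\.exe .*delete")),
    ("impact", "endpoint", re.compile(r"file_rename_burst count=(?P<n>\d+)")),
]


def parse_events(text):
    """Parse pipe-delimited lines into dicts, oldest first (ISO-8601 UTC sorts lexically)."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        source, ts, host, user, detail = line.split("|", 4)
        events.append({"source": source, "time": ts, "host": host, "user": user, "detail": detail})
    return sorted(events, key=lambda e: e["time"])


def classify(event):
    """Return (stage, regex match) for the first rule the event satisfies, else (None, None)."""
    for stage, source, pattern in STAGE_RULES:
        if event["source"] != source:
            continue
        m = pattern.search(event["detail"])
        if m:
            return stage, m
    return None, None


def build_timelines(text):
    """Per-host list of (time, stage, detail) plus lateral-movement edges src -> {dst}."""
    timelines, edges = defaultdict(list), defaultdict(set)
    for ev in parse_events(text):
        stage, m = classify(ev)
        if stage is None:
            continue  # benign or unclassified telemetry
        timelines[ev["host"]].append((ev["time"], stage, ev["detail"]))
        if stage == "lateral_movement":
            edges[ev["host"]].add(m.group("dst"))
    return timelines, edges


def campaign_hosts(start, edges):
    """Follow lateral-movement edges from `start` to every host the same intrusion reached."""
    seen, queue = {start}, [start]
    while queue:
        for dst in edges.get(queue.pop(), ()):
            if dst not in seen:
                seen.add(dst)
                queue.append(dst)
    return seen


def triage(text):
    """Summarise each host: stages seen, the stage the tree predicts next, linked hosts, severity.
    Severity is judged on the whole linked campaign, so patient zero is rated by what its
    intrusion went on to do elsewhere, not only by what happened on that one box."""
    timelines, edges = build_timelines(text)
    report = {}
    for host, events in timelines.items():
        observed = [s for s in ATTACK_TREE if any(stage == s for _, stage, _ in events)]
        idx = ATTACK_TREE.index(max(observed, key=ATTACK_TREE.index))
        linked = campaign_hosts(host, edges)
        campaign = [s for s in ATTACK_TREE
                    if any(stage == s for h in linked for _, stage, _ in timelines.get(h, []))]
        report[host] = {
            "observed": observed,
            "next_expected": ATTACK_TREE[idx + 1] if idx + 1 < len(ATTACK_TREE) else None,
            "linked_hosts": sorted(linked - {host}),
            # One lone discovery command is noise; three or more distinct stages is an intrusion in progress.
            "severity": ("critical" if {"impact", "inhibit_recovery"} & set(campaign)
                         else "high" if len(campaign) >= 3 else "low"),
        }
    return report


if __name__ == "__main__":
    for host, summary in triage(SAMPLE_EVENTS).items():
        print(host, summary)
```

On the constructed data, WS-0142 shows the first four stages and the tree predicts inhibit_recovery next; following its SMB connection to FS-01 reveals that stage (shadow-copy deletion) and the file-rename burst already happening there, so both hosts are rated critical, while WS-0077 (a single whoami) stays low. That cross-host view is what lets a responder pivot from the first alert to the true scope before encryption spreads further.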
4 – Cyber Attack Containment
Containment is the act of learning from the detection and investigation processes, and then deploying actions to disrupt, contain or halt the attack. In the case of a data breach, even if some data has already been lost, containment can prevent further loss.
In endpoint situations, once the threat has been identified, the Incident Response (IR) team should work to contain it and prevent further damage to other systems and the organisation at large. It is during this phase that the responder quickly isolates any infected machine and, where possible, secures copies of critical data from it. Isolation should cut the machine off from the network rather than power it off: volatile evidence such as memory is lost on shutdown, and the post-incident forensics depend on it.
This might be as manual as pulling ethernet cords out of devices to detach them from the network. The goal is to limit the number of systems compromised during this phase. When the attack reaches a company’s larger distributed systems or cloud-native technologies such as containers, it’s vital that the isolation controls of the cloud service provider, and the provider’s support where needed, are available to the team immediately so the affected resources can be isolated and secured.
5 – Cyber Threat Eradication
Eradication is about removing the threat from the system, network, or organisation: deleting the malware and any persistence the actor installed, and resetting credentials they may have captured. Temporary changes made during containment should be reviewed post-incident, as part of problem management, to ensure they are effective enough to be made permanent.
6 – System Security Improvement
Once the threat has been sufficiently contained, the IR team should work to implement a more permanent fix. This might include patching systems, reconfiguring system and application architecture, or rebuilding systems for production. The goal is to eliminate the entry point(s) the threat actor used to obtain access to the network, and to confirm before systems return to service that the actor no longer has a way back in.
To find out how Adarma can provide your organisation with managed detection and response services and how we can help prepare and protect your organisation against ransomware attacks, please Contact us now.
Stay up-to-date with the latest threat insights from Adarma by following us on Twitter and LinkedIn.