When it comes to incident response, it's not enough to treat only the symptoms. You have to treat the disease as well.
When a threat is detected, the first step is to triage the immediate attack. That could mean cleaning up a ransomware executable or a banking Trojan, or blocking the exfiltration of data. Too often, though, teams stop the initial attack without realizing they haven't actually addressed the root cause.
Successfully removing malware and clearing an alert doesn’t mean the attacker has been ejected from the environment. It’s also possible that what was detected was only a test run by the attacker to see what defenses they’re up against. If the attacker still has access, they’ll likely strike again, but more destructively.
Incident response teams need to make sure they address the root cause of the incident they just mitigated. Does the attacker still have a foothold in the environment? Are they preparing a second wave? Operators who have remediated thousands of attacks know when and where to dig deeper: they look for anything else the attackers are doing, have already done, or may be planning to do in the network, and neutralize that too.
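As an added illustration of what "looking beyond the triggering alert" means in practice (this is example code written for this page, not Sophos tooling or anything from the original post), the script below scopes an incident from a single alert. It takes the host, account and time of the alert and, over a window around it, reports other hosts the compromised account touched, persistence mechanisms planted by anyone, accounts the attacker created, and where those new accounts were later used. The telemetry, field names, host names and event types are all constructed for the example.

```python
from datetime import datetime, timedelta

# Constructed sample telemetry for this example only (not real logs).
# Each event: (timestamp, host, account, event_type, detail)
EVENTS = [
    ("2024-05-01T02:10:00", "ws-017", "svc_backup", "logon", "interactive"),
    ("2024-05-01T02:14:00", "ws-017", "svc_backup", "scheduled_task_created", "WinUpdate"),
    ("2024-05-02T23:40:00", "dc-01", "svc_backup", "logon", "network"),
    ("2024-05-02T23:45:00", "dc-01", "svc_backup", "local_admin_added", "support2"),
    # The triggering alert: endpoint protection quarantines a ransomware binary.
    ("2024-05-03T01:00:00", "ws-017", "svc_backup", "malware_blocked", "ransomware quarantined"),
    ("2024-05-03T01:05:00", "fs-02", "svc_backup", "service_installed", "RemoteSvc"),
    ("2024-05-03T09:00:00", "ws-101", "jdoe", "logon", "interactive"),
    ("2024-05-05T03:30:00", "fs-02", "support2", "logon", "network"),
    ("2024-04-01T08:00:00", "ws-017", "svc_backup", "scheduled_task_created", "Backup"),  # outside window
]

# Event types that indicate the attacker is trying to keep access (hypothetical names).
PERSISTENCE_TYPES = {
    "scheduled_task_created",
    "service_installed",
    "run_key_set",
    "local_admin_added",
}


def _ts(s):
    return datetime.fromisoformat(s)


def scope_incident(events, alert_host, alert_account, alert_time,
                   lookback=timedelta(days=7), lookahead=timedelta(days=3)):
    """Return what else the compromised account and its attacker did around the alert.

    Everything returned is *in addition to* the alert itself: other hosts the
    account touched, persistence planted on any host, accounts the attacker
    created, and hosts where those created accounts were subsequently used.
    """
    start, end = alert_time - lookback, alert_time + lookahead
    in_window = [(_ts(t), h, a, et, d) for t, h, a, et, d in events
                 if start <= _ts(t) <= end]

    # 1. Lateral scope: every other host where the compromised account was active.
    other_hosts = sorted({h for _, h, a, _, _ in in_window
                          if a == alert_account and h != alert_host})

    # 2. Persistence: footholds planted in the window, regardless of account.
    persistence = [(t.isoformat(), h, a, et, d) for t, h, a, et, d in in_window
                   if et in PERSISTENCE_TYPES]

    # 3. Pivot accounts: users the compromised account added to admin groups.
    pivot_accounts = sorted({d for _, _, a, et, d in in_window
                             if a == alert_account and et == "local_admin_added"})

    # 4. Where those pivot accounts were later seen logging on.
    pivot_hosts = sorted({h for _, h, a, et, _ in in_window
                          if a in pivot_accounts and et == "logon"})

    return {
        "other_hosts": other_hosts,
        "persistence": persistence,
        "pivot_accounts": pivot_accounts,
        "pivot_hosts": pivot_hosts,
    }


def main():
    findings = scope_incident(EVENTS, "ws-017", "svc_backup", _ts("2024-05-03T01:00:00"))
    print("Compromised account also active on:", findings["other_hosts"])
    print("Persistence to remove:")
    for t, h, a, et, d in findings["persistence"]:
        print(f"  {t} {h} {a} {et} {d}")
    print("Attacker-created accounts:", findings["pivot_accounts"])
    print("Hosts where those accounts logged on:", findings["pivot_hosts"])


if __name__ == "__main__":
    main()
```

Cleaning the quarantined binary on ws-017 would have closed the alert, but the script shows the account had already been used on the domain controller and a file server, had planted a scheduled task and a service, and had created a second admin account that was still in use two days later. Each of those is a foothold that has to be removed before the case is really closed.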
For example, in one instance, Sophos incident response specialists were able to thwart an attack that lasted nine days and saw three separate attempts by the attackers to hit an organization with ransomware.
Since the organization was not yet a Sophos MTR customer, the Sophos Rapid Response team was engaged first.
In the first wave of the attack (which was ultimately blocked by the organization's endpoint protection), the attackers targeted 700 computers with Maze ransomware and demanded a ransom of US$15 million. Realizing they were under attack, the target's security team brought in the advanced incident response skills of the Sophos Managed Threat Response (MTR) team.
The Sophos incident response specialists quickly identified the compromised admin account, identified and removed several malicious files, and blocked attacker commands and C2 (command and control) communications. The Sophos MTR team was then able to defend against two additional waves of attacks by the adversary. If the attackers had succeeded and the victim had paid, this could have been one of the most expensive ransomware payments to date.
In another example, the Sophos MTR team responded to a suspected ransomware threat and quickly found no evidence of ransomware at all. At that point, some teams would have closed the case and moved on. The Sophos MTR team kept investigating and uncovered an older banking Trojan infection. Fortunately for this customer the threat was no longer active, but it shows why it's important to look beyond the initial symptoms and determine the full root cause: what triggered the alert may be an indicator of a broader attack.