Preventing Damage and Recovering From a Ransomware Attack – How Does Visibility Help?

Days pass as your organization continues to scramble, trying to recover from the crippling ransomware outbreak.

CIOs, CTOs, CISOs and owners of the affected applications meet daily to strategize ways to improve their standard security measures. While the IT team attempts to assess and mitigate the damage, determining the proper steps to fully recover and return to normal operations. Both are equally pressing but logic would dictate you cannot fully recover until all the damage has been mitigated.

The typical way to prevent or minimize damage when an outbreak occurs is to isolate the infected system from the rest of the network as quickly as possible, all while ensuring no communication is happening to any command and control servers outside the network. But assessing the damage isn’t always a straightforward process. However, the Forescout platform is able to be queried as the single source-of-truth, and answer the important questions:

What host has this IP address?
What switches are these devices connected to?
What systems are vulnerable to exploitation?
What systems have been exploited or touched by the bad actor?

After an analysis has been performed, specific restrictions can be applied to mitigate the risk and minimize the impact to the systems. This knowledge then lets you drive accurate access control, enforcement, and remediation policies.

Often, it’s not until a user tries to access a file, system or an application that IT becomes aware that the system has been compromised and is now unusable. That realization, while painful in and of itself, also spawns a set of questions to determine the impact and the extent of the damage.

Is the system mission critical?
If so, is there a backup we can recover from?
Do we have reliable/not-compromised target environment to recover into?
What if there is no backup?

The speed from which you can recover from a ransomware attack is dependent on multiple factors but ultimately reliant on the completeness and effectiveness of your disaster recovery (DR) plan. The DR plan must include an inventory of all devices and configuration items, all the requisite application components and databases, new destination information including all required network switching and security mechanisms. Ultimately, the only way to accomplish this is to have complete visibility of the network in order to properly capture all the elements. Without complete visibility, the essential DR plan is riddled with half-truths.

To hear more about how Forescout can help during the various stages of a ransomware attack, be sure to check out my recent webinar, “Post Ransomware Crisis -Tips, Tricks, & Lessons Learned to Stay Protected”.