How StreamScan's CDS accelerates response to ransomware incidents
When responding to a ransomware incident, one of the most difficult tasks is to identify all infected machines (servers, computers, etc.) and those on which the attacker has already deposited a copy of ransomware for later execution. Every minute counts and you have to act fast to minimize the impact.
Identifying the suspicious machines linked to the ransomware is one of the nightmares of IT managers and CISOs, because if they miss a single machine, they run the risk that the ransomware will persist in the network and spread again. What a tragedy! No one wants to go through that.
How does it actually work?
In the event of a ransomware attack, IT teams and most cybersecurity firms specializing in incident response use a manual method to identify which machines are infected and on which machines the hacker has dropped a copy of the ransomware. For this, IT technicians are called in to help. They run an antivirus scan on every computer on the network to see whether it is infected or not. Imagine that the infected network has 2000 computers. What a daunting task! Manually identifying suspicious computers can take several days, which slows down the entire response to the incident. We have seen cases where it took from 3 to 6 days.
Often you have to bring in external IT technicians (through a placement firm) if you want to go faster. This creates further delays and lengthens the return to production, and that is the ideal case.
In the worst case scenario, this leads to what is known as the Monday Nightmare! After returning from the weekend, many employees try to connect to the network while the IT team still has to check whether each of their computers is infected with ransomware or not. The challenge: who comes first? Senior management, production, sales, marketing, etc.? Obviously everyone thinks they have priority. Needless to say, you will have to deal with employee frustration and complaints.
Conclusion: in addition to lengthening the time it takes to get back into production, manually identifying questionable machines increases your costs (hiring temporary IT technicians) and increases your financial losses (production systems are down, no sales, etc.).
The Streamscan Method: Automation
Organizations that call Streamscan to help them manage their incident don't have to go through this nightmare. We use an automated 2-step approach to identify and isolate all suspicious machines linked to a ransomware case.
Step 1 - Find a copy of the ransomware and identify its indicators of compromise
When we help an organization manage a ransomware case, we start by isolating the infected machine(s) found by the IT team. Then we look for a copy of the ransomware on one of the infected machines. From this copy, we automatically identify signs of the ransomware's presence (also called Indicators of Compromise or IOCs): which processes and files does it create? Which IP addresses or external domains does it communicate with? How does it propagate in the network? What is the hash of the ransomware?
Step 2 - Automated search and isolation of all suspicious machines
We then inject some of the relevant IOCs of the ransomware into our CDS cyber threat detection technology, which will scan the entire computer population to identify all the machines on which there are signs of the presence of the ransomware. This is done in a few hours maximum in a network that has more than 2000 computers! This saves a lot of time and allows you to get back into production quickly.
Plus, you don't have to worry about the Monday Nightmare. Every time a computer is connected to the network, it is automatically analyzed by the CDS.
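To make the two steps concrete, here is an added illustration (not StreamScan's code, and not the CDS) of the sweep in Step 2: a set of IOCs of the kind Step 1 produces (sample hash, process name, drop path, network destinations) is matched against per-host telemetry, and every host showing at least one indicator is flagged for isolation. The IOC values, the HostTelemetry shape and the three hosts are all constructed placeholders; a real sweep would pull this telemetry from an endpoint agent.

```python
from dataclasses import dataclass, field

# Constructed IOC set in the shape Step 1 produces. All values are placeholders.
IOCS = {
    "sha256": {"0" * 63 + "a"},                             # hash of the sample
    "process_names": {"encryptor.exe"},                     # process it starts
    "file_paths": {"c:\\programdata\\enc\\encryptor.exe"},  # where it is dropped
    "destinations": {"203.0.113.7", "c2.example"},          # where it calls out
}

@dataclass
class HostTelemetry:
    """What an endpoint agent reports for one machine (hypothetical shape)."""
    hostname: str
    file_hashes: set = field(default_factory=set)
    processes: set = field(default_factory=set)
    file_paths: set = field(default_factory=set)
    destinations: set = field(default_factory=set)

def match_iocs(host, iocs):
    """Return {category: sorted matched values} for one host, empty if clean.
    Comparison is case-insensitive so Windows paths and process names match."""
    hits = {}
    for field_name, category in (("file_hashes", "sha256"), ("processes", "process_names"),
                                 ("file_paths", "file_paths"), ("destinations", "destinations")):
        observed = {v.lower() for v in getattr(host, field_name)}
        wanted = {v.lower() for v in iocs[category]}
        common = observed & wanted
        if common:
            hits[category] = sorted(common)
    return hits

def sweep(hosts, iocs):
    """Return {hostname: hits} for every host showing at least one IOC, so a
    staged-but-not-yet-executed copy (hash or path only) is caught as well."""
    return {h.hostname: hits for h in hosts if (hits := match_iocs(h, iocs))}

# Constructed fleet: one actively encrypting, one with a staged copy, one clean.
FLEET = [
    HostTelemetry("ws-012", processes={"Encryptor.exe"}, destinations={"203.0.113.7"}),
    HostTelemetry("srv-04", file_hashes={"0" * 63 + "a"},
                  file_paths={"C:\\ProgramData\\enc\\encryptor.exe"}),
    HostTelemetry("ws-077", processes={"outlook.exe"}, destinations={"198.51.100.2"}),
]

if __name__ == "__main__":
    for name, hits in sweep(FLEET, IOCS).items():
        print(f"ISOLATE {name}: {hits}")
```

Note that srv-04 is flagged even though nothing is running on it yet: that is the "copy deposited for later execution" case the first paragraph warns about, which a running-process check alone would miss.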
The bonus: active monitoring of your network during incident response
In addition to enabling rapid identification of all suspicious computers during a ransomware incident, Streamscan's CDS technology protects your network throughout the incident management. Once the incident has been resolved, we continue to monitor your network for a few days to ensure you are no longer targeted. All this gives you peace of mind for the return to production.
Don't hesitate to contact us if you need help managing a case of ransomware. You can also call us at 1-877-208-9040.