Vanadium incident (Part 2): Never give up!
Vanadium Incident (Part 1): You have up-to-date backups but you are in for a nightmare.
Part 2: Never give up!
Saturday at 8:57 pm - we need to consider other solutions. We call the Toronto backup solution provider to find out what alternative solutions they offer so we can get access to the backups quickly. No answer on the phone. An email is sent and we wait for a response. The wait is unbearable; the seconds are long.
Saturday at 10:00 pm - hope is restored: the backup solution provider informs us that the download stopped because of the large volume of data. He recommends that we come and pick up a copy of the data directly from him in Toronto! Dead silence in the room.
Realism takes over. But do we really have a choice? It's always better to drive 10 hours (round trip) to get the data in Toronto than to wait for a hypothetical download.
The option of going to Toronto to get the backups is unanimously supported for the moment. But we will have to wait until the next day to pick up the data. A volunteer is identified to drive to Toronto first thing in the morning.
Saturday at 10:36 pm - the data will finally be sent by air. A member of senior management made some calls and, fortunately, one of his contacts, currently in Toronto, was returning to Montreal the next day. The contact agreed to pick up a copy of the data from the backup provider and deliver it to Montreal.
The volunteer designated to drive to Toronto does not hide his relief. He was visibly dreading the trip, and we understand him: he had not rested for several hours.
Saturday at 11:00 pm: pizza, unlimited coffee, and the work continues. Some members of the victim organization's IT team leave to get some rest.
Sunday at 1:00 am: Streamscan incident response team shift rotation.
Sunday at 2:30 am: coffee at will, the work continues.
Sunday at 5:30 am: coffee at will, the work continues.
...
Sunday at 6:17 pm - the data is delivered by plane: the trip went well and the data finally arrived in Montreal. A member of the senior management team went to the airport specifically to pick it up, then straight to the office. Every minute counts: the data restoration must start as soon as possible so that employees are not left unable to work on Monday.
Sunday at 8:38 pm - start of the data restoration: we validate that the backups are intact and do not contain any malicious tooling. We then authorize their restoration, which starts immediately.
We start restoring data from priority applications.
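The validation step above is the one a practitioner will want to see made concrete: before a backup copy that has travelled through a third party and an airport is restored, it is compared against a hash manifest written at backup time and stored separately from the backup itself. The following is an added illustration, not Streamscan's tooling or anything the organization in this story used; the manifest format, the directory layout, the sample files and the list of suspicious extensions are all constructed for this example.

```python
"""Verify a received backup set against a hash manifest before restoring it.

Hypothetical example (not Streamscan's tooling). Assumption: a JSON manifest of
relative path -> SHA-256 was written when the backup was taken and kept apart
from the backup copy, so tampering with the copy cannot also fix the manifest.
"""
import hashlib
import json
import tempfile
from pathlib import Path

# File types that have no business in a data-only backup set; finding one is a
# reason to stop and investigate before restoring. Constructed list for this example.
SUSPICIOUS_SUFFIXES = {".exe", ".dll", ".ps1", ".bat", ".scr", ".vbs"}


def sha256_file(path: Path) -> str:
    """Stream the file through SHA-256 so large backups never have to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1024 * 1024), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path) -> dict:
    """Record relative path -> SHA-256 for every file under root (done at backup time)."""
    return {
        str(p.relative_to(root)).replace("\\", "/"): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def verify_backup(root: Path, manifest: dict) -> dict:
    """Compare the copy we received against the manifest written when the backup was taken.

    Returns the three ways a copy can deviate (missing, unexpected, mismatched files),
    the subset of unexpected files that look like executables, and an overall verdict.
    """
    current = build_manifest(root)
    result = {
        "missing": sorted(set(manifest) - set(current)),
        "unexpected": sorted(set(current) - set(manifest)),
        "mismatched": sorted(p for p in manifest if p in current and current[p] != manifest[p]),
    }
    result["suspicious"] = sorted(
        p for p in result["unexpected"] if Path(p).suffix.lower() in SUSPICIOUS_SUFFIXES
    )
    result["ok"] = not (result["missing"] or result["unexpected"] or result["mismatched"])
    return result


def demo() -> dict:
    """Constructed scenario: a good backup, then a copy that was altered before it reached us."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "backup"
        (root / "db").mkdir(parents=True)
        (root / "db" / "crm.sql").write_bytes(b"INSERT INTO customers ...")
        (root / "docs.txt").write_bytes(b"quarterly report")
        manifest_json = json.dumps(build_manifest(root))  # stored separately at backup time

        # Simulate the deviations we want to catch on the received copy: a modified file,
        # a file that disappeared, and an executable that was never part of the backup.
        (root / "docs.txt").write_bytes(b"quarterly report - altered")
        (root / "db" / "crm.sql").unlink()
        (root / "update.exe").write_bytes(b"MZ not a real binary")

        return verify_backup(root, json.loads(manifest_json))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

A restoration is only authorized when `ok` is true; any entry under `missing`, `mismatched` or `suspicious` is a reason to pause and examine the copy rather than push it into production under time pressure.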
Sunday at 10:00 pm - the data restoration continues and everything is going well. The atmosphere is more relaxed.
We also make sure we have more pizza. The coffee machine is running at full speed!
Sunday at 11:50 pm - data restoration is still in progress: no problems found, everything is fine. There is hope that at least one application will be functional during the day on Monday.
One person is designated to oversee the data restoration, and the rest of the victim organization's IT team rests to recharge for the next day.
Monday at 7:00 am - part of the data is restored: we continue to cross our fingers.
Monday at 8:45 am - AD and email server back in production: Active Directory and the email server are back in production. The support team is ready to respond to users who have connection problems.
Monday at 8:45 am - start of post-incident security monitoring: our MDR team remotely monitors the network for any malicious or suspicious activity. The network can now safely return to production, and Streamscan ensures that it stays secure.
Monday between 8:50 am and 1:00 pm: some connection problems are reported by users, but overall everything is fine.
From Monday at 1:05 pm to Friday - progressive return to production of the other applications: throughout the week, we support the IT team in restoring the servers and the data. For each reinstalled server, we make sure that it is secure. We identify the immediate improvement points and work with the organization to implement them. The full return to production takes several days.
One week later: we meet the organization for an overall debrief on the incident (post-mortem meeting). The customer is satisfied with our quick reaction (rapid on-site handling of the incident) and with our efficient management of the incident, which allowed them to return to production quickly.
At the client's request, our Cyber Threat Detection System (CDS) is permanently installed in their infrastructure. Network security monitoring is handled by our MDR team, which ensures 24/7 that the network is secure.
Just as firefighters are called to act in case of a fire, acting quickly in case of a cybersecurity incident is normal for us, because we know that every minute counts. We are cyber firefighters.
Do you still think that having up-to-date backups is enough to protect against ransomware?
How can Streamscan help you?
Cyber attacks are happening all the time. Without continuous security monitoring, you have no insights into the attacks impacting you. You can't protect yourself from what you can't see.
Let us give you clear insight into your network. Join our MDR managed monitoring platform, powered by our CDS cyber threat detection technology, and keep yourself safe from cyberattacks.
- Contact us at +1 877 208-9040 or talk to one of our experts.