
First Doesn't Always Make the Winner – The Pitfalls of Self Remediation Post Cyber Incident

So, you have just received the news no organization wants to hear: you have become the victim of a cyber attack.

While there are many different ways of approaching a cyber incident, the one thing that is consistent is the need to fix the problem as soon as possible. The need to get back to business as usual efficiently is at the forefront of everyone’s minds, and rightly so. However, being first does not always make the winner.

When you are in the midst of an incident, it is easy to overlook steps that would consume additional time. Let’s say you were hit with a malware outbreak. Luckily for you, it only affected two systems, and the incident response team was efficient: they caught it in good time, isolated the systems from the network, and rebuilt them on the same day. Good news, right?

It is great that the incident was contained and eradicated quickly, but did you get everything you needed? Cyber incidents always pose an opportunity to learn, and having additional information could make a world of difference. In the chaos of the incident, an important step was overlooked: preserving forensic data from the two systems prior to rebuilding. Without any detailed information from those systems, can you be sure you are in the clear? Do you have concrete evidence of the point of entry? If you re-installed from backups, are you confident that the date you chose was pre-infection? Do you know whether you need to report a potential data breach? And could you accurately report a data breach to the regulator if there is no evidence of what was on the system? Taking that extra couple of hours to preserve data could be the difference between having the answers to these questions and just hoping for the best. It could also help you avoid a fine from the Information Commissioner’s Office (ICO) or other regulatory bodies.

What should you do?

Before calling in the experts to help answer all these pressing questions, these are the things we recommend you should, and should not, do in the immediate aftermath of a cyber incident:

DO

  • Try to isolate all known affected systems, either via an Endpoint Detection and Response (EDR) tool or by physically disconnecting from the network.
  • Check backups and ensure they are unaffected and accessible. Take action to ensure they continue to remain in those states.
  • Preserve logs that may be overwritten in the coming days or even hours, including logs that may not seem relevant; you want to be sure that the forensic teams can uncover all the evidence and find out exactly what happened. In addition, where possible, extend log retention periods if this has not already been done. The more logs you have, the more likely you are to get the answers.
  • Take forensic images or snapshots of systems before taking any actions which will alter the data on them, such as rolling back or rebuilding. If this is not possible, hold off and leave the systems untouched and isolated until the forensic team can assist.
  • Save a copy of the ransom note (if possible) or a screenshot, ready to show to the forensic experts.
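
As an added example, not part of the original article, the following POSIX shell script captures the "preserve logs" and "copy before you alter anything" steps above: it copies a directory of logs with their timestamps intact, makes the copies read-only, and writes a SHA-256 manifest that the forensic team can later verify. The directory names and log lines used to exercise it are constructed; the only assumption is that sha256sum or shasum is installed.

```shell
#!/bin/sh
# Added example, not from the original article: preserve a directory of logs
# before a system is rebuilt, and leave a SHA-256 manifest behind so the
# forensic team can later prove the copies were not altered after collection.
set -eu

# Use whichever SHA-256 tool is available (assumption: sha256sum or shasum exists).
sha256() {
    if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1" | cut -d' ' -f1
    else shasum -a 256 "$1" | cut -d' ' -f1; fi
}

# preserve_logs SRC_DIR DEST_DIR
# Copies every regular file under SRC_DIR into DEST_DIR with timestamps kept
# (cp -p), makes each copy read-only, and appends one manifest line per file:
#   <sha256>  <path relative to SRC_DIR>  <size in bytes>
# Prints the number of files preserved.
preserve_logs() {
    src=$1; dest=$2
    mkdir -p "$dest"
    # The header is the start of the chain of custody: when, where, from what.
    printf '# collected %s on %s from %s\n' \
        "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$(uname -n)" "$src" > "$dest/MANIFEST.txt"
    find "$src" -type f | sort | while read -r f; do
        rel=${f#"$src"/}
        mkdir -p "$dest/$(dirname "$rel")"
        cp -p "$f" "$dest/$rel"
        chmod a-w "$dest/$rel"
        printf '%s  %s  %s\n' "$(sha256 "$dest/$rel")" "$rel" \
            "$(wc -c < "$dest/$rel" | tr -d ' ')" >> "$dest/MANIFEST.txt"
    done
    grep -vc '^#' "$dest/MANIFEST.txt"
}

# verify_manifest DEST_DIR
# Re-hashes every preserved file; returns non-zero and names the first file
# whose content no longer matches the manifest (e.g. edited after collection).
verify_manifest() {
    dest=$1
    grep -v '^#' "$dest/MANIFEST.txt" | while read -r want rel _size; do
        [ "$(sha256 "$dest/$rel")" = "$want" ] || { echo "MISMATCH: $rel" >&2; exit 1; }
    done
}
```

Run preserve_logs against the live log directories (for example the system and EDR log paths) before any rollback or rebuild, and keep the manifest with the copies so the chain of custody starts at collection time.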

DO NOT

  • Rebuild or roll back systems without preserving data from them. There could be key pieces of the puzzle hidden in them.
  • Rebuild or roll back systems without being confident in the date you are rolling back to. The last thing you want to do is put a system back into production thinking it is fine, only to find later that there were malicious files present for months prior to the date you thought.
  • Put rebuilt or rolled-back systems back into production without any testing or additional measures in place. Similar to the point above, you put a system back into production thinking it is fine, but can you be certain it will remain unaffected? Do you have the means to test it first, or a way to keep a close watch on it just to be on the safe side?

It is so important to preserve data: it could provide you with answers you did not know you might need, and it could save you from re-infection. Digital Forensics and Incident Response teams cannot help you find the answers if there is no evidence left to look at. Remember, every cyber incident is a lesson, and the more information we take from that lesson, the more prepared we will be for the next one.

To discuss any aspect of this article, or to request further information on the service offerings at Ankura, please get in touch via cyber@ankura.com.

© Copyright 2023. The views expressed herein are those of the author(s) and not necessarily the views of Ankura Consulting Group, LLC., its management, its subsidiaries, its affiliates, or its other professionals. Ankura is not a law firm and cannot provide legal advice.
