researchHQ’s Key Takeaways:
- Traditional recovery from a security breach involves a time-consuming and costly “tear down and rebuild everything” strategy.
- Intelligence-led rapid recovery offers greater threat visibility, enabling the surgical removal of all persistence mechanisms deployed in the attack without needing to tear down the impacted systems.
- Benefits of intelligence-led rapid recovery include the recovery of systems and endpoints within hours or days of an attack, reduced user disruption, and prevention of system reinfection.
When a cybersecurity incident occurs, it can be an overwhelming experience resulting in infected endpoints, data theft, user disruption, extortion and even downtime that causes business interruption. These are some of the darkest days for any organization and will require decisive actions that can have a direct impact on its ability to recover essential business functions in an expedited manner.
Recover From Malware and Ransomware Attacks With Speed and Precision
The continued rise of malware attacks such as Emotet and TrickBot and financially motivated ransomware attacks such as Ryuk, Maze, DoppelPaymer, REvil and Dharma has placed considerable emphasis on the recovery aspects of a breach. In the wake of a cyberattack, confidently making the right choices on how to manage a recovery is more critical than ever, and recovering operations has never been more important or more costly. It is apparent that a more efficient and effective approach to recovery is essential — one that can eradicate persistent and destructive attacks rapidly and with minimal disruption.
Traditional Recovery: “Tear Down and Rebuild Everything”
Recovering from today’s persistent malware and ransomware attacks requires a new approach to remediate the environment with speed and precision in order to get back to normal business operations faster. The traditional approach of “tear down and rebuild everything” is far too time-consuming and costly for today’s enterprise-wide attacks, exposing the organization to potential business interruption and downtime. Persistent cyberattacks achieve lateral movement across a network, impacting hundreds and even thousands of endpoints in an enterprise-wide attack — and the time to reimage or rebuild hundreds, let alone thousands, of endpoints could take months while severely disrupting users and business operations. Worse still, persistent attacks anticipate this approach of recovering and restoring from backup images: the persistence mechanisms left behind reinfect these same machines even after they are deemed clean.
The “tear down and rebuild everything” approach, once thought to be the only way to truly remove an adversary from the environment, is now a fallacy that exposes an organization to a higher risk of business interruption and reinfection.
There has to be a better way. And fortunately, there is.
Intelligence-led Rapid Recovery
CrowdStrike partnered with Baker Tilly and MOXFIVE to develop a report discussing the value of using an intelligence-led rapid recovery approach to quickly gain visibility to the full threat context across the entire environment and surgically remove all persistence mechanisms deployed in the attack, across hundreds and even thousands of endpoints, without the need to reimage, rebuild or replace a large percentage of the impacted systems.
With the evolution by threat actors to big game hunting tactics that capitalize on lucrative business opportunities and persistent, enterprise-wide attacks, we see an increase in financially motivated malware and ransomware attacks. The bigger the target, the wider the attack surface — and the larger the ransom. While the traditional approach may have been acceptable for an attack on a single system or even 5 to 10 systems, this same approach quickly becomes problematic when we’re talking about 500 endpoints, 1,000 endpoints or even 10,000 endpoints.
Using an intelligence-led approach, we’re able to quickly identify and contain all host computers that have been impacted by the attack. Gaining visibility to the process tree executed by the threat actor enables us to use remote Falcon Real Time Response to reverse the malicious operations — killing bad processes, deleting infected files, restoring registry keys, and removing any and all persistence mechanisms with speed and surgical precision.
In short, an intelligence-led rapid recovery approach enables you to:
- Recover systems and endpoints using threat intelligence
- Gain immediate visibility to the full threat context
- Use remote Falcon Real Time Response to surgically remove all persistence mechanisms
- Recover within hours or days from a malware or ransomware incident
- Minimize user disruption without the need to reimage endpoints and reboot computers
- Prevent system reinfection with threat hunting and monitoring
- Reduce the risk of business interruption due to an otherwise long recovery process
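The remediation described above (walk the threat actor’s process tree, then remove the persistence it created rather than reimaging the host) can be illustrated in code. The following is an added example written for this summary; it is not code from the original article, from CrowdStrike, Baker Tilly or MOXFIVE, and it does not use Falcon Real Time Response. It assumes endpoint telemetry in a simple event-record form (process starts, registry writes, file writes) and builds a per-host remediation plan from the subtree rooted at the malicious process: which processes to stop, which autostart registry values to remove, which dropped files to delete, and which other registry changes to review for restoration. The event records, pids and paths are constructed sample data, and the autostart key markers are an assumed, deliberately short list.

```python
from collections import defaultdict

# Constructed sample telemetry for one host; not taken from any real incident.
# Each record is one endpoint event: a process start, a registry write or a file write.
EVENTS = [
    {"type": "process", "pid": 100, "ppid": 1, "image": r"C:\Windows\explorer.exe"},
    {"type": "process", "pid": 200, "ppid": 100, "image": r"C:\Users\alice\Downloads\invoice.doc.exe"},
    {"type": "file_write", "pid": 200, "path": r"C:\Users\alice\AppData\Roaming\svc.exe"},
    {"type": "process", "pid": 300, "ppid": 200, "image": r"C:\Windows\System32\cmd.exe"},
    {"type": "registry_set", "pid": 300, "key": r"HKCU\Console", "value": "ColorTable00", "data": "0"},
    {"type": "process", "pid": 400, "ppid": 300, "image": r"C:\Windows\System32\reg.exe"},
    {"type": "registry_set", "pid": 400,
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
     "value": "Updater", "data": r"C:\Users\alice\AppData\Roaming\svc.exe"},
    # Unrelated user activity on the same host; it must not appear in the plan.
    {"type": "process", "pid": 500, "ppid": 100, "image": r"C:\Windows\System32\notepad.exe"},
    {"type": "file_write", "pid": 500, "path": r"C:\Users\alice\notes.txt"},
]

# Assumed (illustrative) list of registry locations that act as autostart points.
# Matched case-insensitively as substrings of the full key path.
PERSISTENCE_KEY_MARKERS = ("\\currentversion\\run", "\\currentversion\\runonce", "\\services\\")


def build_tree(events):
    """Return (children, images): parent pid -> [child pids], pid -> image path."""
    children = defaultdict(list)
    images = {}
    for ev in events:
        if ev["type"] == "process":
            children[ev["ppid"]].append(ev["pid"])
            images[ev["pid"]] = ev["image"]
    return children, images


def descendants(children, root_pid):
    """All pids in the subtree rooted at root_pid, including the root (cycle-safe)."""
    seen, stack = set(), [root_pid]
    while stack:
        pid = stack.pop()
        if pid in seen:
            continue
        seen.add(pid)
        stack.extend(children.get(pid, []))
    return seen


def is_persistence_key(key):
    """True when the registry key path is one of the assumed autostart locations."""
    k = key.lower()
    return any(marker in k for marker in PERSISTENCE_KEY_MARKERS)


def remediation_plan(events, root_pid):
    """Derive what to stop, delete, remove and review from the tree rooted at root_pid."""
    children, images = build_tree(events)
    tree = descendants(children, root_pid)
    plan = {"kill": sorted(tree), "delete_files": set(),
            "remove_registry": [], "review_registry": []}
    for ev in events:
        if ev["pid"] not in tree:
            continue  # activity of processes outside the malicious tree is left alone
        if ev["type"] == "file_write":
            plan["delete_files"].add(ev["path"])
        elif ev["type"] == "registry_set":
            if is_persistence_key(ev["key"]):
                plan["remove_registry"].append((ev["key"], ev["value"]))
                # The autostart value names the payload that would reinfect the host on
                # reboot: schedule it for deletion even if its write was never observed.
                # (Assumes the value data is a bare path, as in the sample above.)
                plan["delete_files"].add(ev["data"])
            else:
                # Non-autostart changes are kept for an analyst to restore, not auto-removed.
                plan["review_registry"].append((ev["key"], ev["value"], ev["data"]))
    plan["delete_files"] = sorted(plan["delete_files"])
    plan["images"] = {pid: images.get(pid, "?") for pid in plan["kill"]}
    return plan


if __name__ == "__main__":
    # The root is the first process in the actor's tree (here the lure executable).
    for section, items in remediation_plan(EVENTS, 200).items():
        print(f"{section}: {items}")
```

Two design points matter for the “prevent reinfection” goal in the list above. First, the plan deletes the file an autostart entry points at even when no file-write event for it was captured, because that payload is what brings the host back under control after a reboot. Second, registry writes outside the assumed autostart locations are queued for review rather than removed, since blindly deleting them can damage the system the recovery is trying to preserve. On a real engagement the event source, the autostart list and the execution of the plan would all come from the EDR tooling in use.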