Can Organisations Turn Back Time after a Cyber-Attack?

Wednesday, May 23, 2018

Patrice Puichaud


In the aftermath of a cyber breach, the costs of disruption, downtime and recovery can escalate quickly. As recent high-profile attacks have shown, these costs can have a serious impact on an organisation’s bottom line. Last year, in the wake of the NotPetya attack, Maersk, Reckitt Benckiser and FedEx each had to warn that the attack had cost them hundreds of millions of dollars. Whilst the full extent is not yet known, it has underlined the financial impact that such breaches can have.

The severity of a breach is often measured by the cost of responding to it and remediating the damage. However, there are ways for organisations to minimise one particularly costly part of the process: newer approaches to post-breach remediation allow an organisation, in effect, to roll an affected system back to its ‘pre-breach’ state.

The costs of a breach

Cyber attacks can cripple a business and take days to clear up. For larger organisations affected by an incident, the cost of remediation can include damage to the brand’s reputation, legal costs, setting up response mechanisms to contact breach victims, and more. For smaller organisations the absolute costs may be lower, but they consume a greater proportion of operating revenue: lost data, damaged or inoperable equipment, and the disruption to normal business. There is also the cost of any fines imposed for failures in compliance. Ponemon now puts the average cost of a breach at $3.62 million.

This clean-up operation can be a serious drain on an organisation’s time and resources. Repairing compromised IT assets and recovering the data on them is consistently reported as one of the highest-cost elements of a breach. Ransomware in particular is likely to become harder to remediate as it targets systems that are more difficult to back up, so the cost of cleaning up after a breach is set to rise. Paying the ransom is no guarantee that files will be recovered: around 20% of ransomware victims who paid never got their files back.

Part of the challenge is that cyber attacks are getting smarter and stealthier, and stopping every attack in its tracks, before it reaches the network and can inflict any damage, is unrealistic. What organisations should aim for in every case is to identify the malware as quickly as possible, halt the executable, and isolate the infected endpoint from the network (ideally while keeping a management channel open so that forensic data can still be collected from it). During execution, malware often creates, modifies or deletes system files and registry settings, and changes configuration settings. These changes, or the remnants left behind, can cause system malfunction or instability, and some of them (a registry run key, a scheduled task) exist precisely so that the malware survives a reboot.

For organisations dealing with hundreds of incidents every week, re-imaging or rebuilding systems and restoring affected files has a serious impact on the business. There is not only the lost work to factor in, but also the downtime while systems are restored, as employees are stymied if they cannot reach the files and systems they need.

There are approaches through which these costs can be minimised. A newer generation of endpoint protection observes the behaviour of running code, flags activity that deviates from normal, and steps in during execution to stop it. Beyond blocking, this generation of solutions also has remediation capabilities that reverse the modifications the malware made.

This means that when files have been modified or deleted, or configuration or system settings changed, the damage can be undone without teams having to re-image systems. Automatically rolling a compromised system back to its pre-attack state minimises downtime and lost productivity. One caveat a practitioner should keep in mind: a rollback is only as good as the pre-attack copies it relies on, so those copies must be kept where the malware cannot reach them. Many ransomware families delete Volume Shadow Copies before they start encrypting precisely to defeat this kind of recovery, and any rollback should be followed by a check that the persistence mechanism which launched the malware has also been removed.
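To make the rollback idea concrete, here is a small added Python sketch. It is not the author’s or SentinelOne’s code and says nothing about how any product implements rollback; it simply shows the minimum a rollback needs: a baseline of file hashes plus content-addressed copies kept outside the protected tree, a diff that classifies every path as created, modified or deleted, and a restore step driven by that diff. The directory layout, the file names and the toy “encryption” used to simulate ransomware are all constructed for the example.

```python
"""Snapshot-and-rollback of a directory tree. Added illustration, not any product's code."""
import hashlib
import shutil
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def take_baseline(root: Path, store: Path) -> dict:
    """Hash every file under root and keep a content-addressed copy in store.

    The store must live where the malware cannot reach it (a separate volume,
    an immutable snapshot, a remote host); a copy inside root would simply be
    encrypted or deleted along with the originals.
    """
    manifest = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            digest = sha256_file(p)
            manifest[p.relative_to(root).as_posix()] = digest
            copy = store / digest
            if not copy.exists():          # identical content is stored once
                shutil.copy2(p, copy)
    return manifest


def diff_against_baseline(root: Path, manifest: dict) -> dict:
    """Classify every path as created, deleted or modified since the baseline."""
    current = {p.relative_to(root).as_posix(): sha256_file(p)
               for p in root.rglob("*") if p.is_file()}
    return {
        "created": sorted(set(current) - set(manifest)),
        "deleted": sorted(set(manifest) - set(current)),
        "modified": sorted(k for k in manifest
                           if k in current and current[k] != manifest[k]),
    }


def rollback(root: Path, manifest: dict, store: Path, changes: dict) -> None:
    """Undo the diff: remove what was created, restore what was altered or deleted."""
    for rel in changes["created"]:
        (root / rel).unlink()
    for rel in changes["deleted"] + changes["modified"]:
        target = root / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(store / manifest[rel], target)


def simulate_attack(root: Path) -> None:
    """Constructed stand-in for ransomware: overwrite documents, drop a note, delete a config."""
    for name in ("report.docx", "notes.txt"):
        p = root / name
        p.write_bytes(bytes(b ^ 0x5A for b in p.read_bytes()))  # toy 'encryption'
    (root / "README_DECRYPT.txt").write_bytes(b"your files are encrypted\n")
    (root / "conf" / "app.ini").unlink()


def demo() -> tuple:
    """Baseline -> attack -> diff -> rollback; returns the diff before and after rollback."""
    with tempfile.TemporaryDirectory() as tmp:
        root, store = Path(tmp) / "data", Path(tmp) / "store"  # store is outside root
        (root / "conf").mkdir(parents=True)
        store.mkdir()
        (root / "report.docx").write_bytes(b"quarterly numbers")
        (root / "notes.txt").write_bytes(b"meeting notes")
        (root / "conf" / "app.ini").write_bytes(b"debug=false\n")
        manifest = take_baseline(root, store)
        simulate_attack(root)
        before = diff_against_baseline(root, manifest)
        rollback(root, manifest, store, before)
        after = diff_against_baseline(root, manifest)
        return before, after


if __name__ == "__main__":
    print(demo())
```

The diff taken before rollback is also the forensic record of what the malware touched: one dropped note, one deleted config and two overwritten documents in this run. A real agent would journal changes as they happen rather than rescanning, and would cover registry keys and scheduled tasks as well as files, but the baseline-diff-restore shape is the same.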

Assessing the Impact

The work isn’t done yet: an often-overlooked part of post-event evaluation is working out how to prevent a repeat of the same incident. Timely, clear visibility of the kill chain and of the affected endpoints across the organisation is essential if security staff are to identify the scope of the problem quickly. To assess the impact and residual risk, an organisation needs assurance after the event that a given threat was (or was not) present on its estate, so the ability to search for Indicators of Compromise (IoCs) across every endpoint is vital. Forensic data recorded in real time lets the team track a threat as it unfolds or investigate afterwards, showing exactly which vulnerability or weakness the attacker exploited, and how. That pinpoints the parts of the system that were directly affected and determines whether any further remediation is required.
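As an added example of the IoC search described above (not code from the author or from any product), the following Python hunts through endpoint telemetry for a small indicator set and reports which hosts were affected, when each was first touched, and which hosts the telemetry clears. The telemetry records, the host names, the hash values and the domain are all constructed placeholders; none of them is a real indicator.

```python
"""Search endpoint telemetry for indicators of compromise. Added illustration, constructed data."""
import json
from collections import defaultdict

# Constructed indicator set: placeholder hash and domain, not real IoCs.
MALICIOUS_HASH = "deadbeef" * 8
BENIGN_HASH = "0f" * 32
IOCS = {
    "sha256": {MALICIOUS_HASH},
    "domain": {"update-check.example"},
    "path": {r"c:\users\public\svchost.exe"},
}

# Constructed telemetry, one JSON record per line as an EDR agent might forward it.
# WS-0142 runs the dropped binary after a Word macro; SRV-DB01 only resolves the
# C2 domain; WS-0007 runs the genuine svchost.exe from System32.
TELEMETRY = "\n".join(json.dumps(e) for e in [
    {"ts": "2018-05-21T09:14:02Z", "host": "WS-0142", "type": "process",
     "image": r"C:\Program Files\Microsoft Office\WINWORD.EXE", "sha256": BENIGN_HASH, "parent": "explorer.exe"},
    {"ts": "2018-05-21T09:14:07Z", "host": "WS-0142", "type": "file", "action": "create",
     "path": r"C:\Users\Public\svchost.exe", "sha256": MALICIOUS_HASH},
    {"ts": "2018-05-21T09:14:08Z", "host": "WS-0142", "type": "process",
     "image": r"C:\Users\Public\svchost.exe", "sha256": MALICIOUS_HASH, "parent": "WINWORD.EXE"},
    {"ts": "2018-05-21T09:14:09Z", "host": "WS-0142", "type": "dns", "query": "cdn.update-check.example"},
    {"ts": "2018-05-21T09:20:31Z", "host": "SRV-DB01", "type": "dns", "query": "update-check.example"},
    {"ts": "2018-05-21T09:21:00Z", "host": "WS-0007", "type": "process",
     "image": r"C:\Windows\System32\svchost.exe", "sha256": "11" * 32, "parent": "services.exe"},
])


def match_indicators(event: dict, iocs: dict) -> list:
    """Return (indicator_type, value) for every indicator the event matches."""
    hits = []
    digest = event.get("sha256")
    if digest and digest.lower() in iocs["sha256"]:
        hits.append(("sha256", digest.lower()))
    for key in ("image", "path"):             # executed image or file path on disk
        p = event.get(key)
        if p and p.lower() in iocs["path"]:
            hits.append(("path", p.lower()))
    q = event.get("query")
    if q:
        q = q.lower().rstrip(".")
        for d in iocs["domain"]:
            if q == d or q.endswith("." + d):  # subdomains of a C2 domain count too
                hits.append(("domain", q))
    return hits


def hunt(lines, iocs: dict) -> dict:
    """Map each affected host to its time-ordered list of (ts, type, value, event_type)."""
    found = defaultdict(list)
    for line in lines:
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        for kind, value in match_indicators(ev, iocs):
            found[ev["host"]].append((ev["ts"], kind, value, ev["type"]))
    return {host: sorted(hits) for host, hits in found.items()}


def hosts_seen(lines) -> set:
    return {json.loads(l)["host"] for l in lines if l.strip()}


def affected_hosts(found: dict) -> list:
    return sorted(found)


def clean_hosts(lines, found: dict) -> list:
    """Hosts that reported telemetry and matched nothing: the assurance half of the search."""
    return sorted(hosts_seen(lines) - set(found))


def first_seen(found: dict, host: str):
    return found[host][0][0] if host in found else None


if __name__ == "__main__":
    lines = TELEMETRY.splitlines()
    found = hunt(lines, IOCS)
    for host in affected_hosts(found):
        print(host, "first hit", first_seen(found, host), "hits", len(found[host]))
    print("clean:", clean_hosts(lines, found))
```

Note that a clean result only covers the hosts that actually reported telemetry in the window searched: a host that was offline, or whose agent was disabled, is unknown rather than clean, and should be listed separately.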

With the costs of breaches escalating, it’s more important than ever to have the capability to learn from incidents so that history does not repeat itself. Even if it is not possible to thwart every attack, a security approach that combines prevention, detection, automatic mitigation and forensics will ensure that the impact of any incident is minimised and that normal operations resume as quickly as possible.

About the author: Patrice Puichaud is Senior Director for the EMEA region, at SentinelOne.

The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.