Lessons from a Ransomware Response
Our focus as IT professionals is on providing services and preventing a major disaster. In reality, many organizations face strict budget constraints, limited staff, and shortfalls in existing technology. It is nearly impossible to protect yourself from every possible event, and doing so requires commitment from every level of the organization. The cause could be as simple as a single misconfiguration or careless end users, or as complex as an APT (Advanced Persistent Threat). If you have been targeted, it is probable that the attacker will have some level of success.
There are a few simple things we can do before a major event to prepare for the response.
- Printed list of locations and physical addresses. This is extremely useful when bringing in outside parties for assistance.
- Printed list of key vendors. Take an inventory of the key vendors for your environment, and collect the key contacts for each of them so they are readily available.
- Printed password list. Most organizations use password managers, many of which are hosted internally. If those machines have been compromised, or domain authentication is unreachable, you will still need a way to get into your environment and evaluate it. Limit the printed list to the break-glass accounts you would actually need, keep it somewhere physically secured, and rotate those credentials after any use.
- Printed restoration of services plan. A plan documenting the priority of each service, department, and system in your environment. It should be inclusive of everything. Assume you have no technology and need to start from the ground up. Also assume you are not the person executing the plan.
- Printed documentation. This is another tough one for many organizations, but any documentation is better than none. It could be as simple as notes or configuration documents from installation. Something as basic as a list of IP addresses for a critical system can save a huge amount of time.
It is important to remember that no plan, technology, or system is impenetrable. No matter how small or large your network is, these simple tasks can greatly reduce your recovery time and the impact on your organization.