Page 142 - Cyber Defense eMagazine December 2022 Edition
However, one of the most impactful issues facing organizations fell to fourth in the report, despite its
potential to fuel future ransomware attacks: the severity of data breaches.
After the significant disruption of an initial ransomware attack, it is easy for organizations to view
subsequent intrusions as standalone events, each compartmentalized in its circumstances and
highlighting yet another vulnerability that new tools need to solve.
It’s more likely that these ransomware attacks are recurring from data taken in the initial breach that has
become a force multiplier of new intrusions. Without organizations having full visibility into what data has
been compromised, they may be subject to a feedback loop of new ransomware attacks resulting from
data taken in the initial breach.
At its foundation, fully mitigating a ransomware attack is still a challenge for organizations. Even
if some organizations are able to retrieve their stolen data post-attack, that doesn't mean the data wasn't
already shared more widely for other follow-on attacks, as the multiple-attack data may indicate.
With current endpoint solutions only accounting for the initial infection on a device and not the additional
applications or tools that may have been impacted, a big part of the post-infection remediation is missing
for most organizations to truly be free of exposure.
The post-infection remediation approach
Remediating malware infection usually begins and ends with re-imaging the infected machine, but as
we’ve seen from recaptured data, criminal activity usually lives well beyond the scope of an initial malware
infection.
Post-infection remediation, rather than focusing just on the machine, requires exploring what information
was exposed and then remediating that exposure to its furthest reaches.
A machine’s infection is not fully remediated until the exposure of the user and the user’s impacted
applications are known and accounted for. This means taking the appropriate steps to re-image the
infected machine and researching the impacts of that infection concurrently to prevent new attacks from
materializing.
Factoring post-infection remediation into an enterprise’s cybersecurity plan helps prevent attackers from
re-accessing a network through malware-harvested credentials, stolen session cookies, and other data
exposed from an infostealer infection.
While wiping malware-infected devices is the first step, organizations also need full visibility into the
devices, applications and users that may have been compromised by an infection. Without all that
compromised data being remediated, the enterprise remains at risk for follow-on attacks including
ransomware.
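The following is an added example, not code from the article or from any product it describes. It models the remediation approach laid out above: an infostealer infection on one host is recorded together with the credentials and session cookies it harvested, and the planner computes what is still exposed after each remediation step. The `Infection`/`Exposure` structures, the sample data and the action names are all hypothetical constructs for illustration. The point it makes concrete is that re-imaging the host alone retires none of the account-level exposures, and that a password reset does not retire a session cookie that was already stolen, so both account actions are needed.

```python
from dataclasses import dataclass
from datetime import datetime


@dataclass(frozen=True)
class Exposure:
    """One item an infostealer harvested from the infected host (hypothetical model)."""
    kind: str          # "credential" or "session_cookie"
    user: str
    application: str


@dataclass(frozen=True)
class Infection:
    host: str
    user: str
    detected_at: datetime
    exposures: tuple   # tuple of Exposure


# Constructed sample data (not from any real incident): an infostealer on one
# laptop harvested saved browser passwords and live session cookies.
SAMPLE_INFECTION = Infection(
    host="laptop-17",
    user="jdoe",
    detected_at=datetime(2022, 11, 3, 9, 15),
    exposures=(
        Exposure("credential", "jdoe", "vpn"),
        Exposure("credential", "jdoe", "email"),
        Exposure("session_cookie", "jdoe", "email"),
        Exposure("session_cookie", "jdoe", "crm"),
    ),
)

# Which remediation action retires which kind of exposure. A password reset does
# not invalidate an already-stolen cookie, so cookies need their own action.
ACTION_FOR_KIND = {
    "credential": "force_password_reset",
    "session_cookie": "revoke_sessions",
}


def _action_for(exp):
    """The (action, target) pair that retires a single exposure; target is user@application."""
    return (ACTION_FOR_KIND[exp.kind], f"{exp.user}@{exp.application}")


def plan_remediation(infection):
    """Full action list: re-image the host *and* retire every exposure, without duplicates."""
    actions = [("reimage_host", infection.host)]
    for exp in infection.exposures:
        action = _action_for(exp)
        if action not in actions:
            actions.append(action)
    return actions


def residual_exposure(infection, completed):
    """Exposures that are still live after the given set of completed (action, target) pairs."""
    return [exp for exp in infection.exposures if _action_for(exp) not in completed]


def affected_applications(infection):
    """Applications whose owners must be looped into the remediation."""
    return sorted({exp.application for exp in infection.exposures})


def is_remediated(infection, completed):
    """True only when the host is re-imaged and no account-level exposure remains."""
    return ("reimage_host", infection.host) in completed and not residual_exposure(infection, completed)


if __name__ == "__main__":
    reimage_only = {("reimage_host", SAMPLE_INFECTION.host)}
    print("Still exposed after re-image only:", residual_exposure(SAMPLE_INFECTION, reimage_only))
    resets_too = reimage_only | {a for a in plan_remediation(SAMPLE_INFECTION) if a[0] == "force_password_reset"}
    print("Still exposed after re-image + password resets:", residual_exposure(SAMPLE_INFECTION, resets_too))
    print("Applications to notify:", affected_applications(SAMPLE_INFECTION))
    print("Fully remediated:", is_remediated(SAMPLE_INFECTION, set(plan_remediation(SAMPLE_INFECTION))))
```

In a real environment the exposure list would be populated from whatever visibility source the organization has into harvested data, and the actions would map onto the identity provider's reset and session-revocation operations; the planner's value is that it keeps the host work and the account work in one record, so the incident is not closed while a stolen cookie is still valid.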
Copyright © 2022, Cyber Defense Magazine. All rights reserved worldwide.