To borrow a phrase from Oscar Wilde, to fall victim to a ransomware attack once may be regarded as a misfortune. To fall victim to a ransomware attack twice looks like carelessness.

And yet, that is exactly what happened to an organisation just this month. They paid the ransom, received the decryption key, restored systems, and returned to ‘normal’, without carrying out post event analysis, and thinking the story was over and done with.

Until they were attacked by the same cyber criminals a second time, just two weeks later. They neglected to carry out a full post event analysis exercise to find out how the attack happened in the first place, and by doing that, let the attackers back in.

The lesson of this story is that without post event analysis which identifies compromised or vulnerable components of the network, and steps to remove or mitigate them, cyber criminals could take advantage, and successfully attack them again.

Why it’s important to understand the causes of a cyber attack

Cyber criminals are opportunistic attackers. Most victims are chosen simply because it is easy for them to make a profit from attacking them. Now that the attackers know that an organisation’s network is vulnerable to attack, they may try again.

In addition, most cyber attacks are not one and done. In some cases, the attackers may have been lurking inside a network for some time before they are detected. According to research, the dwell time, or time between the attackers first infiltrating a network, and the attack being identified, varies between 43 days and 56 days on average. Some ransomware attackers piggyback off other forms of software which lurk undetected in systems until ready to strike (see the example of the now defunct Emotet).

They will not withdraw from a network just because the attack is over, they will wait for the next opportunity. Therefore it is up to the victim to analyse the causes of the attack, and investigate the tactics, techniques and procedures (TTPs) that allowed the attacker to insert malware into the network, and compromise the organisation.

Once this post event analysis is done, the organisation needs to ensure that they have put the necessary control in place to both reduce the likelihood of another attack, and also to reduce the impact of an incident if it does happen again.

Post event analysis is a crucial step to recovery

For most organisations, a cyber attack is just the tip of the iceberg. Once the attack is over, they begin the long, arduous journey of rebuilding. Incident response and recovery requires the organisation to assess the damage, understand how their network security controls were compromised, rebuild systems, recover data, and more. This post event analysis can take weeks, disrupting operations and causing concern to customers.

However while understandably, efforts are focussed on returning to operations, incident recovery must also work quickly to identify the cause of the attack to avoid the attackers coming back in before the organisation has had the opportunity to close the vulnerability.

Avoid becoming a victim once, let alone twice

Cyber criminals are opportunistic – they attack organisations that they feel have weak defences. Avoid falling victim to a ransomware attack by ensuring that the organisation’s network security posture is mature enough to keep cyber criminals out.

Just some of the elements of securing an organisation’s network security include:

Monitor the network perimeter at all times, and ensure alerting systems are in place to pick up and notify of attacks
Segment networks to ensure that an attacker can’t compromise the entire network in the event of a breach
Prevent malware being delivered through emails by setting filters that only allow permitted file types, and alert when suspicious files are received
Make sure security patches are up to date
Change default passwords across all access points
Apply multi factor authentication to all systems where applicable
Support employees to set strong passwords and recognise the signs of a social engineering attack (for example a phishing or smishing attack)
Require the use of a VPN to access the organisation’s network from a remote location

And if these defences fail, ensure that there are solid incident response and recovery plans in place.

Incident response – ensuring all is not lost

Sadly, not all ransomware attacks can be prevented, and that’s why it is recommended to have a comprehensive, fully documented and tested incident recovery plan in place.

A complete, tested plan which includes requirements such as creating regular system backups will ensure that in the event of a ransomware attack the organisation is able to restore systems successfully, potentially avoiding the need to pay the ransom – avoiding a reputation hit, and the double costs of the ransom and post event analysis.

Further damage can also be avoided by including the tasks, roles, and responsibilities for team members to carry out, and in which order. For example, assign team members to inform the public or authorities, identify IT team members who need to work quickly to carry out the post event analysis and recovery functions, and even identify any expert support needed to achieve this.

And that circles back to the starting point. It’s not over until the post event analysis says so.

Stay safe

Cookie	Duration	Description
_GRECAPTCHA	5 months 27 days	This cookie is set by Google. In addition to certain standard Google cookies, reCAPTCHA sets a necessary cookie (_GRECAPTCHA) when executed for the purpose of providing its risk analysis.
cookielawinfo-checkbox-advertisement	1 year	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Advertisement".
cookielawinfo-checkbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checkbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
elementor	never	This cookie is used by the website's WordPress theme. It allows the website owner to implement or change the website's content in real-time.
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.

Cookie	Duration	Description
_ga	2 years	This cookie is installed by Google Analytics. The cookie is used to calculate visitor, session, campaign data and keep track of site usage for the site's analytics report. The cookies store information anonymously and assign a randomly generated number to identify unique visitors.
_gat_UA-176747747-1	1 minute	This is a pattern type cookie set by Google Analytics, where the pattern element on the name contains the unique identity number of the account or website it relates to. It appears to be a variation of the _gat cookie which is used to limit the amount of data recorded by Google on high traffic volume websites.
_gid	1 day	This cookie is installed by Google Analytics. The cookie is used to store information of how visitors use a website and helps in creating an analytics report of how the website is doing. The data collected including the number visitors, the source where they have come from, and the pages visted in an anonymous form.
CONSENT	16 years 5 months	These cookies are set via embedded youtube-videos. They register anonymous statistical data on for example how many times the video is displayed and what settings are used for playback.No sensitive data is collected unless you log in to your google account, in that case your choices are linked with your account, for example if you click “like” on a video.

Cookie	Duration	Description
IDE	1 year 24 days	Used by Google DoubleClick and stores information about how the user uses the website and any other advertisement before visiting the website. This is used to present users with ads that are relevant to them according to the user profile.
test_cookie	15 minutes	This cookie is set by doubleclick.net. The purpose of the cookie is to determine if the user's browser supports cookies.
VISITOR_INFO1_LIVE	5 months 27 days	This cookie is set by Youtube. Used to track the information of the embedded YouTube videos on a website.
YSC	session	This cookies is set by Youtube and is used to track the views of embedded videos.

A Cyber Attack Isn’t Over Until the Post Event Analysis Says So

Why it’s important to understand the causes of a cyber attack

Post event analysis is a crucial step to recovery

Avoid becoming a victim once, let alone twice

Incident response – ensuring all is not lost

Recent Posts

How to build a cybersecurity strategy for startups

ISO 27001 vs SOC 2 – Which is better for your organisation?

Encryption of data in use: A new standard in data protection

What is HIPAA Compliance for Startups?

Benefits of ISO 27001: Why you need a cybersecurity framework

Are you the weakest link? How to prevent software supply chain attacks

Services

Location & Contact Details

Stay Connected