This blog post is part of a series of cyber incident top tips; you can view them all here.
Imagine the worst has happened: ransomware has infiltrated your critical systems, bringing your operations to a standstill. Your internet connections are shut down, and the cause and entry route of the ransomware attack remains unclear. To make matters worse, your forensic logs are either unavailable or were never in place to begin with.
Where Do You Start?
In this dire situation, there’s only one safe route to restoration: rebuild everything in a new ‘clean’ environment. Your external incident response team has set up the right protective measures and 24/7/365 monitoring for this new environment, but now you face the monumental task of rebuilding all your systems from scratch.
This can be daunting, so we have put together a step-by-step guide to steer you in the right direction.
1. Assessment and Planning
Initial Assessment:
- Determine the Extent of the Damage: Work with your incident response team or provider to assess the full impact of the ransomware attack. Identify which systems are compromised and prioritise them based on criticality to your operations
- Evaluate Your Backups: Check the integrity and availability of your backups. Verify that they are clean and can be restored without reintroducing malware into the new environment
Planning the Rebuild:
- Define Objectives and Scope: Outline the goals for the rebuild, focusing on essential systems that must be operational first. Define the scope of work, timelines, and resources needed
- Develop a Rebuild Strategy: Create a detailed plan that includes the sequence of system restorations, roles and responsibilities, and the tools and technologies needed
2. Secure a Clean Environment
Set Up a Clean Environment:
- Isolate the New Environment: Make sure that the new environment is completely isolated from the infected network to prevent cross-contamination
- Implement Security Measures: Deploy strong security measures in the new environment, including firewalls, anti-virus software, and intrusion detection systems
Continuous Monitoring:
- 24/7/365 Monitoring: Set up continuous monitoring to detect and respond to any suspicious activity immediately. This includes real-time threat detection and incident response capabilities
3. Rebuild Critical Systems
Prioritise Critical Systems:
- Identify Critical Systems: Start with the systems that are most critical to your business operations. This may include servers, databases, and applications essential for day-to-day activities
- Stage the Rebuild: Rebuild systems in stages, starting with the most critical and working towards less critical systems. Check that each stage is thoroughly tested before moving on to the next
Restoration and Verification:
- Restore from Backups: Carefully restore data and applications from clean backups. Verify the integrity of the restored data and make sure that no malware is reintroduced
- Functional Testing: Conduct thorough testing of each system to ensure it operates correctly and securely in the new environment
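Checking that a backup is intact before it is restored (the point made under both “Evaluate Your Backups” and “Restore from Backups”) is something a script can do reproducibly rather than by eye. The following Python is an added example, not code from the original post or from its authors. It assumes that a SHA-256 manifest of every file was written when the backup was taken, and that the manifest is authenticated with an HMAC whose key is kept apart from the backup media (in a vault, not on the backup volume); the file names, contents and key below are constructed for the demonstration.

```python
"""Verify a backup set against the hash manifest recorded at backup time.

Added example, not from the original post. Assumes a manifest written when
the backup was taken (relative path + SHA-256 per file) and an HMAC over that
manifest keyed with a secret stored away from the backup media.
"""
import hashlib
import hmac
import json
import tempfile
from pathlib import Path

# Constructed key for the demo. In practice it lives in a vault, never on the
# backup volume, so that whoever can alter the backup cannot also re-sign it.
MANIFEST_KEY = b"constructed-demo-key-keep-this-off-the-backup-media"


def hash_file(path: Path, chunk_size: int = 1 << 20) -> str:
    """SHA-256 of a file, read in chunks so large archives fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(backup_root: Path) -> dict:
    """Record the relative path and SHA-256 of every file under backup_root."""
    files = {}
    for path in sorted(p for p in backup_root.rglob("*") if p.is_file()):
        files[path.relative_to(backup_root).as_posix()] = hash_file(path)
    return {"files": files}


def sign_manifest(manifest: dict, key: bytes) -> dict:
    """Attach an HMAC so that an edited manifest is detectable at restore time."""
    body = json.dumps(manifest["files"], sort_keys=True).encode()
    mac = hmac.new(key, body, hashlib.sha256).hexdigest()
    return {"files": manifest["files"], "hmac": mac}


def write_manifest(backup_root: Path, manifest_path: Path, key: bytes) -> None:
    """Create and sign the manifest at backup time."""
    manifest_path.write_text(json.dumps(sign_manifest(build_manifest(backup_root), key)))


def verify_backup(backup_root: Path, manifest_path: Path, key: bytes) -> dict:
    """Compare the backup set with its manifest and report every discrepancy."""
    manifest = json.loads(manifest_path.read_text())
    body = json.dumps(manifest["files"], sort_keys=True).encode()
    expected_mac = hmac.new(key, body, hashlib.sha256).hexdigest()
    manifest_tampered = not hmac.compare_digest(expected_mac, manifest.get("hmac", ""))

    current = build_manifest(backup_root)["files"]
    recorded = manifest["files"]
    report = {
        "manifest_tampered": manifest_tampered,
        "modified": sorted(p for p in recorded if p in current and current[p] != recorded[p]),
        "missing": sorted(p for p in recorded if p not in current),
        "extra": sorted(p for p in current if p not in recorded),
    }
    report["ok"] = not manifest_tampered and not (
        report["modified"] or report["missing"] or report["extra"]
    )
    return report


def run_demo() -> dict:
    """Constructed scenario: a clean backup, then one with an altered file, a
    planted file and a deleted file, then the same backup with a manifest that
    was edited without the key to hide the alteration."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "backup"
        (root / "db").mkdir(parents=True)
        (root / "logs").mkdir()
        (root / "db" / "orders.sql").write_bytes(b"INSERT INTO orders VALUES (1, 'widget');\n")
        (root / "config.ini").write_bytes(b"[app]\nmode=prod\n")
        (root / "logs" / "app.log").write_bytes(b"2024-01-01 00:00:00 started\n")
        manifest = Path(tmp) / "manifest.json"  # stored off the backup volume in practice
        write_manifest(root, manifest, MANIFEST_KEY)
        results["clean"] = verify_backup(root, manifest, MANIFEST_KEY)

        # Backup media changed after the manifest was taken.
        (root / "config.ini").write_bytes(b"[app]\nmode=prod\nextra_setting=1\n")
        (root / "db" / "extra.bin").write_bytes(b"not in manifest")
        (root / "logs" / "app.log").unlink()
        results["tampered_files"] = verify_backup(root, manifest, MANIFEST_KEY)

        # Manifest rewritten to match the altered file, but without the key:
        # the per-file hashes now agree, yet the HMAC no longer verifies.
        data = json.loads(manifest.read_text())
        data["files"]["config.ini"] = hash_file(root / "config.ini")
        manifest.write_text(json.dumps(data))
        results["tampered_manifest"] = verify_backup(root, manifest, MANIFEST_KEY)
    return results


if __name__ == "__main__":
    for name, report in run_demo().items():
        print(name, json.dumps(report))
```

A passing check only proves that the backup still matches what was captured. If the network was already compromised when the backup was taken, the files will match their manifest and still be unsafe, so pair this with malware scanning and with dating each backup set against the suspected intrusion window before choosing which one to restore into the clean environment.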
4. Address IT Resource Needs
Assess IT Headcount:
- Evaluate Resource Availability: Do you have enough IT personnel to complete the task before your organisation suffers irreversible damage? Rebuilding systems requires more resources than maintaining them, and the scale of this task could overwhelm your existing IT team
- Identify Potential Gaps: Identify any gaps in skills or manpower that need to be filled to complete the rebuild efficiently
Secure Additional Resources:
- Engage External IT Resources: In the event of a major breach, especially one affecting remote sites and various geographies, one of your earliest actions should be to secure additional IT resources. Lining up local, trusted IT resource suppliers to carry out your instructions in restoring service and building new systems can be a lifesaver
- Coordinate Efforts: Manage and coordinate the efforts of internal and external teams to ensure a seamless rebuild process
5. Seizing the Opportunity to ‘Build Back Better’
Take Advantage of the Opportunity:
- Leverage Crisis for Improvement: Use this rebuilding phase as an opportunity to upgrade outdated systems and improve overall infrastructure. Management is often more open to investing in new solutions during a crisis
- Enhance Cyber Resilience: Focus on building a more resilient IT environment that can better withstand future attacks. This includes regular backup testing, continuous monitoring, and employee training
The Benefit of Having a Business Continuity Plan
One of the most critical elements of effective cyber resilience is having a tried and tested business continuity plan in place. While rebuilding in a clean environment, your business continuity plan should allow your business to continue operating within a recovery environment. This ensures that your operations are maintained even as your primary systems are being restored, minimising downtime and protecting your data.
Conclusion
Facing a ransomware attack is a nightmare scenario, but with the right preparation and response strategy, it can also be an opportunity for improvement. Ensuring you have a reliable incident response plan, adequate backups, and additional IT resources on standby can make the difference between a catastrophic loss and a successful recovery.
Need Some Help?
Contact us today to discuss your cyber security needs and explore how our comprehensive solutions can help protect your data and ensure a swift, effective recovery in the event of an attack.
This blog post is part of a series of cyber incident top tips; you can view them all below:
- Tip 01: Taking advantage of ransomware’s biggest secret!
- Tip 02: Securing your backups from vulnerabilities
- Tip 03: Beware of automated response dangers!
- Tip 04: The importance of disconnecting yourself during a breach
- Tip 05: How to integrate your anti-virus protection with SIEM
- Tip 06: Ensure that your insurance covers cyber incidents
- Tip 07: Preparing for the worst – rebuilding after a major ransomware attack
- Tip 08: Who you should call first during a cyber breach
- Tip 09: Hold onto the evidence – why securing system logs is essential for cyber incident response
- Tip 10: What you need to know to make sure your penetration testing is effective
- Tip 11: Why tabletop exercises are crucial for incident response
- Tip 12: Famous last words – misconceptions before a major cyber breach