Our 2021 Data Security Incident Response Report discussed the challenges that organizations are facing with forensic investigations and ransomware recovery in the work-from-home world. Some of the greatest difficulties our clients encountered in the past year involved key components of incident response — communicating with employees, resetting remote user passwords, and deploying endpoint detection and response (EDR) tools at scale. There are steps that organizations can (and should) take to put themselves in a position to respond to incidents efficiently and effectively in a remote-work paradigm.
First, as part of your incident response plan (IRP), identify the partners you are going to engage to help you respond to an incident. The top three are your legal counsel, forensic firm, and recovery support or “helping hands” provider. Your cyber insurance carrier likely has an approved panel of providers for some or all of these services. Research who they are, include their contact information in your IRP, and maintain a copy of your IRP off your network so it remains accessible if the network is down or encrypted.
Second, make sure you have a way other than email to communicate with your employees. If your network is down or the threat actor has compromised your email tenant, your usual communication channel may not be an option. You or your helping hands provider may need to contact employees to help them reset passwords, enable multifactor authentication, or reconnect to your network, and you’ll need a way to do it. You should also develop a protocol that you and your employees can follow to verify each other’s identities when you’re calling to provide remote support after an incident. Your employees may not cooperate if they don’t recognize the person on the other end of the line. Or they may be too trusting and may provide information that could allow the threat actors to recompromise your network. A secure, predefined protocol can help prevent both scenarios.
Third, use a remote management tool in your environment. A vital component of achieving containment after a network intrusion is deploying an EDR tool widely and quickly so your forensics provider can monitor your network, terminate unauthorized activity, and collect forensic evidence. Prior to the pandemic, companies often relied on endpoints being connected to the corporate network to push these tools. With employees now working from home, we have seen clients without a remote management tool struggle to deploy EDR solutions to their employees’ devices. While there are ways to work around these complications, they are much less efficient. A process that can take a few days with a remote management tool can take weeks without it.
The same is true for password resets. Clients with remote password reset tools have been able to execute enterprise-wide password resets after an incident in an efficient and organized fashion. If you do not have this capability, then your only options may be to provide employees with instructions for doing it themselves (and wait for the deluge of help desk calls) or make outbound calls to all employees to walk them through the process. Organizations rarely, if ever, have the internal resources to handle these tasks, and the cost for your recovery support provider to perform the work can be significant — often hundreds of thousands of dollars, depending on the size of your organization. The time to complete the tasks also increases significantly. Between the initial preparations for the password resets and the calls themselves, the overall effort can take hundreds of hours to complete at a time when every hour counts.
Fourth, consider deploying an EDR solution. The only thing better than having a way to quickly deploy EDR after an incident is to have it deployed beforehand to prevent an incident from occurring. We have represented many clients that, through the use of EDR tools, detected preparations for a ransomware attack in their network and evicted the threat actors before they could accomplish their objectives. EDR tools give companies the ability to remotely monitor employee devices for unauthorized activity and to remotely contain and remediate a device. They also allow forensics firms to more quickly gather evidence about the actions the threat actors took on the device before they were detected. When coupled with traditional antivirus programs, EDR tools can provide a much greater level of protection for your remote workforce and thus your organization.