Threat-Informed Response: Accelerating Investigation and Recovery
When an organization identifies that they’ve been the victim of a serious incident such as a ransomware attack, their speed of response is critical.
The longer it takes to answer important investigative questions – how did the attacker gain initial access to the environment, what persistence mechanisms are in place, how did the attacker escalate privileges, what credentials were compromised during the incident, what systems were accessed by the attacker, was any data exfiltrated, etc. – the longer the adversary has to cause harm. Finding the answers to these questions may take time consuming analysis, but strong intelligence about the threat actor or threat group can expedite the investigation and recovery effort. In addition, it accelerates the response team’s ability to answer these important questions. The sooner an organization understands the details surrounding the cyberattack, the sooner they can contain, remediate, and recover from the incident.
Threat actor playbooks
Ransomware attacks have been widespread in recent years, impacting tens of thousands of organizations worldwide. One of the most prolific ransomware groups is known as Conti. Conti is believed to have been responsible for more than 850 ransomware attacks. The group has been consistent in how they carried out ransomware attacks, so much so that we believe they were following a specific playbook to carry out their operations – much like security teams leverage playbooks when responding to specific incidents. Our suspicion was confirmed in early 2022 when a large amount of data from the Conti group was leaked publicly, which included the group’s internal playbooks. The playbooks included information such as specific tools to use, commands to run, and even how to determine a victim organization’s insurance levels to use as additional leverage during ransom negotiations.
Respond with intelligence
From an incident response standpoint, the more you know about the threat actor, the more quickly and efficiently you can identify attacker activity during an investigation. After the Russia/Ukraine war began in 2022, a number of major ransomware groups disbanded and a number of newer and lesser known ransomware groups were formed. The new groups have evolved their own tactics, techniques, and procedures (TTPs) and their operations and actions aren’t as consistently predictable as with larger groups like Conti. Staying on top of the latest intelligence available for these new groups and their methods is a daily battle; but doing so enables a strong and effective response to any threats facing your organization.
Ransomware continues to devastate companies and cause significant harm to business operations and reputations. By leveraging timely and relevant threat intelligence, your organization can accelerate its response time.
Tags: Incident Response