Incident Response - Containment
We are always available and extremely responsive.
Containment
Run endpoint detection and response (EDR or MDR)
Security automation is critical in any attack, and especially in a ransomware infection. Your organization should have an endpoint detection and response (EDR) solution in place beyond basic antivirus protection. An EDR solution helps in a malware attack in several ways: [Talk to your CITS representative about the EDR solution we automatically implement for all our clients]
- It can help detect an attack in its earlier stages. Detecting on day two instead of day four can avert much wider impact to the infrastructure.
- It can quarantine infected devices, keeping them powered on but disconnected from everything on the network. Infected devices then retain volatile forensic data (memory, running processes, open network connections) that a power-off would destroy, yet can no longer cause damage beyond the local system.
- It can help with forensics as remediation continues.
If you do not already run a designated EDR solution, your organization will have to deploy one at the onset of a ransomware attack. Your external service provider can also do this if you enlist assistance from incident response experts.
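The quarantine described above is normally a one-click action in the EDR console. When no EDR is in place yet and a host must be contained immediately, the same effect can be produced by hand with the Windows firewall. The script below is an added example, not CITS's EDR product or code from the original page: it keeps the host powered on, snapshots live connections, denies all traffic by default, and leaves only the incident-response collector reachable. The collector address (10.0.0.50) and the rule-name prefix are hypothetical values chosen for the example.

```powershell
# Added example (not CITS's EDR or this page's own code): manual network quarantine of a
# suspected-infected Windows host. The host stays powered on so memory, processes and
# timestamps survive for forensics; only network traffic is cut. Run elevated on the host.
param(
    [string]$IrServer = '10.0.0.50',    # ASSUMED address of the IR/EDR collection server
    [string]$Tag      = 'IR-Isolation'  # prefix for rules and files we create, so they can be found and reversed
)

$evidenceDir = "$env:ProgramData\$Tag"
New-Item -ItemType Directory -Path $evidenceDir -Force | Out-Null

# 1. Capture volatile network state BEFORE cutting connectivity. This is exactly the
#    evidence a power-off (or an immediate cable pull) would lose.
Get-NetTCPConnection -State Established |
    Select-Object LocalAddress, LocalPort, RemoteAddress, RemotePort, OwningProcess |
    Export-Csv -Path "$evidenceDir\connections.csv" -NoTypeInformation

# 2. Record current profile defaults and the names of every enabled rule, so the IR team
#    can restore the host to its pre-isolation state later.
Get-NetFirewallProfile |
    Select-Object Name, Enabled, DefaultInboundAction, DefaultOutboundAction |
    Export-Clixml -Path "$evidenceDir\profile-backup.xml"
$enabledRules = Get-NetFirewallRule -Enabled True
$enabledRules | Select-Object -ExpandProperty Name | Set-Content -Path "$evidenceDir\enabled-rules.txt"

# 3. Disable all existing allow rules. Windows Firewall honours enabled allow rules even when
#    the profile default is Block, so leaving them on would leave holes (DNS, discovery, etc.).
$enabledRules | Disable-NetFirewallRule

# 4. Deny everything by default on all profiles, inbound and outbound.
Set-NetFirewallProfile -All -Enabled True -DefaultInboundAction Block -DefaultOutboundAction Block

# 5. Re-open traffic to the IR/EDR collector only, in both directions, so evidence can still
#    be pulled from the isolated host.
New-NetFirewallRule -DisplayName "$Tag-Allow-IR-Out" -Direction Outbound -RemoteAddress $IrServer -Action Allow -Profile Any | Out-Null
New-NetFirewallRule -DisplayName "$Tag-Allow-IR-In"  -Direction Inbound  -RemoteAddress $IrServer -Action Allow -Profile Any | Out-Null

Write-Host "Host isolated: only $IrServer is reachable. Leave the host powered on. Evidence in $evidenceDir"
```

Two practical caveats: if the host gets its address from DHCP, add an allow rule for UDP 67/68 or the lease will eventually expire and the collector path with it; and the reversal is to re-enable the rules listed in enabled-rules.txt and restore the saved profile defaults, which is why both are written out before anything is changed.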
Last resort containment - Terminate access
If the organization cannot quickly determine the source of the ransomware infection and the host where the encryption process originated, it should, as a last resort, consider taking the file share(s) offline to minimize risk and impact to the business. The file server(s) do not need to be shut down, but all access to the file shares should be terminated (remove the share, restrict it with a network or host-based firewall ACL, and so on).
Do not try to restrict access by changing permissions on the files within the shared location. Depending on the number of files, NTFS permission propagation can take hours, and the encryption process keeps running the whole time; removing the share or blocking the port takes effect immediately. If SMB (CIFS) shares are also served from other operating systems, such as Samba on UNIX or Linux, remember to cut access to those as well. Ransomware uses SMB to reach across the network and find more places with data to encrypt, so closing every share greatly reduces the chance of it spreading.
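The share termination just described, carried out on a Windows file server, as an added example that is not CITS's procedure or code from the original page. It preserves the session and open-file evidence first (open handles on many files from a single client are the usual lead on the encrypting host), removes the shares without touching NTFS permissions, drops existing client sessions, and blocks inbound SMB at the host firewall. The share names 'Finance' and 'Projects' and the rule-name prefix are hypothetical values chosen for the example.

```powershell
# Added example (not CITS's procedure): terminate all access to SMB file shares during
# ransomware containment WITHOUT changing file permissions. The server stays up.
# Run elevated on the file server.
param(
    [string[]]$Shares = @('Finance', 'Projects'),  # ASSUMED share names in scope
    [string]$Tag      = 'IR-Containment'           # prefix for the rule and evidence files we create
)

$evidenceDir = "$env:ProgramData\$Tag"
New-Item -ItemType Directory -Path $evidenceDir -Force | Out-Null

# 1. Evidence first: which clients have sessions, and which files they hold open right now.
#    A client with hundreds of open handles under the share is a strong lead on the encrypting host.
Get-SmbSession |
    Select-Object ClientComputerName, ClientUserName, NumOpens, SecondsIdle |
    Export-Csv -Path "$evidenceDir\smb-sessions.csv" -NoTypeInformation
Get-SmbOpenFile |
    Select-Object ClientComputerName, ClientUserName, Path, ShareRelativePath |
    Export-Csv -Path "$evidenceDir\smb-openfiles.csv" -NoTypeInformation

# 2. Save the share definitions (path, share ACL, caching settings) so they can be recreated after recovery.
Get-SmbShare -Name $Shares | Export-Clixml -Path "$evidenceDir\shares-backup.xml"

# 3. Remove the shares. This is immediate: it drops the share object only, never the data
#    or its NTFS ACLs, so there is no permission propagation to wait for.
foreach ($share in $Shares) {
    Remove-SmbShare -Name $share -Force
    Write-Host "Removed share $share"
}

# 4. Close every remaining SMB session so in-flight file handles are released.
Get-SmbSession | Close-SmbSession -Force

# 5. Belt and braces: block inbound SMB (TCP 445) at the host firewall so no share,
#    including the administrative C$/ADMIN$ shares, is reachable until the IR team lifts the rule.
New-NetFirewallRule -DisplayName "$Tag-Block-SMB-In" -Direction Inbound -Protocol TCP -LocalPort 445 -Action Block -Profile Any | Out-Null

Write-Host "Share access terminated. Server remains online; evidence in $evidenceDir"
```

Blocking 445 also cuts remote administration over SMB to this server, so keep RDP or WinRM available for the responders. On a Samba host the analogous steps are `smbcontrol smbd close-share <sharename>` to drop client connections to a share and a host firewall rule on TCP 445; again, leave the file-system permissions alone.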