Data from SonicWall’s 2021 Cyber Threat Report showed more ransomware attacks in the first half of 2021 than in all of 2020. Much of the recent conversation around ransomware (fueled by attacks like the Colonial Pipeline and Kaseya) has focused on prevention, but clearly successful attacks will still happen if the attackers are persistent enough.
Given that, companies also need to carefully consider their ability to respond and recover from a ransomware incident. While the key component of recovery is maintaining and testing backups of critical data, one aspect of recovery that’s often overlooked is having access to the stored packet data from the lead-up and ransomware attack itself.
High-quality packet data is important for ransomware recovery in three critical ways: (a) For determining the timeframe for backup restoration; (b) For creating a record of the attack for incident response (especially for legal and compliance reporting); (c) and for analyzing the attack itself to prevent it from happening again.
How far back should we restore from?
Imagine an IT team that just endured a ransomware attack and all or most of their critical business data was encrypted and locked. Assuming they have a backup strategy, they will need to examine packet data-based forensics from before and during the ransomware attack to know how far back to restore their backup from. Do they need to go back a day, three days, a week or more? Malware will often lie dormant on a network for a while to avoid detection or spread slowly before it locks down critical systems.
According to Mandiant, dwell time for malware overall and ransomware specifically has been decreasing over the last few years, but the median global ransomware dwell time is still five days – plenty of time for potential confusion. IT will want to restore the system to a malware-free state (i.e., before the malware entered the network), and packet data can be critical to identifying the precise moment of compromise.
At the same time, companies want to lose as little data as possible, so restoring from a backup that’s older than it needs to be (“just to be safe”) is counterproductive. Without detailed analysis of packet data, they’ll be forced to guess how far back to rewind the clock – and hope they got it right. Therefore, capturing and storing the network traffic with a “rolling-buffer” will complement a data backup strategy. In other words, organizations need a backup of data-in-motion (network traffic) as well as a backup of data-at-rest (business data) to really cope with the ransomware.
Forensics, analysis and reporting
Access to packet data allows IT and Security Operations (SecOps) teams to conduct detailed incident response and forensic investigation to determine exactly what the attack was, how it breached the security perimeter, and how it spread. This sort of forensic analysis is only possible with stored packet data, which creates a record of events leading up to and during the breach. As they say, “Packets never lie.”
SecOps team members or external consultants can comb through the data to find the original malware that caused the attack, determine how it got onto the network in the first place, map how it traversed the network and determine which systems and data were exposed.
Note that the storage capacity required to store even a week’s worth of packet data can quickly become prohibitively expensive for high-speed networks. To have a realistic chance of storing a large enough buffer, these organizations will need to be smart about where to capture and how much to capture. One way to do this is to use intelligent packet filtering and deduplication by front-ending the packet capture devices with a packet broker to reduce the amount of data saved.
Another method is using integrations between the security tools and the capture devices to only capture packet data correlated with incidents or high alerts. Using a rolling buffer strategy to overwrite the data after a “safe period” has passed will also reduce storage requirements.
Beyond remediation, this packet data is vital for reporting the attack to the appropriate authorities and documenting the incident and response for legal purposes. Significant ransomware attacks should be reported to the FBI’s Internet Crime Complaint Center and local law enforcement, as well as any regulatory agencies that the victim falls under.
Most of the major compliance regulations today, such as PCI-DSS, HIPAA and GDPR require this notification, and many will specifically ask if packet data is available for their own investigative and reporting. Relevant packet data will also be important evidence in any legal proceedings.
Fixing vulnerabilities for the future
As touched on above, packet data allows IT to analyze an attack in depth, and thus understand how to prevent it in the future. It identifies rogue devices connected on the network, suspicious activity such as large file transfers at odd times, unusual patterns, and many other indicators of what happened, when it happened, where it happened, and why it happened. This is important not only for identifying the actual incident or breach itself so that the perimeter can be hardened, but also for understanding how the malware hid or spread across the network.
This allows the IT or SecOps team to strengthen the security posture of internal systems, processes and people to limit the penetration and impact of any future incidents. The packets themselves create a roadmap to the attack, eliminating guesswork and supposition for a fast, accurate assessment.
Gathering the packet data to prepare for ransomware recovery is no small task – it requires accessing physical, virtual and cloud-native elements of the distributed network stretched across the data center, branch offices and multi-cloud environments. This necessitates using both physical and virtual network probes to consolidate data and deliver it to security tools, as well as packet capture devices to store the data – which is required if companies are serious about ransomware attacks, and security in general.
The more extensive and versatile the probing mechanism, and the easier it is to access, index and analyze this data (preferably in a “single pane of glass” fashion), the easier it will be to detect, report and analyze a ransomware attack to restore the business continuity, and thus the more prepared organizations will be against the future threats.