Security Forensics: 4 Steps IT Teams Should Take to Handle Ransomware Attacks Like WannaCry and Petya
Another day, another cyberattack. Just as companies were recovering after the WannaCry attack, a number of organizations were hit by Petya… or NotPetya. Name it as you see fit. In a matter of just two months, two devastating ransomware attacks have crippled networks globally. Clearly, security threats are multiplying in intensity and complexity. But what are enterprises doing to address the security forensics leg of their defense strategy?
As security threats have increased, enterprise IT teams have been racing to stay one step ahead of the hackers. Our annual State of the Network study found that three out of four teams spent up to 10 hours a week fire-fighting cybersecurity issues. Yet, it is an uphill struggle. The challenge facing IT teams is further compounded by the exponential network traffic growth, compelling enterprises to embrace advanced technologies such as higher capacity data center interconnects, software-defined networking (SDN) and cloud. This combination of new technology adoption, accelerating traffic and cyber threats is creating unprecedented complications for IT managers. It is the perfect storm and enterprise IT teams are being inundated.
Unfortunately, cyberattacks are not a matter of if – but when. Traditional strategies are not working, so many IT teams are moving away from prevention and detection-only approaches by defending their networks with enhanced security forensics strategies.
Here are four practical steps IT delivery teams can follow to be better prepared:
- Step 1: Know your “normal” – Start measuring network traffic and behavior over time using automated benchmarking in commercial network performance monitoring and diagnostic (NPMD) tools, such as Observer Apex. This will help you to recognize abnormal traffic levels to pinpoint security issues not detected by standard security prevention tools.
- Step 2: Know your speed of discovery – According to a recent Mandiant M-Trends report, the median number of days that attackers were present on a victim’s network before being discovered is around 146 days; despite the use of traditional security tools. Using packet capture with retrospective analysis, network teams can rewind to the time of an incident and track exactly what the hackers accessed.
- Step 3: Know your long-term packet retention needs – For many networks, a purpose-built appliance with complete packet capture and analytics may be the next step for security forensics. Depending on size and volume, there are appliances like Observer GigaStor that can capture and store over a petabyte of network traffic up to 40 Gbps line rate for later analysis, providing ample historical time horizons for forensic investigations and complete remediation.
- Step 4: Know your team – Facilitate effective network and security team cooperation. Ensure successful collaboration between network and security teams on investigations with documented workflows and integration between security, network forensics, and performance management tools.
With smart network monitoring to indicate irregular network behavior and full packet visibility for post-attack security forensics, IT teams can achieve 24/7 insight into their network to help ensure troubleshooting and threat intelligence information is always available. Because although we don’t know what the next cyberattack will be called, ransomware by any other name is still a major threat to your business and your reputation.
To learn more about Viavi’s security forensics solutions, read more here.