You got ransomware, now what?
As mentioned earlier, there have been several cases reported in which organizations that have just recovered from a ransomware attack have been attacked again just days or weeks after the initial attack.
This is because most of the focus in the aftermath of an attack is on restoring systems and infrastructure from backup or setting up systems again so that your IT systems remain available to your end users. The problem is that if a new attack occurs, all that time and effort is lost, because you have to go through the same process again.
Therefore, it is important to have processes in place to ensure that you are also able to find out how the attack occurred, and to close the vulnerability or remove the attack vector in question.
Sometimes, we have a lot of insight into logs and alerts that have been collected, which allows us to pinpoint where it started. However, sometimes, we have little information since our SIEM tooling or infrastructure was also targeted...