After a Ransomware Infection – Enhancing Security for Your Infrastructure Against Further Intrusion

In a previous blog, we outlined the essential steps that organizations should take within the first two days after the detection of a ransomware attack. In this follow-up post, we’ll discuss what an organization should do after the initial response to reduce the risks of future attacks. We’ll also highlight how Progress Flowmon can support ongoing network monitoring, early detection of attacks and reduction of further damage.

Webinar: The First 48 Hours of Ransomware Incident Response 

These topics are discussed further in our webinar, The First 48 Hours of Ransomware Incident Response, hosted by Flowmon product experts, Roman Cupka and Filip Cerny.  

Preventing Further Infections 

Once the security response team has dealt with a ransomware incident, it’s essential to leverage the lessons and take steps to reduce the risk of further attacks.   

Mitigating the risk of follow-up attacks and future ransomware infections  requires IT teams to enhance the security of their network infrastructure. This can be achieved via a combination of quick-win activities, long-term changes to technology solutions and updates to your network monitoring tools. The quick-win activities to carry out after the initial response include: 

• Changing passwords and refreshing any private keys used prior to the attack, including admin-level passwords and keys. 
  

• Updating security system rules to limit access from any locations and IPs that participated in the attack. If possible, IT teams should implement a block list permitting essential traffic to cross the firewalls. 
  

• Performing basic analysis and system hardening across all infrastructure components exposed to the Internet and any cloud services and authentication systems in use (such as Active Directory). 
  

• Scanning for and removing any other malware and backdoors the attackers may have access to. You may not get them all on an initial quick scan but scanning for common threats and vulnerabilities is essential. 
  

The IT and cybersecurity teams should implement continuous infrastructure monitoring alongside other network defenses, if not already in place. This should include continuous compromise assessments to help detect anomalies quickly.  

Post-Incident Activities  

After post-attack quick wins are implemented, additional medium-term actions should be taken. Some of these include: 

• Forensic analysis – Teams can start conducting a detailed forensic analysis using all the available network and security system data. The goal should be to identify the initial point of compromise, the attacker’s activity after they breached security and any secondary infections beyond ransomware. This search should be deeper than the quick scan for common malware mentioned earlier. 
  

• A complete security audit - The forensic analysis and deep scan for other malware installations and backdoors should be part of a thorough security audit covering every IT system in your organization. If you can get breached once, there is a good chance that some other systems will have an exploitable vulnerability.  

• Attack Vector Identification - The technical team must identify the root cause that enabled the ransomware attack and close any gaps that allowed it to happen. These gaps can be technical-, process- or people-related—or any combination of the three. 
  

Simplify Incident Handling with Flowmon Network Detection 

Network monitoring is an essential part of ongoing network security after a ransomware attack. The network is often a visibility gap in many cybersecurity defense setups.  

Firewalls and intrusion detection systems help cover edge security. Endpoint devices typically have several layers of cybersecurity installed. Web-based applications have server-level security, strong authentication and run firewalls on load balancers.  

But who or what is watching the network? There needs to be monitoring in place, to help identify anomalous traffic.  

Flowmon’s capabilities help fill network visibility gaps. Flowmon Anomaly Detection System (ADS) supplements the protection provided by firewalls and endpoint security. Flowmon ADS enables a deeper view of what’s happening by monitoring network traffic. This allows for enhanced detection of any strange activity within the network, such as an endpoint security breach.  

Flowmon ADS uses an intelligent detection engine, which leverages behavior analysis algorithms to help detect anomalies concealed within network traffic. In turn, IT and network teams are equipped to expose malicious behaviors, locate attacks against mission-critical applications and identify data breaches and indicators of compromise. 

Flowmon Helps You Deliver on Regulatory Requirements 

New cybersecurity regulations and updates to existing regulations are high on the agenda of lawmakers in the EU, the US and other countries around the world. 

In the EU, there is the Network and Information Security Directive 2 (NIS2), which came into force in January 2023. It sets a baseline for cybersecurity risk management measures and reporting obligations across sectors such as energy, transport, health and digital infrastructure services.   

NIS2 builds on the 2016 NIS directive, and EU member states are required to publish how they will implement and enforce NIS2 compliance within their countries.  

Flowmon has several features and functions to help support NIS2 requirements, which you can find on our webpage here. 

In the US, the Securities and Exchange Commission (SEC) published cybersecurity rules that publicly listed companies must follow. The rules mandate reporting of incidents, an outline of cybersecurity risk processes and disclosure of the cybersecurity governance practices in use.  

Flowmon’s solutions assist in providing assets for US public companies to help meet the requirements of the SEC rules and enhance cybersecurity resilience in general. To find out more, read our recent blog titled Meeting the SEC’s New Cybersecurity Rules: How Flowmon Empowers Companies To Comply.

This blog was prepared by Filip Černý in their personal capacity. The opinions or representations expressed herein are the author’s own and do not necessarily reflect the views of Progress Software Corporation, or any of its affiliates or subsidiaries. All liability with respect to actions taken or not taken based on the contents of this blog are hereby expressly disclaimed. The content on this posting is provided "as is" with no representations made that the content is error-free.