Common Misconceptions

… is quicker than reimaging impacted ones.

In most situations, reimaging impacted systems is faster than purchasing new ones. Generally, when you buy a new device, you still have to configure it to work in your environment. In those instances, reimaging achieves the same purpose as buying new. Therefore, it may be quicker and more cost-effective to reimage impacted machines.

… is necessary because we cannot tamper with the forensic investigation.

Reimaging or wiping a computer will indeed erase all its forensic data. While it’s essential to understand what happened, there are ways to reimage systems and get them operational while preserving the integrity of the forensic data. Rather than purchasing new hardware to replace impacted ones, you could do one of two things:

1. Replace the hard drive of the impacted systems and preserve the impacted drive for the forensic investigators.
2. Make a forensic image copy of the impacted system to an external hard drive for the forensic investigators.

Either option guarantees the forensic provider will have the proper data they need to investigate while allowing you to recover your environment quicker. These options should always be discussed with legal counsel to ensure compliance with any legal/ regulatory obligations.

… is necessary because our systems are bricked.

When systems are “bricked”, it is considered that they can no longer be recovered by any means whatsoever. However, in most cyber incidents, systems rarely get bricked due to a cyberattack. Before investing time and money in a new system, it’s recommended to check the following:

1. Try a different power cable/source.
2. Swap out the hard drive and reinstall a new operating system.
3. Reinstall the computer’s firmware.

Performing these activities can help determine if your systems are bricked. Often, the operating system is the culprit, which results in systems being unable to be turned on, making it seem that they are bricked.

… is essential because I can no longer trust and connect them to my network.

Dealing with a cyber incident is not a pleasant experience. However, when faced with one, the forensic providers involved can provide evidence of what happened in the incident, ideally providing technical details on:

1. How did the threat actors gain access to the environment?
2. What was the extent of the threat actor's malicious activity?
3. Was there any Data exfiltrated from the environment?

Forensic investigators can provide recommendations to build a more resilient and secure environment by answering these questions on the incident and assessing the impact. In most cases, these reimaged systems can be placed back into the environment. Proper endpoint monitoring capabilities will also guarantee that these systems have additional protection and that it’s safe to introduce them back into your environment.

Migrating to the cloud is not an easy matter, as it requires careful planning, adequate resources, and experts that have done this many times. These are not easy to obtain while in the midst of responding to a cyber incident. Establishing a new infrastructure in the cloud with the pressure of restoring as quickly as possible will introduce more risk and complexities to an already precarious situation. Recovery efforts should prioritize restoring the environment to a known good pre-incident state. Migrating to the cloud without the necessary groundwork while under pressure can substantially prolong the recovery timeline.

Additionally, it can also lead to increased operational costs that generally stem from the planning phase of a migration effort, which is usually a common oversight during recovery efforts. The more complex the architecture, the greater the risk of unforeseen challenges and the higher the operational costs, making a cloud migration an unwise strategy during a critical recovery phase in many cases.

Often, recovery efforts take a long time and may require more storage than what’s available. Typically, this stems from the need to preserve forensic data, decrypt impacted systems, and/or restore systems from backups. However, in most cases, the additional storage is temporary, which may be satisfied by renting storage solutions. After the environment is recovered, while having the extra storage may be great, it’s not necessary. There are many vendors that can provide rental services for simple and robust solutions that can meet your infrastructure needs.  Beazley’s Cyber Services team or your claims professionals can make introductions to qualified firms if you need them.

It’s common to have reservations about leveraging a threat actor’s decryption utility to recover your environment, especially since the threat actor caused all of this in the first place. A couple of things to consider regarding leveraging the threat actor’s decryption tools:

1. Forensic and threat negotiation experts can help perform additional analysis on the decryption tool to ensure no hidden or malicious capabilities are built into it. In addition, leveraging an Endpoint Detection and Protection (EDR) solution would also help ensure that if something bad did run on the system due to the decryption utility, it gets blocked.
2. Generally, threat actors want to ensure you can decrypt successfully. A good track record for them helps build a “good reputation” for their other victims to be aware of. While it’s not always going to be the same case for every threat actor, work with the forensic and threat negotiation experts as they can provide more guidance.
3. Leveraging a decryption utility, in some cases, might lead to a far quicker recovery as opposed to rebuilding your system from scratch.

During the recovery efforts in a cyber incident, such as ransomware, it may be tempting to take the opportunity to upgrade systems, but this can inadvertently delay the recovery process by introducing new complications. Upgrades to hardware or software typically require thorough testing, validation, and training, which are steps that are not feasible in the urgent timeline of recovery. Prioritizing upgrades during this critical time not only extends the recovery timeline but also diverts essential resources, such as staff attention and computing power, away from the primary objective of restoring operations. Recovery and restoration efforts rely on the known stability and configurations of current systems. Implementing new software or hardware during the recovery can introduce unforeseen compatibility issues and security vulnerabilities, potentially prolonging downtime.

It depends on the incident. Traditionally, from a data restoration perspective, it's best to restore systems to their last known good configuration, as it tends to minimize unforeseen complications. However, there are instances where backups may no longer be available, or a decryption utility wasn't obtained. Therefore, during the rebuild process, you might encounter system and/or software updates that are no longer available or supported.

In these cases, if the legacy system or software is still functional, it’s advisable to use it to revert to the original baseline. In cases where the system or software is obsolete or unsupported, reaching out to your vendor for alternative solutions would be best. They may be able to offer different solutions or workarounds that you can utilize.

Make sure to keep in touch with your assigned claims manager, so that they can best support you through these issues.