Imagine that your organization becomes the victim of a cyberattack that paralyzes your information systems. Your IT and security departments work hard to bring the damaged infrastructure back to life and discover that around 10% of your computers were unaffected. They might sigh in relief assuming there’s less work to do to mitigate the consequences of the attack. But this is where they can be totally wrong…
Targeted attacks usually consist of many stages, the last often being a clean-up stage. Adversaries want to delete traces of their presence and malicious activities, so they wipe out the computers they gained control of. This is what happened during the NotPetya cyberattack in 2017 – infected computers all over the world were encrypted with no possibility of restoring the data.
In the event of such an attack, the first thing any company will do is try to restore whatever they can – data, software – to renew their business activity. A successful advanced persistent threat (APT) attack against any organization will always result in financial, operational, and reputational losses. Each working computer and server is an asset, and the more information systems are up and running, the better. Under these circumstances, seemingly unaffected computers are usually left unattended.
While investigating the NotPetya cyber invasion in 2017, experts from the ISSP Labs and Research Center discovered that in most companies whose information systems they analyzed, about 10% of computers survived the attack and seemed unaffected. The usual attitude of IT and security teams with respect to these machines was to ignore them and focus on recovering from the disaster. And after everything is fixed, this 10% is usually forgotten about and never analyzed.
It’s hard to blame anybody for thinking and acting this way. When your organization is on the brink of extinction, your first impulse is to bring it back to life, restoring one IT asset after another. It’s a natural and correct response. But the next step – the one that in most cases is ignored – should be taking a very close look at the “unusual 10%.” These computers and servers should be thoroughly analyzed.
Don’t allow adversaries to trick you twice
Obviously, attackers would like to retain control of a hacked organization once they’ve reached their goals. After all, they went through a long, hard, and costly process to penetrate the organization’s infrastructure and take control of its assets. So if someday they need to use its information systems for a different purpose, they won’t want to conquer the now better-fortified castle again. They’ll want to use a backdoor they previously left behind. And this backdoor can be left on a certain number of computers that survive the first attack and are later ignored by the IT and infosec departments.
This is why, in the case of a targeted cyberattack, it’s essential not only to analyze and fix the affected IT infrastructure but also to conduct a full-scale investigation and assessment of every IT asset, looking for indicators of compromise and leaving no backdoors for future invasions.