We will examine scenarios for common actions and see what the positive and negative impacts of each may be
Once had a customer do this before we arrived
Lost all memory evidence
Lost some hard drive evidence
Lost a lot knowledge of what the threat actors were doing
Same situation, different outcome
Threat actors were done exfiltrating and had planted a self-destruct piece of malware
Shutting down immediately stopped it from executing and allowed for a backup of the hard drive, etc, before the logic bomb could kick off
Once had a customer do this ahead of time
Killed a critical company-wide global trading application
CFO said amount of money lost was unimaginable
Same situation, different outcome
Threat actors had begun an exfiltration operation
Appeared to be getting everything
The act of disconnecting that group of servers stopped them before they got to any customer data
Advised customer to allow us to observe and hunt for 72 hours
Discovered that the "compromised" machines were only compromised to distract
Real objective was data on a completely different segment of the network previously unkown to be accessed
End result: We found the threat actor's true objective, which led to more complete eradication
One organization followed this process for two weeks
It was during that two weeks that the threat actors took the most important data
Previous examples show how varied specifics can be
Proper assessment and scoping helps
Discourages minimizes heroics and shotgun decisions
Keeps the whole team focused and on-mission
Last updated