His take is that a thorough digital forensic investigation is an urgent and essential next step to getting back to normal after having hard drives and associated master boot records (MBRs) wiped out. Master boot records encapsulate critical information on the organization of file systems on the drives. Affected systems were given a forced reboot command, but restarts were impossible because the MBRs and file systems had been corrupted.
Vital Forensic Intelligence Can Limit the Damage of Cyber Attacks
These South Korean banks and broadcasting firms, Smith says, may discover too late that, “The number of infected computers could vary dramatically from the initial estimates—if the attack vector is not consistently transmitting and detectable. Only incident-response technology built on forensic methodologies can uncover the dormant malware.”
What the affected organizations urgently need to know is:
- Whether data is being quietly exfiltrated from their networks
- How the malware entered the network
- How network defense should be augmented to prevent a future attack
- How many computers have been infected
- How fast the malware can be remediated
- Whether there’s a risk of being re-infected.
Published reports have speculated on the sophistication of the attacks. Regardless of the sophistication level of the attackers, Smith says that the use of simple code could mean that attackers used existing code to speed the process. If he were advising these South Korean companies, Smith said, “I’d caution these firms to be very concerned about data leaving the network via this malware and to remediate all infected computers as soon as possible. The misuse of the banking data could cause a bigger problem for the banks and their customers than the impact of the initial attack.”
More evidence that a significant part of effective enterprise cybersecurity is host-based incident response.