Intelligence-led Rapid Recovery: Getting Back to Business Faster


When a cybersecurity incident occurs, it can be an overwhelming experience resulting in infected endpoints, data theft, user disruption, extortion and even downtime that causes business interruption. These are some of the darkest days for any organization and will require decisive actions that can have a direct impact on its ability to recover essential business functions in an expedited manner.

Recover From Malware and Ransomware Attacks With Speed and Precision

The continued rise of malware attacks such as Emotet and TrickBot and financially motivated ransomware attacks such as Ryuk, Maze, DoppelPaymer, REvil and Dharma has placed considerable emphasis on the recovery aspects of a breach. In the wake of a cyberattack, confidently making the right choices on how to manage a recovery is more critical than ever, and recovering operations has never been more important or more costly. It is apparent that a more efficient and effective approach to recovery is essential — one that can eradicate persistent and destructive attacks rapidly and with minimal disruption.

Traditional Recovery: “Tear Down and Rebuild Everything”

Recovering from today’s persistent malware and ransomware attacks requires a new approach that remediates the environment with speed and precision in order to get back to normal business operations faster. The traditional approach of “tear down and rebuild everything” is far too time-consuming and costly for today’s enterprise-wide attacks, exposing the organization to potential business interruption and downtime. Persistent cyberattacks achieve lateral movement across a network, impacting hundreds and even thousands of endpoints in an enterprise-wide attack — and the time to reimage or rebuild hundreds, let alone thousands, of endpoints could take months while severely disrupting users and business operations. Worse still, persistent attacks anticipate this approach of recovering and restoring from backup images by reinfecting these same machines even after they are deemed clean.

The “tear down and rebuild everything” approach, once thought to be the only way to truly remove an adversary from the environment, is now a fallacy that exposes an organization to a higher risk of business interruption and reinfection.

There has to be a better way. And fortunately, there is.

Intelligence-led Rapid Recovery

CrowdStrike partnered with Baker Tilly and MOXFIVE to develop a report discussing the value of using an intelligence-led rapid recovery approach to quickly gain visibility to the full threat context across the entire environment and surgically remove all persistence mechanisms deployed in the attack, across hundreds and even thousands of endpoints, without the need to reimage, rebuild or replace a large percentage of the impacted systems.

As threat actors have shifted to big game hunting tactics that capitalize on lucrative business targets and persistent, enterprise-wide attacks, we see an increase in financially motivated malware and ransomware attacks. The bigger the target, the wider the attack surface — and the larger the ransom. While the traditional approach may have been acceptable for an attack on a single system or even 5 to 10 systems, this same approach quickly becomes problematic when we’re talking about 500 endpoints, 1,000 endpoints or even 10,000 endpoints.

Using an intelligence-led approach, we’re able to quickly identify and contain all host computers that have been impacted by the attack. Gaining visibility into the process tree executed by the threat actor enables us to use remote Falcon Real Time Response to reverse the malicious operations — killing bad processes, deleting infected files, restoring registry keys, and removing any and all persistence mechanisms with speed and surgical precision.

In short, an intelligence-led rapid recovery approach enables you to:

  • Recover systems and endpoints using threat intelligence
  • Gain immediate visibility to the full threat context
  • Use remote Falcon Real Time Response to surgically remove all persistence mechanisms
  • Recover within hours or days from a malware or ransomware incident
  • Minimize user disruption without the need to reimage endpoints and reboot computers
  • Prevent system reinfection with threat hunting and monitoring
  • Reduce the risk of business interruption due to an otherwise long recovery process
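As an added illustration of the surgical recovery described above (this is not code from CrowdStrike, Baker Tilly, MOXFIVE or the report, and it does not invoke Falcon Real Time Response), the Python sketch below turns per-host incident findings into an ordered remediation plan: persistence mechanisms are removed first so killed processes cannot respawn, the process tree is killed children-first, dropped files are quarantined, and registry values are restored only from a known-good baseline. All host names, PIDs, paths and registry keys are constructed sample data.

```python
# Added example (constructed data; not CrowdStrike's or the report's code).
# Builds a per-host remediation order from incident findings: persistence
# first so nothing respawns, then the process tree children-first, then
# dropped files, then registry values restored from a known-good baseline.
from collections import defaultdict

PERSISTENCE = ("run_key", "scheduled_task", "service")
# Known-good data for registry values the intrusion changed (constructed baseline).
BASELINE = {r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell": "explorer.exe"}

# Constructed findings: (host, kind, value, parent_pid); process values are "pid:image".
FINDINGS = [
    ("ws-0142", "run_key", r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\updater", None),
    ("ws-0142", "process", "4120:powershell.exe", "3988"),
    ("ws-0142", "process", "3988:svchost_.exe", "612"),
    ("ws-0142", "process", "4305:rundll32.exe", "4120"),
    ("ws-0142", "file", r"C:\Users\Public\svchost_.exe", None),
    ("ws-0142", "registry_mod", r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell", None),
    ("srv-db01", "service", "WinSvcHelper", None),
    ("srv-db01", "process", "2210:wsh.exe", "612"),
    ("srv-db01", "registry_mod", r"HKLM\SYSTEM\CurrentControlSet\Services\WinSvcHelper\ImagePath", None),
]

def tree_depth(pid, parent_of):
    """Number of malicious ancestors of pid; deeper processes are killed first."""
    depth = 0
    while parent_of.get(pid) in parent_of:
        pid, depth = parent_of[pid], depth + 1
    return depth

def plan_host(findings):
    """Return the ordered list of remediation actions for one host."""
    parent_of = {v.split(":")[0]: p for _, k, v, p in findings if k == "process"}
    actions = [("remove_" + k, v) for _, k, v, _ in findings if k in PERSISTENCE]
    procs = [f for f in findings if f[1] == "process"]
    procs.sort(key=lambda f: -tree_depth(f[2].split(":")[0], parent_of))  # children first
    actions += [("kill", f[2]) for f in procs]
    actions += [("quarantine_file", v) for _, k, v, _ in findings if k == "file"]
    for _, k, v, _ in findings:
        if k == "registry_mod":  # restore only from baseline; never guess a value
            actions.append(("restore_registry", v, BASELINE[v]) if v in BASELINE
                           else ("manual_review", v))
    actions.append(("verify_clean", len(findings)))  # re-check before declaring the host clean
    return actions

def plan_all(findings=FINDINGS):
    by_host = defaultdict(list)
    for f in findings:
        by_host[f[0]].append(f)
    return {host: plan_host(fs) for host, fs in by_host.items()}
```

The `verify_clean` step is where post-recovery threat hunting belongs: a host whose findings reappear after remediation was reinfected, not cleaned.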

Getting Back to Business Faster

In this paper, we present three use cases comparing the traditional approach to the intelligence-led approach, the relative cost and time of both approaches, and the potential cost of business interruption when using an inefficient recovery process. From these use cases and multiple other endpoint recovery engagements across these firms, we have witnessed a significant reduction in the time to recover and the cost of recovery, enabling businesses to get back to normal operations faster and with less risk of interrupted business operations.

Download the Intelligence-led Rapid Recovery white paper.

Visit the CrowdStrike Endpoint Recovery webpage.

To request more information or to speak with a CrowdStrike Services representative, complete and submit this form.
