Page 34 - The EDGE Fall 2024

COMMUNICATION

BY LAUREN OWENS AND BRANDON GABEL
This Story Really Has a Happy Ending

On Jan. 18, at 4:47 a.m., a threat actor gained remote access to our network. Using service account credentials not yet locked behind MFA, this threat actor began exploring servers on our network, quickly centering on one of our backup servers and deleting all of our backups. They then moved to our data center and began encrypting it while searching for other valuable-looking servers to access.

Yes, the “not if but when” had happened to us. We’d been cyber attacked, and the bad guys were in the house.

The threat actor’s behavior drew the attention of our monitoring software but not enough to sound the alarm. Our network team began working on diagnosing the outage, a common enough process that also happens to be the first step on our Cyber Incident Response Plan (CIRP) adopted in the fall. We mentioned a happy ending, and the CIRP was crucial for that.

As the team checked the usual suspects for network failures, I worked on communication with principals and cabinet. For the first two hours, all network traffic was halted and we methodically checked possibilities off our list: power, hardware, network servers/services, and then our Manager of Network and Security Brandon Gabel found it – he saw a service account doing way more than it was supposed to. He immediately upgraded us from Network Outage to Cyber Incident, and things moved quickly for the next 24 hours.

Brandon immediately initiated a quarantine and isolation of all network traffic, “locking the bad guys in the house” as we began our investigation. The two aims of a cyber threat actor, 1) to exfiltrate data and 2) to lock us out of our servers for ransom, were both mitigated by his quick, informed action. We called the Arizona Department of Homeland Security, our cyber insurance (The Trust), and most importantly our network partner, who kept an open video call with us through the rest of the day and was invaluable in our investigation and recovery. Here’s what the rest of that day was like:

•   Staff locked out of the network; I handled that communication.
•   Investigate possible exfiltration.
•   Was able to restore 90% of services within 24 hours, due to our 3-2-1 backup plan.

By 10 p.m., we were confident that we had identified all sources of infiltration and that our “warm” backup had been kept secure and untouched, so we were able to quickly restore all critical servers to full functionality.

All told, within less than 24 hours after our investigation began, we were able to restore all critical systems to full functionality, a stat we are very happy with but where we also see opportunities to improve. Here are our takeaways, what we have learned was important before and during our first cyber incident.
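The turning point in the story above is a service account “doing way more than it was supposed to,” something the monitoring software noticed but did not escalate. The script below is an added example (not code from the article, the district, or its network partner) of two simple checks that turn that observation into an alert: a service account touching hosts outside its expected baseline, and a single account fanning out to many distinct hosts in a short window. The log line format, account names, host names, baseline table and thresholds are all constructed assumptions for illustration.

```python
"""Flag service accounts that reach hosts they normally never touch.

Added example for the incident narrative above; not the district's code.
Log format, names, baseline and thresholds are constructed assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication events (assumed format):
#   <ISO timestamp> <account> <source IP> <target host>
SAMPLE_EVENTS = """\
2024-01-18T04:47:02 svc-backup 10.0.5.21 backup01
2024-01-18T04:49:10 svc-backup 10.0.5.21 backup01
2024-01-18T04:51:33 svc-backup 10.0.5.21 fileserver02
2024-01-18T04:53:05 svc-backup 10.0.5.21 dc01
2024-01-18T04:55:48 svc-backup 10.0.5.21 sql01
2024-01-18T04:58:12 svc-backup 10.0.5.21 hyperv03
2024-01-18T05:02:00 svc-backup 10.0.5.21 hyperv04
2024-01-18T07:30:00 svc-print 10.0.2.4 print01
2024-01-18T07:31:00 svc-print 10.0.2.4 print01
2024-01-18T08:00:00 jdoe 10.0.9.50 fileserver02
2024-01-18T08:05:00 jdoe 10.0.9.50 dc01
"""

# Assumed baseline: the only hosts each service account is expected to reach.
# In practice this table is maintained by the administrators who own the accounts.
BASELINE = {
    "svc-backup": {"backup01"},
    "svc-print": {"print01"},
}


def parse_events(text):
    """Parse the constructed log format into (timestamp, account, source, target)."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, account, src, target = line.split()
        events.append((datetime.fromisoformat(ts), account, src, target))
    return events


def off_baseline_targets(events, baseline):
    """Return {account: sorted list of targets not in that account's baseline}.

    Only accounts present in the baseline table (i.e. service accounts) are
    evaluated; human users are handled by other controls.
    """
    hits = defaultdict(set)
    for _ts, account, _src, target in events:
        if account in baseline and target not in baseline[account]:
            hits[account].add(target)
    return {acct: sorted(targets) for acct, targets in hits.items()}


def host_fanout_alerts(events, window=timedelta(minutes=30), threshold=4):
    """Return [(account, window_start, sorted hosts)] for any account that
    reached at least `threshold` distinct hosts within `window` (sliding window
    starting at each event). One alert per account is enough to page someone.
    """
    by_account = defaultdict(list)
    for ts, account, _src, target in events:
        by_account[account].append((ts, target))
    alerts = []
    for account, evs in by_account.items():
        evs.sort()
        for i, (start, _) in enumerate(evs):
            hosts = {t for ts, t in evs[i:] if ts - start <= window}
            if len(hosts) >= threshold:
                alerts.append((account, start, sorted(hosts)))
                break
    return alerts


if __name__ == "__main__":
    evs = parse_events(SAMPLE_EVENTS)
    print("Off-baseline targets:", off_baseline_targets(evs, BASELINE))
    for account, start, hosts in host_fanout_alerts(evs):
        print(f"ALERT {account} reached {len(hosts)} hosts from {start}: {hosts}")
```

Either check on its own would have raised the 4:47 a.m. activity above the “diagnose the outage” threshold: a backup service account should never authenticate to a domain controller or a hypervisor, and no service account should touch six hosts in fifteen minutes. The baseline check is the more precise of the two and needs an up-to-date allow-list per account; the fan-out check needs no baseline and catches accounts nobody remembered to document, at the cost of more tuning of the window and threshold.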

                                                                                            CONTINUED ON PAGE 36

