Ransomware gangs target the innocent and vulnerable. They <\/span>hit a Chicago hospital<\/span><\/a> in December 2023, a <\/span>London hospital<\/span><\/a> in October the same year, and <\/span>schools and hospitals in New Jersey<\/span><\/a> as recently as January 2024. This is one of the biggest reasons I\u2019m committed to stopping these criminals by educating organizations on how to re-think and re-architect their approach to cybersecurity.<\/span><\/p>\n In previous articles, I discussed IMI (Isolated Management Infrastructure) and IRE (Isolated Recovery Environments), and how they could have quickly altered outcomes for <\/span>MGM<\/span><\/a>, <\/span>Ragnar Locker<\/span><\/a> victims, and organizations affected by the <\/span>MOVEit vulnerability<\/span><\/a>. Using IMI and IRE, organizations find that the key to not only speedy recovery, but also to limiting the blast radius and attack persistence, is <\/span>isolation<\/b>.<\/span><\/p>\n [\/et_pb_text][\/et_pb_column][\/et_pb_row][et_pb_row _builder_version=”4.17.6″ _module_preset=”default” width=”100%” global_colors_info=”{}”][et_pb_column type=”4_4″ _builder_version=”4.17.6″ _module_preset=”default” global_colors_info=”{}”][et_pb_text admin_label=”Text” _builder_version=”4.24.2″ _module_preset=”default” global_colors_info=”{}”]<\/p>\n The NIST framework for incident response has five steps: Identify, Protect, Detect, Respond, and Recover. It\u2019s missing a crucial step, however: Isolate. Stay tuned for a full breakdown of this in my next article. But the reason this is so critical is because attacks move at machine speed, and are very pervasive and persistent. If your management network is not fully isolated from production assets, the infection spreads to everything. Suddenly, you\u2019re locked out completely and looking at months of tedious recovery. For healthcare providers, this jeopardizes everything from patient care to regulatory compliance.<\/span><\/p>\n Isolation is integral to building a <\/span>resilience system<\/span><\/a>, or in other words, a system that gives you more than basic serial console\/out-of-band access and instead provides an entire infrastructure dedicated to keeping you in control of your systems \u2014 be it during a ransomware attack, ISP outage, natural disaster, etc. Because this infrastructure is physically and virtually isolated from production (no dependencies on production switches\/routers, no open management ports, etc.), it\u2019s nearly impossible for attackers to lock you out.<\/span><\/p>\n So, what really should you do if you\u2019re ransomware\u2019d? Let\u2019s walk through an example attack on a healthcare system, and compare the traditional DR (Disaster Recovery) response to the IMI\/IRE approach.<\/span><\/p>\n [\/et_pb_text][\/et_pb_column][\/et_pb_row][et_pb_row _builder_version=”4.17.6″ _module_preset=”default” width=”100%” global_colors_info=”{}”][et_pb_column type=”4_4″ _builder_version=”4.17.6″ _module_preset=”default” global_colors_info=”{}”][et_pb_text admin_label=”Text” _builder_version=”4.24.2″ _module_preset=”default” global_colors_info=”{}”]<\/p>\n Suppose you\u2019re in charge of a hospital\u2019s network. MDIoT, patient databases, and DICOM storage are the crown jewels of your infrastructure. Suddenly, you discover ransomware has encrypted patient records and is likely spreading quickly to other crown jewel assets. The risks and potential fallout can\u2019t be understated. Millions of people are depending on you to protect their sensitive info, while the hospital is depending on you to help them avoid regulatory\/legal penalties and ensure they can continue operating.<\/span><\/p>\n Though the word \u2018recovery\u2019 is in the name, the DR approach is limited in its capacity to recover systems during an attack. Disaster Recovery typically employs a couple things:<\/span><\/p>\n What happens when you activate your DR processes? It\u2019s highly likely that you won\u2019t be able to, and that\u2019s because the typical DR setup relies on the production network. There\u2019s no <\/span>isolation<\/b>.<\/span><\/p>\n Think about it this way: your backup servers need direct access to the data they\u2019re backing up. If your file servers get pwned, your backup servers will, too. If your primary firewall gets hacked, your secondary will, too. The problem with backup and redundancy systems \u2014 and any system, for that matter \u2014\u00a0is that when they depend on the underlying infrastructure to remain operational, they\u2019re just as susceptible to outages and attacks. It\u2019s like having a reserve parachute that depends on the main parachute.<\/span><\/p>\n And what about the rest of your systems? You just discovered the attack has encrypted your servers and is quickly bringing operations to a crawl. How are you going to get in and fight back? What if you try to log into your management network, only to find that you\u2019re locked out? All of your tools, configurations, and capabilities have been compromised.<\/span><\/p>\n This is why CISA, the FBI, US Navy, and other agencies recommend implementing Isolated Management Infrastructure.<\/span><\/p>\n You discover that the ransomware has spread. Not only has it encrypted data and stopped operations, but it has also locked you out of your own management network and is affecting the software configurations throughout the hospital. This is where IMI (Isolated Management Infrastructure) and IRE (Isolated Recovery Environment) come in.<\/span><\/p>\n Because IMI is physically separate from affected systems, it guarantees management access so teams can set up communication and a temporary \u2018war room\u2019 for incident response. The IRE can then be created using a combination of cellular, compute, connectivity, and power control (see diagram for design and steps). Docker containers should be used to bring up each step.<\/span><\/p>\n Image: The infrastructure and incident response protocol involved in the Isolated Recovery Environment. These products were chosen from free or open source projects that have proven to be very useful in each of these stages of recovery. These can be automated in pieces for each phase, and then be brought down via Docker container to eliminate the risk of leakage or risk during each phase.<\/span><\/p>\n Without diving too far into the technicalities, the IRE enables you to recover survivable data, restore software configurations, and prevent reinfection. Here are some things you can do (and should do) in this scenario, courtesy of the IRE:<\/span><\/p>\n You can\u2019t fight ransomware if you can\u2019t securely communicate with your team. Use the IRE to create offline, break-the-glass accounts that are not attached to email. This allows you to communicate and set up ticketing for forensics purposes.<\/span><\/p>\n There\u2019s no use running antivirus if reinfection can occur. Use the IRE to take offline the switch that connects the backup and file servers. Isolate these servers from each other and shut down direct backup ports. Then, you can remote-in (KVM, iKVM, iDRAC) to run antivirus and EDR (Endpoint Detection and Response).<\/span><\/p>\n The key is to have backup data at its most current, both for patient data and device\/software configurations. Because the IRE provides an isolated environment, and you\u2019ve already pulled your backups offline, you can gradually restore data, re-image devices, and restore configurations without risking reinfection. The IRE ensures devices \u201ckeep away\u201d from each other until they can be cleansed and recovered.<\/span><\/p>\n [\/et_pb_text][\/et_pb_column][\/et_pb_row][et_pb_row _builder_version=”4.17.6″ _module_preset=”default” width=”100%” global_colors_info=”{}”][et_pb_column type=”4_4″ _builder_version=”4.17.6″ _module_preset=”default” global_colors_info=”{}”][et_pb_text admin_label=”Text” _builder_version=”4.25.0″ _module_preset=”default” hover_enabled=”0″ global_colors_info=”{}” sticky_enabled=”0″]<\/p>\n We\u2019ve created a comprehensive blueprint that shows how to implement the architecture for IMI and IRE. Don\u2019t let the name fool you. The Network Automation Blueprint covers everything from establishing a dedicated management network, to automating deployment of services for ransomware recovery. Get your PDF copy now at the link below.<\/span><\/p>\n [\/et_pb_text][et_pb_button button_url=”https:\/\/zpesystems.com\/network-automation-blueprint\/” button_text=”Download blueprint” _builder_version=”4.24.2″ _module_preset=”default” global_colors_info=”{}”][\/et_pb_button][et_pb_text admin_label=”Text” _builder_version=”4.25.0″ _module_preset=”default” global_colors_info=”{}”]<\/p>\n It’s nearly impossible to build the IMI or deploy the IRE using older console servers. That’s because these only give you basic remote access and a hint of automation capabilities. You’ll still need the ability to run VMs and containers. Gen 3 console servers let you do all of the things for IMI and IRE, like full control plane\/data plane separation, hosting apps, and deploying VMs\/containers on-demand. They’ve also been validated by Synopsys and have built-in security features I’ve been talking about for years. Check out the link below for resources about Gen 3 and how we’ll help you upgrade.<\/span><\/p>\n [\/et_pb_text][et_pb_button button_url=”https:\/\/zpesystems.com\/replace-discontinued-console-servers-with-zpe-systems-complete-products-services-solution\/” button_text=”Upgrade to Gen 3″ _builder_version=”4.25.0″ _module_preset=”default” global_colors_info=”{}”][\/et_pb_button][\/et_pb_column][\/et_pb_row][et_pb_row _builder_version=”4.17.6″ _module_preset=”default” width=”100%” global_colors_info=”{}”][et_pb_column type=”4_4″ _builder_version=”4.17.6″ _module_preset=”default” global_colors_info=”{}”][et_pb_text admin_label=”Text” _builder_version=”4.24.2″ _module_preset=”default” global_colors_info=”{}”]<\/p>\n I\u2019d love to talk with you about IMI, IRE, and resilience systems. These are becoming more crucial to operational resilience and ransomware recovery, and countries are passing new regulations that will require these approaches. Get in touch with me via social media to talk about this!<\/span><\/p>\n [\/et_pb_text][\/et_pb_column][\/et_pb_row][\/et_pb_section]<\/p>\n","protected":false},"excerpt":{"rendered":" Cybersecurity expert James Cabe discusses what to do if you’re on the receiving end of a ransomware attack, including isolating systems.<\/p>\n","protected":false},"author":5,"featured_media":39566,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_et_pb_use_builder":"on","_et_pb_old_content":"","_et_gb_content_width":"","content-type":"","footnotes":""},"categories":[98,103,156,101,93,82,97,81,112,134],"tags":[],"class_list":["post-39564","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-data-logging","category-improve-network-security","category-micro-segmentation","category-minimize-impact-of-disruptions","category-network-automation","category-out-of-band-management","category-user-management","category-virtualization","category-zero-touch-provisioning","category-zero-trust-security"],"yoast_head":"\nWhy is isolation (not segmentation) key to ransomware recovery?<\/h1>\n
![\"\"](\"https:\/\/zpesystems.com\/wp-content\/uploads\/2022\/06\/A-diagram-showing-a-multi-layered-out-of-band-isolated-management-infrastructure.jpg\")
<\/p>\nRansomware in Healthcare: Disaster Recovery vs Isolated Recovery<\/h1>\n
The problem with Disaster Recovery<\/h3>\n
\n
IMI and IRE guarantee you can fight back against ransomware<\/h3>\n
![\"Diagram](\"https:\/\/zpesystems.com\/wp-content\/uploads\/2024\/02\/IRE-Tools-and-protocol.png\")
<\/p>\nEstablish your war room<\/h4>\n
Isolate affected systems<\/h4>\n
Restore data and device images<\/h4>\n
Things You’ll Need To Build The IMI and IRE<\/h2>\n
Network Automation Blueprint<\/h3>\n
Gen 3 Console Servers To Replace End-of-Life Gear<\/h3>\n
Get in touch with me!<\/h2>\n
\n