Pulling the plug: A way to halt a cyber attacker in your network? | Computer Weekly
Briefly

"There's a cyber attack under way. An intruder is inside your network: moving freely, collecting data, and setting up a command-and-control (C&C) node for future communication. Except this time, you're watching them - you can see what they're doing. The dilemma remains: what do you do? Allow them to continue traversing the network while you operate, wait for forensic specialists to arrive or find a way to stop them?"
"Earlier this year, a BBC news report on the Co-op incident claimed that the IT team at the UK retailer "made the decision to take computer services offline, preventing the criminals from continuing their hack". The criminals sent a message to the BBC, stating: "Co-op's network never ever suffered ransomware. They yanked their own plug - tanking sales, burning logistics and torching shareholder value.""
"In its statement, Co-op said it "took early and decisive action to protect our Co-op, including restricting access to some systems", which helped to contain the issue, prevent further data being accessed and protect the wider organisation. When questioned at the Business and Trade Sub-Committee in July, Co-op representatives did not use the phrase "pulling the plug" directly. But Rob Elsey, group chief digital information officer at Co-op, said VPN and remote access were restricted "as a way of ensuring that we were able to keep the criminals out of our systems"."
"Elsey explained that software within its network was "effectively trying to communicate with a threat actor's website", and after identifying the source, the team took the proactive measure of pausing all communication within that zone. This, he stressed, was not "pulling the plug". Co-op's systems "are heavily segregated, which means this was very much focused on one specific zone". He told the committee: "Throughout this, all our online business continued to operate normally,"
An intruder roamed the network, collected data and set up a command-and-control node while defenders watched. The team had to choose between monitoring the attacker for intelligence, waiting for forensic specialists or cutting the activity off. Co-op restricted VPN and remote access and, once it had traced software beaconing to a threat actor's website, paused all communication within the affected zone; because the network is heavily segregated, that pause stayed confined to one zone. Co-op described the action as targeted containment that prevented further data access, not a full shutdown, while the criminals claimed the retailer had pulled its own plug rather than suffered ransomware. Co-op told the committee that its online business continued to operate normally throughout.
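The containment decision above turns on two things: identifying which hosts are talking to the attacker's infrastructure, and mapping them to a network zone so the egress pause can be scoped to that zone alone. The script below is an added example of that triage, not code from the article or from Co-op: the zone map, the threat-actor domain `update-cdn.example.net`, the addresses and the proxy log lines are all constructed for the exercise.

```python
"""Added example: scope containment of C2 beaconing to the affected zone.

Parses constructed egress-proxy log lines, flags hosts contacting a known
threat-actor domain, maps each to its network zone and emits a zone-scoped
egress pause rather than a network-wide shutdown.  Every address, zone
name and domain here is hypothetical.
"""
import ipaddress
import statistics
from collections import defaultdict
from datetime import datetime

# Hypothetical zone map (not any real organisation's network).
ZONES = {
    "corp-workstations": ipaddress.ip_network("10.10.0.0/16"),
    "retail-pos": ipaddress.ip_network("10.20.0.0/16"),
    "ecommerce-dmz": ipaddress.ip_network("10.30.0.0/16"),
}

# Hypothetical threat-actor domain used as the indicator for this exercise.
C2_DOMAINS = {"update-cdn.example.net"}

# Constructed proxy log: "<ISO-8601 time> <src_ip> <dst_host> <http_status>"
SAMPLE_LOG = """\
2025-04-30T02:00:00Z 10.10.5.21 update-cdn.example.net 200
2025-04-30T02:00:01Z 10.30.1.10 api.payments.example.com 200
2025-04-30T02:00:05Z 10.10.5.21 update-cdn.example.net 200
2025-04-30T02:00:07Z 10.20.7.3 update-cdn.example.net 404
2025-04-30T02:00:10Z 10.10.5.21 update-cdn.example.net 200
2025-04-30T02:00:12Z 10.30.1.10 cdn.static.example.com 200
2025-04-30T02:00:15Z 10.10.5.21 update-cdn.example.net 200
2025-04-30T02:00:37Z 10.20.7.3 update-cdn.example.net 404
2025-04-30T02:01:07Z 10.20.7.3 update-cdn.example.net 404
"""


def parse_log(text):
    """Return (timestamp, src_ip, dst_host, status) tuples; skip bad lines."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, src, host, status = parts
        try:
            when = datetime.fromisoformat(ts.replace("Z", "+00:00"))
            records.append((when, ipaddress.ip_address(src),
                            host.lower(), int(status)))
        except ValueError:
            continue
    return records


def zone_for(ip):
    """Map an address to its zone; 'unknown' if it sits in no defined zone."""
    for name, net in ZONES.items():
        if ip in net:
            return name
    return "unknown"


def find_c2_contacts(records, c2_domains=C2_DOMAINS):
    """Group contacts to C2 domains by source host.

    Returns {src_ip: {"zone", "hits", "median_interval_s"}}.  A failed
    status (404 here) still counts: the attempt to reach the attacker's
    infrastructure is the signal, not whether it succeeded.
    """
    by_host = defaultdict(list)
    for when, ip, host, _status in records:
        if host in c2_domains:
            by_host[ip].append(when)
    result = {}
    for ip, times in by_host.items():
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        result[str(ip)] = {
            "zone": zone_for(ip),
            "hits": len(times),
            # Regular spacing is a beaconing hint; None if seen only once.
            "median_interval_s": statistics.median(gaps) if gaps else None,
        }
    return result


def plan_containment(contacts):
    """Return {zone: [hosts]} for zones whose egress should be paused.

    Only zones with a contacting host appear; every other zone keeps
    operating, which is the targeted containment the article describes.
    """
    plan = defaultdict(list)
    for ip, info in contacts.items():
        plan[info["zone"]].append(ip)
    return {zone: sorted(hosts) for zone, hosts in plan.items()}


if __name__ == "__main__":
    contacts = find_c2_contacts(parse_log(SAMPLE_LOG))
    for ip, info in sorted(contacts.items()):
        print(f"{ip:<12} zone={info['zone']:<18} hits={info['hits']} "
              f"interval_s={info['median_interval_s']}")
    plan = plan_containment(contacts)
    for zone in ZONES:
        print(f"{zone:<18} {'PAUSE egress' if zone in plan else 'keep operating'}")
```

Run as-is, the sample flags one workstation beaconing every five seconds and one point-of-sale host every thirty, so only those two zones are paused while `ecommerce-dmz` keeps serving. In practice the indicator set would come from the investigation rather than a hard-coded domain, and a host in an undefined zone ("unknown") is a finding in itself: the segregation that makes this approach work has a gap there.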
Read at ComputerWeekly.com