Detecting ransomware is just half the battle; it’s after your tools have identified ransomware on your network that the real work begins. While EDR tools may be able to block ransomware and alert you that it has hit a system, you still need to identify the root cause of the infection to make sure it doesn’t happen again.
To find the root cause, answer these questions:
- How did the attacker gain access to the network?
- Was it a phishing attack or did they compromise valid credentials?
Finding the answers to these questions means looking beyond just your endpoint data: you need to pivot directly into your firewall and network data, your SIEM, or other security tools to identify how the attacker circumvented your controls.