What goes into your jump bag is based on your incident response workflow and the way your organisation delivers its IT services.
In my many years leading response to data theft and destructive cyberattacks, I learned the value of having a “jump bag.” The term, as old as my career in incident response, originally referred to a physical container that held all of the hardware and software we needed to pick up on our way to a physical location that suffered an attack to gather evidence and investigate the incident. The idea is to be prepared to respond immediately—rushing around to find everything you need while under the pressure of an incident wastes valuable time and leads to forgetting something essential.
Fast-forward to 2024, and the “jump bag” is more important than ever for those trying to investigate, mitigate, and recover from cyber incidents. For most of my career, the threat we faced was almost exclusively data theft, which wasn’t really “theft” at all. It was the unauthorized disclosure of data: we still had a copy of the data, which allowed us to continue to deliver the mission of our organization. The impacts were largely reputational damage, potential litigation from affected data subjects, and supply-chain and regulatory penalties.
However, with the advent of destructive cyberattacks, such as ransomware and wiper attacks, where the organization can no longer deliver its products and services, losses now scale with time: every second spent on response and recovery can affect a victim organization’s viability. It is not just that jump bags are more important than ever before. The nature of their contents has also changed, reflecting the changes in the way we have delivered IT over the past four decades.
I remember dealing with some of the earliest malware in the 1980s, and the jump bag was typically a rucksack or a Pelican case. Sometimes, even five Pelican cases in large government networks. These contained the resources needed to run response activities with my team.
Here’s a list of what was in our jump bags back then:
- Multiple hard disk drives to hold gathered evidence
- Write blockers to prevent our acquisition from contaminating the evidence on the original disk
- A camera and perspex evidence markers to record the acquisition
- Physical tools to gain access to the inside of victim machines
- Faraday bags for evidence, with a printed chain-of-custody record on the outside
- CD-ROMs and later flash drives containing the digital forensics and incident response tools we would use to investigate the systems
- Notebooks with numbered pages, and pens, to ensure our acquisition notes weren’t tampered with later
Today, we live in a world of remote acquisition, endpoint and extended detection and response (EDR/XDR), virtual machines, and cloud instances. Jump bags can still be physical containers we take on-site, but today these will likely be augmented by a “virtual jump bag”: the tools required for remote acquisition and analysis.
So, what would a best-practice jump bag look like in 2024? The exact nature of what goes into your jump bag is highly contextual based on your incident response workflow and the way your organisation delivers its IT services.
There are, however, several standard tools that I have observed being used by organisations that have resulted in better response and recovery outcomes:
Contact list: A list of all the stakeholders in the incident that will need to be involved and informed. This should include internal and external parties, such as insurers, law enforcement, and retained incident responders. The contact list needs to be maintained to ensure it is up-to-date if there are any changes in roles, contracts, or contact numbers.
In a physical jump bag, this can be laminated printed sheets. In a virtual jump bag, this is an electronic document stored on an immutable store from which it cannot be deleted or altered. In both cases, the contact list should be versioned and dated so responders know they are working from the latest version.
Mobile telephone(s): The incident can impact communications infrastructure, so having a mobile phone for at least the lead incident handler provides a point of inbound and outbound contact.
It is important to ensure that the line is activated and that the number isn’t recycled by the cellular provider after a period of non-use, as is the case with some pre-paid contracts. You should also choose a cellular provider with network coverage in the areas where you will be doing incident response.
Copies of incident response workflows: Adversaries can target or impact electronic repositories that are part of your organisation’s IT infrastructure, like SharePoint, or workflow systems like a Security Orchestration, Automation and Response (SOAR) platform. It is important to maintain a copy of your incident response workflows in a location where they can be protected from attack.
In the case of a physical jump bag, these can be laminated printed sheets. In a virtual jump bag, electronic documents can be stored on an immutable store that prevents deletion. But keep them in a form that doesn’t require software to be installed before you can start executing the workflow: for example, a PNG export of a Visio diagram, which any device can display natively, rather than the Visio file itself. In both cases, incident response workflows should be versioned and dated so responders know they are working from the latest version.
Known good copies of incident response tooling: Incident responders rely on tools to acquire and analyse evidence on systems. If a system has been compromised, we cannot trust the tooling already present on that endpoint, so we need to establish trust in the software we use to handle the incident. This means using trusted versions of these tools: ideally downloaded from the vendor’s or project’s own distribution point, validated as genuine against the publisher’s checksums or signatures, and placed in an immutable repository to prevent tampering. Record the checksums of what you packed somewhere other than the repository itself (on the laminated contact sheet, for example), so the kit can be re-verified at the start of an incident.
In the case of a physical jump bag, this can be accomplished by writing the tools to write-once, read-many (WORM) media such as a DVD-R. In a virtual jump bag, store the software on an immutable file system. USB thumb drives are also popular, as they allow tools to be executed from, and evidence stored on, the drive itself without leaving too large an acquisition footprint on the system being investigated. Be aware that an ordinary thumb drive is rewritable: prefer one with a hardware write-protect switch for the tools and keep evidence on a separate device, otherwise a compromised host can write to the very drive you are trusting to be clean.
Relying on downloading tooling post-incident is not a good strategy: adversaries may have compromised your network infrastructure and could hamper, or tamper with, the download. The trend has been for incident responders to rely increasingly on remote agents for detection and response activities, such as searching for indicators of compromise and forensic acquisition. This approach has two challenges. First, after an incident, any tooling already resident on the endpoint can never be 100% trusted. Second, popular incident response frameworks, such as NIST SP 800-61 and the SANS Institute’s six-step incident response process, recommend containing the spread of an incident by isolating affected hosts and networks, and that isolation cuts off exactly the connectivity those remote agents depend on.
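As an added example (not code from the original post or from Cohesity), the following Python shows the “validate, then re-verify before use” step in practice: a SHA-256 manifest is built when the kit is packed and checked again before any tool is run, reporting files that were altered, removed or added. The directory layout, tool names and file contents are constructed for the demonstration; the same check applies to any other jump-bag artefact, such as golden-master network configurations or the contact list.

```python
"""Build and verify a SHA-256 manifest for the known-good tools in a virtual jump bag.

Added example; not Cohesity code. All paths, tool names and file contents below
are constructed for the demo inside a temporary directory.
"""
import hashlib
import tempfile
from pathlib import Path

CHUNK = 1 << 20  # hash in 1 MiB chunks so large tool images need not fit in memory


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path, version: str) -> dict:
    """Hash every file under root at packing time.

    The manifest is what you store on the immutable/WORM media next to the
    tools; its own hash should also be recorded somewhere off that media.
    """
    files = {p.relative_to(root).as_posix(): sha256_file(p)
             for p in sorted(root.rglob("*")) if p.is_file()}
    return {"version": version, "files": files}


def verify_manifest(root: Path, manifest: dict) -> dict:
    """Compare the tools on the media against the manifest before running any of them.

    'ok' is True only when nothing was altered, removed or added since packing.
    """
    expected = manifest["files"]
    present = {p.relative_to(root).as_posix() for p in root.rglob("*") if p.is_file()}
    tampered = sorted(name for name in expected
                      if name in present and sha256_file(root / name) != expected[name])
    missing = sorted(set(expected) - present)
    unexpected = sorted(present - set(expected))
    return {"ok": not (tampered or missing or unexpected),
            "tampered": tampered, "missing": missing, "unexpected": unexpected}


def demo() -> dict:
    """Pack a constructed kit, then simulate an adversary swapping one binary,
    deleting the contact list and dropping an extra file before the responder uses it."""
    with tempfile.TemporaryDirectory() as tmp:
        kit = Path(tmp) / "jumpbag"
        (kit / "bin").mkdir(parents=True)
        (kit / "bin" / "acquire.exe").write_bytes(b"constructed acquisition tool\n")
        (kit / "bin" / "triage.ps1").write_text("Write-Host 'constructed triage script'\n")
        (kit / "CONTACTS-v3-2024-05-01.txt").write_text("constructed contact list\n")

        manifest = build_manifest(kit, "2024.05")
        clean = verify_manifest(kit, manifest)

        # Tampering scenario (constructed): trojaned binary, missing document, dropped file.
        (kit / "bin" / "acquire.exe").write_bytes(b"trojaned acquisition tool\n")
        (kit / "CONTACTS-v3-2024-05-01.txt").unlink()
        (kit / "bin" / "helper.dll").write_bytes(b"dropped by adversary\n")
        dirty = verify_manifest(kit, manifest)
    return {"clean": clean, "dirty": dirty}


if __name__ == "__main__":
    print(demo())
```

Two caveats follow from the check itself. The manifest is only as trustworthy as the place it lives: if an adversary can rewrite the media, they can rewrite the manifest too, so record its hash on the laminated sheet or sign it with a key kept off the media. And the interpreter and script that perform the verification must themselves come from the trusted kit; running the check with the compromised host’s own Python is circular.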
The tooling required to respond to and recover from a destructive cyberattack isn’t just traditional security tooling, as core IT infrastructure is also likely to be impacted. Services like email, DNS, certificate authorities, identity and access control, voice-over-IP, and even physical access systems may be affected and need to be brought back to a trusted state before you can coordinate and communicate response efforts with external third parties and internal stakeholders. This is commonly overlooked in crisis response plans for ransomware.
Software licence keys for incident response tooling: While many excellent open-source response tools are available to incident responders, proprietary and “freemium” tools also require licence keys to function.
These can be available to the incident responders on a laminated printed sheet, although typing them in can be time-consuming and prone to errors. A much better option is to have them in an electronic document on the same immutable store, allowing those installing the software to copy and paste the keys.
Storage devices: Storage devices hold evidence for later analysis and preserve forensic artefacts for later criminal prosecution or civil proceedings. Incident responders have two main concerns here. The first is acquisition footprint: how much impact does acquiring the evidence have on the system being investigated? In other words, if we need to install software to acquire evidence, does this software change the evidence? The second is maintaining a chain of custody to ensure that evidence isn’t changed from the original during its lifecycle.
In physical disk acquisition, we solve this by using write blockers to prevent any change to the original disk, placing the original in a Faraday bag locked in an evidence safe, and only ever working on a verified copy. Remote acquisition is almost always a trade-off: we usually need to deploy some software on the endpoint, which changes the endpoint’s file system in order to obtain a copy of the remote disk’s contents. Some organizations pre-deploy acquisition capabilities onto their endpoints in advance of an attack, but this in itself represents an extended attack surface that attackers can use against those systems, and the capability can be evaded or disabled by the adversary during the attack. Another challenge with remote acquisition is that the first stage in most incident workflows for destructive cyberattacks like ransomware and wipers is isolating compromised systems. This results in an inability to connect to those systems, requiring a physical presence to either place the system into an isolated network or to remove the disk for acquisition.
This is where backup snapshots provide a lot of forensic value. They already exist in a central location and, in addition, provide not just a snapshot of a system after the attack but can show the changing state of a filesystem over the duration of the attack.
Network equipment to set up an isolated response environment: One of the first things that most retained incident response companies will do when a victim organization contracts them is establish isolated environments in which to conduct their response and recovery tasks. In the case of Cohesity, we recommend the customer has four networks:
- The untrusted victim “dirty” network, where the attack has taken place.
- A “clean room” network, where security operations use trusted tooling to investigate the incident.
- A “staging room” network, where IT operations use the knowledge of the incident gained by security operations in the clean room to recover or rebuild systems, taking into account interdependencies, mitigating the threats found, and then testing system performance and functionality.
- Finally, a “production” network, onto which the mitigated and tested systems are released.
Any physical jump bag should include the network equipment required to establish these isolated environments. With a virtual jump bag, the golden masters of the network configurations to create these isolated environments should be held on immutable storage, cryptographically hashed, and ready to be deployed in minutes.
Cohesity has a design blueprint and associated workflows that organizations can leverage to prepare for establishing these clean and staging room environments in advance.
Cables and chargers: For a physical jump bag, I make sure I have plenty of chargers, power cables, and network cables. It’s highly frustrating to go into a machine room and find out you’ve left the charger on the desk upstairs, or that the Ethernet cable you’ve brought is missing, or that the retaining clip has broken off. I usually bring a variety of Ethernet cable colours of varying lengths, allowing me to colour-code the different networks I establish.
Network tap: If your network is not set up to allow SPAN (mirror) ports, bringing a physical tap that can be placed upstream of the attack can give you visibility of command-and-control and exfiltration attempts. Bear in mind that an adversary with access to switch management can see a SPAN port being configured, and inserting an inline tap briefly drops the link, so take this into consideration.
Snacks and a water bottle: I keep a Nalgene bottle and some snacks with a long shelf life in a physical jump bag. You never know how long you will be on-site or what the local catering or retail situation will be. Sometimes, data centers are in the middle of nowhere.
Pen and paper: Whether you are on-site with a physical jump bag or doing remote acquisition or analysis, every step of the response workflow needs to be documented in a numbered notebook so that it can be used as evidence in any future criminal or civil proceedings. Don’t rip pages out of the notebook, and always write in permanent pen. In a physical jump bag, I also bring Sharpies, Sellotape, and Blu Tack, which allow me to write and attach signs.
Digital camera: Any physical jump bag needs a digital camera to record the acquisition of evidence. Photograph the overall scene. Photograph disks in situ. Photograph the serial numbers and MAC addresses of machines, and the serial numbers of disks.
Headtorch: Believe it or not, the lights can go out! If you have skilled adversaries inside your environment with access to physical infrastructure, you might find yourself in a machine room with no windows or lights. Prepare for the worst.
Jacket and earplugs: Data centers can be cold and noisy places. I usually have in-ear hearing protection and a small packable down jacket that can make extended stays in the data center far more tolerable.
Establishing a Minimum Viable Response Capability with the trusted tooling you normally have in your jump bag is a core feature of Cohesity’s Clean Room solution. It combines native response and recovery capabilities, designed to continue to function after a destructive cyberattack, with a collaborative approach to an organization’s existing security operations toolset.
The Cohesity Clean Room solution provides design blueprints and associated workflows that organisations can use to:
- Recover a trusted response environment rapidly.
- Establish the clean room where security operations can investigate incidents.
- Stand up the staging room environment where IT operations can mitigate found threats, speeding response and recovery and minimising the impact of destructive cyberattacks on organisations.
Cohesity allows organisations to establish a vaulted immutable store for incident response workflows, contact lists, trusted software images, licence keys, and other digital assets required to respond to the incident. Cohesity FortKnox ensures that this can sit off the organisation’s core IT infrastructure beyond the reach of adversaries. The Cohesity SmartFiles functionality allows resources to be rapidly mounted and used by the native orchestration and scripting tools to start a response within minutes.
The acquisition of filesystem evidence at a file and directory level is simplified using Cohesity DataProtect. Incident responders can examine file systems over the incident timeline and extract configurations and binaries for further analysis. The immutability and integrity of DataProtect’s backup file system provide a strong chain of custody to help prove the validity of evidence. As DataProtect isn’t reliant on access to the victim system over the network, these forensics capabilities continue to function even if containment measures to isolate networks and hosts are in place. There is no additional agent to install, as the response and recovery functionality is provided simply by backing up your data into a Cohesity solution, thereby reducing the attack surface and the opportunity for evasion.
FortKnox and SmartFiles can further be used to store captured forensics artifacts, ensuring they’re held beyond the reach of adversaries and in a store with a strong chain of custody.
Cohesity DataHawk’s threat-hunting capability allows organizations to leverage a curated cyber threat intelligence feed of hundreds of thousands of Indicators of Compromise used by destructive cyberattackers to hunt for evidence on file systems without the need for an active network connection, decreasing the adversary’s ability to evade detection and allowing hunting even if networks and hosts have been isolated to contain a destructive cyberattack. Customers can augment the included feed with their own threat intelligence providers or threat intelligence platforms.
If you’re interested in learning how Cohesity can help you develop and deploy a clean room environment and jump bag, sign up now for our ransomware resilience workshop.
Written By
James Blake
Global Cyber Resiliency Strategist