With two-thirds of the UK’s big businesses being hit with a cyber-attack in the past year, it’s absolutely crucial for businesses to know how to respond and deal with the aftermath. A study we conducted last year revealed that more than half of organizations lack the capability to gather data from across their environment, or coordinate centralized alerts to the business about suspicious activity.
In addition, 40% do not have a program to address vulnerabilities – which seems astonishing, especially as we already know that vulnerabilities which are 10-15 years old are still being exploited.
In the immediate aftermath of a breach, organizations should have an incident response plan which includes incident detection as well as incident response. Despite this, we found that a third of organizations do not have an incident response plan in place, and two-thirds of those that do have never tested their plan. It’s like having a plan for a fire drill but never actually executing it.
So what are the steps we need to take in order to help combat a breach? Here is some guidance on what organizations should do immediately after, in the short term and in the longer term to avoid disaster.
Immediately after
The immediate response is often referred to as Triage, which typically consists of (1) classifying cybersecurity incidents e.g. critical, significant, normal or negligible impact, (2) prioritizing these incidents into high, medium or low, and (3) assigning the incidents to the relevant teams to further investigate. In this state of triage, organizations must:
- Act with speed and precision in active incident response: It’s important to take close note of the adversaries’ behaviors and applicable counter measures that can provide insight and a prescribed course of action. Speed is of the essence, and acting quickly will limit further damage.
- Fully assess the situation before taking action: Look for signs of lateral movement, exfiltration of data and files, and search for specific Indicators of Compromise across all hosts. The goal is to determine the nature, timing, and extent of the compromise. Don’t act in response to the breach without assessing the whole situation to discover what data and areas of the business the breach has affected.
- Isolate unaffected networks and systems: By cutting off access to other systems, this will help to mitigate damage and stop hackers from gaining access to other areas of the business. There’s no need to shut off all systems, but it’s important to identify what information has been made accessible by other platforms. Avoiding further infiltration can only happen if you act quickly and appropriately.
Short term
- Log actions: It’s important to monitor and track your activity following an attack. The response team can then track and distinguish between black hat activity, remediation and forensic activities.
- Get law enforcement involved: Share information from your forensic investigation with pertinent stakeholders. These may include involved partners and law enforcement. You may not think to take it this far, but not reporting a breach could have a significant impact on your business. To avoid reputational damage, UK police recently suggested developing an app that’s lets you report a breach anonymously as it’s been estimated that more that 1.5 million cybercrimes (costing around £12 billion) were not reported in 2013-14. As a total, 85% of fraud and cyber-crime offences were not reported to the police that year.
- Speak to an expert: If you don’t have the necessary skills, you could be putting your business at further risk. If your team isn’t experienced in the realm of cyber security, hire external experts to augment your incident response teams. Maturing incident response teams regularly by running breach readiness and response tests, as well as simulated incidents and breaches, will help to benchmark the results.
Longer term
- Remediate gaps and vulnerabilities: After the immediate threat has been neutralized, the eradication process must begin as part of an orchestrated response. The vulnerabilities exploited by threat actors must be remediated. Prepare your teams, change your processes, and update your technologies so that you can avoid it happening again. By doing this, you can spot the gaps in your ‘points of entry’ before it’s too late. These steps must also form part of a capability maturity model so that you are constantly improving your awareness and remain vigilant.
- Deploy network and endpoint monitoring systems: This will help to more efficiently detect and investigate current and future attacks. That means organizations have to do all they can to ensure they have the highest level of visibility of their IT environment, through continuous monitoring of their network and endpoints.
- Convene, brief and review the organization’s incident response plan with all stakeholders: Using intelligence you’ve gathered from past experiences and from other experts is critical to analyzing and interpreting results of the breach assessment. Collaborate with information sharing groups, such as other businesses who have been through the same experience, and have used different best practice. Reviewing and adapting your approach will keep you one step ahead of attackers.
Contradictory to what most people think, people and processes are often more critical than the technology in place when it comes to securing your business against a breach. A security operations team must have clearly defined roles and responsibilities to avoid confusion at the crucial hour.
It is just as important to have visibility and consistent workflows during any major security crisis to assure accountability and consistency and help organizations improve response procedures over time. Enterprises that fail to evaluate incident response plans against new threats expose their systems, data and infrastructure to attack.