Matt Lawrence, F-Secure
Cyberattacks come at a devastating cost to organisations. Sometimes the impact is felt immediately; other times it can take years for the slow erosion of share price and customer confidence to be felt.
According to the latest research, it takes an average of 69 days for a cyberattack to be resolved once detected. This gulf between detection and response means that organisations are missing a vital window of opportunity to stop attacks before attackers reach their objective, which could include server encryption, data exfiltration, and ransomware deployment.
Response readiness requires time and investment across people, processes, and technology. While achieving 100% response readiness requires a high level of time and investment, this article will outline the basic tenets of how organizations should preparefor, respond to, and remediate a cyberattack.
BEFORE A CYBERATTACK
IDENTIFY WHICH ENDPOINTS AND SERVERS YOU CAN’T FUNCTION WITHOUT
Before a breach occurs, think about what in your organization might be of value to attackers, such as confidential client and employee data, information on intellectual property, mergers and acquisitions, and plans for growth. Pair that with the endpoints and servers that are critical to the smooth running of your businesses. Merging the two together guides you towards allocating your cybersecurity investment to defending your most critical assets. This can include endpoint monitoring and backing up business-critical servers.
COVER YOUR ENDPOINTS
Most modern day cyberattacks start with an endpoint compromise. This is why deploying an endpoint detection agent before a cyberattack is crucial. It helps responders get immediate visibility and data into how the attacker got in, what they have accessed, and what they might be trying to achieve.
TRAIN FIRST RESPONDERS
Every organisation should allocate a team of ‘first responders’: the team that are called upon when an incident in suspected. Your team of first responders will need to know:
-What steps must be taken to investigate the suspected incident;
-How to access data and telemetry to confirm if the incident needs to be escalated;
-How to manage the incident for the first 48 hours;
-When to call in incident response teams, either internally or externally.
First responder training shouldn’t be limited to security people and IT staff. Many different types of staff need to be trained in first response activities – from personal assistants to human resources, office managers, and analysts.
Make sure your first responder team encompasses of all your IT estate, including a map of all endpoints, hardware, and software, with clear roles and responsibilities.
DURING A CYBERATTACK
Once the incident is confirmed, what next?
DON’T SHUT DOWN THE HOST
When a compromise is detected, a common misstep is pulling the power cable. While shutting off power may seem a good thing from a containment standpoint, it makes the job of the responder much harder. If the attack is wholly memory resident, shutting that host down can completely remove the evidence of how the attacker accessed the endpoint, and impede gathering intelligence on the attack’s origins and potential objectives.
This policy should be continually communicated to all employees.
IDENTIFY THE MAIN CONTACT(S) FOR INCIDENT RESPONSE TEAMS
We can’t emphasise how crucial this is. When organisations have not done this – and an incident is live – a lot of time can be wasted figuring out who is the owner of systems, who responders need to speak to in terms of escalation, and signing off necessary budget. It is often necessary to take defensive actions to protect the business, such as taking down critical elements of the infrastructure – if a business isn’t prepared for that in advance it can be difficult to debate the pros and cons while an attacker is live on the estate.
KNOW THAT EXPELLING THE ATTACKER RIGHT AWAY ISN’T ALWAYS THE RIGHT MOVE
While the impulse to get the attacker off your estate as quickly as possible is understandable, it is not always the right move. This is particularly important when dealing with sophisticated attackers, alerting them to the fact that they’ve been detected can either be the point at which they deploy ransomware, or they leave the estate to come back with a stealthier method. A measured, coordinated response can ensure that assets are protected and the attacker is expelled without recourse.
AFTER A CYBERATTACK
TAKE A BREATH
Breaches – while stressful and potentially damaging – can sometimes lead to good things, such as security improvements across the organisation, hiring of additional resources, and a wider understanding that security needs to be embedded in every facet of an organisation. However, it is crucial that you:
We provide post-incident recommendations on improvements that can reduce the impact of future attacks. A good example of this is our own research in Active Directory security using the Red Forest architecture, which is something that – once implemented properly – can have a major impact on the effectiveness an attacker has if they have compromised that environment. While it requires investment in time and money, the backend of an incident is often an opportunity to make such improvements. However, it is sometimes the case that organizations don’t action our recommendations, reverting back to the same risk profile they started with before they were attacked.
BUILD IN CONTINUOUS IMPROVEMENTS AND ASSESSMENTS
Cybersecurity is a lifecycle. One of the best ways to ensure you are bolstered against the threat landscape is to take lessons learned from investigations and build a program that can implement those recommendations. However, constraints to budgets and time make it difficult to implement every single recommendation. However, 10% readiness is better than no readiness. It is not purely about monetary investment, but about making internal improvements to your processes and procedures.