In the world we are living today, possibility of suffering from a cyber attack increases every minute. According to PwC “The incidence of reported cybercrime among our respondents is sharply higher this year, jumping from 4th to 2nd place among the most-reported types of economic crime. Notably, it was the only economic crime to have registered an increase in that category. Over a quarter of respondents told us they’d been affected by cybercrime. Ominously, another 18% said they didn’t know whether they had or not”. While avoiding an attack is ideal, it’s not always possible. No security measure can guarantee 100% surety of making a system or network attack proof since attackers constantly find new ways to break in.
In the unfortunate case that your systems suffer a breach, you should be prepared to address it swiftly. To help, we have tried to come up with steps that can help you doing so.
Document
First of all we need to LIST down anything and everything that is important and the loss of which can be harmful. This includes any information that is private to a server which brought down can effect operations.
Perform a complete audit of your systems, take note of the most important components, and track everything. Make sure you are not the only person aware of this document. Where possible, tag the resources such as servers, laptops, backup tapes etc.
Pick a Team
Now that you know what is most important, make sure all the relevant players are aware as well. Nominate one person as the IT owner in the event of a cyber attack. This individual needs to be readily available in case of an emergency, and equipped to manage the many internal technical components involved with recovering from a breach. Nominate a second person to own the management of external needs of a breach – such as outreaching to public relations, getting in touch with the organization legal counsel, etc. Both of these roles are critical for a timely and effective response. Just to be safe – pick a second in command for both teams. After all, no man is an island.
Make a Plan
You know the data, you have the right people in place – now it’s time to develop an actionable plan and provide specific, concrete procedures to follow during a cyber incident. The procedures should address:
- List possible sources of those who may discover the incident. The known sources should be provided with a contact procedure and contact list.
- Is the equipment affected business critical?
- What is the severity of the potential impact?
- How to preserve data that was compromised by the intrusion and perform forensics to review for gaps in security and insights into the actual attack.
- Who needs to be notified (data owners, customers, or partner companies) if their data or data affecting their networks is stolen.
- When and what law enforcement will be brought into the picture, as well as any regulated reporting organizations.
Make sure everyone on the team is aware and has read and reviewed. In addition, take time to appraise the plan every quarter for relevancy and update as necessary. Unfortunately, security is not static. Also, this is important; it should be tested PRIOR to an actual cyber incident. Tornado, zombie apocalypse or biblical flooding is NOT the time for a try-out.
Action
Despite all your planning, preparation, and good intentions – what happens if (when) you are struck by a cyber attack? First things first – implement your cyber incident plan as soon as possible. Take a critical assessment of the situation. Does it appear to be a malicious attack or a simple tech glitch or misconfiguration? Once you’ve determined intent (and it’s not good), it’s time to collect and preserve the impacted data, and put the rest of your plan into action.
- Disconnect!
Once you have confirmed that the attack is not a mistake you should immediately disconnect your assets from the network where possible. A better approach can be to disconnect the important information only and keep the front end connected which can help track the attacker.
2. Inform.
You should already have this information in place and readily available in your cyber incident plan. Start your outreach right away and begin with your response owners and work your way down the line. For example, the “external” owner at your organization should notify law enforcement, possible victims and the Department of Homeland Security, if necessary. Overall, the best approach is transparency. No one wants to admit to a breach. However, hiding critical information or delaying notification can backfire. A good approach involves being as direct as possible, highlighting the known and promising a timely follow up on any unknown. As always, keep it simple and straightforward. Don’t make promises you cannot keep or address concerns that are not valid.
3. Involve a professional.
Sometimes an internal response team just isn’t enough. Fortunately, there are many third-party organizations that specialize in incident response and can help you navigate through the breach. The fresh set of eyes can look at the breach in a way internal staff – already vested in the company and outcome – cannot. They can help you discover exactly what has been accessed and compromised, identify what vulnerabilities caused the data breach, and re-mediate so the issue doesn’t happen again.
4. Verify.
Finally, verify that your backup data was NOT compromised. It would be “no es bueno” to restore your system using data that you believe is valid, only to discover that your backup was just as bad as your compromised data.
5. Monitor.
Even after a cyber incident appears to be under control, remain vigilant. Many intruders return and attempt to regain access to networks that they previously compromised. It’s possible that, despite your best efforts, a hacker could STILL find a way into your system. They are a slick, determined bunch. Continue to monitor your system for out of the ordinary activity. Invest in a software solution that utilizes User Behavior Analytics to recognize unusual behavior and notify prior to an actual attack.
6. Facts.
Once your organization has recovered from the attack, it’s time to thoroughly review what happened, and take steps to prevent similar attacks. What went well with the cyber incident response plan? What may need just a wee bit of tweaking? Assess the strengths and weaknesses of the plan, and determine what needs adjusting. Implement the changes. You’ll be glad you did if (when) you are attacked again.
7. Revise.
Protecting against a cyber incident is a full-time job. As ransomware evolves and the insider becomes a consistent threat, it’s important to continuously revise and revisit your Cyber Incident Response plan:
- Keep your plan up to date.
- Have the right technology in place (including lawful network monitoring) to address an incident.
- Hire legal counsel that is familiar with the complex issues associated with cyber incidents.
- Make sure existing corporate policies align with your incident response plan.
A cyber incident is never something you want to face. However, being proactive and prepared will make a huge difference in your response.
waqar ahmed 