Written by James Tamblin, BlueVoyant UK President
Ensuring that businesses are properly prepared to react to a cyber attack, and to secure assets and data afterward, is entirely dependent on the proactive steps businesses take in advance so they can respond to such an incident quickly and efficiently.
This is why businesses must have an incident response plan in place, detailing how they should respond to cyber attacks. This plan should have complete buy-in across not only the cyber security or IT divisions, but the entire company from marketing and sales to the CEO and Board, if applicable.
This is crucial in businesses of all sizes, to ensure that everyone is reading from the same hymn sheet should the unthinkable happen. Knee-jerk reactions to a cyber attack, both internally and externally (to customers, partners, stakeholders and the press), can do far more damage than a carefully considered approach.
Evidence that organisations may have already suffered a cybersecurity incident
Businesses, depending on their size and internal cyber security capabilities, should analyse – or engage their managed security service provider (MSSP) to analyse – whether they are suffering from any of the following lapses in security, which may indicate that a cyber attack is imminent or already in progress:
- Does the business have open, at-risk ports, such as remote desktop protocol (RDP), authentication, and datastore ports?
- Is there evidence of outbound traffic to known malicious infrastructure?
- Is the business being targeted by known IPs that are associated with ransomware?
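As an added example (not from the original article), the following Python triage routine runs the three checks above over constructed firewall log lines and labels the lines that are not true positives as benign; the threat lists, log format and network ranges are hypothetical stand-ins for what an MSSP or threat intelligence feed would supply.

```python
"""Triage constructed firewall log lines against the three indicators named
above: exposed at-risk ports (RDP, authentication, datastore ports), outbound
traffic to known malicious infrastructure, and inbound traffic from IPs
associated with ransomware. All addresses, lists and log lines are constructed
samples, not real indicators."""
import ipaddress
from collections import namedtuple

Alert = namedtuple("Alert", "indicator line")

# Hypothetical threat intelligence; in practice supplied by an MSSP / TI feed.
KNOWN_MALICIOUS_INFRA = {"203.0.113.7", "198.51.100.23"}   # constructed C2 hosts
RANSOMWARE_IPS = {"192.0.2.44"}                            # constructed scanner IPs
AT_RISK_PORTS = {3389: "RDP", 389: "LDAP", 88: "Kerberos", 1433: "MSSQL",
                 3306: "MySQL", 5432: "PostgreSQL", 27017: "MongoDB", 6379: "Redis"}
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                 ipaddress.ip_network("192.168.0.0/16")]

def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)

def parse_line(line):
    # Constructed log format: "<action> src=<ip>:<port> dst=<ip>:<port>"
    action, src, dst = line.split()
    sip, sport = src[4:].rsplit(":", 1)
    dip, dport = dst[4:].rsplit(":", 1)
    return action, sip, int(sport), dip, int(dport)

def triage(lines):
    """Return one Alert per line that matches an indicator; everything else is
    treated as benign, i.e. the 'false positive' side of the identification step."""
    alerts = []
    for line in lines:
        action, sip, sport, dip, dport = parse_line(line)
        if action != "ALLOW":
            continue  # blocked traffic is noise for this triage, not an incident
        if is_internal(sip) and not is_internal(dip) and dip in KNOWN_MALICIOUS_INFRA:
            alerts.append(Alert("outbound to known malicious infrastructure", line))
        elif not is_internal(sip) and sip in RANSOMWARE_IPS:
            alerts.append(Alert("inbound from IP associated with ransomware", line))
        elif not is_internal(sip) and is_internal(dip) and dport in AT_RISK_PORTS:
            alerts.append(Alert(f"exposed at-risk port {AT_RISK_PORTS[dport]}", line))
    return alerts

SAMPLE_LOG = [  # constructed sample lines
    "ALLOW src=10.0.0.5:51000 dst=203.0.113.7:443",     # outbound to listed C2 host
    "ALLOW src=192.0.2.44:40000 dst=10.0.0.9:445",      # ransomware-linked scanner
    "ALLOW src=198.51.100.9:40001 dst=10.0.0.12:3389",  # RDP reachable from the internet
    "DENY  src=198.51.100.9:40002 dst=10.0.0.12:1433",  # blocked: not an incident
    "ALLOW src=10.0.0.5:51001 dst=10.0.0.12:3389",      # internal RDP: benign here
]

if __name__ == "__main__":
    for alert in triage(SAMPLE_LOG):
        print(alert.indicator, "<-", alert.line)
```

Each line yields at most one alert (the first matching indicator), so an external ransomware-linked IP reaching RDP is reported under the ransomware indicator rather than twice.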
How to secure your business in the event of an attack
If an organisation detects any of the above anomalies, it should follow the six steps below, which also form the basis of an incident response plan. There are multiple frameworks in circulation, but the following steps cover the basics – and more – of how to best respond to an incident.
- Preparation
This begins with fully preparing for a potential cyber attack. Businesses need step-by-step guidance to define how incident response teams will manage incidents, including internal and external communications plans and incident documentation.
The adage that a business is only as secure as its weakest link – in this case, the business within its supply chain with the weakest cyber security practices – should be front of mind. As internal security improves, an organisation’s supply chain often becomes the weak link. Here, the supply chain means the vendors that are connected to an organisation’s network.
As the size of supply chain ecosystems continues to increase, with BlueVoyant research indicating that the number of businesses reporting supply chains of more than 1,000 companies rose from 8% in 2020 to 43% in 2021, a proactive approach is crucial in ensuring all departments of all organisations in a supply chain are ready.
- Identification
This is the detection of malicious activity. Whether based on security and monitoring tools, publicly available threat information, or insider information, an important part of identification is to collect and analyse as much data as possible about malicious activity. Incident response teams must also distinguish between benign activity and true malicious behaviour.
This requires a substantial effort in reviewing security alerts and determining whether alerts are ‘false positives’ — not real security incidents — or ‘true positives,’ which indicate malicious activity.
It’s important at this stage for an organisation’s threat intelligence/incident response consultancy to ensure it has secured any evidence that could be subjected to scrutiny as part of formal legal proceedings. It’s also crucial to ensure that a company’s legal counsel has been fully briefed on the developing situation, and organisations should look towards MSSPs that can assist legal advisors and counsel prior to and throughout the course of proceedings.
It’s important to remember that many organisations won’t have large cybersecurity departments – if they have one at all; if this is the case, it’s likely that legal counsel will not be well versed in how to deal with an ongoing cyber attack.
- Containment
Containment is an attempt to stop the threat from spreading in the environment and doing more damage. There are two types of containment:
- Short-term containment — immediate action to prevent the threat from spreading. For example, quarantining an application or isolating a system from the network.
- Long-term containment — restores systems to production in a clean state, identical to how they were configured before the threat was introduced.
- Eradication
This process includes identifying the point of intrusion, assessing the attack surface, and removing any remaining backdoor access. At this stage, the incident response team neutralises any remaining attacks. As part of this step, the team determines the root cause of the incident to understand how to prevent similar attacks.
- Recovery
At this stage, the incident response team returns systems to normal operation. Compromised accounts are given new, more secure passwords, or replaced with a more secure access method. Vulnerabilities are remediated, functionality is assessed, and normal operations resume.
- Recommendations
There are lessons to learn from any cyber security incident, both at the process level and because threats are constantly changing and evolving. Learning from experience and pinpointing what went wrong is a crucial step in improving your ongoing incident response plan. It is a good practice to perform a post-mortem meeting with the entire team to provide feedback on what worked, and what didn’t, and raise suggestions for process improvement.
The first 72 hours after a data breach are critical. Every decision that an organisation makes can carry financial, legal, regulatory, investigatory, and perception repercussions. This can include disruption of operations, client blowback, increased security and insurance budgets, intellectual property theft, the devaluation of a company’s name (potentially resulting in a stock price dip or drop in investor confidence), and more.
Furthermore, the number of cyber attacks – particularly ransomware attacks – has skyrocketed, with cybercriminals taking advantage of a vastly expanded attack surface. It’s therefore vital that organisations actively prepare for cyber attacks, either by bolstering their own cybersecurity and incident response capabilities, or by engaging with an MSSP to make cyber preparedness both a business protector and enabler for growth.