by David Wren
The last few weeks have been extremely busy. Year to date, hacking activity is up over 400%. Locally, we have seen an increase in successful intrusions followed by data loss and ransomware. My team and I have been on several Incident Response (IR) engagements over the past few months, helping organizations investigate and recover from cyber incidents. An incident should be viewed as a matter of “when,” not “if.” In 2019 more than 74% of small- to mid-sized businesses experienced a negative cyber event. How well prepared are you?
There is an industry-standard approach to IR planning built around a six-step process, the model popularized by the SANS Institute. Here is the outline of an effective strategy: Preparation, Identification, Containment, Eradication, Recovery, and Lessons Learned.
Preparation: Assess the organization to identify what assets need to be protected and who will be responsible for protecting them. Define and document IR policies and procedures, and establish an IR team. The IR team should include internal resources as well as an IR firm on retainer for rapid response. Create communication guidelines and practice mock events for training and preparedness. Inventory current tools and determine whether any gap exists that would delay detection or restoration.
Identification: Multiple ways exist to identify a potential cybersecurity incident. Often the first signal comes from users or the help desk, or from security tooling such as endpoint or log-monitoring alerts, so it is important to train and communicate within the organization. Having the proper tools and processes in place ahead of time will directly affect the speed and effectiveness of this step. An IR investigation will include centralized log collection and correlation for forensic review, next-generation endpoint protection that includes Endpoint Detection and Response (EDR), and proper network monitoring and flow analysis. The response team should be well versed in the proper collection and preservation of evidence, including volatile data such as memory and active network connections, before anything is rebooted or rebuilt.
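The log correlation mentioned above is the kind of check a responder runs very early in Identification. The following is an added example, not code from the article or its author: it parses constructed sshd-style auth log lines (the hostnames, IPs, users and timestamps are made up) and flags a source address that logs in successfully shortly after a burst of failed attempts, a common sign of a brute-forced or sprayed account. The threshold and window values are illustrative assumptions.

```python
"""
Added example (not from the original article): a small log-correlation
check for the Identification step. It groups sshd auth events by source
IP and flags a successful login that follows a burst of failures.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not real data). The format mimics a Linux
# auth.log entry from sshd; hostnames, IPs, users and times are invented.
SAMPLE_LOG = """\
2024-03-04T02:14:01 host1 sshd[812]: Failed password for invalid user admin from 198.51.100.23 port 50122 ssh2
2024-03-04T02:14:03 host1 sshd[812]: Failed password for invalid user admin from 198.51.100.23 port 50123 ssh2
2024-03-04T02:14:05 host1 sshd[813]: Failed password for backup from 198.51.100.23 port 50124 ssh2
2024-03-04T02:14:09 host1 sshd[814]: Failed password for backup from 198.51.100.23 port 50125 ssh2
2024-03-04T02:14:12 host1 sshd[815]: Accepted password for backup from 198.51.100.23 port 50126 ssh2
2024-03-04T08:00:41 host1 sshd[990]: Accepted publickey for alice from 10.0.0.5 port 41000 ssh2
2024-03-04T09:12:00 host1 sshd[991]: Failed password for alice from 10.0.0.5 port 41001 ssh2
2024-03-04T09:12:07 host1 sshd[992]: Accepted password for alice from 10.0.0.5 port 41002 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) (?P<method>\w+) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<src>\S+) port \d+"
)


def parse(log_text):
    """Turn raw log lines into event dicts; lines that do not match are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.fromisoformat(ev["ts"])
        events.append(ev)
    return events


def correlate(events, min_failures=3, window=timedelta(minutes=5)):
    """Return findings where a success from a source IP follows at least
    min_failures failed logins from the same IP within the sliding window.
    Failures against any user name count, so password spraying is caught too."""
    by_src = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        by_src[ev["src"]].append(ev)

    findings = []
    for src, evs in by_src.items():
        recent_failures = []
        for ev in evs:
            # Drop failures that have aged out of the window.
            recent_failures = [f for f in recent_failures if ev["ts"] - f["ts"] <= window]
            if ev["result"] == "Failed":
                recent_failures.append(ev)
            elif len(recent_failures) >= min_failures:
                findings.append({
                    "src": src,
                    "user": ev["user"],
                    "first_failure": recent_failures[0]["ts"],
                    "success": ev["ts"],
                    "failures": len(recent_failures),
                })
                recent_failures = []
    return findings


if __name__ == "__main__":
    for f in correlate(parse(SAMPLE_LOG)):
        print(f"{f['src']} logged in as {f['user']} at {f['success']} "
              f"after {f['failures']} failures starting {f['first_failure']}")
```

On the sample data the check flags 198.51.100.23, which succeeds as `backup` after four failures in eleven seconds, and ignores the 10.0.0.5 activity, where a single typo-style failure precedes a success. In a real investigation the same correlation would be run across every host's logs in a central store, with the first failure timestamp used as the earliest bound on when the attacker was active.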
Containment: This step often occurs in tandem with Identification, or as soon as possible after the compromise is identified. Containment means isolating affected servers and devices and locking down compromised accounts to stop further damage or data leakage. Where possible, isolate a host at the network level rather than powering it off, so that volatile evidence such as memory contents and running processes is preserved for the investigation.
Eradication: This step should be carried out by properly trained professionals after a comprehensive investigation has determined how the bad actor gained access and the overall extent of the damage. Analyzing the malware, tools and artifacts left behind can help identify the adversary and every foothold they established. We often find that organizations have wiped systems and restored from backups before an adequate review, which destroys evidence and, if the backups or the original entry point still carry the attacker's access, invites a repeat occurrence.
Recovery: This step involves testing the fixes from the Eradication phase and transitioning back to “normal” operations. Remediate the vulnerabilities that were exploited, rotate or remove every credential the attacker may have captured (not only the accounts known to be compromised), and add the tools or processes needed to prevent a repeat occurrence. Test accounts and functionality so that the regular flow of business resumes as soon as possible, and monitor restored systems closely for signs of the attacker returning.
Lessons Learned: This step reviews the outcomes of the earlier steps to improve IR capability and overall security posture. In short, analyze the threat vectors used and identify ways to limit future events. The IR team must consider what caused the incident and take corrective action, or advise the business on the further investment needed to prevent a similar event. Common root causes are human error, unpatched vulnerabilities or misconfigurations, and flaws in security products themselves. This step gives the organization an opportunity to assess what went wrong and use the incident as a stepping-stone to improved organizational security.
Statistically, organizations are compromised for months, on average roughly six, before the intrusion is identified. The longer a threat actor holds a foothold in the environment, the longer and more complicated the remediation will be. Bad actors are highly trained, well financed, motivated, and extremely organized. Your first step should be to hire a firm to perform a comprehensive assessment of your organization, including an authorized attempt to break in, and then deliver findings and recommendations.
Cyber preparedness should be part of every organization’s operational plan. IT companies that provide switches, routers, patching and desktop support offer some level of security. However, the majority of IR cases we respond to involve organizations that already have an IT staff or partner. Security is a specialization, much like the medical field: you have general practitioners, and then you have neurosurgeons.
Now more than ever, you need a security partner you can trust.
David Wren, CISM is President of Network Technology Partners, a regional Cyber Security Intelligence firm headquartered in St. Louis, MO. He can be reached at firstname.lastname@example.org