Back to Cybersecurity Basics – Part 3: Incident Response


‘It’s no longer a case of if but when’.

Of course, those of us who have been working in the IT Security industry for longer than we care to remember know that we’re talking about becoming the victim of a cyber-attack.

For many of the larger organisations around the world this is nothing new, and I’m sure they’re under attack as I write this blog. As an industry, there has been a shift in thinking and many organisations have accepted this as fact and are now focusing on the cure, as well as prevention.

Developing an Incident Response plan is something that each company, however big or small, should do. Many cyber-attacks are indiscriminate in who they target, and the results can be devastating irrespective of the size of the company. If anything, a smaller company with a smaller budget may feel the effects more than a large corporate.

How well you recover from an attack depends on whether you can respond to an incident in a timely manner, and how quickly you can respond depends on how well prepared you are.

This topic is something that we could go into a lot more detail on; however, for the purposes of this blog, below are some key points to consider when developing your plan.

Prepare – Putting in the groundwork at this stage will limit the effect of any incident.

  • Create robust security policies.
  • Ensure that your employees are aware of their responsibilities. Most incidents occur through negligent or malicious employees – see our previous blog post HERE on how to limit this.
  • Practise the plan. It’s impossible to know if your plan will work unless you test it.
  • Identify the start of the incident. On average it takes 210 days for a security breach to be detected. This is an area that we as an industry need to get better at.
  • Pre-deploy assets. Being able to failover to a DR site will limit the impact on your users and take the pressure off somewhat during the clean-up phase.

Identification – Is this an actual security incident or not?

  • Signature-based detection. Use signature-based detection alongside a behavioural-based tool. Signatures will detect MOST known threats.
  • If something warrants further investigation, look at security and system logs, new user account creation, unexpected new files.
  • Classify the incident. Is the incident unauthorised access (external threat actor or internal employee), Denial of Service, delivery of malicious code, or scans of the network looking for weaknesses? How serious is the incident?
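As an added illustration of the identification step (this is example code, not part of the original post), the script below runs over a handful of constructed Linux-style auth.log and firewall lines and flags the things the list above says to look for: a new user account, a successful login following repeated failures (unauthorised access), and one source probing many ports (a network scan). The log formats, thresholds and the `FW-DROP` prefix are assumptions for the example.

```python
import re
from collections import defaultdict

# Constructed sample lines in Linux auth.log / iptables syslog style; not real data.
SAMPLE_LOGS = [
    "Mar 10 02:13:01 host1 useradd[2231]: new user: name=svc_tmp, UID=1004, GID=1004, home=/home/svc_tmp, shell=/bin/bash",
    "Mar 10 02:13:05 host1 sshd[2240]: Failed password for admin from 203.0.113.9 port 51234 ssh2",
    "Mar 10 02:13:06 host1 sshd[2241]: Failed password for admin from 203.0.113.9 port 51236 ssh2",
    "Mar 10 02:13:07 host1 sshd[2242]: Failed password for admin from 203.0.113.9 port 51238 ssh2",
    "Mar 10 02:13:09 host1 sshd[2243]: Accepted password for admin from 203.0.113.9 port 51240 ssh2",
    "Mar 10 02:14:00 host1 kernel: FW-DROP: SRC=198.51.100.7 DST=10.0.0.5 PROTO=TCP DPT=21",
    "Mar 10 02:14:00 host1 kernel: FW-DROP: SRC=198.51.100.7 DST=10.0.0.5 PROTO=TCP DPT=23",
    "Mar 10 02:14:01 host1 kernel: FW-DROP: SRC=198.51.100.7 DST=10.0.0.5 PROTO=TCP DPT=445",
    "Mar 10 02:14:01 host1 kernel: FW-DROP: SRC=198.51.100.7 DST=10.0.0.5 PROTO=TCP DPT=3389",
    "Mar 10 09:30:12 host1 sshd[3120]: Accepted publickey for alice from 10.0.0.20 port 40000 ssh2",
]

NEW_USER = re.compile(r"useradd\[\d+\]: new user: name=(\S+?),")
FAILED = re.compile(r"Failed password for (\S+) from (\S+) port")
ACCEPTED = re.compile(r"Accepted \w+ for (\S+) from (\S+) port")
FW_DROP = re.compile(r"FW-DROP: SRC=(\S+) .*DPT=(\d+)")  # assumed firewall log prefix

def classify(lines, fail_threshold=3, port_threshold=4):
    """Return (category, detail) findings using the post's incident categories.
    Thresholds are illustrative; tune them to your own environment."""
    findings = []
    failures = defaultdict(int)       # (user, source) -> count of failed logins
    ports_by_src = defaultdict(set)   # source -> distinct ports blocked by the firewall
    for line in lines:
        if m := NEW_USER.search(line):
            findings.append(("new account", f"user {m.group(1)} created"))
        elif m := FAILED.search(line):
            failures[m.groups()] += 1
        elif m := ACCEPTED.search(line):
            key = m.groups()
            # A success right after a run of failures suggests a guessed password
            if failures[key] >= fail_threshold:
                findings.append(("unauthorised access",
                                 f"{key[0]} from {key[1]} after {failures[key]} failures"))
        elif m := FW_DROP.search(line):
            ports_by_src[m.group(1)].add(int(m.group(2)))
    for src, ports in ports_by_src.items():
        if len(ports) >= port_threshold:
            findings.append(("network scan", f"{src} probed {len(ports)} ports"))
    return findings

if __name__ == "__main__":
    for category, detail in classify(SAMPLE_LOGS):
        print(f"[{category}] {detail}")
```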

Containment – Understand what has been affected. The earlier the better. Reimaging one device is easier than a hundred.

  • Communicate what has happened to the rest of the business. The idea is to limit the spread of infection by explaining what you (the SOC) have found, and what your users need to be aware of.
  • Determine Operational Status – are you still working at full capacity or do you have to turn off devices to prevent the spread of infection? Are these critical resources and do you need to failover to your DR site?
  • Network Segmentation – If you can segregate the high-risk users on your network this will help limit the spread.

The three stages above cover the period before a breach and its immediate aftermath. Hopefully, some of the ideas above will help you develop your plan.

The following four stages look at the post-breach phase.

Investigation – Who, What and Why? How in depth this stage is depends on what your motivation is post breach. Are you looking to get back to ‘Business as Usual’ as soon as possible, or are you going all out for prosecution? This needs to be understood from the very start of the process.

During the investigation phase there are 5 questions you need to be continually asking:

  • What data was accessed?
  • Who did it?
  • How did they do it?
  • Why did they do what they did/what was their motivation?
  • What do your logs reveal?

If gaining a prosecution is your main priority, then it is important to ensure you have a copy of the following…

  • Drives
  • External Storage
  • Network Drive Logs
  • Application Logs
  • Any other supporting data – such as historical data and emails that may be of interest to the authorities.

If you know a device has been subjected to a Malware infection, it’s important to shut down the device during the investigation. The longer the device is on after the incident, the greater the spread of infection and therefore the more difficult it’s going to be to find the required evidence as data is overwritten.

If getting back to ‘Business as Usual’ is more important than gaining a prosecution, then move to the eradication stage at the first possible opportunity.

If the breach is post-May 2018, please consider what data needs to be supplied to the ICO; this may influence your decision on whether you go down the business-as-usual or prosecution route. Remember, the more information you can supply to the ICO in the event of a breach, including your remediation efforts, the lighter any potential disciplinary action may be.

Notification & Eradication – Once you have identified that you have a problem and you have investigated the matter fully, or to the best of your ability, it’s important to move swiftly to the clean-up phase.

  • Notification – This phase also includes notifying the various internal and external parties involved in the breach. This could include external partners and customers, and should include all relevant personnel within the business who may be affected.

Under some compliance regimes (HIPAA, PCI, etc.) it is a legal requirement to notify all relevant parties, and before this can take place you must have all the facts readily available, including what data has been touched.

Notifying all relevant parties can be a challenging and costly process. A recent example saw a post-breach Equifax having to boost their call centres by approximately 2000 seats to handle the number of inbound calls because of their data security incident.

  • Eradication – The Eradication phase should start with the uninstallation of the compromised application from the infected devices. This will be more challenging the longer it has taken to detect the Malware as more devices may have been infected.

It is also good practice to replace the OS/hard drive. This can be completed a lot quicker if you decide to reimage the machine. Configuring a baseline image will allow you to get back up to full operational capacity.

Lessons Learned – With every data breach, it’s important to take stock of what happened and understand what you can do to prevent it from happening again.

Look back over your learnings from the investigation phase and decide how best to fill the gaps that you have identified.

This will help you regain customer and partner confidence.

Ensure that these lessons are well documented, as you may need to present them to a relevant authority.

As I mentioned earlier, this is a topic we could talk about for a long time. For a more in-depth conversation on the subject, contact one of our cybersecurity professionals on 01865 595510.