Breaches Happen: Why Great Incident Response Is Key to Managing Cyberattacks
Serge Droz | November 19, 2019
Serge Droz is a Cybersecurity Expert at Open Systems
The scenario is familiar to all of us: A well-known business announces a cyberattack and data breach affecting millions of customers. The aftermath is swift. Customer loyalty and trust are diminished, especially if the breach isn’t announced promptly and properly. Fines may be levied. And the brand then directs significant resources into hardening enterprise security and repairing its image.
While taking measures to prevent cyberattacks is a given, it’s also nearly inevitable that today’s smart and relentless cybercriminals will find a way in. Incident response (IR) — what happens after a breach — is therefore just as crucial. From responding in the moment to resolve the threat to addressing the incident publicly, the way an enterprise responds to an attack affects public perception, brand trust, customer loyalty, and the ongoing repercussions of a data breach, as well as its ability to eradicate the problem at the root: kicking the attacker out completely.
The unfortunate reality is that most organizations aren’t prepared to respond to attacks, even with such high stakes. It’s common for organizations to seek help only after an incident. However, scrambling to come up with a plan on the fly during a crisis simply isn’t good business in today’s environment.
Breaches happen, but poor IR shouldn’t. A thorough IR plan can help reduce losses, restore processes and services, and even curb exploited vulnerabilities.
Does your organization have an IR plan in place? Is it comprehensive? Cyberattacks globally are increasing in scale, impact, and frequency, so taking a proactive stance and establishing a sound IR plan is vital for any company’s cyber defense.
To get your business ready, follow these four keys for a successful IR plan:
To prepare for incident response, the first step is to create a quality IR team. Make sure to recruit the right people and partners for this team, outline their roles and responsibilities, and allow them to help develop the policies that will be implemented once an incident is detected. Team members should include security engineers with both the technical skills necessary to uncover and defend against attacks and the social skills to connect with important colleagues if a breach occurs. These colleagues may include compliance leaders, HR managers, attorneys, and public relations specialists. Having the team connect and train before an event takes place is essential.
Secondly, your business will need to develop a communications plan around IR that ensures timely delivery of appropriate information to both external and internal stakeholders. A well-planned communications strategy should also cover compliance-related issues and media communications.
- Breach detection
The hard truth is that detecting a cyber incident is really hard. It sometimes takes days, weeks, and even years — yes, years — for organizations to discover they’ve been breached, because attackers stay undetected if no one is looking for them. Companies must have 24/7 monitoring and detection tools to assist in analyzing an incident and determining the breadth of the breach. That will help the team understand what type of incident has occurred, be it malware, phishing, or a denial-of-service attack, and enable it to make a quick, focused response.
Many incidents are discovered by external parties. Key to an immediate response is having visible points of contact. If someone finds an issue in your network, that person needs to be able to reach someone who can take action.
Once you have detected a security incident, it’s important to perform an analysis to determine the scope of the event, whether attackers are still in the network, and how widespread the attack may be. Be aware that, because of the urgency of the situation, decisions may have to be made on incomplete information before moving on to the next step.
By combining information about your own network with the latest threat intelligence, such as specifics on attacker tools, techniques, and trends, you’ll achieve effective triage. This will help you avoid spending time on false positives or irrelevant alerts, and focus your efforts on the security incidents that matter.
Now that you have detected the attack and determined its threat level, it’s time to find and eradicate the actual cause of the threat — for example, locating the malware or other malicious files that caused the breach. At the same time, your team needs to back up all affected systems to preserve their current state for later forensics, and then move on to any needed service restoration. Finally, this is the time to start communicating with your customers, demonstrating that you are in control of the crisis — not the other way around.
By taking pre-planned IR steps to effectively identify the threat, minimize the damage, contain the cost of the incident, and find and fix the cause to prevent future attacks, your organization will be fully prepared to avoid any unnecessary business impacts and reputational damage.
Breaches happen. Be ready with great IR.