By Sergey Ozhegov, CEO, SearchInform
When a cyberattack occurs it is easy to panic and forget all the steps you have been told to make before. What is the very first thing to do, to report, to find out every detail about what happened, to inform your users?
According to the regulators, the first thing ever is to report a breach (although we solemnly swear that hoping ardently that comprehensive back up had been configured is believed to be the first thing to think of). It does create an unneeded problem quite often, as many companies can’t discover a source of an incident, aren’t aware of an incident or simply prefer to take time and solve it as soon as possible themselves because they fear ruining their reputation. More often a breach gets discovered by a researcher who, in case a company doesn’t respond to the researcher’s attempt to notify it, posts about it online bringing the situation to a dead end.
Apart from reporting, the affected systems should be secured promptly. In order to limit the possible spread of a cyberattack, the attack must be contained, which mostly include terminating as many system connections with outer world as possible in the first place, focusing on the Internet, devices and access rights.
Think of what can be affected first or what could be a priority target for a violator. It is fair to look at the matter making your point based on your industry. Depending on a certain industry, particular steps would be of primary importance. User accounts should be secured. Banks should be informed of the possibility of unverified transactions.
Do not reboot
As for the rebooting, there used to be an opinion that booting a computer during an attack might tamper with an attacker’s desire to look at one’s screen, but modern ransomware overwrite encryption keys while a PC is rebooting, it can also cause ransomware relaunch if its remains weren’t detected which would re-encrypt the recovered assets. Today specialists suggest that users hibernate their computers instead.
This also concern the advantages from back up. Back up helps you restore your data but in case of a wrongly treated ransomware situation the retrieved data can get encrypted again.
Backup ensuring is the first “to-do” one in the list which gets treated by both remediation plan mechanisms and information security. Covering all chances to avoid losing sensitive data, it is strongly advised against backing information with only one type of backup. Files should be insured onsite and offsite, the more different storages save the copies the lesser the risk of never retrieving them. It proves to be helpful storing a few copies on a bunch of your servers while trust a third-party center or cloud service with at least one copy as well to make sure that in case it “rains outside” there are some umbrellas waiting above, as if it leaks inside only the comprehensive information security plumbing, including prevention, monitoring and investigation tools can ensure that such a thing almost never happens.
Monitor and alert
The capability of monitoring all traffic may play the role of an occasional saviour – monitoring doesn’t neutralise a cyberattack, but it helps to notice it when the first alarming processes are triggered.
Notify top management and employees who could be responsible for the affected assets and users first, then think of how to provide customers with correct and timely information as quick as possible, it can help them to rescue their information and money in case its integrity wasn’t or was partially ruptured.
Investigation is commonly considered as a final step or rather a long-term phase in which every incident is destined to fade into. A third-party investigation team is usually hired to conduct an in-depth analysis which can take up months of research to inform of the key findings which would have been useful straight when the incident got detected.
Thus, investigation – which usually gets launched after containing a cyberattack and reporting and can be truly time-consuming – is really the process the results of which are highly required right at the beginning of dealing with the consequences. These are the missing facts which can be extracted only from a “probe”. It doesn’t have to be detailed from the very start, but ongoing investigation already deployed in a corporate system helps an enterprise get its bearings significantly faster and with a good deal of transparency unavoidable when managing assets security risks.
All things considered, investigation seems to be not just a first and foremost step to take after a cyberattack occurs but a pre-incident measure which would make every further step a bit more cool-blooded and definitely much more elaborate and mature.
Remediation or recovery has its own program under the whole business continuity and disaster recovery plan. This is another measure which should be taken rather in advance, but goes a long way and reminds of itself as the final step to make after an information security incident. Data protection and risk management are well suited for integration with the overall business continuity approach.
Taking a hard look at the current security situation within an organisation, what is implemented and how many sensible measures there are to take yet is part of the continuity approach. Deploying a monitoring solution in an enterprise will alert to the issues which were never addressed and would give an opportunity to configure security policies and establish internal regulations which genuinely correspond with the company’s needs, thus helping enhance risk assessment.
It is advised to ensure data visibility and user activity transparency as well as human behavior smart control allowing to prevent an incident at an early stage or predict a violation, mitigate human error and detect aiding hackers.
A post-breach remediation step fully depends on how well-thought-out the risk management program is and how efficient it had proved itself before. Knowing what time length of a recovery period a certain company can afford, the extent of damage affecting finance due to a forced downtime, loss of data taken hostage or stolen, reimbursing impacted customers is essential for quick and full recovery. Often companies have to splash out on security solutions only after a disaster happens, which multiplies financial loss.
Solid monitoring rules out the possibility of poor communication within a team when an incident occurs, as a specialist responsible for risk mitigation will be promptly alerted to a suspicious event and report it to the management. Corresponding regulations or instructions should be adopted within a company, thus everyone must know his or her role in the breach offset process.
About the Author
Sergey Ozhegov, CEO, SearchInform. He has been contributing to the company’s development, handling strategic decision making since 2015. Co-founder of the annual SearchInform Road Show series of conferences. He has been working in IT and information security for 15 years. Sergey can be reached online at firstname.lastname@example.org, www.linkedin.com/in/sergey-ozhegov-6b625681/ and at our company website https://searchinform.com/.