When we talk about cybersecurity breaches, we often refer to them as “the boom.” That’s probably because when an attack against an organization is successful, its destructive forces travel far, wide, and fast. But through advance preparation, including developing and maintaining an enterprise-level incident response plan, businesses can significantly reduce the impact of the next cybersecurity threat. This preparation requires a combination of education, process development, and technology deployment – and as with any good enterprise IT initiative, it’s important to plan ahead.
This blog will touch on the current climate of cybersecurity to emphasize why careful planning is so important. Then we’ll provide some key considerations to guide your preparation, including your incident response plan, so you’re ready before and after the next boom.
Today’s Cybersecurity Climate
Cybercriminals aren’t slowing down in 2018. Just poke around on the web and you’ll find that there’s no shortage of recent security breaches, including stolen credentials, data theft incidents, and ransomware attacks, that are causing some serious damage out there. In a recent incident [1] in Atlanta – attributed to the SamSam ransomware strain – the state government was forced to shut down its computer systems. For days following the attack, employees had to rely on manual forms and processes to do their jobs. As you can imagine, work by city employees just about came to a standstill. While the original ransom was only for $50,000, the total damages of the attack ended up costing the city nearly $2.7 million [2].
Below we’ve identified some of the top trends we’re watching out for in the coming year:
- Additional big, bad breaches – massive attacks that affect millions or even billions of users will only continue
- More sandbox-evading malware – new strains of malware that can recognize when they’re inside a sandbox and delay executing their malicious code until outside of it
- Increasing crypto heists – cybercriminals that were once focused primarily on traditional currency are now making the transition to stealing Bitcoin and other digital currencies
- Additional extortion shakedowns – ransomware strains like WannaCry will continue to evolve and remain a widespread issue
- New state-sponsored attacks – countries are heavily investing in their online attack capabilities, and new governments are getting involved
- Innovative AI-powered attacks – 91% [3] of security professionals are concerned that cybercriminals will use AI to launch even more sophisticated cyberattacks, such as malware that can bypass machine-learning antivirus software
- Mounting exploitation of the Internet of Things – cybercriminals will more frequently target medical devices, smart cars, home appliances, and more
Despite these threats, a 2017 survey by Experian and Advisen [4] indicated that 75% of their small business clients were either “not prepared at all” or “not very well prepared” to respond to a cyber incident. The survey also noted that many companies aren’t doing anything to prevent incidents in the first place. But that won’t be you. Because when the boom hits, you’ll be ready.
Before the Boom – A Preparation Checklist
Before we dive into the details of cyber threat preparation, there are a few basic boxes to check. These include assigning responsibility for your incident response plan across business units and geographies, establishing the criteria for activating external support resources and points of contact, creating a feedback loop for the plan, and defining the language that will be used to drive the overall program. We’d also strongly suggest reviewing the National Institute of Standards and Technology (NIST) publications to provide a procedural foundation for your incident response program – NIST SP 800-61 is widely accepted as an industry standard for incident response.
With these basics in mind, you can begin to think about exactly what will be included in your preparation. Below, we’ve identified the 11 most vital actions you can take before the boom:
- Conduct a cybersecurity risk assessment – with the many hats your IT staff is likely to wear, it may be beneficial to bring in a third party that specializes in risk assessment to be sure nothing falls through the cracks
- Patch, patch, patch – sometimes the simplest of IT hygiene is the easiest to miss, so be sure your software is up-to-date
- Implement the right prevention and detection technologies – the enterprise can be vast, so choose comprehensive security solutions that cover your network, users, and cloud platforms
- Monitor your alerts – many organizations have the technology to sound an alert, but they don’t have anyone monitoring the alerts, rendering them useless
- Segment your network – this way, if attackers get in, it will be much harder for them to locate and steal your intellectual property or get to your most critical systems
- Educate your employees – structured training programs can help employees identify threats, and know what to do if they’re targeted
- Lock down your access – using a least privilege approach will limit access, stopping attacks where they start, and preventing them from spreading throughout the entire network
- Encrypt your critical data – if encrypted data is stolen, it’s unreadable to the cybercriminal, so confidential information doesn’t get into the wrong hands
- Back up your data – a good backup-as-a-service provider not only handles regular backups, but offers top-notch recovery services, too
- Test your controls – we recommend penetration tests, red teaming, and breach and attack simulation technologies to help verify that your security controls are working
- Obtain an emergency incident response retainer – it’s a good way to make sure you have the resources you need to quickly contain and eliminate any threats that penetrate your defenses
Once you have a good preparation plan, it’s critical to disseminate it to all of the team members who will be tasked with executing it within your organization. It’s also a good idea to share it with your external support contacts and stakeholders. Additionally, we’d advise maintaining service level agreements and relationships with external emergency incident response experts who can be brought in to help. The final step before putting your preparations to the test is reviewing state and federal data breach laws to ensure your preparation plan factors in the legalities that can often accompany a cyberattack.
After the Boom – A Response Plan for Rapid Resolution
With preparations taken care of, you’re as ready as you can be for the boom. So, let’s discuss what happens after an incident to be sure you’ll know exactly the actions to take for an effective response. To us, the three keys to an effective incident response program are that it’s defined, repeatable, and sustainable. By defined we mean decisive, clear, and well thought out. Repeatability should come from accurate, consistent, and predictable incident response activities. And sustainability comes from flexible processes, strong post-incident reviews and after-action sessions, and a scalable, modular approach to technology and business practices.
In this phase, we’ve got a set of best practices to share that will help counter any incident effectively and keep losses to a minimum:
- Stay calm, but act quickly – give yourself and your team time to assess exactly what has happened and what needs to be done
- Follow your enterprise incident response plan – you’ve built it for a reason, don’t deviate now
- Save valuable network traffic, packet captures, and log data – these assets are the forensic evidence you’ll need to investigate the incident and fortify your defenses
- Communicate quickly, effectively, and continuously – if information stops flowing, the whole incident response program can break down
- Identify the cause and the impact of compromised assets – quick insight enables effective coordination and precise action for swift damage control
- Bring in your third-party incident response team – they can add valuable horsepower and expertise to your response, and get you back in business fast
- Track your response so you can learn from it – this is critical for continually evolving your incident response plan
That last step is crucial. By keeping track of exactly what happened during a response, you can build and improve upon your preparations for next time. Analyze where your response was the strongest and weakest. Evaluate your overall visibility into the response. Identify any blind spots that need to be addressed. Together, all of this insight will help identify where your incident response program stands, and where the opportunities are to improve it.
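As an added example (not from the original post), the script below makes the “save valuable network traffic, packet captures, and log data” step concrete: it copies log files into an evidence folder, hashes each copy with SHA-256, writes a manifest recording who collected what and when, and re-verifies the copies so that any later edit or loss is detected. The file names, the collector name, and the sample log lines are constructed for illustration and come from no real system.

```python
"""Preserve log and packet-capture evidence with an integrity manifest.

Added example for the "save valuable network traffic, packet captures,
and log data" step; it is not part of the original post. File names,
the collector name and the sample log content are constructed.
"""
import hashlib
import json
import shutil
import tempfile
from datetime import datetime, timezone
from pathlib import Path

CHUNK = 1024 * 1024  # hash in 1 MiB chunks so large pcaps are never loaded whole


def sha256_file(path: Path) -> str:
    """Return the hex SHA-256 digest of a file, streamed in chunks."""
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for block in iter(lambda: fh.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def preserve_evidence(sources, evidence_dir: Path, collector: str) -> dict:
    """Copy each source file into evidence_dir and record a manifest.

    The manifest captures who collected what, when, and the hash of each
    copy, so a later verify_evidence() call can show nothing has changed.
    """
    evidence_dir.mkdir(parents=True, exist_ok=True)
    items = []
    for src in map(Path, sources):
        dest = evidence_dir / src.name
        shutil.copy2(src, dest)  # copy2 keeps the original mtime for timelines
        items.append({
            "name": src.name,
            "original_path": str(src),
            "size": dest.stat().st_size,
            "sha256": sha256_file(dest),
        })
    manifest = {
        "collected_at": datetime.now(timezone.utc).isoformat(),
        "collector": collector,
        "items": items,
    }
    (evidence_dir / "manifest.json").write_text(json.dumps(manifest, indent=2))
    return manifest


def verify_evidence(evidence_dir: Path) -> dict:
    """Re-hash every preserved file and compare against the manifest.

    Returns {"ok": bool, "mismatched": [names], "missing": [names]}.
    """
    manifest = json.loads((evidence_dir / "manifest.json").read_text())
    mismatched, missing = [], []
    for item in manifest["items"]:
        path = evidence_dir / item["name"]
        if not path.exists():
            missing.append(item["name"])
        elif sha256_file(path) != item["sha256"]:
            mismatched.append(item["name"])
    return {"ok": not mismatched and not missing,
            "mismatched": mismatched, "missing": missing}


def demo() -> tuple:
    """Preserve two constructed log files, then detect a post-collection edit."""
    work = Path(tempfile.mkdtemp())
    auth_log = work / "auth.log"
    # Constructed sample lines (TEST-NET and private addresses), not real data.
    auth_log.write_text(
        "Mar 22 09:14:02 fileserver sshd[4121]: Failed password for admin from 203.0.113.7\n"
        "Mar 22 09:14:05 fileserver sshd[4121]: Accepted password for admin from 203.0.113.7\n"
    )
    fw_log = work / "firewall.log"
    fw_log.write_text("Mar 22 09:15:40 fw01 DROP TCP 203.0.113.7:51122 -> 10.0.5.20:445\n")

    evidence = work / "evidence"
    manifest = preserve_evidence([auth_log, fw_log], evidence, collector="ir-oncall")
    clean = verify_evidence(evidence)

    # Simulate an accidental edit to a preserved copy; the manifest catches it.
    with (evidence / "auth.log").open("a") as fh:
        fh.write("edited after collection\n")
    tampered = verify_evidence(evidence)
    shutil.rmtree(work)
    return manifest, clean, tampered


if __name__ == "__main__":
    m, clean, tampered = demo()
    print(f"preserved {len(m['items'])} files; clean verify ok={clean['ok']}; "
          f"after edit ok={tampered['ok']} mismatched={tampered['mismatched']}")
```

In practice the evidence folder would live on write-once or access-restricted storage and the manifest would be kept alongside the incident record, so that the hashes written at collection time can be checked again whenever the evidence is handed to a third-party responder or reviewed in the after-action session.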
When it comes to the boom, it isn’t about if it’s going to happen, it’s about when it’s going to happen. That’s why preparation and response programs are so important. If you don’t handle incidents properly, the damage can linger and even spread, and the losses can pile up fast.
To be sure you’re ready for the next cybersecurity threat, make a plan that begins well before an incident and extends well beyond it. This can help ensure that even the most sophisticated threats don’t catch you off guard and keep your program ahead of attackers who are always looking to create havoc with the next boom.
To learn more about building your own enterprise-level incident response program, please visit https://veristor.com/it-security/
[1] CNN, https://www.cnn.com/2018/03/27/us/atlanta-ransomware-computers/index.html
[2] WSB-TV Atlanta, https://www.wsbtv.com/news/local/atlanta/ransomware-attack-cost-city-27-million-records-show/730813530
[3] CSO Online, https://www.csoonline.com/article/3250086/data-protection/7-cybersecurity-trends-to-watch-out-for-in-2018.html
[4] Advisen/Experian, https://www.advisenltd.com/2017/05/24/2017-cyber-risk-preparedness-response-survey/