When a cyber incident happens, the emergency response should be immediate and swift. Time is of the essence, and the reaction period between detecting the event and responding to it can make all the difference to shutting down an attack – or being overwhelmed by it.
IT Governance reported that 97,456,345 records were compromised during 112 public security incidents in August 2022.
So, what should our response be when faced with a cyberattack? It can be hard to think straight in those first moments of panic and alarm. It’s the same as discovering that your house is on fire. When you first see the flames, you don’t have time to reflect on what could have been done to prevent it; it is all about containing the fire. Fast. Another comparable scenario is when a burglar breaks into your home – often a well-planned, meticulously executed attempt to steal something valuable. What’s your first move?
Call for help!
When you discover signs of a cyberattack, the very first thing you should do is call your cyber security response team. Many organisations can be tempted to try and address the crisis themselves. However, the reality is that internal teams often don’t have the specialist knowledge required to deal with these types of emergencies properly. Even if they do, they may not have access to the right tools or technology.
That’s why we leave putting out fires to the fire service and catching burglars to the police. They have been appropriately trained and equipped to respond. Likewise, cybersecurity experts have the most suitable set of skills and expertise. Professional cyber security teams can often complete in a matter of hours work that would take people outside the industry a month or even longer. A month is a long time for a fire to be left to rip through a building or a burglar to remain on the run with your valuables.
After you have let the experts know what has happened, you must leave all your computers and devices switched on. While it may seem intuitive to power down your machines immediately, do not switch anything off. Shutting down a device can destroy evidence that would be used in the investigation. Even if an attacker has only compromised a single workstation, a full shutdown of that machine can wipe out valuable evidence that is needed later for forensics.
Instead, simply unplug the network cable from the device, breaking its physical connection to the wider IT network. This keeps the login evidence on the affected machine intact while preventing the attacker from reaching other workstations or parts of the network or system. Switching a device off often resets it, which clears valuable evidence of where and how the attack took place, such as the login details or encryption keys that were used to access the system.
Assess – Gather the Facts and Evaluate the Risks
After your cybersecurity expert has taken the initial immediate steps to reverse the attack and begin to repair the damage, it’s time to gather the facts and evaluate the risks, including the extent of potential harm to affected individuals. Where possible, this is also the stage when experts will take action to remediate any risk of further harm or repeat attacks.
The assessment stage uses software tools installed on machines to bulk search for cyber threats and determine the attack entry point. This software checks documents and files downloaded onto the server, looking for specific file extensions that could cause damage or render a system vulnerable to attack. Broad searches are conducted across servers and individual machine endpoints. Ransomware often leaves its own distinctive file extension, making it reasonably easy to spot once the initial signs of its presence are identified.
(If you have EDR software installed and actively monitor consoles for alerts, the attack indicators may be visible.)
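As an added illustration of the bulk search described above (example code, not ENHALO's tooling): a Python scan that walks a file tree for files carrying ransomware-style suffixes or ransom-note filenames and reports the earliest modification time among the hits as a first estimate of when and where the encryption began. The suffix list, note names and sample tree are constructed assumptions, not a vetted threat-intelligence feed.

```python
import os
import tempfile
from collections import Counter

# Constructed watch-list (assumption, not a vetted threat-intel feed): suffixes
# appended by file encryptors and filenames typical of ransom notes.
SUSPECT_SUFFIXES = {".locked", ".encrypted", ".crypt", ".enc"}
RANSOM_NOTE_NAMES = {"readme_to_decrypt.txt", "how_to_recover.txt"}

def scan_tree(root):
    """Walk `root`; return hits, per-suffix counts and the earliest hit, whose
    mtime and directory give a first estimate of when/where encryption started."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            ext = os.path.splitext(name)[1].lower()
            if ext in SUSPECT_SUFFIXES or name.lower() in RANSOM_NOTE_NAMES:
                hits.append((path, ext, os.stat(path).st_mtime))
    by_suffix = Counter(ext for _p, ext, _m in hits if ext in SUSPECT_SUFFIXES)
    earliest = min(hits, key=lambda h: h[2], default=None)
    return {
        "hits": sorted(hits, key=lambda h: h[2]),
        "by_suffix": by_suffix,
        "earliest_path": earliest[0] if earliest else None,
        "earliest_mtime": earliest[2] if earliest else None,
    }

def build_sample_tree():
    """Constructed sample estate: two encrypted files, one ransom note, one clean file."""
    root = tempfile.mkdtemp(prefix="ir_sample_")
    os.makedirs(os.path.join(root, "shares", "finance"))
    samples = {  # relative path -> mtime (epoch seconds), constructed values
        "shares/finance/budget.docx.locked": 1_700_000_050,
        "shares/finance/q3.xlsx.locked": 1_700_000_100,
        "shares/README_TO_DECRYPT.txt": 1_700_000_200,
        "shares/finance/notes.txt": 1_700_000_000,
    }
    for rel, mtime in samples.items():
        path = os.path.join(root, rel)
        with open(path, "w") as fh:
            fh.write("sample\n")
        os.utime(path, (mtime, mtime))
    return root

if __name__ == "__main__":
    report = scan_tree(build_sample_tree())
    print(len(report["hits"]), "hits; earliest:", report["earliest_path"])
```

Modification timestamps can be altered by an intruder, so treat the earliest hit as a lead to corroborate against EDR consoles and server logs rather than as a conclusion.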
Identify and Contain Data Breach to Prevent Further Compromise
As part of the identification and containment process, the response team will run several simulations to predict where these attackers went on the server and whether they are still in the system. In some instances, only a few servers may be affected, and these can be contained as soon as they are identified. Once contained, the perpetrator’s ability to spread the attack to the rest of the network is stopped immediately.
Key to this stage is identifying access points to critical assets. These can include personally identifiable information (PII) from customers or employees, software source code, and sensitive information such as financial data, passwords or confidential reports. Experts can determine whether any bulk data has been exfiltrated from the system and implement remediation if this proves to be the case.
Report After a Breach
Depending on your business’s region, specific legal obligations must be adhered to after a data breach.
For example, you may need to issue a statement that outlines the situation and critical facts that the public needs to know.
This can include any or all of the following:
- A high-level description of the vulnerabilities that led to the attack.
- Summary of how the attack has affected the organisation’s systems and compromised personal details and other important or sensitive data.
- The response strategy that has been put in place to remediate the damage, if any, and what prevention strategies have been implemented.
Good practice dictates that a full review is carried out after the incident has been contained and all systems returned to a secure state with no further compromise or threat present. The review process will help the organisation revisit the security protection measures it has in place and how effective each one is when faced with a real-time threat.
ENHALO Cyber Emergency Response in Action
ENHALO specialises in providing rapid emergency response services to organisations facing a sudden cyberattack or data breach worldwide. We were called out very recently to assist a global recruitment agency operating in over 50 countries. A government security watchdog informed them about a series of very credible attempts from state threat actors to attack their internet-facing systems.
The government watchdog had performed vulnerability scans ahead of our involvement and identified several vulnerabilities that these threat actors were able to exploit. Following this discovery, the agency found malicious web-hook software on one of their internet-facing systems. They decommissioned it immediately and believed that this swift response was enough to contain the threat. But the government cyber security watchdog insisted that a reputable cyber security consulting firm be engaged to determine the extent of the attack and whether data had been compromised or exfiltrated. The agency reached out to ENHALO to investigate.
Cyber Security Risk Approach
The ENHALO team deployed scans across the organisation’s technology estate, revealing numerous web-hooks attached to other servers, which the internal team’s software hadn’t detected. We immediately took all of the agency’s systems offline and decommissioned them. Our next move was to establish a list of critical assets and strategically position them in a secure area for protection and monitoring. These assets included personal information about individuals and where they were placed in high-privilege environments.
Cyber Risk Process
Next, we isolated the network segments to contain any further spread. We set up a security information and event management (SIEM) system and a security operations centre (SOC) to capture and log where the attackers were and had been.
We then performed a series of targeted attack simulations to determine how the perpetrators gained access and whether they had managed to reach the agency’s critical assets. ENHALO experts logged and implemented emergency changes for major vulnerabilities and shut down unauthorised access to these assets. Proverbial windows and doors were swiftly closed to reduce further risk. Finally, logs from the firewall and other data sources were extracted to determine whether any signs of data exfiltration existed.
Cyber Risk Reporting & Response
The government security watchdog required a detailed report covering the emergency cybersecurity response plan and the actions taken. This included answers to whether sensitive PII was extracted and what the agency was doing to mitigate the risk of a repeat attack.
This event had a positive ending thanks to our team’s rapid, detailed and expert response. We were able to provide supporting evidence that no data was exfiltrated or had appeared on the dark web.
Postmortem After a Cyber Attack
But what was the takeaway from this attack? What was missing from this agency’s cyber defence that allowed this attack to happen?
- There was no multi-factor authentication in place to access the development environment.
- The digital infrastructure was not appropriately segregated or air-gapped. This meant that products being tested and developed could be easily accessed and compromised.
- No security information and event management (SIEM) system was in place to detect the intrusion and trigger a response.
- There was no SOC in place to oversee the correlating of events and launch an emergency cyber response.
- The anti-malware solution that the agency had invested in was incapable of detecting all threats, and no 24/7 triage, remediation or response service was in place.
What Makes Organisations Like These Vulnerable to Attacks?
There are areas of vulnerability that can be addressed before an emergency to help reduce the risk of being attacked. Here are some key risk factors that are common to many organisations:
- Outdated, unpatched software. Many successful cyberattacks are carried out against unpatched computers. Organisations are often not even aware that vulnerabilities exist on their systems, and this unawareness makes them prime targets for cybercriminals. Fix that, and you are suddenly a good deal safer and protected.
- Weak passwords and single-factor authentication. Cutting multiple copies of a front door key and then dishing them out to the neighbourhood means the whole community can come and go as they wish. Oh, and did we mention that the same front door key can open the safe in the bedroom too? The same key opens all the doors and allows access to the organisation’s crown jewels. This is the scenario for organisations that don’t bother with two-factor authentication to critical systems and admins using the same email/username and password to log into desktops/workstations and servers.
The human element
- Employees take shortcuts to make life easier for themselves. They may know the right course of action to maintain robust cybersecurity protocols but fail to carry it out because there is an easier way to do things, or they think it is optional.
Budget and resource constraints
- Senior management can often be reluctant to spend too much on cyber security because they are rewarded if they save the organisation money. However, short-term savings can turn out to be a false economy if valuable data and systems are compromised.
- Anti-virus software can undoubtedly provide some protection, but it is not enough. Organisations often operate under the illusion that they’ve spent enough on cybersecurity and are adequately protected simply because they have anti-virus software. This illusion needs to be dispelled if the wide gamut of cyberattacks and compromises is to be identified and prevented.
- Cybersecurity tools are purchased and implemented, but no one monitors them, making them worthless. Never assume that the purchase price has also secured 24/7 monitoring by experts ready to leap into action at the first signs of a cyberattack. The terms and conditions of such a purchase need to be carefully checked. It is dangerous to assume that a service provider is monitoring systems just because their licensed software has been acquired.
What you were ready for yesterday may be the last thing cybercriminals have in mind for you today. Use the lessons from other “victims of cybercrime” and deploy the expertise required to navigate your unique, yet evolving, risk landscape.
Contact ENHALO now to find out more about our cybersecurity emergency response services.