Cyberattack Survival Series: Part II – Attack
Your response to a cyberattack will naturally depend largely on the nature of the attack. Whether your organisation has been hit with ransomware or has fallen prey to a phishing scam, there are a number of key factors that you will need to set out in order to have an effective response strategy.
It is fundamental to align this strategy and to ensure that all employees and anyone else potentially affected by the attack (including partners and the supply chain) have clear instructions for how to respond as soon as the attack is alerted.
The first step in responding to an attack is to ensure your incident response (IR) team is poised for action. Appoint a leader who takes charge of every activity and is in direct communication with management, so that crucial decisions can be made promptly. It’s going to be important at this stage to ensure that you have a secure communications platform, completely separate from the infected network, to enable safe comms between incident response, employees and senior leadership. Responses to the crisis will naturally need to be communicated, and doing so on the infected server gives your cyberattacker full visibility of what your next move is going to be. To understand how Serbus can help to provide a secure communications system, you can read more here.
Once the attack has been recognised, it’s important not to get immediately wrapped up in trying to define its root cause – this can be identified post-breach, and leaving it until then will allow you to respond in a more agile and focused way against the actual threat.
This stage is key to tracking, monitoring, identifying, alerting on and reporting any security breaches that occur, which will give better clarity on the impacted areas of your organisation’s network.
The most commonly reported security breaches come via phishing (75%), business impersonation (28%) and malware and virus attack (24%). Understanding the threat statistics, particularly in the context of your industry, may help you prepare your incident response and any investment/budget you may need to allocate to a cyber crisis.
There are a few noticeable indicators that help ascertain the type of attack you could be facing in its early stages. A ransomware attack will often leave files visible but un-openable, and will also scramble file names with peculiar symbols. An attack on your mail server will cause random emails to enter and exit your exchange, and cause credential errors when attempting to access resources. A DoS/DDoS or other online attack on your network will be obvious from slow performance of, and rejected access to, online resources.
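The first of those indicators, files that are still present but no longer open and whose names carry odd appended symbols, can be checked for mechanically. The script below is an added example written for this post, not Serbus code: it walks a directory and flags files whose name matches a scrambled-name pattern (a recognisable document extension followed by an unusual suffix) or whose leading bytes have very high entropy without a recognised file signature, which is what an encrypted copy of a document looks like. The signature table, the name pattern and the sample files it builds in a temporary directory are constructed for the illustration; compressed archives with no signature in the table will show up as high-entropy false positives, so treat the output as a triage list, not a verdict.

```python
"""Heuristic scan for files that look ransomware-encrypted (added example)."""
import math
import os
import re
import tempfile
from collections import Counter

# Magic-number prefixes for a few common file types. Assumption: a real
# deployment would use a much fuller table (e.g. from libmagic).
KNOWN_SIGNATURES = {
    b"%PDF-": "pdf",
    b"PK\x03\x04": "docx/xlsx/zip",
    b"\x89PNG": "png",
    b"\xff\xd8\xff": "jpg",
}

# A document extension followed by an appended, unusual suffix, such as
# "report.pdf.locked" or "memo.docx.@#!". Constructed pattern for illustration.
SCRAMBLED_NAME = re.compile(r"\.(pdf|docx|xlsx|png|jpg|txt)\.[^.\s]{2,}$", re.I)

ENTROPY_THRESHOLD = 7.5  # bits per byte; plain documents sit well below this


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of `data` (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def looks_encrypted(path: str, sample_size: int = 4096) -> bool:
    """True if the file head has no known signature and near-random bytes."""
    with open(path, "rb") as fh:
        head = fh.read(sample_size)
    if any(head.startswith(sig) for sig in KNOWN_SIGNATURES):
        return False
    return shannon_entropy(head) > ENTROPY_THRESHOLD


def scan_directory(root: str):
    """Return sorted (file name, [reasons]) for files showing either indicator."""
    findings = []
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            reasons = []
            if SCRAMBLED_NAME.search(name):
                reasons.append("scrambled-name")
            if looks_encrypted(os.path.join(dirpath, name)):
                reasons.append("high-entropy")
            if reasons:
                findings.append((name, reasons))
    return sorted(findings)


def build_sample_tree() -> str:
    """Create a constructed directory of benign and 'encrypted' files."""
    root = tempfile.mkdtemp(prefix="ransom-scan-")
    samples = {
        "invoice.pdf": b"%PDF-1.4\n" + b"hello world " * 200,   # real PDF head
        "notes.txt": b"Meeting notes, action items. " * 100,  # low entropy
        "photo.jpg": b"\xff\xd8\xff" + os.urandom(2000),       # signature wins
        "budget.xlsx.locked": os.urandom(4096),                # both indicators
        "ledger.docx.@#!": os.urandom(4096),                   # both indicators
    }
    for name, content in samples.items():
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(content)
    return root


if __name__ == "__main__":
    for name, reasons in scan_directory(build_sample_tree()):
        print(f"{name}: {', '.join(reasons)}")
```

Run it as-is to see the two constructed "encrypted" files reported with both reasons while the PDF, text file and JPEG pass; point `scan_directory` at a file share to use it on real data.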
There will be many other resources that will come in useful for gathering data from tools and systems to probe for deeper analysis of any indicators that suggest further compromise. Your IR teams will benefit from being trained in and familiar with live incident response – however, these teams/individuals can be outsourced in the event of a breach incident, should your organisation not have this function in house. Until an incident is cleared and the evidence analysed, the extent of the damage to the network and systems will not be known, which is why it’s fundamental that breach incidents are treated (in every instance) with the same due diligence, caution and severity.
If any customer data, financial details, employee personal information etc. should be found to be compromised, it’s vital that the relevant appointed member of your IR team immediately initiates the protocols to inform those affected which of their data is now compromised – it is likely they will need to go away and change passwords for other sites, or contact their bank to check or change credentials.
During this step, it’s also important to ensure that no hasty or risky decisions are made that could potentially destroy evidence you will need later to assess the cause of the breach and responsibility for it. Depending on the nature of the attack, there are a few generally safe ways you can begin to contain the breach:
- Disconnect all devices from the internet
- Disable any remote access to the network
- Check and maintain firewall settings
- Check for and install any pending security updates/patches
- Change all passwords of connected network users, ensure they are strong
The main goal is ultimately to neutralise the attack: by isolating components of the network where possible (changing passwords, disabling remote access etc.) the area the attacker can operate in will shrink, making it easier to neutralise the attack and regain control of the network. In a particularly large-scale event it may be prudent to take the whole business network offline in order to quarantine the damage; this will naturally incur unavoidable downtime costs, however it’s likely that the cost of downtime will outweigh the cost of a brand new network system.
One action to definitely avoid during an ongoing attack is turning off an infected device/computer. Sadly, things are not as easily remedied by ‘turn it off’ in the IT world, and doing so in an active breach event could lead to more damage, and the loss of important evidence needed post-breach to identify the cause and attackers responsible.
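Two of the points above, that a single leader should be accountable for every containment action and that nothing should be done that destroys the evidence needed later, are easier to hold to if actions are recorded as they happen. The example below is added for this post and is not Serbus code. It keeps a hash-chained log of containment actions (each entry commits to the previous one with SHA-256, so an entry edited or deleted after the fact is detectable at post-incident review) and refuses to record an evidence-destroying action such as isolating or powering off a host until a volatile-evidence capture has been logged for that host. The action names, the precondition table and the sample entries are assumptions for illustration; the log's JSON-lines export is meant to be copied to the separate, secure communications channel the post describes rather than left on the infected network.

```python
"""Tamper-evident containment action log with an evidence-first guard.

Added example, not Serbus code. Action names and the REQUIRES_EVIDENCE_FIRST
table are illustrative assumptions.
"""
import hashlib
import json
from datetime import datetime, timezone

GENESIS = "0" * 64  # "previous hash" of the first entry

# Actions that lose volatile state (memory, live connections, running
# processes) and must therefore follow a capture_volatile on the same target.
REQUIRES_EVIDENCE_FIRST = {"network_isolate", "power_off", "reimage"}


def _digest(entry: dict) -> str:
    """SHA-256 over the canonical JSON of every field except the hash itself."""
    body = {k: v for k, v in entry.items() if k != "hash"}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


class ContainmentLog:
    def __init__(self):
        self.entries = []

    def _evidence_captured(self, target: str) -> bool:
        return any(e["action"] == "capture_volatile" and e["target"] == target
                   for e in self.entries)

    def append(self, actor: str, action: str, target: str, note: str = "") -> str:
        """Record an action; returns its hash. Raises if evidence would be lost."""
        if action in REQUIRES_EVIDENCE_FIRST and not self._evidence_captured(target):
            raise ValueError(
                f"{action} on {target} refused: record capture_volatile first")
        entry = {
            "seq": len(self.entries),
            "time": datetime.now(timezone.utc).isoformat(),
            "actor": actor,
            "action": action,
            "target": target,
            "note": note,
            "prev": self.entries[-1]["hash"] if self.entries else GENESIS,
        }
        entry["hash"] = _digest(entry)
        self.entries.append(entry)
        return entry["hash"]

    def verify(self) -> int:
        """Index of the first entry whose chain link is broken, or -1 if intact."""
        prev = GENESIS
        for i, e in enumerate(self.entries):
            if e["seq"] != i or e["prev"] != prev or _digest(e) != e["hash"]:
                return i
            prev = e["hash"]
        return -1

    def export(self) -> str:
        """JSON lines, suitable for copying off the affected network."""
        return "\n".join(json.dumps(e, sort_keys=True) for e in self.entries)


def run_demo() -> tuple:
    """Constructed incident: returns (verify result, result after tampering)."""
    log = ContainmentLog()
    log.append("analyst-1", "capture_volatile", "ws-042",
               "memory image and connection table taken")
    log.append("ir-lead", "network_isolate", "ws-042", "switch port disabled")
    log.append("ir-lead", "rotate_credentials", "all-users", "forced reset")
    intact = log.verify()
    log.entries[1]["note"] = "edited after the fact"  # simulate tampering
    return intact, log.verify()


if __name__ == "__main__":
    print(run_demo())  # prints (-1, 1): intact, then entry 1 detected as altered
```

The guard is deliberately per-target: isolating one workstation requires a capture on that workstation, not on any host, so the log cannot be satisfied by a single token capture early in the incident.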
The majority of organisations that become subject to a breach incident, especially where the media is made aware, will be immediately judged on their response and on how an attack could have been possible in the first place. Whilst it is important to understand the steps to take during an ongoing breach incident, arguably your best defence lies in the systems and preparation put in place to ensure that one cannot occur, or that its effects, were it to breach your network, would be minimal.
To find out more about the solutions Serbus can put in place to help secure your network devices and communications from cyber threat, get in touch today on +44 (0)1432 870 879, or email us at firstname.lastname@example.org.