The Fundamentals of Responding to Security Incidents

Latest posts by Amy Potgieter

When it comes to recognizing your vulnerabilities and reacting quickly, having a remote workforce that is constantly expanding presents additional challenges, but this does not change the fundamentals, which are to identify, protect, detect, react, and recover from any potential breaches. 

As a result of COVID-19, your company will face more challenges, and hackers will have more opportunities to succeed. You and online criminals are in a never-ending race over information security. We spoke with cybersecurity experts about the challenges that an increasingly remote workforce poses for businesses, how to respond to a cyber threat, and how the threats themselves are evolving.

The ongoing pandemic caused by COVID-19 makes responding to a current threat more difficult. Being proactive is critical, and regardless of your company’s size, the best time to change your strategy to include a shelter-in-place workforce was yesterday.

What exactly is in jeopardy? 

Breaches vary in type and magnitude. Ransomware may prevent you from accessing resources and data, but the game plan will differ depending on what has been compromised and what that infected point has come into contact with. Rebuilding the machine is the most common and straightforward way to recover a ransomware-encrypted workstation.

This will cause some downtime, but nothing else. However, if a data center or critical servers are attacked, the results could be disastrous. Even if paying the ransom is only the beginning of your problems, the potential damage for many businesses is so great that it makes sense to give the criminals hundreds of thousands of dollars in bitcoin. 

“Even if you can find a way to pay, can afford to pay, and have a trustworthy enough criminal,” explains Drew Simonis, HPE’s deputy chief information security officer. “It still does not guarantee that you will survive the attack.” 

Even if you pay the ransom, it could take months to repair the damage caused by a ransomware attack using the decryption keys provided by the criminal. How much of a drop in productivity do you believe your company can withstand? Simonis believes that a large corporation can sustain this. “For a relatively small business? This could put them out of business.”

The five pillars of effective cyber defense 

Unsurprisingly, the size of your company will have a direct impact on the types of threats you face and the resources you have available to you. Nonetheless, the critical steps you must take are derived from the National Institute of Standards and Technology’s (NIST) cybersecurity framework, and they are the same for businesses of all sizes. The steps are identify, protect, detect, respond, and recover.

It is a step-by-step process that includes determining how vulnerable your system is, doing everything possible to eliminate vulnerabilities, triaging the damage as soon as a breach occurs, getting back up and running, and, most importantly, eliminating those weak links in the future. 

Organizations differ in their strengths and weaknesses

“A large company has all of those resources in-house; they’ll have investigators, forensic capability, and the ability to develop and implement a plan based on the breach,” says Simonis. Plans of action vary according to a company’s size and available funds, and many of the challenges that small and medium-sized businesses face are more formidable than they have ever been as a result of the ongoing pandemic.

The COVID factor

The increased prevalence of remote workers complicates every step of the response process. The COVID-19 outbreak has not changed the fundamentals, but it has provided new opportunities for cyber criminals. These new opportunities include an increase in content-oriented attacks that target your organization’s employees, particularly by appealing to their emotions. In April, the World Health Organization (WHO) reported a significantly higher number of cyberattacks than usual. 

“Security teams need to learn to sift through things they didn’t have to sift through before,” says J.J. Thompson, senior director of managed threat response at Sophos. 

Google’s Threat Analysis Group has issued a warning that phishing attacks targeting the general public are masquerading as legitimate government services. “In a world where there has been a pandemic, email and message boards, social engineering attacks… [but] they will have a much higher acceptance rate.” 

The COVID-19-related attacks, such as phishing attempts disguised as COVID test results, are extremely dangerous. The group consensus is that everyone now has a more permeable social engineering filter than they did previously. 

The problems brought to light by the epidemic may not even be new, and they are unlikely to go away anytime soon. “You must be able to function in an environment in which you cannot rely on communication from sources that are not affiliated with your organization.”

“Always be cautious if someone from the outside approaches you with a request to perform a specific action,” advises HPE’s Simonis. One of his recommendations is to thoroughly investigate unusual requests, even if it means picking up the phone.

Eliminating human vulnerabilities requires building systems that accommodate the unavoidable fact that people will make mistakes. According to Thompson, one should proceed with the assumption that all of those processes will fail. “No matter how many times you try to teach someone not to click on something, they’ll do it anyway,” he says. The most important step is to install software that can pick up where people leave off, such as recognizing anomalous logins even when a user’s credentials are valid.

What you can do right now 

Even the most meticulous backups are no substitute for a well-thought-out crisis response plan

Some breaches cannot be undone simply by restoring to an earlier backup. According to Gary Campbell, HPE’s chief technology officer for security, almost all ransomware waits three days, long enough to go through two or three backup cycles, before demanding payment.

Even if you have backups, they may not be enough to stop the potentially fatal damage

“On average, it takes six days in the data center to re-image a server—assuming the backups are good,” he says. “The process may take even longer if the backups are bad.” If you have tens of thousands of servers, the cost and disruption of rolling everything back may exceed the ransom.

Developing a strategy to respond to an incident is a difficult task for any size business

Tabletop exercises are one of the most effective ways to prepare, and any type of company can run them. These exercises simulate a breach on paper and put your team’s preparedness and decision-making ability to the test. “Go through the process and identify your competence gaps because you’ll need to supplement those with third parties,” Simonis advises.

This could mean bringing in managed cybersecurity services for your entire system, or it could mean using boutique solutions to fill gaps as they emerge. A qualified third party involved in the vulnerability assessment can help find hard-to-spot holes in your defenses that would otherwise go unnoticed during routine exercises.

“You have to have those answers in place ahead of time because there’s nothing worse than needing consultation and having to wait two or three weeks,” Simonis says. “The truth is that the passage of minutes and hours is significant in these breaches. The sooner you can investigate and eliminate, the sooner you can be confident that the task at hand has been successfully completed.”

Taking action and regaining our footing 

According to Simonis, almost everyone has a strategy, but whether or not they can put that strategy into action is a different story. “No one executes their plans by drilling holes. They don’t carry out their strategies in a way that could be considered serious,” he claims. “More common than not having a strategy is having a plan that is very outdated and does not work.”

When it comes to incident response, Simon Leech, senior adviser for security and risk management at HPE Pointnext Services, says that the small details, such as knowing who to call at 2 a.m. with bad news, can make all the difference. This is true whether you hired a third party to help develop the plan or are doing it yourself.

It is critical to correctly identify what caused a breach and then to patch the hole. “If you don’t have a process in place to make sure you’ve contained the infection before you start cleaning things up and getting them back on the network, you’re going to be chasing down servers that keep getting reinfected,” Leech says.

According to Simonis, knowing what to do when your plan is challenged is just as important as knowing what to do when your plan fails. He quotes boxer Mike Tyson, who famously said, “Everyone has a plan until you get hit in the mouth.”
