[BreachExchange] How to respond to a cyberattack

Audrey McNeil audrey at riskbasedsecurity.com
Tue Feb 23 20:53:30 EST 2016


http://www.itproportal.com/2016/02/23/how-to-respond-to-a-cyberattack/

Cyberattacks are dominating the headlines, and no business is safe from the
havoc and damage they have the potential to wreak. As attack methodologies
are becoming more sophisticated and those perpetrating them more organised,
the stakes are rapidly rising. Even high-profile targets such as banks and
telecoms giants are finding themselves firmly in the firing line. However,
the actual attack is just the start and unless the response is handled
correctly, the resulting ‘cyber-incident’ may end up having a far larger
impact than the perpetrator intended.

Why is it so important for businesses to have a strong approach to
cybersecurity?

Whilst the Internet is undoubtedly a force for good and has revolutionised
the way we live our lives, it is also an extremely hostile environment in
which to do business. New vulnerabilities and new ways to exploit them are
being developed every day. Having a strong defensive stance sends a clear
message to potential attackers that you are not a soft target. With so many
potential targets to choose from, that may be enough to deter the attacker
from even trying.

Are there any common mistakes that organisations tend to make after
initially noticing that they have been attacked?

Fundamentally, the principles of responding to a cyberattack are no
different than responding to any emergency or crisis. There are, however, a
number of common mistakes that can end up compounding the problem:

• Wrongly classifying a cyberattack: The early symptoms of cyberattacks are
often misread as technical glitches, meaning that the attack often isn’t
identified in sufficient time to launch an effective response.

• Incorrectly determining what has been compromised: IT systems are complex
beasts, and while complexity can offer agility, cost-effectiveness, and
resilience, it also makes it harder to work out what has gone wrong and
what information may have been compromised.

• Leaving repairs to the tech team: Whilst it’s essential to have technical
experts managing an affected IT system, the response team must cover every
discipline within an organisation to get a holistic understanding of the
attack.

• Failing to arrange alternate working environments: Responding to an
attack by identifying and fixing any damage it causes isn’t an overnight
job, so without alternate working arrangements for staff while the
organisation recovers, the business may be left unable to operate.

• Putting out the wrong fire: Some attackers use diversion tactics like
DDoS attacks to draw the IT department away from the main target. Getting
sucked into one incident can leave other systems unsupervised, opening up
the opportunity for other forms of attack, such as hackers breaking in to
steal data.

• Underestimating liabilities: It’s all too easy to focus on damaged
reputation after a cyber-breach. Ignoring additional liabilities, such as
ransomware and industry penalties, when carrying out the cost-benefit
analysis of cyber-breach response measures could leave the business with
hefty fines and further weaknesses.

Organisations are often slow to respond to cyberattacks. Why do you think
this is?

If your building has been broken into or your basement is flooded, it is
fairly easy to spot what has happened. Cyberattacks, however, are often
harder to recognise and it is not uncommon for them to go undetected for
months before anyone notices. Research by Arbor Networks in May 2015
reported that retail organisations in particular took an average of 197
days to identify when attacks resulted in data breaches and, whilst
financial services organisations were better, they were still taking around
98 days to spot and react to a data breach.

Whilst these numbers may seem unbelievable at first glance, given the
ability for cybercriminals to operate with online anonymity, they quickly
begin to make sense. Conventional security regimes are often tailored to
detect large scale incidents rather than small frequent attacks; but with
the right approach, the chances of detection can be significantly increased.

Who should be dealing with an attack once it has been identified?

Traditionally, the responsibility to both identify and solve cyberattacks
rested solely on the shoulders of the IT department. Perhaps thanks to the
department’s tendency to use impenetrable language in describing the
events, it has long remained this way. This is far from ideal. For a start,
the failure to involve the wider organisation can cause delays in attack
identification. Effective incident management requires teamwork, task work,
and high levels of personal competencies, such as empathy and diplomacy, to
ensure the achievement of group goals.

Whilst it is absolutely essential to involve those with deep technical
expertise, the response team must reach across every discipline within an
organisation and be coordinated by someone whose competencies match those
of an emergency manager.

Are there any best practices to follow when it comes to attack mitigation?

The organisations best placed to survive a cyberattack are those following
two key principles: timeliness and a targeted response. Organisations must
act quickly. All IT systems need to be monitored continuously and all
anomalies should be reported swiftly to a central point. This isn’t
something to simply palm off to the IT department. The wider business must
be involved, regularly reviewing the organisation’s strategy to ensure that
attacks are spotted as soon as possible – most importantly before press,
customers, or other stakeholders are alerted.

A quick and targeted response will give businesses the best chance to
contain and eradicate an attack before too much damage is done. With this
approach, should a serious attack come to light, the business will be in
the best possible position to demonstrate that they are in control of the
situation.

How should the flow of information be managed when an attack occurs?

Effective communication of a cyberattack requires teamwork as well as open
and collaborative channels. This will ensure that information is passed on
quickly and coherently to the right points of contact.

Are there any other liabilities organisations should look out for after an
attack has been spotted?

Even if an organisation successfully navigates the recognition, response,
and recovery stages of a cyberattack, it may fall at the last hurdle by
underestimating further liabilities. There are a whole host of additional
liabilities, such as blackmail attempts and ransomware, that organisations
often overlook when carrying out the cost-benefit analysis of cybersecurity
and cyberattack response measures.

Other costs include regulatory liabilities, both wide-reaching and
sector-specific. Within the UK financial services sector, for example, the
industry’s own regulators have historically levied greater fines for
security breaches than the Information Commissioner.

Beyond technical fixes, are there any steps businesses should take to
ensure they reduce downtime?

The technical recovery from a cyberattack takes time and involves expert
resources. The typical steps required to contain a cyberattack are lengthy,
as are the processes that allow the system to be returned to its users.
Therefore, it is highly recommended that the organisation makes provision
for alternative working arrangements and backup systems to allow the
business to keep moving during the blocking and rebuilding stage.