[BreachExchange] How to manage a cyber attack

Audrey McNeil audrey at riskbasedsecurity.com
Wed Sep 7 18:49:02 EDT 2016


http://betanews.com/2016/09/05/manage-cyber-attack/

Given the rising frequency of increasingly malicious and innovative
cyber-attacks, organizations have to be prepared and proactive. It is no
longer a question of if but when your organization will have to deal with a
cyber-attack. The cost of a cybersecurity breach is significant -- in terms
of money, business disruption and reputation. Depending on the magnitude of
the attack, a cyber incident can potentially put you out of business.

According to UK government research, two-thirds of UK big businesses have
been hit by a cyber-attack in the past year. UK telecoms group TalkTalk
suffered a high-profile attack in October 2015 when hackers stole personal
data from customers. According to TalkTalk, the cyber-attack it suffered
wiped £15 million off trading revenue as well as forcing it to book
exceptional costs of £40m - £45m, and losing it up to 101,000 customers.

The best course of action for a business that is attacked is a swift and
effective response. A cybersecurity strategy with efficient incident
response (IR) capabilities coupled with customer engagement initiatives
helps limit the damage and ensures that the business is back up and running
as soon as possible. It’s also important to reach out and engage with
customers following an incident to regain customer confidence. An effective
IR strategy navigates the following five phases.

Identify

Information on events is collected from various sources such as intrusion
detection systems and firewalls, and evaluated to identify deviations from
the normal. Deviations are then analyzed to check if they are sufficiently
significant to be termed an event. The use of automation tools ensures
swift detection and eliminates delays in moving to the next phase,
containment.

Once a deviation is identified as a security incident, the IR team is
immediately notified to allow them to determine its scope, gather and
document evidence, and estimate impact on operations. Businesses can
bolster this process by incorporating an effective security information and
event management (SIEM) system into their overall cybersecurity strategy.
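The Identify phase described above (collect events, compare them against normal, decide whether a deviation is significant enough to escalate) as an added Python example that is not part of the article: it counts denied outbound firewall connections per host over constructed log lines, compares each count against a constructed per-host baseline using a mean + k*stdev threshold with an absolute floor, and emits an incident record carrying the raw evidence lines for hand-off to the IR team. The log format, baseline values and thresholds are assumptions for illustration.

```python
import re
import statistics
from collections import Counter

LINE_RE = re.compile(r"host=(\S+) dst=(\S+) port=(\d+) action=(ALLOW|DENY)")

# Constructed sample: one hour of outbound firewall events (not from the article).
CURRENT_HOUR = """\
host=ws-101 dst=198.51.100.7 port=443 action=ALLOW
host=ws-101 dst=198.51.100.9 port=443 action=ALLOW
host=ws-102 dst=203.0.113.5 port=445 action=DENY
host=ws-102 dst=203.0.113.6 port=445 action=DENY
host=ws-102 dst=203.0.113.7 port=445 action=DENY
host=ws-102 dst=203.0.113.8 port=445 action=DENY
host=ws-102 dst=203.0.113.9 port=445 action=DENY
host=ws-102 dst=203.0.113.10 port=445 action=DENY
host=ws-103 dst=198.51.100.7 port=443 action=ALLOW
host=ws-103 dst=203.0.113.5 port=22 action=DENY
""".splitlines()

# Constructed baseline: DENY counts per host over six prior hours ("normal").
BASELINE = {
    "ws-101": [0, 1, 0, 0, 1, 0],
    "ws-102": [0, 0, 1, 0, 0, 1],
    "ws-103": [1, 2, 1, 1, 2, 1],
}

def count_denies(lines):
    """Parse firewall lines and count DENY events per source host."""
    counts = Counter()
    for line in lines:
        m = LINE_RE.search(line)
        if m and m.group(4) == "DENY":
            counts[m.group(1)] += 1
    return counts

def find_deviations(lines, baseline, k=3.0, floor=3):
    """Report hosts whose DENY count exceeds mean + k*stdev of their baseline.
    'floor' keeps a host with a near-zero baseline from becoming an incident on one event."""
    incidents = []
    for host, n in count_denies(lines).items():
        history = baseline.get(host, [0])
        mean, sd = statistics.mean(history), statistics.pstdev(history)
        threshold = max(mean + k * sd, floor)
        if n > threshold:
            # Keep the raw lines as evidence for the IR team's scoping and documentation.
            evidence = [ln for ln in lines if f"host={host} " in ln and "DENY" in ln]
            incidents.append({"host": host, "count": n, "threshold": round(threshold, 2), "evidence": evidence})
    return incidents
```

Hosts below the threshold (ws-103 with one denied connection) are logged but not escalated; only ws-102 produces an incident record.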

Contain

Once a security event is detected and confirmed, it is essential to
restrict damage by preventing its spread to other computer systems.
Preventing the spread of malware involves isolating the affected systems
and rerouting the traffic to alternative servers. This helps limit the
spread of the malware to other systems across the organization.

Eliminate

This step focuses on the removal of the malware from the affected systems.
IR teams then conduct an analysis to find out the cause of the attack,
perform a detailed vulnerability assessment, and initiate action to address
the vulnerabilities discovered to avert a repeat attack. A thorough scan of
affected systems to eradicate latent malware is key to preventing a
recurrence.

Restore

In the restoration stage, affected systems are brought back into action.
While bringing the affected systems back into the production environment,
adequate care should be taken to ensure that another incident does not
occur. Once these systems are up and running, they are monitored to
identify any deviations. The main objective is to ensure that the
deficiency or the vulnerability that resulted in the incident that was just
resolved does not cause a repeat incident.

Investigate

This is the last step and entails a thorough investigation of the attack to
learn from the incident and initiate remedial measures to prevent the
recurrence of a similar attack. IR teams also undertake an analysis of the
response to identify areas for improvement.

Protect Your Organization From Attack

What enterprises need now are effective cybersecurity solutions to monitor
and provide real-time visibility on a myriad of business applications,
systems, networks and databases. There has been an increasing realization
that basic protection tools for important corporate information are no
longer sufficient to protect against new advanced threats. Furthermore,
enterprises are under tremendous pressure to collect, review and store logs
in a manner that complies with government and industry regulations.

Countering focused and targeted attacks requires a focused cybersecurity
strategy. Organizations need to take a proactive approach to ensure that
they stay secure in cyberspace and adopt a robust cybersecurity strategy.