[BreachExchange] In the Aftermath of a Cyberattack

[Destry Winant]

https://informationweek.com/strategic-cio/security-and-risk-strategy/in-the-aftermath-of-a-cyberattack/a/d-id/1329760

Last month it was Devil’s Ivy, today there’s a completely different
malicious malware or ransomware on the prowl. Tomorrow there will
likely be another aggressive “Cyberattack du Jour.” Let’s face it. We
live in an era of escalating vulnerability exploitations.

We’re no longer prey to basement hobbyist. Today’s hackers are
sophisticated and determined. They’re likely to be well-funded by
foreign governments and tightly organized into targeted hacking
organizations.

For them it’s big business. They brazenly sell their base code on the
dark web along with do-it-yourself instructions on how best to package
and release the attack. The process is so easy to follow that even a
novice hacker can launch it. They’re using a pyramid business model
where the lead hacking businesses, the code sellers at the top of the
pyramid, get royalties from the buyers below. Now we’re even seeing
organized hacking companies complete with offices, target lists and
bonus structures just like any legitimate sales organization.
Employees get paychecks deposited into regulated bank accounts and pay
taxes on their income. It’s become quite a lucrative industry and it
just keeps growing.

As hackers continue ramping up their attacks – targeting software,
hardware, even web services toolkits – we need to shore up our
defenses. And by “we” I not only mean manufacturers who embed
cybersecurity features into their products, but also the integrators
who install the systems and the customers who use them.

It all comes down to three fundamentals: mitigate, respond and adapt.

Mitigation

What sort of defensive mechanisms can we put in place to protect our
digital assets? There are volumes written about IT and end user best
practices. Don’t use default passwords and user names. Hackers love
exploiting this low hanging fruit. Turn off or delete unused services
and protocols that might otherwise provide a gateway into the network.
Maintain an inventory of all devices on the network and keep their
software and firmware up-to-date with the last malware protections.
Anticipate the inevitable and have a remediation policy in place that
can be activated quickly to minimize your exposure. This includes
regularly checking your suppliers’ lists of known vulnerabilities,
attacks and remediation.

Response

If an event is detected, shut down services to that node immediately
to prevent widespread infection and exposure. Find out what your
suppliers know about this attack and how to get rid of it or
quarantine it. Manufacturers and developers are likely to hear about a
possible vulnerability in a product or service before you do and will
have already been working on the patches and containment tools you
need. Follow their published best practices for cyber securing their
products and services.


Adaptation

Once you’ve implemented a stopgap measure learn what you have to do to
permanently fix the problem. It might be as simple as automating
anti-virus updates to software and firmware. Or it could be a matter
of instituting stricter firewall policies, restricting remote access
with digital certificate authentication or some other measure to
heighten cybersecurity.  But it doesn’t end there. Because the next
day – the next hour, the next minute – will inevitably bring another
attempt to exploit your ecosystem. And so the cycle begins anew.

Is the supply chain cybersecurity ready?

A customer’s supply chain needs to be the primary resource for
executing a cyber protection and response plan.  Manufacturers and
application suppliers should have web site portals, subscription lists
and/or push notification systems with the most up-to-date list of
known vulnerabilities and patches.  No system is 100% impenetrable and
the sign of a knowledgeable partner is that they acknowledge this and
are open and timely with alerts and remedies.

Customers should also know whether their solution providers support
standards-based cybersecurity or if they rely on proprietary
methodologies to cybersecure their solution(s).  There are benefits to
both approaches. Customers just need to know in advance if they can
deploy a unified cybersecurity plan or if pieces of their solution
will require separate support communications.

Never let down your guard

Whether you are deploying standard IT cyber protection measures, IoT
device authentication or some combination of both, you need to keep
doing your homework. Check with your component suppliers and your
solution provider to ensure that all the pieces in the cybersecurity
ecosystem fit together and you can support them.  Most importantly,
have a plan, check the plan regularly and refresh it accordingly. You
have to continue to evolve your defenses in parallel with the bad
guys. They’re never going to stop their attacks. So accept the reality
that you’ll always need to be devising new ways to defend against
them.