Handling a cyber incident when an attack comes
An attack will come – you may already be under attack but unaware. Did you know that on average companies take 197 days to identify an attack and 69 days to contain a breach?
Source: IBM 17 Jun 2020
How you handle a cyber incident following the discovery of a cyber attack will determine how successful you are in addressing the issues and any considerations for reporting to the ICO and other regulatory bodies that may be required. There should be in place a ‘Cyber Incident Response Plan’ and in its simplest form, should address some key steps to ensure and enhance incident response and incident investigation.
Just like the crime dramas you may watch on TV, it’s about the preservation of evidence to support the post-incident analytics.
What not to do …
We’ve all been there – whether we’ve left an important item in the back of a taxi; crashed our car – that sinking feeling and panic that sets in that makes us do irrational things or we forget the basics and focus on the lesser important minutia.
Do not improvise – have a prepared plan
Your first instinct will be to begin the process of rectifying the issue – whether it is protecting your endpoints that were targeted or reverting to the last known good state backup to close the entry point used by attackers. STOP! Revert to your plan – if you’re reading this and don’t have one, then we urge you to get one soon. This is not something that you should create ‘on the fly’ – it’s crucial as part of your planning now that key contacts and actions are mapped out ahead of time and stored both digitally and, in the event of an incident, hard copy – this will support you to identify who will be responsible for which actions, who can authorise and who to notify and when.
Silence is not golden
You’ve been attacked, you have your Cyber Security Incident Plan – no-one outside of your inner circle knows what’s just happened and relax … nice image if only it were true.
You need to communicate with your staff, vendors, customers and any regulatory bodies to let them know what has been accessed, what you’re doing to remediate the situation and what plans you intend to take to ensure that this doesn’t happen again. All of these parties will need guidance about what to say or do in the event of a breach.
Your Cyber Security Incident Plan will have a section around ‘Communication’ which will determine who, when and what to communicate and will support you in a panic situation to control the messaging behind your response – ideally you will have a series of pre-prepared statements and very clear guidelines around who is responsible for communications – it could be someone within your organisation, or you may need to include your PR agency in your cyber response planning.
It will be a bumpy ride for a while – an ill-conceived or no communication plan at all will lead to an ongoing journalist fest, with your brand being the one pulled up in every article and ‘cyber security’ presentation damaging your reputation.
Honesty is your best policy
Although obvious, it is important to remember as panic sets in, that being accurate and honest when addressing the public and other interested parties is paramount. This protects your brand and is also beneficial to how much money you’ll recoup from your cyber insurance policy (if you have one).
Nuances of the English language are paramount – avoid words like ‘sophisticated attack’ or ‘act of terrorism’. Was it or were you simply the victim of an attack. Read your cyber insurance policy because the small print around what they pay out against, could be impacted by your press-release with non-covered terms.
Again, use pre-prepared statements but be sure to review and read this at regular intervals and especially, where you change insurance providers – read the small print!
Customer services – customers come first
It’s easy for leadership and IT teams to scramble together against an aligned plan – but this is not just about isolating a cyber incident. If a data breach impacts any online services, your customer experience for a non-functioning website will lead to some walking away or others’ calling in and placing a higher volume of calls to your Customer Service team members, who may or may not have an incident handling communication response. Ignore your customers at your peril – you may lose them.
When an incident occurs, especially where you have customer facing services – i.e. a Council’s service frontend portal; a Housing Association’s tenant payment portal; an educational establishment’s student and parent pay portal – these need to be handled with care and consideration placing the customer at the forefront of communication and remediation actions.
Quick – close the incident down
Close the incident down, so anyone looking into it can see how quickly we responded – wrong!
Picture this – you’ve closed down all of your endpoints and contacted your staff and any other relevant interested party including your customers. Your data is now recovered – hoorah, let’s pat each other on the back for a job well done. Not so fast. You’ve handled the initial crisis, now the real work begins. Here’s where you continue to proactively and aggressively monitor your network to ensure that there is no second or beyond wave of attack. The first may have been an initial push to see how you react … or worse still, was a means to plant a sleeping timebomb in your network.
The pressure on the IT teams to restore services following a breach are not to be underestimated here, however, as attackers move quickly through your network once they have a hold, do not assume that this is the end. Thorough investigation over and over again, will support you in understanding that this is most likely not an isolated attack – there is no easy, concrete determination that you’ve ‘isolated’ the issue – this is the warning shot across your bough that should raise the alarm, that the bad actors are already in your network and the technology and plans you have in place are breached.
There are gaps in your cybersecurity strategy that have been exploited and until these gaps are remediated fully, you remain an easy target and will be breached again.
Your Incident Response Plan must be treated as a living document – it’s not the one that you write, stick on the back shelf and review perhaps annually when you remember – it’s a key component of any cyber security process.
As staff change roles, leave your organisation or where mergers, acquisitions and shifts to managed outsourced third-party services and more change – so too do your plans.
“You see, but you do not observe.”
Arthur Conan Doyle – A Scandal in Bohemia
You’ve identified the issue and make good the problem – case closed. Alas not, as mentioned above, the initial finding may not be the only outcome – it is important to remember that when investigating any breach, documentation as evidence is critical.
The documented evidence gathering of a cyber incident, validates that a breach occurred, but also delivers a review of what systems were impacted. Was any data breached? What mitigation and remediation steps were involved and by whom?
Logging the results of an investigation are paramount for analysis post-incident and within your Cyber Incident Response Plan, even having a template supports the evidence collation and preservation when panic sets in and people have no idea what to collect.
Post-mortem reviews are a critical step to truly understand what has happened and should feed into your Risk Management Planning.
It’s key to ensure that anyone involved is interviewed post-incident and their responses are captured and carefully documented – this can include disk image captures; details on who did what/when and how; where the incident occurred and more – this will help you to review, post-analyse and formulate revisions of your data and risk mitigation plans.
Of course, it’s not just about your organisational needs – Regulators, Customers and other interested third parties, where possible legal consequences may ensue after the event, need to be shown this investigative and remediation steps. Finding out who was responsible and who was affected is a key one for any lawyer, called in to audit and investigate an incident, but understanding your network in terms of what was targeted and how that breach occurred is the responsibility of the IT and Cyber security teams.
Determining what technical areas need improvement, budget aligned and any data (the GDPR discusses ‘Proportionality’) impacts need to be investigated and aligned.
We don’t have time for plans
In many cases, planning is overlooked. Quite simply, IT Teams are so busy keeping the lights on, that resourcing a full review of an incident plan is not undertaken. I agree, in cyber security, planning only goes so far.
You create comprehensive incident response plans but don’t test them thoroughly – until a real-world incident occurs – only to find that they fail at the first step.
You don’t have time, so your plan is cobbled together as a one-off exercise rather than embedding as a continual review process which more often than not results in the information contained being out of date, people have moved on or services are decommissioned and no longer relevant.
Run your plans as though you were in a real situation – make time to undertake a table-top exercise with a regular frequency for your own organisation. Consider this as your cyber security fire drill and record it.
We don’t mean menus for those left handling an incident. When addressing any potential incident, the application of best practice incident response procedures (the ones you will have documented and reviewed) should include:
- Collect and remove for further analysis: any relevant artefacts and Logs and Data
- Implement mitigation steps – these need to be carefully managed as you do not want to tip off any adversary that their presence in your network has been detected
- Incident response handling – do it yourself or call in incident response support from a third-party security organisation to:
- Provide subject matter expertise and technical support for the incident
- Ensure that the threat actor is completely eradicated from your network
- Avoid residual risk that may result in follow-up compromises once the incident is closed.
Do not …
- Mitigate any affected systems before your responders can protect and recover data.
- Pre-emptively block adversary infrastructure
- Pre-emptively reset credentials
- Fail to preserve and collect log data that could be critical to identifying access to the compromised systems
- Communicate over the same compromised network as the incident is being conducted – ensure that your communications are held out of band.
- Just fix the symptoms – drive into the root cause
- Panic – Phoenix teams are here to support you!