You’ve Been Hacked — Now What? The Cybersecurity Incident Response Guide
Data breaches are on the rise — and hackers aren't particular about their targets. Attackers are carrying out large-scale hacks of healthcare and hospitality companies, industry-level breaches across utility and service providers and even targeting SMBs. This means it's no longer a question of if companies will be hacked — it's a matter of when.
Beyond obvious worry about the timing and severity of data breach, it's often difficult for companies to create effective incident response plans when they don't know what's coming. Without a plan in place, however, businesses are left woefully unprepared to meet infosec challenges, lacking both the infrastructure to mitigate incident impacts and the underlying processes necessary to reduce the risk of ongoing compromise.
The bad news? You've (probably) been hacked already. The good news? In this step-by-step guide, we'll tackle the four critical facets of any great incident response: Plans, personnel, processes, and prevention.
Hacked-Plan to Fail
As noted above, it's only a matter of time until hackers target your business. Despite the increased risk, more than 75 percent of companies don't have a formal data breach incident response plan in place, and 57 percent of business leaders say the sheer volume and complexity of attacks makes them harder to detect and remediate a breach. The disconnect? For many organizations, the variety of potential attack vectors — from phishing to ransomware to crypto miners and even old-school macro malware — makes it challenging to create company-wide plans.
Solving this problem starts with by answering the question: What is a security incident response plan? While it's often a tough pill to swallow, incident response plans aren't designed to prevent attacks but limit their overall business impact. This realization helps shift plan priorities — instead of prioritizing the prevention of attacks, incident response plans are designed to contain, minimize and remediate the damage.
In practice, response plans should include:
• Chain of command — Who's in charge when things go wrong? Who do C-suites call if there's a problem? Who comes in after-hours during an incident? Creating a detailed chain of command reduces the risk of response failure.
• Recovery time objectives — What's the maximum amount of time servers can be offline, or data can be inaccessible? What are your (reasonable) goals for getting servers back on track? Making recovery time objectives (RTOs) part of your incident response plan is critical to meet these goals in practice.
• First steps — Quarantine typically tops this list: Organizations need to isolate infected software or hardware and stop it from spreading. If quarantine isn't possible, plans should include contingencies for cloud-based or other off-site backups.
• Testing schedules — Under stress, even best-laid plans quickly go off the rails. Any data breach or ransomware incident response plan should include time for regular testing and evaluation to ensure infosec teams know their role and can execute under pressure. Both in-house and outsourced pen testing and staged attacks can help improve testing outcomes.
Next on our list of incident response plan steps? Put the right personnel in place. Top priority is ensuring your IT teams, CIOs and CISOs (or their virtual equivalents) have the depth of experience and expertise to handle IT threats. Given the cost of top-tier infosec pros and the growing skills gap, it's often worth considering outsourced security management to help offset the in-house shortfall.
Also critical? Teams. Here, the most straightforward approach is a two-team structure:
1. The A-Team — Your security experts; network and infrastructure defenders on the front-line that may include in-house talent, outsourced professionals and managed security service providers (MSSPs). Ideally, the A team is the one calling you when they discover a potential breach. If you're the one who encounters an issue, they should be your first call.
2. The B-Team — PR, marketing leaders, and legal advisors make up your B-team, and they should be looped into the conversation ASAP. PR teams can start working on ways to engage customers and stakeholders without further compromising corporate security, while marketing leads can help craft consistent brand messaging. Finally, legal experts can offer advice about compliance issues and reporting obligations. Bottom line? Reputational damage control is the top B-team priority — the more data they have about what's happened, the better your outcome.
Creating an effective cyber incident response plan also means leveraging processes that inform critical actions — and reactions — to potential security breaches. Top priorities here include:
• Don't Panic — It can't be overstated: Do. Not. Panic. This is a challenge during a security incident but is critical for companies to minimize overall IT impact. Here's why: Panic drives a fight-or-flight response, encouraging infosec pros to deal with the most immediate and overt threats. But in some cases visible attack impacts aren't top priority — consider DDoS attacks which may be used to mask more subtle data theft efforts. Drafting network priority diagrams and regularly testing response plans can help IT teams stay calm under pressure.
• Make Decisions with Data — If companies are victimized by ransomware, it's often tempting to pay up in hopes of getting data back quickly. The problem? Even with cash in hand, there's no guarantee that hackers will honor their end of the bargain. Organizations must create data-driven processes to inform decision making: What's been compromised? To what extent? What type of attack is underway? Does it have a publicly-available resolution? Data-driven processes help prevent knee-jerk reactions.
• Do Your Research — Not all attacks work the same way. The result? They may require different mitigation strategies. Here, process-driven research is critical; make sure you're familiar with common attack vectors such as:
– Phishing — Cybercriminals send legitimate-looking emails to corporate accounts that fool users into downloading attachments or clicking on links. They may also use counterfeit webpages masquerading as familiar login portals to steal user credentials. Here, end-user education is critical to help prevent getting hooked.
– Ransomware — Malicious code obfuscates and encrypts essential data and attacker demand payment for decryption. The big threat? They'll destroy data if payment doesn't arrive. While ransomware is always evolving, many strains can be defeated by modern security tools.
– Distributed Denial-of-Service (DDoS) — Attackers spam networks with huge traffic volumes to cause widespread failure. While preventing these attacks is virtually impossible, recognizing them early can help limit traffic from specific sources and reduce overall impact.
– Fileless Malware — If hackers gain access to standard Windows command tools such as PowerShell, they can leverage it to grab malware payloads without the need for initial code infections. Organizations should turn off access to this and other command-line tools by default.
• Engage End-Users — Customers and stakeholders will only wait so long for a response from compromised organizations, and under laws such as GDPR, speedy response times are mandatory. Before a breach happens it's a good idea to draft public-relations processes that help streamline incident reporting: Be clear about what's happened, provide knowledge rather than speculation and don't make any promises you can't keep.
• Evaluate IT Systems — After incidents have been addressed and remediated, businesses must develop processes to evaluate their current IT posture and discover potential weaknesses. Left unchecked, attackers will compromise the same weakness time after time.
Prevention is Worth a Pound
There's no “silver bullet” for IT security. But it's not all bad news: Companies can take steps to reduce their total risk by implementing tools and technology that help prevent frequent attacks and improve time-to-detection. Some of the most effective on the market include:
1. Next-generation Firewalls — With perimeter security no longer effective, these firewalls target application behavior and resource calls to help identify potential attacks and reduce network risk. By replacing static, whitelist protections with active and agile monitoring of app behavior within your network as a whole, next-gen firewall solutions provide a dynamic defense.
2. Information Security Automation — Automating essential data collection, reporting, and quarantine tasks can both reduce overall stress on IT teams, reduce error rates and increase total efficacy. While personal insight remains critical in the fight against evolving malware attacks, automation can help streamline the defense process.
3. Managed Security Services — Despite the importance of effective cyber incident response plans, many companies don't have the time and budget to create full-time IT teams capable of handling critical network failures. Managed security services providers combine IT expertise with 24/7 support and predictable cost models to help companies stay ahead of malicious actors.
4. Cloud-based Backups — Sometimes the best-laid plans go awry. The result? Companies need both multimedia and cloud-based backups to ensure critical business operations are uninterrupted. Disaster recovery (DR) solutions are also essential. If hackers can compromise networks and gain access to operational data, the combination of cloud-based backup and DR solutions are often enough to get organizations back up and running until more permanent remediation is complete.
In today's digital-first environment, getting hacked is just a matter of time. Make sure your business is prepared with a cyber incident response strategy that includes detailed plans, trained personnel, critical processes, and preventative technologies.
ArmorPoint is a security information and event management solution that provides a cost-effective and reliable way to continually protect your business from emerging threats. Through its customizable service pricing model, ArmorPoint’s cost-effective packages and dynamic levels of expert management support the security strategies of all companies, regardless of available budget, talent, or time. And since ArmorPoint offers 24/7 security support with a team of dedicated specialists, they can provide you with the manpower you need to expertly manage all of your cybersecurity initiatives. See how ArmorPoint can make a difference in your security posture with a risk-free 30 day free trial.