Guidelines for incident response: The most important steps in the lead-up and aftermath of a cyber breach
Hackers see opportunity during global incidents. Whether it’s an earthquake or a tsunami, attackers use worldwide events like these as a springboard for their campaigns.
And they’re capitalizing on the COVID-19 pandemic. According to the FBI, cybercrime cases have increased by as much as 300% since the start of the pandemic. Prior to COVID-19, the FBI’s Internet Crime Complaint Center (IC3) received 1,000 complaints a day. Now it’s receiving between 3,000 and 4,000 per day.
When an incident occurs, every moment counts. Too often, in those crucial moments, it’s easy for companies to make mistakes if they don’t have a plan in place for identifying, containing, and remediating the threat.
Here’s a look at how to approach incident response (IR), as well as how to prevent incidents in the first place.
3 things to do in the immediate aftermath of a cyberattack
There are three important actions to take after learning of a potential breach:
1. Scope the attack
One of the most common mistakes after an incident is to immediately rebuild your environment using your backups. It may seem like a quick path to recovery, but in the end it’ll cost you more time and headaches.
If you rebuild before you know how the threat actor got into your system in the first place, you’re back at square one. The same security flaws are still available to the attacker, even after all the hours you spent rebuilding the environment. For example, if hackers get into your virtual servers and you simply rebuild them, they’ll still have access and can lock you out of your entire environment.
If you don’t fully scope the attack, you’ll have no idea how to defend against it. You need to understand: How did the hackers get into your environment? How are they exerting control? What have they already done? Are they still in your environment?
Don’t fix anything until you know which vulnerabilities were exploited.
2. Craft and execute a remediation plan
Now that you understand what an attacker is doing, what access they have, and how they’re moving laterally, you can craft a remediation plan that expels them from your environment and fixes your vulnerabilities.
To make sure there are no loose ends and you cut the hacker out of your environment entirely, this needs to be a coordinated effort, with all actions completed at the same time on the same date.
That could mean changing all passwords. It could mean rebuilding a server. Whatever steps you take, you must do them at the same time. By denying access all at once, you prevent the attacker from adapting and maintaining control.
With the remediation plan, all parties involved know their roles, understand their assignments, and are working on the same timeline.
3. Clean up and rebuild
Once you’ve closed off the hacker’s entry point, and locked them out of your environment, it’s time to rebuild. This can be a time-consuming step, but since you’ve already identified and remediated your vulnerabilities, you ensure you only have to rebuild once.
Take note of any lessons learned from the incident and what you can improve, whether it’s adding new security tools, scheduling user training, or hiring for new skills you need on your team. Continue regular testing and scenario training and take steps to prevent the next attack.
How to prepare for an attack before it hits
The quicker you react and respond to an incident, the less damage your data, devices, and network will incur. Of course, it helps to take preventative measures as well.
Here are some tips for getting in front of an attack before it happens.
1. Form an incident response plan and practice scenarios
Your IR plan should outline the actions your team will take in the minutes, hours, and days following an incident. How will they confirm a suspected incident is real? What are everyone’s roles and responsibilities once you’ve identified an incident?
Practice this plan. Run different scenarios to train your employees, from common ransomware to facing multiple attackers at the same time. Update, adjust, and reevaluate your IR plan as the cybersecurity landscape evolves.
2. Install a layered defense
The risk of human error – employees accidentally clicking on phishing emails – is high, so you want to make sure you’re restricting a hacker’s access to the rest of your environment.
That starts with a layered defense.
Limit domain administrator credentials across your entire environment. Remove local administrator privileges from users’ endpoints whenever possible. Do not allow individuals to assign local admin rights to groups of users on end-user desktops.
Make sure you have multi-factor authentication (MFA) in place on all accounts, especially executives’. Keep Remote Desktop Protocol (RDP) from being exposed to the internet unless you’re using Remote Desktop Gateway servers.
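The two endpoint controls above (local admin membership and RDP exposure) are easy to audit per machine. The following script is an added example, not from the article or its author; it assumes a Windows 10 / Server 2016 or later host with the LocalAccounts and NetSecurity modules, and the `$AllowedAdmins` list is a hypothetical baseline you would replace with your own.

```powershell
# Added example: audit one Windows endpoint against the layered-defense
# controls named above. Reports findings; it changes nothing.
param(
    # Hypothetical baseline: principals allowed to stay in local Administrators.
    [string[]]$AllowedAdmins = @("Administrator", "Domain Admins")
)

$findings = @()

# 1. Local Administrators group: flag any member outside the allow-list.
$members = Get-LocalGroupMember -Group "Administrators" -ErrorAction Stop
foreach ($m in $members) {
    $short = ($m.Name -split '\\')[-1]      # strip the DOMAIN\ or HOST\ prefix
    if ($AllowedAdmins -notcontains $short) {
        $findings += [pscustomobject]@{
            Control = "LocalAdmin"
            Detail  = "Unexpected member of Administrators: $($m.Name) ($($m.ObjectClass))"
        }
    }
}

# 2. RDP: if it is enabled, require Network Level Authentication and check
#    whether any inbound firewall rule exposes it to every remote address.
$ts  = "HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server"
$rdp = Get-ItemProperty -Path $ts -Name fDenyTSConnections -ErrorAction SilentlyContinue
if ($rdp -and $rdp.fDenyTSConnections -eq 0) {
    $nla = Get-ItemProperty -Path "$ts\WinStations\RDP-Tcp" -Name UserAuthentication -ErrorAction SilentlyContinue
    if (-not $nla -or $nla.UserAuthentication -ne 1) {
        $findings += [pscustomobject]@{ Control = "RDP"; Detail = "RDP enabled without Network Level Authentication" }
    }
    $rules = Get-NetFirewallRule -DisplayGroup "Remote Desktop" -Direction Inbound -Enabled True -ErrorAction SilentlyContinue
    foreach ($r in $rules) {
        $scope = $r | Get-NetFirewallAddressFilter
        if ($scope.RemoteAddress -contains "Any") {
            $findings += [pscustomobject]@{ Control = "RDP"; Detail = "Inbound rule '$($r.DisplayName)' allows RDP from any address" }
        }
    }
}

if ($findings.Count -eq 0) {
    "No findings: local admin membership and RDP exposure match the baseline."
} else {
    $findings | Format-Table -AutoSize
}
```

Run it from an elevated prompt on each endpoint (or through your management tooling) and treat every finding as a gap to close before an attacker finds it.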
Keep your eye on the endpoint. Endpoint detection and response (EDR) tools provide an additional layer of security by using machine learning threat detection modules targeting fileless attacks, suspicious one-line commands, and malicious application behavior. They act as a second line of defense, alerting you in real time of potential problems and helping you address sophisticated attacks.
Don’t ignore prevention. A next-generation antivirus (NGAV) that uses machine learning (as opposed to easily bypassed signature-based detection) will reduce the workload on your staff and make better use of your EDR systems. By preventing the majority of attacks from happening, an NGAV frees up the security team to hunt for more advanced persistent threats.
3. Work with a seasoned partner
If you lack the resources or experience to stay on top of security, consider bringing an experienced partner on retainer. Even a zero-dollar retainer — a contractual agreement establishing an hourly rate for help in the face of an incident — can help by greatly speeding your time to resolution.
Choose an organization that has a history of handling everything from ransomware to advanced persistent threats. It should employ individuals with diverse backgrounds, including forensics and programming, who are up to date on the current climate and understand the ins and outs of the cybersecurity landscape.
Selecting your IR partner early enables you to research and make the best decision as opposed to working with the first partner to answer the phone. Then, by placing your security in the hands of seasoned professionals, your organization can focus on what it does best while feeling confident your environment is protected.
Stay ready and stay alert
A recent study found that for organizations that have an IR plan in place, the average cost of a breach was $1.23 million less than for organizations that didn’t have a plan in place or hadn’t been testing it.
By planning ahead with layered defenses and an IR plan, quickly analyzing and containing breaches, and taking a coordinated approach to remediation, you give yourself the best chance to limit the damage and get back up and running.
About the author
John Wood is a retired FBI agent with 23 years of service, who conducted incident response on national security cases at the White House, State Department, and both houses of Congress. He is currently the Managing Director of Worldwide Incident Response for Cylance.