From small school districts and not-for-profit organizations with limited cyber defense budgets to major Fortune 500 companies with sophisticated cyber defense teams, understanding what to do in the first 48 hours following a significant cyber event is essential in protecting your organization and limiting the potential damage.
Here are some of the questions organizations may have after a cyber incident:
How do you operate your organization if its computers and servers are encrypted?
Should you engage an Incident Response or Digital Forensics Firm? When?
If you have Cyber Insurance, what exactly will your Cyber Insurance pay for?
Should you engage an attorney with cyber incident experience?
Will your organization pay the ransom or not?
How do you find out what data was stolen (exfiltrated) from your network?
What happens if you don’t pay the ransom?
This blog will review the steps your organization needs to take to minimize the downtime and cost of a significant cyber incident.
Incident response lifecycle
NIST and SANS have laid out the following steps of the incident response lifecycle:
Preparation and planning
This first part of the IR lifecycle is all about planning what to do after an incident. But, before you even start thinking about what happens after an incident, you should have processes in place that would limit the probability of it happening.
Thus, preparation involves two things:
Preparing to handle incidents
Creating an incident response plan can help you navigate a cyber incident effectively and with a clear sense of direction.
A crucial part of handling cyber incidents is knowing the capability of your cyber defense team. Is this something they can handle, or do you need to look for outside help? What are the metrics for determining whether the incident is minor or significant? These are all questions you should have an answer to within hours of learning about the incident.
Since there are so many different types of incidents, it’s impossible to have an action plan for all. But, businesses can recognize the common attack vectors and build a plan for tackling those. Different incidents require different response strategies. Some common attack vectors include:
Email attachments
Compromised credentials
Distributed Denial of Service (DDoS)
Third-party vendors, etc.
All cyber incident policies should be documented and made readily available to employees. Documentation should also be a part of your post-incident plan. Documenting what happened during the incident will help you prevent future attacks.
Preventing incidents
Insufficient security controls and measures can increase the number of cyber incidents. No matter how minor these incidents are, in large enough numbers they can overwhelm the response team and cause serious damage.
Thus, organizations must have security measures to lower the risk of experiencing an incident.
As part of prevention and planning, you should determine how you will protect your network.
Get clear on the type of firewall you’re going to use, how long you’ll keep its logs, and where they will be saved.
Do you have any network monitoring capabilities? If so, what do you do with the logs?
Are you implementing cloud cybersecurity solutions for email, data, and the web?
Are you keeping your data on the cloud or on-premises?
These are just some of the questions you need to address to improve your cybersecurity posture and lower the chances of an incident.
Detection and analysis
For many organizations, detecting an incident is the hardest part. Threat actors can sometimes spend weeks, months, and even years inside a network without being noticed. During this time, they will gather data, inside information, and anything else that could be of value.
You should set up constant monitoring across all sensitive IT systems, infrastructure, and attack vectors to prevent that from happening.
To identify suspicious correlations, analyze events from multiple sources such as:
Logs
Error messages
Security tool alerts
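One way to implement the multi-source correlation described above, as an added example that is not part of the original post: a small Python correlator over constructed log lines (the host names, user names, IP addresses and rule names are made up) that flags a host when the auth log, the error log and a security-tool alert all report it within a 15-minute window.

```python
"""Correlate events from several sources to surface suspicious clusters.
Sample events below are constructed for illustration, not from a real incident."""
from collections import defaultdict
from datetime import datetime, timedelta
import re

WINDOW = timedelta(minutes=15)

# Constructed sample lines: auth log, application error log, security-tool alerts.
AUTH_LOG = """\
2024-03-02T01:02:10Z host=fs01 user=svc_backup result=FAIL src=203.0.113.7
2024-03-02T01:02:12Z host=fs01 user=svc_backup result=FAIL src=203.0.113.7
2024-03-02T01:03:40Z host=fs01 user=svc_backup result=OK src=203.0.113.7
2024-03-02T09:00:00Z host=web02 user=alice result=OK src=198.51.100.4
"""
ERROR_LOG = """\
2024-03-02T01:05:02Z host=fs01 level=ERROR msg="backup agent: cannot open share, access denied"
"""
ALERTS = """\
2024-03-02T01:06:30Z host=fs01 tool=EDR severity=high rule="mass file rename (.locked)"
2024-03-02T11:30:00Z host=web02 tool=WAF severity=low rule="scanner user-agent"
"""

LINE = re.compile(r"^(\S+) host=(\S+) (.*)$")  # timestamp, host, rest of line

def parse(text, source):
    """Turn one source's lines into event dicts; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
        events.append({"ts": ts, "host": m.group(2), "source": source, "detail": m.group(3)})
    return events

def correlate(events, window=WINDOW, min_sources=2):
    """Return {host: sorted sources} where >= min_sources distinct sources agree within window."""
    by_host = defaultdict(list)
    for e in events:
        by_host[e["host"]].append(e)
    findings = {}
    for host, evs in by_host.items():
        evs.sort(key=lambda e: e["ts"])
        for i, anchor in enumerate(evs):  # slide a window starting at each event
            cluster = [e for e in evs[i:] if e["ts"] - anchor["ts"] <= window]
            sources = {e["source"] for e in cluster}
            if len(sources) >= min_sources:
                findings[host] = sorted(sources)
                break
    return findings
```

Running `correlate(parse(AUTH_LOG, "auth") + parse(ERROR_LOG, "error") + parse(ALERTS, "alert"))` flags only fs01, because the web02 login and the web02 WAF alert are hours apart.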
In ransomware incidents, the attackers are less subtle and may engage you with messages like these:
=====================================================================
Welcome, this is Karacurt team.
=====================================================================
Your network has been breached.
Internal documents and files were stolen.
=====================================================================
PLEASE READ THIS SO YOU CAN CONTACT US!
=====================================================================
Ok, you are reading this – so it means that we have your attention.
Here’s the deal :
1. We breached your internal network and took control over of all your systems.
2. We analyzed and located each piece of more-or-less important files while spending weeks inside.
3. We exfiltrated anything we wanted (the total size of taken data exceeds !159GB!).
To contact us using this ID you should do the following :
1. Download Tor browser – https://www.torproject.org and install it.
2. Open link in TOR browser – https://<Redacted> ;
3. Insert Access Code inside the field on the page and click Enter.
4. The chat window will open, and we will be able to communicate through a secured channel.
This link is available via “Tor Browser” only!
——-ACCESS CODE——- <Redacted>
Containment and eradication
What steps should you take first if you suspect your network has been breached?
If you suspect your network is under attack, the first step is to get the affected devices detached from your network immediately or as soon as possible.
If you suspect the entire network is corrupted, you may need to get your network separated from the internet, even if this means a service interruption to your constituents.
Crank the firewall access down: allow only critical and known-friendly access in and out of the network (even that may not be enough, depending on the type of attack you have suffered).
Only if you can’t get the affected devices off the network should you power them off. Activate your cyber emergency procedures and, hopefully, a pre-established cyber incident response plan.
Contact your digital forensics company to discuss the incident and your response options.
Negotiation
Negotiating with hackers is frowned upon by the authorities. The FBI believes that paying ransoms or giving in to their demands in any way only incentivizes further criminal behavior.
But, you still have to include negotiation as part of your incident response plan. Here are some of the questions you should consider:
Does your cyber defense team have the ability to negotiate with the threat actors?
Have you identified a company that can handle negotiations and payment?
OFAC Checks
Threat Actor Group identification through IOCs, TTPs, Malware, etc.
How can you be sure your data will be destroyed?
Will the Threat Actor give a valid decryption key?
Should you pay the ransom?
In a ransomware attack, organizations are faced with a difficult decision:
Pay the ransom and regain access, risking that hackers won’t keep their word, or
Don’t pay and risk further damage.
Neither of these options is particularly ideal, so what should an organization do?
Ideally, every company should have a policy on handling ransomware attacks. Cyber insurance policies are also becoming very popular in today’s business climate.
Whether you pay the ransom or not will largely depend on the value of the compromised data. Consider the consequences of having the data exposed. Would it cause reputational damage?
How do you get back in control of your network?
Regain the Endpoints: The perimeter must be defended.
An EDR solution needs to be in place to allow for the detection of intrusion and lateral movement.
Keep the threat actor from re-entering the network.
The perimeter must be monitored around the clock for the first three-to-seven days.
Control the Flow: Lock the network down.
Only essential traffic in and out of network, all IPs verified.
Can “GeoFence” Rules be applied to your internet-facing firewall connections?
Exit the Attacker: The threat actor must be purged from the network.
Do a machine-by-machine forensic search on affected devices to ensure the threat actor is no longer in the network and has not left a back door or other leave-behind to do damage.
Use forensic investigation to determine how and when the breach occurred.
Follow the trail of clues until patient zero, the initial point of entry, is discovered.
Recovery and post-incident activity
Once the threat has been eradicated, it’s time for the recovery phase. There are three main post-incident recovery steps:
1. Rollback
If your system and files are backed up, restore the devices to a previous date. Many EDR solutions also allow rollbacks at the endpoint device level.
2. Rebuild
Depending on the level of damage caused by the threat actor, a rebuild may be pragmatic. Servers and machines can be rebuilt by your team or with an outside company assisting, depending on the size and scope of the project.
3. Migrate
If you keep your data on-prem (on the premises), you can transition to the cloud. Depending on the solutions you work with, transitioning to an alternate provider may make sense, but historical data needs to be accounted for.
How SecurityScorecard can help
The first 48 hours after a cyber incident are critical. SecurityScorecard is there to support you every step of the way, including:
Risk assessment
To truly understand your exposure, you need to obtain an accurate picture of your IT environment. Once you identify your organization’s biggest threats, you can prioritize remediation.
Digital forensics & Incident response
Through our recent acquisition of LIFARS, SecurityScorecard’s professional services enable you to take immediate action towards remediating incidents and mitigating risk.
Third-party risk management
Obtaining a complete picture of your cyber risk exposure requires visibility into all of your vendor and partner risks. We help you rate the security posture of any entity on demand so you can operate at scale.
About SecurityScorecard
SecurityScorecard is the global leader in cybersecurity ratings and the only service with millions of organizations continuously rated. Thousands of organizations leverage our patented rating technology for self-monitoring, third-party risk management, board reporting, and cyber insurance underwriting. But we don’t stop there. Through a customer-centric, solution-based commitment to our partners, we are transforming the digital landscape building a path toward resilience.
If you are seeing signs of a breach or suspect an incident, call us directly (212) 222-7061, or request consultation by filling out our form.