Nearly every day, it seems like you’re reading about another data breach in the news. Between ransomware attacks and nation-state actors, you can’t rely on the old “trust but verify” adage anymore. Cyber resilience isn’t about preventing all threats, it’s about creating a security program that allows you to identify, investigate, contain, and mitigate threats quickly and effectively. As you build out a more robust security program, you need to keep in mind what to do if you think your company has been hacked.
1. Look For The Threat
The first step to figuring out if you have been hacked is figuring out if your security has truly been compromised. While you’ve been monitoring your security controls and eliminating external vulnerabilities, you also need to uplevel your threat detection capabilities.
Threat hunting and red teaming help you mature your security posture. With threat hunting, you actively look for indicators of compromise (IoCs) in your environments. IoCs are the behaviors known to be associated with attacks seen in the real world.
What is threat hunting?
Threat hunting is the process of using information about malicious actor tactics, techniques, and procedures (TTPs) to actively look for anomalous behavior that matches these known patterns.
Benefits of threat hunting
Since malicious actors try to remain hidden in systems and networks, threat hunting helps you take a proactive look at your environments to see if someone has infiltrated your systems or networks.
Threat hunting can help protect against:
Advanced Persistent Threats (APTs)
2. Contain The Threat
Follow your incident response plan to contain the threat. If during the threat hunting process, you discover anomalous activity and think that you’ve been hacked, you need to have the appropriate incident response capabilities. Further, incident response is included in many compliance mandates. This means it’s not just a way to be more cyber resilient, it’s also mission-critical for your senior leadership and board of directors.
What is incident response?
Incident response consists of the set of policies, processes, and procedures used to detect, investigate, contain, remediate, and recover from a security incident.
It’s important to remember that not all security incidents are data breaches. A data breach is when cybercriminals manage to steal - or exfiltrate - sensitive data. A security incident is when you have a malicious actor in your systems or networks and can occur before you experience data loss.
Benefits of a mature incident response program
Having the ability to rapidly respond to a security incident helps reduce dwell time, the amount cybercriminals spend in your systems and networks. By reducing dwell time, you’re able to limit the impact an incident has on your business.
For example, your incident response program enables you to:
Recover systems and networks to a secure state
Meet compliance requirements
3. Collect Digital Forensics
If the security incident leads to a full-blown data breach, you’ll find yourself having to document everything that happened. In the aftermath of a data breach, you might find that you’re involved in legal proceedings - both civil and criminal. You'll want to collect digital forensics in the aftermath of a hack.
What is digital forensics?
Digital forensics is the process of collecting all data around the recovery and investigation activities that led to containing a threat actor. A distinct branch of forensic science for cybercrimes, digital forensics is usually used for legal proceedings, but it can apply to other use cases like meeting compliance mandates.
The process involved the following steps focused on digital evidence:
Benefits of digital forensics
Often, companies need to contact law enforcement agencies after a breach occurs. Depending on what led to the attack, they also may find themselves the subject of legal proceedings. For example, if consumer data is leaked, then they may be sued under various privacy laws.
If you have digital forensics capabilities, you’re able to:
Provide court-admissible evidence that follows the appropriate chain of custody to prove data authenticity
Offer expert testimony during trial
Analyze malware mechanics to understand how an attack was perpetrated
Three Challenges Companies Face
All of these steps are important if you think you’ve been hacked, but they’re not easy to follow. Many companies face similar challenges trying to put in place the people, processes, and technologies needed to be cyber resilient.
1. Cybersecurity Skills Gap
Hiring the right people with the right skills is expensive, and many companies can’t afford to hire a full-time security team. Although the cybersecurity workforce is growing, the supply still can’t keep pace with the need. According to the (ISC)2 Cybersecurity Workforce Study, 2021, 47% of respondents say they need more staff who can analyze threats, protect their organizations, and defend against malicious actors.
2. Immature Incident Response
Most companies have some incident response processes. However, the lack of personnel often means that everything is done on a reactive, ad hoc basis. Without repeatable, consistent processes, organizations will take more time to detect, investigate, respond, contain, and recover from threats.
3. Cybersecurity Stack Complexity
Putting together a cybersecurity technology stack can be difficult. Organizations need solutions that help them build a robust security program, but the cybersecurity technology market is saturated. In some cases, organizations have been adding new technologies to address individual security problems without creating a holistic solution. This means that teams struggle monitoring appropriately across multiple security tools.
How SecurityScorecard Can Help If You Think You’ve Been Hacked
With SecurityScorecard, you can build out a more robust incident response program using incident response and digital forensics capabilities. We give you the security operations center (SOC) team you need by either providing complete services or supplementing your current team.
Our services help you manage the response and remediation process for rapid containment by providing:
Daily threat hunting for high fidelity alerts
Manual review of critical alerts to help prioritize activities
Response recommendations to contain threats
Remediation partnership to help your team rectify the issues for alert
In today’s digital world, cyber resilience requires risk intelligence - the information that allows you to gain full contextual business risk visibility. Monitoring risk needs to include actively looking for threats so that you can mitigate the impact to your business.