By Kevin Smallen, Chief Information Security Officer, PenChecks Trust®
A cyberattack on your business is like a serious auto accident. It only happens to someone else – until it happens to you. Fortunately, several initiatives can help prevent or significantly reduce your organization’s chance of becoming a cyberattack victim. That said, you can’t completely secure your network or reduce the risk of a successful cyberattack to zero. Your best protection is to prepare for the possibility by planning how to respond if your business gets attacked. Scenarios such as a ransomware attack that encrypts your data and renders it unusable, or outright data theft, need to be part of a discussion that results in a written Incident Response Plan (IRP).
The National Institute of Standards and Technology (NIST) has created a framework for putting together an IRP in its Computer Security Incident Handling Guide (Special Publication 800-61). Its incident response life cycle can be broken out into the seven steps below:
1. Preparation
Start by preparing for each type of cyberattack. For example, when preparing for a ransomware attack, your team must first decide whether it would pay the ransom. The initial answer for most companies is no. If you take this approach, you will need a detailed backup/restore strategy that answers these questions:
- How quickly can you restore from backup?
- Do you have documented procedures that cover all facets of your enterprise restore processes?
- Do you test your backups at least monthly to ensure that restores will work and give you the desired results?
- Because most backups are point-in-time, have you calculated the business impact of losing up to a day’s worth of data (your recovery point objective) between the last backup and the incident?
Unless you have the staffing to handle a robust and staged response to any incident (most small to medium size companies do not), your team conversation needs to incorporate external expertise to fill any gaps in your IRP.
2 and 3. Detection and Analysis
As I began to touch on in “Preparation,” does your company have the technology, people, and process to detect incidents promptly? When establishing your detection and analysis capabilities, consider the following categories and include them in your IRP.
- Monitor and analyze all sensitive IT systems and infrastructure metrics. As we move to the cloud, we must have mechanisms that push or pull logs, error messages, alerts, and misconfiguration findings to a central repository, such as a security information and event management (SIEM) tool.
- Identify incidents by correlating events across all of those data sources, with an alert raised as soon as a correlation fires rather than in a periodic report.
- Implement a notifications process for the Incident Response Team.
- Document, Document, Document! Track everything incident responders are doing every step of the way. If you have an IT ticketing system, use that as the record of reference from beginning to end as you keep track of and answer the who, what, when, where, why, and how questions.
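The correlation and record-keeping points above, carried through as an added example (this is not code from the article or from PenChecks Trust): two constructed log sources, an authentication log and a file-server audit log, are joined on user and time to turn a brute-force-then-success login followed by bulk file access into a single incident record that already answers who, what, when and where. The log format, field names and the thresholds (five failures in five minutes, three reads in the following thirty minutes) are assumptions chosen for illustration; a real SIEM rule would be tuned to your own sources.

```python
"""Correlate two constructed log sources into an incident record.

Added example; not code from the article or from PenChecks Trust. The log
format, field names and thresholds are assumptions chosen for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample logs (not real data). In production both sources would
# be forwarded to the SIEM; here they are embedded so the script runs offline.
AUTH_LOG = """\
2024-03-04T02:11:05Z auth host=vpn1 user=jsmith src=203.0.113.9 result=FAIL
2024-03-04T02:11:09Z auth host=vpn1 user=jsmith src=203.0.113.9 result=FAIL
2024-03-04T02:11:14Z auth host=vpn1 user=jsmith src=203.0.113.9 result=FAIL
2024-03-04T02:11:20Z auth host=vpn1 user=jsmith src=203.0.113.9 result=FAIL
2024-03-04T02:11:27Z auth host=vpn1 user=jsmith src=203.0.113.9 result=FAIL
2024-03-04T02:11:33Z auth host=vpn1 user=jsmith src=203.0.113.9 result=SUCCESS
2024-03-04T08:30:00Z auth host=vpn1 user=akim src=198.51.100.4 result=SUCCESS
"""
FILE_LOG = """\
2024-03-04T02:14:02Z file host=fs1 user=jsmith action=READ path=/finance/q1.xlsx
2024-03-04T02:14:03Z file host=fs1 user=jsmith action=READ path=/finance/q2.xlsx
2024-03-04T02:14:05Z file host=fs1 user=jsmith action=READ path=/finance/q3.xlsx
2024-03-04T02:14:06Z file host=fs1 user=jsmith action=READ path=/finance/payroll.xlsx
2024-03-04T02:20:11Z file host=fs1 user=jsmith action=WRITE path=/finance/q1.xlsx
2024-03-04T08:31:00Z file host=fs1 user=akim action=READ path=/hr/handbook.pdf
"""


def parse_log(text):
    """Parse lines of 'TIMESTAMP source key=value ...' into event dicts, sorted by time."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, source, *pairs = line.split()
        ev = {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), "source": source}
        for pair in pairs:
            key, _, value = pair.partition("=")
            ev[key] = value
        events.append(ev)
    return sorted(events, key=lambda e: e["ts"])


def suspicious_logins(auth_events, fail_threshold=5, window=timedelta(minutes=5)):
    """Yield (success_event, failures) where a SUCCESS was preceded by at least
    fail_threshold FAILs from the same (user, src) inside `window`."""
    failures = defaultdict(list)
    for ev in auth_events:
        key = (ev["user"], ev["src"])
        if ev["result"] == "FAIL":
            failures[key].append(ev)
            continue
        recent = [f for f in failures[key] if ev["ts"] - f["ts"] <= window]
        failures[key].clear()  # a success resets the counter either way
        if len(recent) >= fail_threshold:
            yield ev, recent


def correlate(auth_text, file_text, follow_window=timedelta(minutes=30), read_threshold=3):
    """Join suspicious logins with the same user's file activity in the following
    `follow_window`, producing who/what/when/where incident records with a timeline."""
    file_events = parse_log(file_text)
    incidents = []
    for login, fails in suspicious_logins(parse_log(auth_text)):
        follow = [f for f in file_events
                  if f["user"] == login["user"]
                  and login["ts"] <= f["ts"] <= login["ts"] + follow_window]
        reads = [f for f in follow if f["action"] == "READ"]
        timeline = fails + [login] + follow  # already in time order
        incidents.append({
            "who": login["user"],
            "where": {"src": login["src"], "hosts": sorted({e["host"] for e in timeline})},
            "when": (timeline[0]["ts"].isoformat(), timeline[-1]["ts"].isoformat()),
            "what": f"{len(fails)} failed logins then success; "
                    f"{len(reads)} file reads within {follow_window} of login",
            "severity": "high" if len(reads) >= read_threshold else "medium",
            "timeline": timeline,
        })
    return incidents


if __name__ == "__main__":
    for inc in correlate(AUTH_LOG, FILE_LOG):
        print(inc["severity"], inc["who"], inc["where"], inc["what"])
        for ev in inc["timeline"]:
            print("  ", ev["ts"].isoformat(), ev["source"],
                  ev.get("result") or ev.get("action"), ev.get("path", ""))
```

The record returned by `correlate` is the seed of the ticket the text asks you to open: the timeline is the evidence, and every later action by the response team is appended to the same ticket. Note that the second user in the sample (a normal login with no preceding failures) produces no incident, which is the point of correlating rather than alerting on each source separately.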
4 and 5. Containment and Eradication
The containment phase limits the damage and spread of a security incident to prevent further exposure before eradication and recovery begin; fixing the root cause comes later. The SANS Institute, a cybersecurity training and research organization, considers containment from three perspectives:
- Short-term containment – limiting damage before the incident worsens, isolating network segments, taking down hacked production servers, and routing to failover.
- System backup – taking a forensic image of the affected system(s) before they are wiped and reimaged. Imaging first preserves evidence from the attack that can be used in court and for further investigation of the incident and lessons learned.
- Long-term containment – applying temporary fixes to make it possible to bring production systems back up. The primary focus is removing accounts or backdoors left by attackers on the systems and addressing the root cause. For example, fixing broken authentication mechanisms or patching a vulnerability that led to the attack.
The eradication phase involves removing the threat(s) from the environment. This can include anything from identifying and removing malware to disabling user accounts involved in a breach. During this phase, it is crucial to identify all affected systems (workstations, laptops, servers, etc.) within the organization so they can be remediated.
6. Recovery
The recovery phase is where you restore the affected systems and return to normal day-to-day operations after an incident occurs. It’s also where your backup strategy will need to shine. In the case of a ransomware scenario, having the right backup strategy is key to the proper restoration of systems and data. Implementation of the 3-2-1 strategy should be the goal of any organization:
- Have three (3) copies of each backup (one primary and two copies).
- Store the copies on two (2) different types of media (for example, a backup appliance, disk, removable hard drive, or cloud storage).
- Maintain one (1) copy off-site and offline so it can’t be changed by an attacker who has reached your network (“air-gapped”).
Execution of the following actions can occur as appropriate:
- Rebuilding systems
- Installing patches
- Changing passwords
- Restoring systems from clean backups
- Replacing affected files with clean versions
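The backup questions under Preparation (can you restore, and have you tested it?) and the restore step above come down to one mechanical check: does what came back match what was backed up? As an added example, and not code from the article or from PenChecks Trust, the script below records a SHA-256 manifest when the backup is taken, restores into a fresh location, and compares the restored tree against the manifest. It also shows the point-in-time gap: files created after the backup are reported as data the restore cannot recover. The directory layout, file names and the use of a temporary directory are assumptions for illustration.

```python
"""Record a hash manifest at backup time and verify a restore against it.

Added example; not code from the article or from PenChecks Trust. The
directory layout and file contents below are constructed for illustration.
"""
import hashlib
import shutil
import tempfile
from pathlib import Path


def sha256_file(path, chunk=1 << 16):
    """Hash a file in chunks so large backups do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(root):
    """Map every file under root (relative POSIX path) to its SHA-256."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def verify_restore(restored_root, manifest):
    """Compare a restored tree to the manifest recorded at backup time.

    missing: in the backup but not restored; changed: restored with different
    content (corruption, or a file the attacker encrypted before the backup was
    taken); extra: present now but absent from the backup."""
    actual = build_manifest(restored_root)
    return {
        "missing": sorted(set(manifest) - set(actual)),
        "changed": sorted(p for p in manifest if p in actual and actual[p] != manifest[p]),
        "extra": sorted(set(actual) - set(manifest)),
    }


def run_restore_test():
    """Simulate backup -> restore -> verify in a temp directory, covering a clean
    restore, a corrupted restore, and the point-in-time gap after the backup."""
    with tempfile.TemporaryDirectory() as tmp:
        prod = Path(tmp, "prod")
        backup = Path(tmp, "backup")
        (prod / "finance").mkdir(parents=True)
        (prod / "finance" / "ledger.csv").write_text("acct,amount\n1001,250.00\n")
        (prod / "README.txt").write_text("constructed sample data\n")

        # Backup: copy the tree and record the manifest alongside it.
        shutil.copytree(prod, backup)
        manifest = build_manifest(backup)

        # A clean restore into a fresh location verifies against the manifest.
        clean = Path(tmp, "restore_clean")
        shutil.copytree(backup, clean)
        clean_result = verify_restore(clean, manifest)

        # A restore in which one file came back corrupted is caught.
        bad = Path(tmp, "restore_bad")
        shutil.copytree(backup, bad)
        (bad / "finance" / "ledger.csv").write_bytes(b"\x00garbage")
        bad_result = verify_restore(bad, manifest)

        # Work done after the backup is the point-in-time gap a restore cannot recover.
        (prod / "finance" / "invoices.csv").write_text("inv,amount\n7,99.00\n")
        at_risk = verify_restore(prod, manifest)["extra"]

        return {"clean": clean_result, "corrupted": bad_result, "at_risk": at_risk}


if __name__ == "__main__":
    for name, result in run_restore_test().items():
        print(name, result)
```

Run the verification after every test restore (the text suggests at least monthly) and keep the manifest with the offline copy, not only next to the live data: if ransomware reaches the backup target, a manifest stored there can be altered along with the files it describes. The "at_risk" list is the practical answer to the point-in-time question; its size on a normal working day tells you what a day of lost data actually contains.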
7. Post-Incident Activities
The post-incident activities phase is often called the “Lessons Learned Session” or post-mortem. Start this phase by identifying and understanding how and why the incident occurred. This will help you avoid a similar situation and point you to new controls to help mitigate future incidents. Then evaluate how effectively your team moved through each IRP phase.
An IRP is arguably the most critical information security tool within an organization. If you don’t have one or don’t know how to proceed, look for a specialist to help you formulate the best plan for your business. If you have an IRP in place, test it at least annually and conduct IRP tabletop exercises quarterly.
As mentioned, it’s not possible to make your systems 100% immune from cyberattackers. In the event you become a cyberattack victim, having an IRP that includes the NIST-recommended steps will enable you to respond quickly and with clear direction to minimize the damage and get your systems up and running again as soon as possible.
Kevin Smallen MS, CISSP, ITIL-F is PenChecks Trust’s Chief Information Security Officer with more than three decades of experience in the Information Technology and Data Security field. Roles in systems engineering/architecture and technical management have enabled him to become a well-rounded information security specialist. Kevin holds a Master of Science in Cybersecurity from Liberty University and continues to approach cybersecurity objectives with Confidentiality, Integrity, and Availability (CIA) as the main tenets of how an organization handles data when it is stored, transmitted, and processed.