While organizational leaders and IT owners keep a watchful eye on emerging threats and trends from the previous year, much of their cybersecurity strategy will need to be founded on how well their businesses can respond to an attack. While the risk of cyberattacks is an undeniable reality, cyber preparedness can significantly differentiate successful businesses from those struggling to manage after a cyber event.
In particular, Chief Information Security Officers (CISOs) will be building plans to ensure a quick and effective return to normal operations in the face of attack. This post covers how to evaluate the business’s current cyber preparedness, how to plan for a cyberattack and what to do after an attack has occurred. It offers guidelines on the key elements CISOs and IT leaders will need to focus on as they bolster their defense strategies in light of the current threat landscape.
The Increasing Threat of Cyberattacks to Businesses
All sectors in the last few years have grappled with the threat of cyberattacks. Healthcare, education, government, and critical infrastructure are among those that have taken the hardest hits. Targeting underprepared or poorly-funded victims has become a lucrative business model for malicious threat groups and opportunistic actors.
Modern adversaries do not discriminate targets by size or sector; consequences from one attack can affect the organization and its vendors and providers. The last 12 months have seen little respite in the wave of ransomware attacks and data breaches even as the Biden-Harris Administration’s Executive Order on Improving the Nation’s Cybersecurity and official Shields Up campaign have raised awareness of the severity of the threats facing businesses.
From an insurance standpoint, the cost to remediate attacks has increased, spiking the price of cyber insurance premiums. Insurance carriers recognizing the risk from attack have subsequently adjusted their requirements for security.
In such an environment, it makes sense for businesses to prepare for the possibility of a compromise or cyber attack. An effective incident response plan that has been openly communicated and tailored to the needs of the business increases the organization’s chances of recovery and rapid return to normal operations.
Evaluating Cyber Preparedness | Is Your Business Ready?
Cyber preparedness ensures that enterprises have a plan in place to respond to imminent threats. For small to medium sized businesses (SMBs), properly implemented incident response and emergency management can mean the difference between recovery and insolvency. While cyber risk cannot be eliminated completely, enterprises can manage risk effectively with the right people, processes, and technology.
The first step to building a strong cyber incident response plan (IRP) is evaluating the organization’s level of preparedness.
- Response Team: Is it clear who the incident response team members are? Does the response team include: a technical lead, data analysts, communications/PR advisor, human resources specialist, etc.?
- Stakeholders: Are both internal and external stakeholders clearly identified? Are key contacts for third-parties, vendors, clients, and providers identified? Are all public-facing members of the Board and C-levels all well versed in addressing the media?
- Roles & Responsibilities: Does everyone in the organization understand their role in the IRP? Have all expectations been explained, trained, and documented?
- Communication Matrix: Is a communications plan in place and in an easily accessible format/location should networks go down? Does it include central points of contact for each team in the organization?
- Policies: Do the incident response policies align with the organization’s overarching policies and compliance requirements? Have senior leadership reviewed, approved, and communicated to all employees?
- Continuous Improvement & Lessons Learned: After every practice, drill, or actual incident, are takeaways and feedback documented and stored in an easily accessible platform? Are action items and deficiencies assigned and communicated to directors and managers? Are post-incident reports used for training and onboarding processes?
- Post-Event Assessments: Is there a managed service or security operations center (SOC) that can provide in-depth incident response (IR) assessments? Do these assessments pinpoint evidence within the environment?
- Backups: Are backups regularly scheduled, stored offline, or stored in a secure cloud? Are backups regularly reviewed and protected with passwords and encryption? Are backups accessible for modification or deletion from the primary network?
- Data Forensics & Incident Response (DFIR): Does the organization’s security stack include digital forensics analysis, incident response, and/or security consultations in the event of an attack?
- Contextual Information: Is the security stack capable of detailed log collection? Is log data stored read-only with standard encryption in place?
What to Do to Prepare for a Cyberattack
One of the most important things cybersecurity executives can do to prepare for a cyberattack is to establish a task force and name specific individuals responsible for responding to a breach. This task force should include key members of the organization, such as IT professionals, legal counsel, upper management, and any external partners or service providers that may need to be involved in the response.
Before a breach occurs, it’s essential to develop a comprehensive cyberattack survival protocol that outlines the steps to take during an attack. This should include information on identifying, containing, and recovering from the attack. It should also include details on communicating with relevant stakeholders, including employees, customers, and the media.
In addition to establishing a task force, there are a few other vital steps to increase preparedness for a cyberattack:
- Conduct regular security assessments: Regular security assessments can help identify vulnerabilities in systems and networks that attackers could exploit.
- Implement robust security controls: This includes network and cloud security, endpoint security software, user identity protection, and encryption to protect systems and data.
- Train employees: Educating employees about the importance of cybersecurity and how to identify and report potential threats can go a long way in protecting an organization from an attack.
- Establish incident response protocols: Having a plan in place for how to respond to a cyberattack can help minimize the damage and get systems and operations back up and running as quickly as possible.
- Perform a forensic incident response simulation: simulations help manage the aftermath of a cyberattack. The findings can provide valuable support in navigating the complex legal and technical challenges that often arise in the wake of a breach.
What to Do After a Cyberattack
The overall goal of the post-attack process is to mitigate any exploited vulnerabilities, ensure the threat has been neutralized or eradicated, and restore affected services to operational normalcy.
After a confirmed cybersecurity attack, the following steps will help ensure that the incident is appropriately contained and minimize data losses.
1. Assess the Extent of the Attack
The security team’s first order of business is to determine the attack’s extent and identify which systems, data and/or users have been affected. The following will help determine the type of attack and assess the extent of the damage:
- Determine the type of attack: An effective response first needs to understand the specific kind of attack that occurred. Types of attack include phishing attempts, Denial of Service attacks, ransomware/data exfiltration and account/user takeovers. If malware was used, identify the specific kind of malware. This can often lead to a better understanding of other elements of the attack.
- Identify the source of the attack: It is important to identify the initial vector of compromise. Threat actors may have gained a foothold or presence in other parts of the network that have not yet come to light. To do this effectively, work with a forensic incident response team to analyze the attack and trace it back to its origin. Understanding the source of the attack also helps inform the company’s security strategy so that measures can be implemented to prevent similar attacks from occurring in the future.
- Assess the extent of the damage: Once the attack has been contained and the type of attack has been identified, it’s time to assess the extent of the damage. This may include evaluating the impact on systems and data and identifying any sensitive information that may have been compromised. Understanding the full scope of the attack will help the organization to plan an effective response.
2. Contain the Attack
The next step is to prevent attackers from gaining further access to the network. Some recommended steps are:
- Isolate infected systems and devices: Any system or device that may have been compromised should be isolated from the rest of the network to prevent the attacker from spreading to other systems. Organizations with SentinelOne installed can use the quarantine network feature to block any other communication to and from endpoints that may have been compromised.
- Disconnect from the network (if necessary): In some cases, it may be required to disconnect the entire network from the internet to prevent the attacker from accessing systems.
- Shut down affected services: If certain services (e.g., email, web servers) have been compromised, it may be necessary to take these services offline across the organization to prevent the attacker from using them as a foothold.
- Implement any necessary emergency measures: Depending on the severity of the attack, it may be required to activate the incident response plan, which should outline the steps needed to contain the attack and minimize damage.
3. Eradicate the Threat
After containment, the next step is to remove any malware or other malicious software installed during the attack and to ensure that the initial infection vector is blocked.
- Remove malware or other malicious software: Organizations that deploy SentinelOne can set a policy that removes malware automatically, or it can be done remotely if the policy was not already set. Organizations without SentinelOne may need to manually remove malware from infected systems or rebuild the system from scratch.
- Patch any exploited vulnerabilities: If the attacker exploited software vulnerabilities to gain access, these will need to be patched as soon as possible. This may require applying patches or software updates, reconfiguring network settings, or replacing outdated or unsupported systems. Patching vulnerabilities may involve downtime, which can be disruptive to business operations. However, it’s essential to prevent attackers from exploiting the same infection vector again and interfering with the recovery process.
- Reset passwords: If any user accounts or service credentials were compromised before or during the attack, ensure that these are reset and that user identities are confirmed and protected using biometric keys, MFA and other authentication techniques.
4. Restore Data and Services
Once the attack has been mitigated, the next step is to restore any systems or data that were damaged or lost during the attack. This may involve restoring from backups, rebuilding systems, or recovering data using specialized software. Priority should be given to the following:
- Restore systems and services: Bring back any systems or services that were shut down to contain the attack and any systems or services that were damaged or lost during the attack. It’s important to carefully test and validate these services to ensure that they are fully functional and secure before making them available to users again.
- Restore lost data (if necessary): If the attack resulted in the loss of essential data, restore it as soon as possible. This may involve restoring from known clean backups, using specialized data recovery software, or manually recreating lost data.
- Rebuild affected systems (if necessary): If the attack caused damage to systems that cannot be repaired, they may need to be rebuilt from the ground up. While this can be time-consuming, it’s necessary to ensure that all systems are secure and fully functional.
5. Report the Event
As the data forensics investigation progresses, senior leadership and other stakeholders should be kept informed of the team’s findings. When tasking the incident response team, ensure that reporting cadences are set.
During this stage, key communicators will reach out to law enforcement and insurance agencies. C-levels will work with media and public relations specialists to issue a press release and inform employees and affected clients and third-party vendors.
Organizations can maintain trust and transparency by providing regular updates on the situation and any progress made. Here are the steps to keep in mind:
- Set a report cadence and expectations around reporting: After the attack has been contained and the incident response team has begun its investigation, establish a report cadence and set expectations around how and when the information will be shared with stakeholders. This will help to ensure that the technical team can focus on their tasks without being interrupted by communication requests, which can waste valuable resources during this critical time.
- Identify the different reporting stakeholders: As part of the response and resolution efforts, it is important to keep employees, customers, and partners informed of the situation and any progress made. However, each stakeholder group may have different communication needs and preferences. For example, internal stakeholders may need clear, actionable feedback, while external stakeholders may require a more general update. Identify the different stakeholder groups and develop a communication plan that meets their needs.
- Work with media and public relations specialists: To maintain trust and transparency, issuing a press release or other public statements about the attack may be necessary. C-level executives should work closely with media and public relations specialists to carefully craft this statement and ensure that it accurately reflects the situation and the organization’s response efforts.
C-levels should also ensure that they are aware of any mandatory regulations that apply to their organization in the event of an attack. Depending on industry-specific federal laws and state legislation, many organizations are legally mandated to report cyberattacks and data breaches. Those that manage, store, and transmit personally identifiable information, for example, will be bound by HIPAA and PCI-DSS requirements to notify affected individuals.
6. Hold Post-Event Lessons Learned Sessions
Holding post-event lessons-learned sessions is an integral part of the cyberattack survival process because it enables organizations to reduce the risk of future attacks and better protect themselves and their customers.
Post-event lessons learned sessions help to improve incident response processes and procedures. By examining the events leading up to, during, and after the attack, organizations can identify any bottlenecks or inefficiencies in their incident response plan and take steps to streamline and improve response efforts. This can include revising team roles and responsibilities, updating communication plans, and incorporating new security controls or procedures.
- Learn from the attack: The investigation should have already identified what happened and how attackers gained access. Vulnerabilities should have been patched and mitigated. Ensure the findings of the investigation are used as lessons to prevent similar attacks in the future. This may also include mistakes or missteps made during the response effort.
- Update incident response plan: Based on the lessons learned from the attack, the incident response plan and the overally company security strategy should be updated to ensure they reflect the most current best practices and consider any new threats or vulnerabilities. This may involve revising IR team roles and responsibilities, updating the communication plan, and incorporating new security controls or procedures.
Given the growing risk of cyber threats on businesses of all sizes and industries, building cybersecurity preparedness has become an urgent goal for many C-level security leaders and IT owners.
Dealing with cybersecurity attacks will be a trying exercise for all involved, but leaders can do much to minimize damage and make the road to recovery as smooth as possible. Planning ahead and designing an incident response plan tailored to the business’s specific needs ensures businesses can retain sensitive data, client and public trust, and credibility in the long run.
CISOs, IT owners, and technical professionals trust SentinelOne’s Vigilance Response Pro to protect their businesses from advanced threat actors. Vigilance blends 24/7/365 managed detection and response (MDR) with comprehensive digital forensics analysis and guided security consultation to offer a full-service solution for enterprises operating in today’s cyber landscape. Learn more by booking a demo or contacting us today.