Once a cyber-attack incident is confirmed and a compromise detected, a common misstep is pulling the power cable. While shutting off power may seem a good thing from a containment standpoint, it makes the job of the responder much harder. If the attack is wholly memory-resident, shutting that host down can completely remove the evidence of how the attacker accessed the endpoint, and impedes gathering intelligence on the attack’s origins and potential objectives. This policy should be continually communicated to all employees. Another critical importance is that of identifying the main contacts for incident response teams.
When organisations have not done this – and an incident is live – a lot of time can be wasted figuring out who the owner is of systems, who the responders need to speak to in terms of escalation, and signing off the necessary budget required for dealing with a response. It is often necessary to take defensive actions to protect the business, such as taking down critical elements of the infrastructure. If a business isn’t prepared for that in advance it can be difficult to debate the pros and cons while an attacker is live on the estate. Also, while the impulse to get the attacker off your estate as quickly as possible is understandable, it is not always the right move. This is particularly important when dealing with sophisticated attackers, alerting them to the fact that they’ve been detected can either be the point at which they deploy ransomware, or they leave the estate to come back with a stealthier method. A measured, coordinated response can ensure that assets are protected and the attacker is expelled without recourse.
On the subject of breaches – while stressful and potentially damaging – they can sometimes lead to good things, such as security improvements across the organisation, hiring of additional resources and an improved and wider understanding of the security that needs to be embedded in every facet of an organisation. However, it is crucial to action recommendations on post-incident improvements that can reduce the impact of future attacks. A good example of this is the research done in Active Directory security using the Red Forest architecture, which is something that – once implemented properly – can have a major impact on the effectiveness an attacker has if they have compromised that environment. While it requires investment in time and money, the backend of an incident is often an opportunity to make such improvements. However, it is sometimes the case that organisations don’t action recommendations, reverting back to the same risk profile they started with before they were attacked.
Cybersecurity is also a lifecycle and ideally one should build in continuous improvements and assessments. One of the best ways to ensure you are bolstered against the threat landscape is to take lessons learned from investigations and build a programme that can implement those recommendations. Constraints to budgets and time make it difficult to implement every single recommendation. However, 10% readiness is better than no readiness. It is not purely about monetary investment, but about making internal improvements to your processes and procedures.