Here's a guest post from Daniel Saunders, Senior Incident Response Consultant, who is in my team:
Cybersecurity incidents are increasing in record numbers and it could only be a matter of time until one lands on your doorstep. Whether hit by a Distributed Denial-of-Service (DDoS) attack, infected by malicious programs or even falling victim to ransomware, the first-responder actions will often determine the outcome of the security incident. Whilst there are greater prevention efforts in raising awareness from warehouse staff to boardroom level, there is still a lack of preparation and planning for the inevitable.
Far too often we witness media coverage of the latest network intrusion stories, which hit organizations of all shapes and sizes – often due to a lack of security awareness or planning. Default or non-complex passwords, out-of-date anti-virus (AV) and poor cyber threat awareness, as well as a lack of security controls and prevention systems, are just some of the common trends which enable threat actors to exploit and disrupt an organization's IT systems.
You do not have to venture far to see some of the most high-profile attacks, whether it's the widespread WannaCry infection, which crippled the UK's NHS systems, or a private healthcare company's internal data breach and data exfiltration. Both could have been mitigated much more quickly had efficient policies and tested processes been in place. Whilst the authorities continue to pursue and disrupt those who commit computer misuse offences – such as taking down the largest DDoS booter/stresser service, webstresser.org, which crippled IT infrastructure across Europe and beyond with in excess of four million attacks – organizations need to take responsibility and plan for such scenarios in order to prevent business shutdown and legal repercussions.
- How much damage is done?
- Has any sensitive data been stolen?
- How did the attacker gain access?
The aforementioned questions are often posed by senior management during the early phase of a cybersecurity incident in an attempt to understand the scale of the issue, and it's often down to computer emergency response team (CERT) / incident response (IR) practitioners to contain the incident and carry out the root cause analysis. To enable this to occur, an effective response needs to be conducted within the initial 24 hours of the incident, in cooperation with the organization's IT department.
Triaging the incident as it unfolds can provide a head-start in the remediation and post-incident investigation attempts. Some key considerations to assist with this include:
- Initial Detection – How and when the incident was first detected can provide a starting point within the timeline; however, be mindful that the systems may have been compromised months prior. Are firewall logs being utilized to their full potential to identify the initial compromise, or are other SIEM solutions in place which could provide vital clues?
- Infrastructure – Not only is where the servers and/or endpoints are physically located important to an effective response, but so are the setup considerations, i.e. operating systems, storage and virtualization, as well as the security configuration, i.e. user groups/permissions. These can provide an instant insight for an external IR team to carry out compatible technical work and familiarise themselves with the IT systems in situ. Consider a network map.
- Initial Remediation/Containment Actions – Providing accurate, contemporaneous notes of the initial activities and steps carried out on handover to the IR team prevents cross-contamination of evidence and wrong leads being looked into. This forms part of the communication which must be maintained throughout the course of the incident response plan, and also ensures that the IT, CISO and IR single points of contact (SPoCs) are fully engaged with one another.
- Logs – Log files contain thousands of lines which mean nothing to many users, but which can be crucial in identifying indicators of compromise (IoCs). It's important to ensure logging is fully enabled and retention periods are applied, to avoid losing crucial evidence. Logs should be provided at the earliest opportunity to allow for a thorough review to determine IoCs.
- Preservation – Regardless of whether external authorities are engaged, it is important to treat each incident on a case-by-case basis and ensure that the artefacts identified within the data are preserved for thorough post-incident forensic analysis, in order to build a timeline of exactly what occurred. One should also be mindful that, if external authorities are engaged, reports could be entered as evidence; therefore continuity of such material should be maintained.
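The Initial Detection, Logs and Preservation points above come together in a first-24-hours triage pass: scan the logs you already have for known IoCs, take the earliest hit as the provisional start of the timeline (remembering it may move earlier as more logs arrive), list the internal hosts that talked to those IoCs as containment candidates, and hash the log before handing it over so its continuity can be verified. The script below is an added example and is not code from the original post or its author; the firewall log format, the log lines and the IoC addresses are all constructed for illustration, and a real engagement would substitute the organization's own log format and the IoC list supplied by the IR team.

```python
"""Added triage example: match constructed firewall log lines against a
constructed IoC list, find the earliest hit, list internal hosts that
contacted an IoC, and record a SHA-256 of the evidence for handover."""
import hashlib
import re
from datetime import datetime

# Constructed sample firewall log (syslog-style; not taken from any real device).
SAMPLE_LOG = """\
2024-03-02T08:15:01Z fw01 ALLOW src=10.0.5.21 dst=203.0.113.45 dport=443 proto=tcp
2024-03-02T08:15:07Z fw01 ALLOW src=10.0.5.21 dst=192.0.2.10 dport=443 proto=tcp
2024-03-03T22:41:19Z fw01 DENY src=198.51.100.7 dst=10.0.1.5 dport=3389 proto=tcp
2024-03-04T03:02:44Z fw01 ALLOW src=10.0.5.21 dst=203.0.113.45 dport=8080 proto=tcp
2024-03-04T03:05:10Z fw01 ALLOW src=10.0.7.9 dst=203.0.113.45 dport=443 proto=tcp
"""

# Constructed IoC list (placeholder documentation-range addresses, standing in
# for the indicators an IR team would supply).
IOC_IPS = {"203.0.113.45", "198.51.100.7"}

# Regex for the constructed log format above; adapt to the real device's format.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) (?P<action>ALLOW|DENY) "
    r"src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+) proto=(?P<proto>\S+)$"
)


def parse_line(line):
    """Return a dict for a well-formed line, or None so junk lines are skipped
    rather than aborting the triage run."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
    rec["dport"] = int(rec["dport"])
    return rec


def find_ioc_hits(log_text, ioc_ips):
    """Every parsed record whose source or destination is a known IoC."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and (rec["src"] in ioc_ips or rec["dst"] in ioc_ips):
            hits.append(rec)
    return hits


def earliest_hit(hits):
    """Provisional start of the timeline: the oldest IoC contact in this log.
    It is a lower bound only; older logs may push the initial compromise earlier."""
    return min(hits, key=lambda r: r["ts"]) if hits else None


def internal_hosts_contacting(hits, ioc_ips):
    """Internal sources that reached out to an IoC: containment candidates."""
    return sorted({h["src"] for h in hits if h["dst"] in ioc_ips})


def evidence_record(name, data):
    """Handover record for the log: name, size and SHA-256 so the recipient can
    confirm the copy they review is the one that was collected."""
    return {"file": name, "size": len(data), "sha256": hashlib.sha256(data).hexdigest()}


if __name__ == "__main__":
    hits = find_ioc_hits(SAMPLE_LOG, IOC_IPS)
    first = earliest_hit(hits)
    print("IoC hits:", len(hits))
    print("earliest hit:", first["ts"].isoformat(), first["src"], "->", first["dst"])
    print("internal hosts to contain:", internal_hosts_contacting(hits, IOC_IPS))
    print("evidence record:", evidence_record("fw01.log", SAMPLE_LOG.encode()))
```

The hash is computed on the bytes as collected, before any filtering or reformatting, which is why `evidence_record` takes raw bytes rather than the parsed records; keep the record alongside the handover notes so the same value can be re-checked by whoever reviews the log later.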
Recognizing that cybersecurity incidents will occur, and preparing for them, for example via mitigation exercises, will be pivotal in the remediation of a cyber threat. Implementing an effective plan and activating an efficient response in the early stages of the breach will allow you to recover from the situation and manage the compromise, whilst causing minimal disruption.
The bottom line? When a security incident happens, make the first 24 hours count.