Cyber Crisis – Know Your Risk, Act Swiftly
When a cyber incident happens, the emergency response should be immediate and swift. Time is of the essence, and the reaction period between detecting the event and responding to it can make all the difference to shutting down an attack – or being overwhelmed by it.
IT Governance reported that 97,456,345 records were compromised during 112 public security incidents in August 2022.
So, what should our response be when faced with a cyberattack? It can be hard to think straight in those first moments of panic and alarm. It’s the same as discovering that your house is on fire. When you first see the flames, you don’t have time to reflect on what could have been done to prevent it; it is all about containing the fire. Fast. Another comparable scenario is when a burglar breaks into your home – often a well-planned, meticulously executed attempt to steal something valuable. What’s your first move?
Call for help!
When you discover signs of a cyberattack, the very first thing you should do is call your cyber security response team. Many organisations can be tempted to try and address the crisis themselves. However, the reality is that internal teams often don’t have the specialist knowledge required to deal with these types of emergencies properly. Even if they do, they may not have access to the right tools or technology.
That’s why we leave putting out fires to the fire service and catching burglars to the police. They have been appropriately trained and equipped to respond. Likewise, cybersecurity experts have the most suitable set of skills and expertise. Professional cyber security teams can often complete in a matter of hours the same amount of work that would take people outside the industry a month or even longer. A month is a long time for a fire to be left to rip through a building or a burglar to remain on the run with your valuables.
After you have let the experts know what has happened, you must leave all your computers and devices switched on. While it may seem intuitive to power down your machines immediately, do not switch anything off. Shutting down a device could destroy evidence that could be used in an investigation. If an attacker has already compromised a single workstation, a full system shutdown might destroy valuable evidence that could be used later on for forensics.
Instead, simply unplug the cable from the device, breaking its physical contact with the wider IT network. This allows login evidence to be retained on the affected machine and prevents the attacker from accessing other workstations or parts of the network or system. Switching a device off can often reset it, which also clears valuable evidence of where and how the attack was able to take place, such as login details or encryption codes that were used to access the system.
Assess – Gather the Facts and Evaluate the Risks
After your cybersecurity expert has taken the initial immediate steps to reverse the attack and begin to repair the damage, it’s time to gather the facts and evaluate the risks, including the extent of potential harm to affected individuals. Where possible, this is also the stage when experts will take action to remediate any risk of further harm or repeat attacks.
The assessment stage uses software tools installed on machines to bulk search for cyber threats and determine the attack entry point. This software checks documents and files downloaded onto the server, looking for specific file extensions that indicate damage or could render a system vulnerable to attack. Broad searches are conducted across servers and individual machine endpoints. Ransomware often has its own distinctive file extension, making it reasonably easy to spot once the initial signs of its presence are identified.
(If you have EDR software installed and actively monitor consoles for alerts, the attack indicators may be visible.)
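As an added illustration of the bulk file-extension sweep described above (example code written for this article, not ENHALO's tooling), the script below walks a directory tree, flags folders holding a cluster of files with ransomware-style extensions, and lists ransom-note-like files. The extension list, the note-name markers and the sample tree are constructed assumptions, not indicators from any real case.

```python
import os
import tempfile
from collections import Counter, defaultdict
from pathlib import Path

# Constructed list of extensions commonly appended by ransomware; adapt to your own threat intel.
SUSPECT_EXTENSIONS = {".locked", ".encrypted", ".crypt", ".enc"}
# Constructed fragments that often appear in ransom-note filenames.
NOTE_MARKERS = ("readme", "decrypt", "restore", "how_to")

def sweep(root, min_cluster=5):
    """Walk `root` and report two indicators of a ransomware run:
    (1) directories with at least `min_cluster` files sharing a suspect extension,
    (2) text/HTML files whose names look like ransom notes.
    Returns {'clusters': {dir: {ext: count}}, 'notes': [paths]}."""
    per_dir = defaultdict(Counter)
    notes = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            ext = Path(name).suffix.lower()
            per_dir[dirpath][ext] += 1
            if ext in (".txt", ".html", ".hta") and any(m in name.lower() for m in NOTE_MARKERS):
                notes.append(os.path.join(dirpath, name))
    clusters = {}
    for d, counts in per_dir.items():
        hits = {e: n for e, n in counts.items() if e in SUSPECT_EXTENSIONS and n >= min_cluster}
        if hits:
            clusters[d] = hits
    return {"clusters": clusters, "notes": sorted(notes)}

def build_sample_tree():
    """Create a constructed share: one clean folder and one folder that has been encrypted."""
    root = tempfile.mkdtemp(prefix="ir_sweep_")
    clean = Path(root, "finance")
    clean.mkdir()
    for i in range(6):
        (clean / f"report{i}.xlsx").write_text("ok")
    hit = Path(root, "hr")
    hit.mkdir()
    for i in range(8):
        (hit / f"contract{i}.docx.locked").write_bytes(b"\x00" * 16)
    (hit / "README_DECRYPT.txt").write_text("your files are encrypted")
    return root

if __name__ == "__main__":
    print(sweep(build_sample_tree()))
```

Point `sweep()` at a mounted share or endpoint path; on real data, treat every flagged directory as a lead to verify with EDR or file-system timestamps rather than as proof on its own.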
Identify and Contain Data Breach to Prevent Further Compromise
As part of the identification and containment process, the response team will run several simulations to predict where these attackers went on the server and whether they are still in the system. In some instances, only a few servers may be affected, and these can be contained as soon as they are identified. Once contained, the perpetrator’s ability to spread the attack to the rest of the network is stopped immediately.
Key to this stage is identifying access points to critical assets. These can include personally identifiable information (PII) from customers or employees, software source codes, and sensitive information, such as financial data, passwords or confidential reports. Experts can determine if any bulk data has been exfiltrated from the system and implement remediation if this proves to be the case.
Report After a Breach
Depending on your business’s region, specific legal obligations must be adhered to after a data breach.
For example, you may need to issue a statement that outlines the situation and critical facts that the public needs to know.
This can include any or all of the following:
Good practice dictates that a full review is carried out after the incident has been contained and all systems returned to a secure state with no further compromise or threat present. The review process will help the organisation revisit the security protection measures it has in place and how effective each one is when faced with a real-time threat.
ENHALO Cyber Emergency Response in Action
ENHALO specialises in providing rapid emergency response services to organisations facing a sudden cyberattack or data breach worldwide. We were called out very recently to assist a global recruitment agency operating in over 50 countries. A government security watchdog informed them about a series of very credible attempts from state threat actors to attack their internet-facing systems.
The government watchdog had performed vulnerability scans ahead of our involvement and identified several vulnerabilities that these threat actors were able to exploit. Following this discovery, the agency found malicious web-hook software on one of their internet-facing systems. They decommissioned it immediately and believed that this swift response was enough to contain the threat. But the government cyber security watchdog insisted that a reputable cyber security consulting firm be engaged to determine the extent of the attack and whether data had been compromised or exfiltrated. The agency reached out to ENHALO to investigate.
Cyber Security Risk Approach
The ENHALO team deployed scans across the organisation’s technology estate, revealing numerous web-hooks attached to other servers, which the internal team’s software hadn’t detected. We immediately took all of the agency’s systems offline and decommissioned them. Our next move was to establish a list of critical assets and strategically position them in a secure area for protection and monitoring. These assets included personal information about individuals and where they were placed in high-privilege environments.
Cyber Risk Process
Next, we isolated the network segments to contain any further spread. We set up a security information and event management (SIEM) system and a security operations centre (SOC) to capture and log where the attackers were and had been.
We then performed a series of targeted attack simulations to determine how the perpetrators gained access and whether they had managed to access the agency’s critical assets. ENHALO experts logged and implemented emergency changes for major vulnerabilities and shut down unauthorised access to these assets. Proverbial windows and doors were swiftly closed to reduce further risk. Finally, the firewall and other data sources were extracted to determine if any signs of data exfiltration existed.
Cyber Risk Reporting & Response
The government security watchdog required a detailed report covering the emergency cybersecurity response plan and the actions taken. This included answers to whether sensitive PII was extracted and what the agency was doing to mitigate the risk of a repeat attack.
This event had a positive ending thanks to our team’s rapid, detailed and expert response. We were able to provide supporting evidence that no data was exfiltrated or had appeared on the dark web.
Postmortem After a Cyber Attack
But what was the takeaway from this attack? What was missing from this agency’s cyber defence that allowed this attack to happen:
What Makes Organisations Like These Vulnerable to Attacks?
There are areas of vulnerability that can be addressed before an emergency to help reduce the risk of being attacked. Here are some key risk factors that are common to many organisations:
Network threats
The human element
Budget and resource constraints
What you were ready for yesterday may be the last thing cybercriminals have in mind for you today. Use the lessons from other “victims of cybercrime” and deploy the expertise required to navigate your unique, yet evolving, risk landscape.
Contact ENHALO now to find out more about our cybersecurity emergency response services.
The post highlights the expertise of Enhalo Cybersecurity, emphasizing their comprehensive approach in the realm of cybersecurity. The term "Full Circle Cyber" signifies their commitment to providing end-to-end solutions that cover every aspect of cybersecurity, addressing potential vulnerabilities from various angles. Enhalo's dedication to safeguarding digital landscapes is evident in their holistic approach, ensuring protection against a wide array of cyber threats. By taking a "full circle" approach, Enhalo aims to create a robust and resilient cybersecurity environment. This underscores the importance of a comprehensive strategy in today's evolving digital landscape. For more information visit https://www.dhirubhai.net/feed/update/urn:li:activity:7095295842474991616