You’ve been breached. Now what?
Aside from preventing security incidences, a top challenge IT professionals face is planning and preparing to respond to a cyber security incident. Security professionals shoulder a mountain of responsibility working to protect their organization’s assets. Between protecting people, digital assets, physical infrastructure, and ensuring regulatory compliance, there is much to do and much at stake. Jobs are on the line. Livelihoods and reputations are at risk. In extreme cases, lives can be lost. So what is the first thing you do when you’ve been breached?
Sophisticated hackers and motivated attackers are determined to infiltrate cyber defenses to obtain private and sensitive data for monetary gain or other ill-intended purposes. Risks are always present and threats will not cease. It’s not just outsider threats that security professionals have to protect against; Disgruntled employees and inadvertent actors also add to a company’s risk profile. With a long list of potential dangers and such a high level of responsibility how do security professionals sleep at night?
A Strong Foundation Of Security
At a bare minimum, companies need to establish a strong foundation for IT security systems, processes, personnel and technology. Having a robust, multi-layered security system in place with accompanying policies, the right people, and technology in place can deter attackers. If your defenses are strong, hackers may opt to attack “low-hanging fruit” elsewhere. However, this does not preclude you from being the target of an attack.
Any gaps in security should be addressed and reinforced to avoid being easy pickings for attackers. Companies can also significantly boost their cyber defenses by having an army of educated and cyber aware employees and a team of experienced security personnel (whether in-house or external consultants).
Company leaders and decision-makers should accept that while they can take proactive measures to protect valuable assets, there is no such thing as a total guarantee of safety. No organization is 100% immune from the barrage of advanced persistent threats, cyberattacks, malware, ransomware, social engineering schemes, email spoofing, system & process failures, employee mistakes, or lost or stolen devices.
Companies should adopt a matter-of-fact approach to accepting that breaches will happen. By assuming that hackers will get in and that breaches do and will happen, the attitude towards incident response preparation and planning can move from reactive to proactive.
You’ve Been Breached. Now What?
If you are a security professional and have just been alerted that your company has been breached, what is the very first thing you would do? Who would you call? If it’s 2:30am do you wake up the CEO or wait until 9am? What next?
Refer To Your Computer Security Incident Response Plan
If you have a documented and up-to-date Computer Security Incident Response Plan (CSIRP), then you would know exactly what steps to take in the event of a breach. Every organization should have a formal, living document that clearly details exactly what to do in the event of a breach. This document should provide guidance and instruction on exactly what needs to be done to stop, contain, mitigate, and communicate a breach.
Having a CSIRP in place can help to alleviate the severity of security breaches by reducing the time taken to act in response to the breach. If a crisis hits you are prepared. You can quickly assemble your team to act immediately and work through a prioritized checklist of action items.
Response time is critical
Response time is critical when faced with an emergency. If you find yourself in the middle of a crisis and don’t have an updated CSIRP, there is more room for error and mis-steps and the window of attack is left open for longer.
If your organization does not have a formal Computer Security Incident Response Plan, do not wait until you discover a breach happens before you put one together.
Be Prepared, Informed and Ready To Respond
Preparation will define what response looks like. Better preparation means the ability to detect and respond to attacks faster, more effectively and comprehensively. Companies that are informed about the threats they face, that actively threat-hunt, do penetration testing, and have considered multiple scenarios to better understand the threats and threat actors are better prepared to respond.
Your organization should have a designated person to call to notify when a breach is discovered. This person would then call on and assemble the incident response team – whether they are in-house or a team of external experts. Roles and responsibilities should be clear when it comes to stopping, containing, mitigating, and communicating a breach.
Gain Confidence In Your Technology And Be Ready For A Cybersecurity Incident
Improve your organization’s ‘state of readiness’ by addressing security vulnerabilities and developing a CSIRP. The security team should have a high level of confidence in their ability to defend against cyber threats, ability to quickly and adequately respond to a breach be prepared for worst-case scenarios.
Ascension Global Technology can help you assess and identify security gaps and strengthen your technology. Understand where your weaknesses lie, where you can strengthen your security posture and know what you’re up against. If you need assistance with your enterprise security strategy and incident response strategy, AGT is here to assist you.
If your organization already has a CSIRP, make sure it is up-to-date and reflects changes in the business. Stay informed so you know all the threats that you are up against, run through every possible threat scenario and put it to the test. Where possible and practical, get automated systems for blocking attacks and actively hunt threats.
There are some great resources available to guide the development of a CSIRP for your organization. For example, The National Institute of Standards and Technology (NIST) has published a “Guide for Cybersecurity Event Recovery” and The SANS Institute has published an “Incident Handler’s Handbook” to assist professionals and managers in creating their own incident response policies, standards, teams and checklists within their organizations.
Ultimately, there is no one-size-fits-all CSIRP. The way that any given organization will prepare and respond to an attack and assemble their response team will vary based on the nature attack, the size of a company, the resources available, the mix of security tools and technology and the events that occur.