Heavyweight boxer Mike Tyson once said, "Everybody has a plan until they get punched in the mouth."
A significant cybersecurity incident is an equivalent punch in the mouth to the cybersecurity team and perhaps the entire organization. At least at first.
Developing an Incident Response plan is undoubtedly smart, but it only gets the organization so far. Depending on the severity of the incident and the level of cybersecurity expertise within the breached organization, a cybersecurity incident often leads to panic and turmoil within the organization – plan or no plan.
It's very unsettling to have systems and data locked by ransomware or not knowing whether a potential intruder hidden on the network is continuing to do damage and exfiltrate data.
One of the first things most breached organizations do is call in a seasoned, 3rd party Incident Response team. Many IR providers follow a structured 6-step process defined by the SANS Institute in a 20-page Incident Handler's Handbook. The six steps outlined are:
- Preparation—review and codify an organizational security policy, perform a risk assessment, identify sensitive assets, define critical security incidents the team should focus on, and build a Computer Security Incident Response Team (CSIRT).
- Identification—monitor IT systems and detect deviations from normal operations and see if they represent actual security incidents. When an incident is discovered, collect additional evidence, establish its type and severity, and document everything.
- Containment—perform short-term containment, for example, by isolating the network segment that is under attack. Then focus on long-term containment, which involves temporary fixes to allow systems to be used in production while rebuilding clean systems.
- Eradication—remove malware from all affected systems, identify the root cause of the attack, and take action to prevent similar attacks in the future.
- Recovery—bring affected production systems back online carefully, to prevent additional attacks. Test, verify, and monitor affected systems to ensure they are back to normal activity.
- Lessons learned—no later than two weeks from the end of the incident, perform a retrospective of the incident. Prepare complete documentation of the incident, investigate the incident further, understand what was done to contain it, and whether anything in the incident response process could be improved.
One of the leading global Incident Response providers is BugSec. Organizations reach out to BugSec when there is a compromise, but the company (and their current security providers) cannot figure out precisely what the problem is.
Maybe the company has been infected with ransomware, but can't figure out how it was deployed and whether the adversary has access to the network. Perhaps the company became aware of stolen intellectual property and didn't know how the information was exfiltrated.
The BugSec team's first order of business is to figure out what malicious actions have transpired and how the adversary was able to compromise the organization. Once BugSec can identify and contain the incident, they can fully eradicate all attack components and artifacts and then fully restore operations.
How does BugSec accomplish the difficult task of identifying, containing, and remediating the full scope of a cyberattack?
The one such tool BugSec relies on for virtually all IR engagements is Cynet 360. Cynet offers its platform for IR providers for free. The Cynet agent can be deployed to thousands of endpoints in a matter of hours and immediately provide visibility into endpoints, processes, files, network traffic, user accounts, and more.
The platform automatically detects anomalies and can quickly pinpoint an attack's root cause and expose its full extent.
Moreover, Cynet removes active threats "on the fly" and can be used for more complex remediation across the environment. Customized remediation playbooks can be easily configured and deployed to fully eradicate complex attack components across the environment so operations can be quickly restored. More information about how BugSec works with Cynet can be found here.
You may get punched in the mouth by a very capable cybercriminal someday. Just remember that specialists are ready to help you recover when your IR plan seems to be falling apart.