CHAPTER 5: RESPONDING TO AN ATTACK

“If you fail to prepare you are preparing to fail.”

Source unknown

Introduction and overview

Even the best controlled organisations are attacked. All organisations must be ready for such an eventuality by planning accordingly and developing processes to detect and respond to an attack.

Preparing for cyber attacks

A key part of preparation is to:

1. Assess which electronic information is vital for the operation of the organisation (sales and staff contact details, key customer details), and ascertain where and how this is stored and can be recovered. Ensure that backup copies of these files are maintained securely and are retrievable (some ransomware attacks seek to destroy backup data before the threat is revealed).

2. Prioritise processes and systems so those with the highest importance can be safeguarded and recovered first if necessary.

3. Consider the reputational impact and how this can be minimised based on different types of cyber incident.

4. If you haven’t already, consider the need for cyber insurance, ransomware negotiation support, and access to cyber forensics (to help with evidence gathering and retention) and other specialists.

5. Have an up-to-date plan that is tested and rehearsed based on the most likely high-impact cyber attack or incident.

6. Ensure processes are in place for, and key staff are trained in, identifying and responding to cyber attacks.

Details of these arrangements should be included in the cyber incident plan.
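Item 1 above asks that backups be retrievable, and warns that ransomware may tamper with or destroy backup data before it reveals itself. A simple way to make a rehearsed restore test objective is to record a hash of every backed-up file at backup time, keep that manifest separately from the backup, and compare a restored copy against it. The following is an added illustration, not code from the book; the file names, directory layout and the "damaged restore" scenario are constructed for the demonstration.

```python
"""Restore-test helper: check files recovered from a backup against the
SHA-256 hashes recorded when the backup was taken (added example, not the
book's code; the sample files and the damaged-restore scenario are constructed)."""
import hashlib
import os
import shutil
import tempfile


def sha256_file(path, chunk=1 << 16):
    """Hash a file in chunks so large backup files do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(root):
    """Map each file's path (relative to root, '/'-separated) to its SHA-256.
    Record this at backup time and store it away from the backup itself
    (offline or write-once), so that whoever can alter the backup cannot
    quietly alter the manifest to match."""
    manifest = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = sha256_file(full)
    return manifest


def verify_restore(manifest, restored_root):
    """Compare a restored tree to the manifest. Returns sorted lists of files
    that are 'ok', 'missing' (in the manifest but not restored), 'corrupted'
    (restored but hash differs) and 'unexpected' (restored but never backed up)."""
    result = {"ok": [], "missing": [], "corrupted": [], "unexpected": []}
    for rel, expected in manifest.items():
        full = os.path.join(restored_root, *rel.split("/"))
        if not os.path.isfile(full):
            result["missing"].append(rel)
        elif sha256_file(full) != expected:
            result["corrupted"].append(rel)
        else:
            result["ok"].append(rel)
    present = build_manifest(restored_root)
    result["unexpected"] = [rel for rel in present if rel not in manifest]
    for key in result:
        result[key].sort()
    return result


def demo():
    """Constructed scenario: back up three files, restore them cleanly, then
    simulate a bad restore (one file altered, one deleted, one stray file added).
    Returns (clean_report, damaged_report)."""
    with tempfile.TemporaryDirectory() as tmp:
        backup = os.path.join(tmp, "backup")
        os.makedirs(os.path.join(backup, "finance"))
        samples = {
            "finance/ledger.csv": "date,amount\n2024-03-01,120.00\n",
            "contacts.csv": "name,phone\nKey Customer,01234 567890\n",
            "staff.csv": "name,mobile\nOn-call Engineer,07700 900123\n",
        }
        for rel, content in samples.items():  # constructed sample data
            with open(os.path.join(backup, *rel.split("/")), "w") as f:
                f.write(content)
        manifest = build_manifest(backup)

        restored = os.path.join(tmp, "restored")
        shutil.copytree(backup, restored)
        clean = verify_restore(manifest, restored)

        # Simulate damage to the restored copy.
        with open(os.path.join(restored, "finance", "ledger.csv"), "a") as f:
            f.write("2024-03-02,999999.00\n")  # altered content
        os.remove(os.path.join(restored, "contacts.csv"))  # destroyed file
        with open(os.path.join(restored, "note.txt"), "w") as f:
            f.write("not part of the backup\n")  # stray file
        damaged = verify_restore(manifest, restored)
        return clean, damaged


if __name__ == "__main__":
    clean, damaged = demo()
    print("clean restore:", clean)
    print("damaged restore:", damaged)
```

The check only proves integrity, not confidentiality or availability: the manifest must be kept where the same attacker cannot reach it, and a restore test is only meaningful if it is run regularly on the real backup media.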

Detecting potential cyber attacks

Security operations centre

A security operations centre (SOC) is a highly secure location where a team of security engineers monitors and reviews security tools on a 24x7 basis to identify potential attacks (attacks are rarely 9–5, Monday to Friday!). The team uses tools to monitor the IT estate of the organisation to detect any potential attacks and ensure it is ready to react accordingly. Because of the large volumes of data involved, the SOC relies on automated tooling and predefined triage processes, applied in accordance with the incident plan. A SOC monitors firewalls, servers, PCs, key applications and databases looking for unusual activity. The aim is to shorten the length of time between an attack and its discovery.

Because of the need for highly specialised and trained specialists, some organisations outsource their SOC to a managed security services provider (MSSP). This can have benefits but, as with all third-party services, it needs to be properly scoped, selected and implemented. Where non-standard services or reporting are required, this can sometimes incur large costs.

One key tool used by SOCs is security information and event management (SIEM). This is early warning software, usually deployed on high-risk servers hosting key applications and databases, that looks for specific unusual activity based on predefined use cases (e.g. a brute-force attack, where many access requests are thrown at an application in quick succession).
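The brute-force use case mentioned above is the classic example of a SIEM detection rule: count failed logins per source within a sliding time window and raise an alert when a threshold is crossed, with a second, higher-priority alert if the same source then logs in successfully. The following is an added illustration of that logic, not code from the book or from any SIEM product; the log format is a simplified sshd-style one and the log lines, IP addresses and account names are constructed.

```python
"""Minimal SIEM-style brute-force use case over constructed auth log lines
(added example, not the book's code). The log format is a simplified
sshd-like one chosen for the demonstration."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines: one noisy source (203.0.113.7) hammering
# several accounts and then succeeding, one benign user mistyping once,
# and one line that is not an authentication event at all.
SAMPLE_LOGS = """\
2024-03-01T09:00:01 sshd: Accepted password for bob from 198.51.100.4
2024-03-01T09:00:05 sshd: Failed password for alice from 203.0.113.7
2024-03-01T09:00:06 sshd: Failed password for alice from 203.0.113.7
2024-03-01T09:00:07 sshd: Failed password for admin from 203.0.113.7
2024-03-01T09:00:08 sshd: Failed password for alice from 203.0.113.7
2024-03-01T09:00:09 sshd: Failed password for root from 203.0.113.7
2024-03-01T09:00:10 sshd: Failed password for alice from 203.0.113.7
2024-03-01T09:00:12 sshd: Accepted password for alice from 203.0.113.7
2024-03-01T09:00:30 sshd: Failed password for carol from 198.51.100.4
2024-03-01T09:00:33 sshd: Accepted password for carol from 198.51.100.4
this line is not an auth event and is skipped by the parser
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+) sshd: (?P<result>Failed|Accepted) password for "
    r"(?P<user>\S+) from (?P<src>\S+)$"
)


def parse_line(line):
    """Return a dict for an auth event, or None for lines the rule ignores."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.fromisoformat(m["ts"]),
        "result": m["result"],
        "user": m["user"],
        "src": m["src"],
    }


def detect_brute_force(lines, threshold=5, window=timedelta(seconds=60)):
    """Sliding-window rule: alert when one source produces `threshold` or more
    failed logins inside `window`; alert again (higher priority) if that source
    later authenticates successfully, which suggests a compromised account."""
    recent_failures = defaultdict(deque)  # src -> timestamps of recent failures
    flagged_sources = set()
    alerts = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        q = recent_failures[ev["src"]]
        if ev["result"] == "Failed":
            q.append(ev["ts"])
            while q and ev["ts"] - q[0] > window:  # drop events outside window
                q.popleft()
            if len(q) >= threshold and ev["src"] not in flagged_sources:
                flagged_sources.add(ev["src"])
                alerts.append({
                    "type": "brute_force",
                    "src": ev["src"],
                    "failures_in_window": len(q),
                    "at": ev["ts"].isoformat(),
                })
        elif ev["src"] in flagged_sources:  # Accepted from a flagged source
            alerts.append({
                "type": "success_after_brute_force",
                "src": ev["src"],
                "user": ev["user"],
                "at": ev["ts"].isoformat(),
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_brute_force(SAMPLE_LOGS.splitlines()):
        print(alert)
```

Two points the example makes concrete for the "properly configured" and "maintained" requirements below: the threshold and window are tuning decisions that must be revisited as usage patterns change, and a rule keyed only on source IP will miss password spraying spread across many addresses, so a production use case normally also counts failures per target account.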

Effective SIEM is:

Properly configured (both for the device and the use cases to be reviewed);

Monitored, with the output analysed; and

Maintained to ensure it is updated for any configuration or requirement changes.

IT service helpdesk

IT helpdesk employees should be trained and aware of potential attacks – for example, where there is a sudden increase in calls about:

Messages demanding a ransom for the release of files;

PCs, etc. running slower than usual, even after following the normal processes to improve speed;

Being unable to access accounts or documents;

Strange emails (one organisation detected an attack because an email claiming to be from the finance department was too polite!);

Redirected Internet searches going to unusual addresses, e.g. ending in numbers rather than .com; and

Unexpected account activity (e.g. users seeing that their account was accessed while they were on holiday).

Helpdesks should also be contacted where the SOC suspects an attack (e.g. based on SIEM information).

Recovery following a cyber attack

Once a potential attack has been identified, the cyber incident plan should be initiated. This should include:

Assessing the impact

Ensuring that evidence of the progress of the attack is recorded and held securely. This will be important for the analysis of the incident to prevent it reoccurring, and may be required for any cyber insurance claim.

Investigating the nature of the attack, its scope, origin, size, location and the infrastructure impacted.

Confirming what information may have been breached or changed during the attack.

Notifying whoever is responsible for resolving the issue and considering who else needs to be informed (regulators, suppliers, customers and insurers).

Understanding the potential impact on the organisation and ensuring every issue is escalated to the appropriate level of management.

Containing the issue

Taking appropriate actions, e.g.:

Removing and cleaning all infected hardware;

Restoring services through backups (if secure);

Stopping/removing access used by the perpetrators;

Patching all software to the latest level; and

Changing passwords for impacted users.

Reviewing logs to identify other potential targets that may already have been attacked.

Running anti-malware.

Checking for unauthorised changes to security software.

Ensuring communication with the media, etc. is only via pre-agreed channels.

Issuing warnings to users, regulators and law enforcement as required (e.g. the ICO within 72 hours if a breach of personal data has occurred).

Post-incident

Reviewing and updating the incident plan based on lessons learned.

Considering what controls and mitigations need to be strengthened.

Summary

Planning and being able to implement the plan quickly and efficiently should reduce the impact of an attack and ensure that full recovery can be achieved.
