People and organizations tend to focus on methods to prevent cyber attacks on their digital systems. Prevention is an important part of cybersecurity, but it does not address an equally important piece of the puzzle: what to do when an attack is attempted or a breach actually occurs. An attacker who has breached, or attempted to breach, your systems has jeopardized the confidentiality, integrity, or availability of your information. When that happens you need a predetermined plan of action that can be put into effect immediately. Your business needs a formal, documented procedure for addressing a cybersecurity incident.
Larger companies may have a formal Cybersecurity Response Team established to respond to any incident or suspected incident. Team membership will vary with your business type, but typically you need members from Cybersecurity, Information Technology, Physical Security, Human Resources, Engineering, and Operations. Additional members, such as specialized contractors, legal counsel, and senior management, are added to this core team as needed.
The assembled team will determine whether an event is an actual cybersecurity attack, mitigate the attack, and recover from it. The logical steps to be prepared are:
1. Develop your documented program.
2. Select core Cybersecurity Team members.
3. Train Cybersecurity Team members on the program.
4. Conduct practice drills on responding to incidents.
5. Put contracts in place with the companies whose technical support you may need.
There are many ways an attack can be discovered. A user may report something suspicious, such as a system not operating correctly, or an Intrusion Detection System (IDS) may alert on an attack. Network traffic levels may be abnormal; anything deviating from normal operations should be investigated immediately. Establishing what "normal" looks like ahead of time (baseline traffic volumes, expected login patterns) is what makes a deviation recognizable at all. Hopefully the anomaly will not be related to an attack, but the investigation must start early to limit the damage if the event is real. Once the indications point to an attack, your Response Team can be activated and begin reacting to it.
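As an added illustration (not part of the original article), here is a small Python pass over constructed sample data showing what "deviation from normal" can look like in practice: a per-minute traffic baseline with a spike, a burst of failed SSH logins from one address, and IDS alert lines loosely modelled on Snort's fast-alert format. The thresholds, the log lines, the local-range rule IDs (1000000+) and the "two corroborating signals" activation rule are all assumptions chosen for the example:

```python
"""Triage of constructed detection signals: traffic volume, auth-log failures
and IDS alerts. Added example, not code from the article; all thresholds and
sample data are assumptions."""
import re
import statistics
from collections import Counter

# --- Constructed sample data (not real logs) ---------------------------------
# Twenty "normal" minutes of egress volume in MB, then six observed minutes
# containing a burst, the kind of deviation the article says to investigate.
TRAFFIC_MB_PER_MIN = [48, 52, 50, 49, 51, 50, 47, 53, 50, 50,
                      49, 51, 52, 48, 50, 51, 49, 50, 50, 51,
                      50, 52, 49, 410, 505, 51]

# sshd-style syslog lines (constructed): one source trying several account names.
AUTH_LOG = [
    "Jun 14 02:11:03 web1 sshd[4122]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2",
    "Jun 14 02:11:03 web1 sshd[4123]: Failed password for root from 203.0.113.7 port 51023 ssh2",
    "Jun 14 02:11:04 web1 sshd[4124]: Failed password for invalid user oracle from 203.0.113.7 port 51024 ssh2",
    "Jun 14 02:11:04 web1 sshd[4125]: Failed password for invalid user test from 203.0.113.7 port 51025 ssh2",
    "Jun 14 02:11:05 web1 sshd[4126]: Failed password for invalid user guest from 203.0.113.7 port 51026 ssh2",
    "Jun 14 02:11:05 web1 sshd[4127]: Failed password for invalid user ubuntu from 203.0.113.7 port 51027 ssh2",
    "Jun 14 02:11:05 web1 sshd[4130]: Failed password for alice from 198.51.100.23 port 40210 ssh2",
    "Jun 14 02:11:09 web1 sshd[4140]: Accepted password for alice from 198.51.100.23 port 40211 ssh2",
]

# Alert lines loosely modelled on Snort's "fast" output (constructed). SIDs are
# in the local-rule range, so they refer to no published rule.
IDS_ALERTS = [
    "06/14-02:11:04.118 [**] [1:1000001:1] LOCAL SSH brute-force attempt [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 203.0.113.7:51027 -> 10.0.0.5:22",
    "06/14-02:13:40.552 [**] [1:1000002:1] LOCAL large outbound transfer to unknown host [**] [Priority: 2] {TCP} 10.0.0.5:44312 -> 203.0.113.50:443",
    "06/14-02:14:01.009 [**] [1:1000003:1] LOCAL ICMP echo request [**] [Priority: 3] {ICMP} 10.0.0.9 -> 10.0.0.1",
]

FAILED_RE = re.compile(
    r"Failed password for (?:invalid user )?\S+ from (\d{1,3}(?:\.\d{1,3}){3})")
ALERT_RE = re.compile(
    r"\[\*\*\] \[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] (?P<msg>.*?) \[\*\*\] "
    r"(?:\[Classification: [^\]]*\] )?\[Priority: (?P<priority>\d+)\] "
    r"\{(?P<proto>\w+)\} (?P<src>\S+) -> (?P<dst>\S+)")


def traffic_anomalies(samples, baseline_len=20, z=3.0):
    """Flag minutes after the baseline window that exceed mean + z*stdev.
    Returns a list of (index, value). The 1 MB stdev floor (assumption)
    keeps a perfectly flat baseline from flagging trivial wobbles."""
    if len(samples) <= baseline_len or baseline_len < 2:
        return []
    baseline = samples[:baseline_len]
    limit = statistics.mean(baseline) + z * max(statistics.stdev(baseline), 1.0)
    return [(i, v) for i, v in enumerate(samples) if i >= baseline_len and v > limit]


def failed_login_bursts(lines, threshold=5):
    """Count failed sshd logins per source IP; return sources at or over threshold."""
    counts = Counter()
    for line in lines:
        m = FAILED_RE.search(line)
        if m:
            counts[m.group(1)] += 1
    return {ip: n for ip, n in counts.items() if n >= threshold}


def parse_ids_alert(line):
    """Parse one fast-format alert line into a dict, or None if it does not match."""
    m = ALERT_RE.search(line)
    if not m:
        return None
    d = m.groupdict()
    d["priority"] = int(d["priority"])
    return d


def ids_high_priority(lines, max_priority=2):
    """Keep alerts whose priority number is at or below max_priority (1 = most severe)."""
    alerts = [a for a in map(parse_ids_alert, lines) if a]
    return [a for a in alerts if a["priority"] <= max_priority]


def triage(traffic, auth_lines, ids_lines):
    """Combine the three detectors into findings plus an activation decision.
    Rule (assumption): activate on any high-priority IDS alert, or when at
    least two independent signals corroborate each other."""
    spikes = traffic_anomalies(traffic)
    bursts = failed_login_bursts(auth_lines)
    alerts = ids_high_priority(ids_lines)
    findings = []
    if spikes:
        peak = max(v for _, v in spikes)
        findings.append(f"traffic: {len(spikes)} minute(s) above baseline, peak {peak} MB/min")
    for ip, n in bursts.items():
        findings.append(f"auth: {n} failed logins from {ip}")
    for a in alerts:
        findings.append(f"ids: priority {a['priority']} {a['msg']} ({a['src']} -> {a['dst']})")
    signals = sum(1 for s in (spikes, bursts, alerts) if s)
    return {"findings": findings, "signal_count": signals,
            "activate_team": bool(alerts) or signals >= 2}


if __name__ == "__main__":
    result = triage(TRAFFIC_MB_PER_MIN, AUTH_LOG, IDS_ALERTS)
    for f in result["findings"]:
        print(f)
    print("activate response team:", result["activate_team"])
```

Run directly, it prints each finding and whether the team should be activated. The point is that every detector compares against a stated baseline or threshold, so the decision to wake the Response Team is a recorded rule that can be drilled and tuned, rather than a judgement made under pressure at 2 a.m.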
At this point you were prepared for an attack and have detected that one is ongoing. The Response Team must analyze what is happening, contain the attack, eradicate the attack mechanism, and recover to normal operations. Throughout, they will collect and record data including:
• Incident Title
• Date/Time Discovered
• Type of Incident (virus, hacker, etc.)
• Entry Point into your system
• Who is the perpetrator (If Known)
• System/Hardware/Software Impacted
• Description of the attack
• Narrative of problems it caused the organization
• What was done to contain it
• How was the problem eradicated/removed
• How was recovery achieved
• What was done to prevent recurrence
• Any reference documents used
Real protection against attacks requires preplanning, a trained team, drills to ensure competency, 24/7 monitoring of systems, quick action when an attack is even suspected, and a method to recover your systems. Recovery is usually handled by having a good backup methodology, which will be discussed in a future article. Remember that no system is breach-proof; despite due diligence, breaches do occur. Having an action plan in place and a dedicated Incident Response team ready to act can mean the difference between an incident and a business catastrophe.