As businesses around the globe are more reliant on technology than ever before, the threat of cyber-attacks has become more increasingly prevalent. Every business should have cybersecurity measures in place to defend their networks, systems, and applications from being infiltrated. Considering this, businesses need to make provisions for cyber breaches, detection, and response to provide the best possible defence against external threats.
When should a breach be reported?
One of the important questions that we ask is, “How do you decide when to report a risk?” In the event of a phishing email, for example, we look to ascertain when exactly this threat should be reported:
- Should the breach be reported after clicking on the phishing link?
- Should the breach be reported when they discover the phishing email?
- What if the link has been clicked already and the user is not sure if it is a threat or not?
One of our goals is to determine at what moment a breach should be reported and what is classified as a risk. We believe that every business should have security policies and protocols in place to safeguard their systems. In instances where staff use their work devices to access information using public Wi-Fi hotspots, for example, that should be reported as a risk.
At Samurai Security, we believe anything that could be a potential risk should be reported and documented. This is an extremely important point of reference because if there is a breach in the future, you could refer to your previous reports to find a pattern or link.
If you find evidence of any sort of attempted breach, even though it has not yet happened, that is enough cause to be concerned. As an example, if you notice multiple unsuccessful login attempts from a user, that should be a concern as the system is attempted to be breached, or could already have been breached. These are indicators of attempted compromise of the system that must be taken seriously.
If things are happening on your network or systems that cannot be explained, that is a clear sign of risk. Although something serious has not occurred yet, there is a real possibility that your network or systems could be breached in the future. This should not be taken lightly and must be acted on with the urgency that it deserves.
Roles and Responsibility Matrix
Every business with a solid cybersecurity plan in place should have a role and responsibility matrix that defines who is responsible for what duties in the event of a breach. This forms part of the incidence response planning protocols of the business and dictates how different levels of threat should be handled. The incidence response plan typically follows the hierarchy below:
Chief Security Officer (CSO)
This is the person who is chiefly responsible for security protocols at the business. We at Samurai Security like to work closely with this individual as they usually have the best overview of where the risks and vulnerabilities of the business may be. A key part of our discussion here will be to define when risk is reported.
Incidence Response (IR) Team
This is the team that responds when a breach has occurred and performs its function reactively. When something bad happens, this team reacts to the threat and works their way through the incidence response plan to mitigate the threat.
Identify and Access Team
The Identify and Access team serves a more proactive purpose and monitors anything out of the ordinary on the network and systems. In the event that they detect possible threats, they will inform the IR team who will react to those threats using the incidence response plan. They also manage all access and authentication on the network and system.
IT Operations
The IT Operations team ensures that all software on the network is patched and up-to-date. Some of the key reasons for how systems and networks get compromised are users not being adequately trained and/or the system not being patched and updated appropriately.
Is Cyber Insurance the Answer?
From our experience of companies who have cyber insurance, usually find themselves under one of three scenarios at the claim stage following a breach:
- The cyber insurance does not pay at all;
- Cyber insurance pays out a limited amount compared to what they expect; or
- Cyber insurance pays out fully, usually when the cost of the pay-out is exceptionally low.
Once the costs become substantial with cyber insurance companies, they start looking for loopholes through the myriad of intricate clauses in their contracts to repudiate the claim or pay out as little as possible. We are of the opinion that cyber insurance companies analyse the amount of reputational damage it will cost by not paying a claim before deciding if they will pay-out, and if so, to what extent that payment will be. We don’t discourage businesses from getting cyber insurance as it isn’t particularly expensive, but you must be aware of the loopholes that exist in your contractual agreement with the insurer, especially when claims are lodged.
Identifying a Breach
Once you have planned for your incidence response provision, you need to ascertain how you effectively identify a breach within your organisation. The breach must be identified effectively and in a timely manner.
Some tools that businesses can use to build up the identification protocols are:
- Endpoint
- Endpoint Detection Response that alerts you to malicious activity
- Logs
- Anti-virus enabled
- System Performance
- User Activity
- Emails
- Anti-phishing measures
- Data-loss prevention protocols
- Customer-reported breaches – users must be educated on what process to follow when reporting suspicious incidents.
- Network
- NIDS
- Netflow – monitoring the network
- Firewall logs
- WAF logs
- Proxy logs
- Servers
- EDR
- System logs
- Application logs
- Audit logs
- Anti-virus
- User
- User reported incidents
- Behaviour monitoring
For effective identification of a breach, it’s about the quality of the information received and how that information relates to the incidence response plan. We recommend that if you identify a breach of threat to your network, the best thing to do is record all activity, even if it does not appear to be relevant to the threat. In instances where external parties, such as Samurai Security, are brought in to assist with the threat, this recorded information will prove invaluable you and your team may have forgotten important details while attending to the matter under pressure. Moreover, you will have a clearer idea of how to structure your response to the threat when referring to all recorded content pertaining to the breach.
Containment
The main goal of containment is to limit or prevent further damage to the network and/or systems. It is vital that you remain calm when a breach has occurred. Panic can cause irrational thinking which will affect the decision-making process when you need it the most. Having a well-structured incidence response plan will go a long way in preventing panic.
It is not a good idea to just turn off compromised machines hoping to solve the problem. If the machine has been infected with ransomware and turned back on, the ransomware could encrypt all files once the machine is on again. Simply turning off the machine will mean losing all the evidence of the breach, doing more harm in the process. Turn off the network services instead.
There could be a case where a user does something out of the ordinary, like clicking on an unfamiliar link and then thinking afterwards that it may have been a problem to do so. They may later reconcile themselves to the fact that it’s no big deal and ignore the problem, hoping that it goes away. This is dangerous ground to be treading on, as the breach could unknowingly have occurred without any incident response being alerted or implemented.
It is extremely important that the compromised machines are disconnected from the network. If users are working remotely, they will need to use specific tools to disconnect those affect machines from the network. By disconnecting the compromised machines, there is little chance of them infecting other machines on the network.
Equally important is to protect those machines that have not been affected. This can be done with the use of Endpoint Detection Response and Anti-malware software. Response teams must monitor these unaffected machines to ascertain if they exhibit the same symptoms as the compromised machines have.
Tools such as SIEM can be used to monitor the situation to see if the situation is getting worse. Businesses must launch the incidence response plan and get it implemented as soon as possible once a breach has occurred. The plan is created for a reason after hours of thought and reason, so it should work better than an on-the-spot decision that was made to try and stop the breach.
Traffic to the network must be restricted and this includes measures such as firewalls, IPS, and whitelisting. Businesses should then call in professional Incident Response partners like Samurai Security if they don’t have in-house capabilities.
Investigation
The process of investigation can be a long and arduous journey. If there are lots of devices on the network, if data is not of good quality, or if the cyber-attack has comprised the entire network, this could affect the investigation time – up to months. In these instances, businesses must weigh up the assurance of what went wrong the first time together with understanding the root cause of the breach versus the operational costs of not being able to deliver services while the investigation is going on.
It is important to understand to what extent the network or system has been compromised. The investigation must be able to identify if any sensitive data was obtained and whether that data was extracted to an attacker’s devices.
Understanding data inputs are very important during the investigation. Investigators also need to find out what the attacker did once the system was breached. For organisations that have lots of data on their network and systems, investigators need to ascertain to what extent that database has been compromised. During the investigation, there must be a focus on quality over quantity, and appropriate logging of breach details is absolutely necessary.
Eradication
There are two types of eradication that must be done in this step.
Firstly, the malware must be eradicated completely. Response teams must ensure that the root cause of the compromise is fixed and that it is completely eradicated from the system, otherwise, it may occur again. Moreover, they must ensure that stealthy access points have not been added. Cyber attackers usually add back doors and ghost accounts when the system is first breached, and these must be eradicated too.
Secondly, all risks must be eradicated. Businesses must segregate their networks so that the compromised networks are isolated while unaffected networks continue to operate. Fault-tolerant systems are also crucial as they can handle going down without compromising operations. Businesses must have proper backup solutions that help to recover information that was compromised and inaccessible, and this backup should be stored offsite. EDR and Anti-malware tools must be employed to aid in the eradication process.
Recovery
The recovery stage is the most challenging stage to get right as any deviation from this process will leave you back at square one if you get it wrong. A big part of this process is understanding what happened to cause the breach in the first place. Efforts must be prioritised to get the operational model of the business back to normal as soon as possible.
Short-term recovery
The main aim here is to get the business operational again as soon as possible.
The DIP tank method should be used as follows:
- Isolate – If the entire system has been compromised, a virtual network can be created as a temporary solution operating in isolation.
- Monitor – Once in that isolated state, IR teams can monitor the hosts using monitoring tools to check for symptoms exhibited by compromised parts of the network.
- Certify – The device must be certified after the monitoring stage. Security testing can be done prior to the certification of that device as an additional measure to strengthen the security of that server.
- Deploy – Once they are certain that the network and/or system is free of any malicious software, it can then be deployed to a known secure network.
Long-term recovery
The long-term solution is extremely important to ensure that such breaches are mitigated in the future. With long-term projections, businesses may take months to progress to a level of security that they will be comfortable with, knowing that future cyber-attacks will be identified and isolated from the very beginning.
Mistakes to avoid after recovery
When it comes to cyber-attacks on businesses, it is extremely important not to ignore bad things or things that appear out of the ordinary. Anchoring is another stumbling block, and IR teams must not fixate on just the breach in question and any other issues that may affect the network and systems. Businesses must always look at what they could learn from the current breach that could potentially help them with other breaches.
In terms of the ‘Choice Supportive bias’, when you have made some decisions regarding your response, it may be difficult to accept that some of those decisions were not the right ones. It is important to acknowledge where you went wrong and learn from those mistakes. Other issues that affect how businesses respond to cyber-attacks include Reactance bias, where businesses don’t listen to expert opinion and Self-servicing bias where key individuals refuse to take any responsibility for the breach and tend to blame others.
In addition, the ‘Status-quo bias’ can prove to be a big hurdle as some businesses choose not to favour decisions that cause a change. As opposed to strengthening the security of the network, and processes and policies, businesses may want to leave things as they naturally were because they are of the belief that their networks and systems will not get compromised in the future.
Final thoughts
At Samurai Security, we use an extremely high level of testing on your businesses networks, systems, and security protocols to determine how prepared you are to identify and react to a breach, as well as what you need to strengthen your network’s security to adequate levels appropriate for your operational model. Our evaluation is informed by past lessons learnt, root cause analysis, and industry best practices.
The testing process has three phases that we evaluate and these are people, processes, and technology. In terms of people, if there is a Phishing attack, it could be attributed to people not having the tools to identify phishing attacks in time. We address this in the form of cyber awareness training and phishing simulations. When looking at processes, we conduct a gap analysis and ensure that Incidence Response processes are up-to-date and ready to be implemented instantly. With regards to technology, we conduct Penetration testing and Vulnerability assessments to ascertain how secure the networks are against cyber-attacks.
Businesses must equip themselves with the highest level of security solutions to protect the interests of their business and their clients. At Samurai Security, our aim is to give your business the best possible protection against cyber-attacks in the most cost-effective manner without interfering with your operational model. Always remember that prevention is better than a response.