How to Build a Cohesive Approach to Incident Response
In this two-part series, Olivier Spielmann, VP managed security services EMEA at Kudelski Security discusses why incident response needs to widen its scope and what every security leader can do to make it happen.
Table of contents
- The Importance of Robust Incident Response Processes
- Trends in the Current Threat Landscape
- Taking a Proactive Approach to Incident Response
The Importance of Robust Incident Response Processes
Despite the recent good news about the U.S. F.B.I.’s takedown of the REvil ransomware group, whose associates were likely responsible for several high-profile cyberattacks over the past year, the ransomware threat continues to pose significant business and financial risk for organizations of all sizes.
As long as cybercriminal operations remain profitable, they’ll continue to grow in size and scope. Even though recent inter-governmental and public-private collaborative efforts to fight ransomware hold promise, stakeholders must not assume that the threat will go away by itself. Nor should they assume that their cyber insurance policies will cover the full extent of the losses the organization will incur if a real-world attack succeeds.
Instead, it’s vital to remember that preparedness is the best defense. With the holiday season nearly upon us — when cybercriminal activity tends to reach an annual peak — organizations should expect to be targeted. Boards, senior leaders, and risk managers need to think holistically about the risks that the organization faces, and plan accordingly. Building robust incident response processes is key for mitigating otherwise unavoidable risk.
Trends in the Current Threat Landscape
Ransomware attacks continue to attract media attention, but they also remain enormously profitable for criminals. Research indicates that more than half of ransomware attack victims will ultimately make a payment to the criminals, with the average ransom amount skyrocketing to nearly $250,000 in early 2021. Ransomware operators are increasingly targeting larger companies, taking a precise and highly professionalized approach that enables them to extract the greatest-possible profits from their victims.
Of course, ransomware is by no means the only significant cyber threat that today’s organizations face. Traditional malware-based attacks are still prevalent, as are social engineering and business email compromise (BEC) schemes in which bad actors attempt to trick victims into initiating fraudulent funds transfers.
Cryptojacking, in which cybercriminals steal access to servers and processing power in order to illegitimately mine cryptocurrency, is also on the rise. It’s particularly prevalent whenever cryptocurrency valuations reach new market highs, since this provides a better profit margin for the criminals.
Cybercriminals have long been opportunistic, and the global coronavirus pandemic has provided them with numerous new attack vectors to exploit. When remote work suddenly became a necessity for large numbers of employees around the world, threat actors sought to target vulnerabilities in Office 365 and collaboration tools like Zoom, WebEx, or Microsoft Teams. There was also an immediate surge in pandemic-related phishing attempts.
Taking a Proactive Approach to Incident Response
The reality is that once your files have been encrypted and you’ve received a ransom payment demand, it’s generally too late to avoid major operational disruption. Even organizations with uncorrupted backups typically experience significant downtime during the process of restoring from those backups. And they still face significant incident management challenges in the attack’s aftermath.
All ransomware victims will experience stress and uncertainty as the attack sequence unfolds. Many will also have to contend with media attention, as well as questions from partners, vendors, customers, employees and other stakeholders.
Cybercriminals generally try to launch attacks at the most inopportune and unwelcome times. Whether it’s a request for an emergency funds transfer that takes place late on Friday afternoon or ransomware infection that appears right before Black Friday, attackers time their activity to maximize the pressures that their victims will experience. For this reason, it’s essential to train your teams to be ready to respond to ransomware and other cyberattacks and to practice the worst-case scenarios.
In all instances, taking a holistic approach to incident response and preparedness is key. The overlap between solid ransomware prevention strategies and good cybersecurity hygiene in general is extensive. We recommend that organizations follow a three-part approach that includes:
- limiting your risk exposure
- exercising good governance, and
- implementing the right technical infrastructure and security controls, with continuous improvements.
For example, research indicates that remote desktop protocol (RDP) remains the most commonly used attack vector in today’s ransomware attacks, with email phishing and malicious attachments in second place. You can limit your risk exposure by eliminating the use of RDP within your environment. More broadly, you should use this sort of contextual threat intelligence to assess your current systems and their digital footprint.
Good governance includes practicing for a ransomware attack scenario by conducting tabletop exercises and simulations, as well as creating plans, policies, and playbooks for handling any major security incident. From a technical perspective, the right security infrastructure will help improve your team’s ability to detect attacks rapidly (which, in turn, will enable rapid response). You should also retain immutable backups that are isolated from your network so that even an attacker with administrative credentials wouldn’t be able to delete or compromise them.
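As an added illustration (not from the article or Kudelski Security) of the "detect attacks rapidly" control applied to the RDP vector named above: a small Python detector that flags a burst of failed RDP logons from a single source and escalates the alert if a successful RDP logon from that source follows. The pipe-delimited event format, the thresholds and the sample lines are constructed assumptions; the Windows Security event IDs (4625 failed logon, 4624 successful logon) and logon type 10 (RemoteInteractive, i.e. RDP) are real.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real log output) in a simplified
# "timestamp|event_id|logon_type|source_ip|user" form.
# 4625 = failed logon, 4624 = successful logon, logon type 10 = RDP.
SAMPLE_EVENTS = """\
2021-11-19T17:02:01|4625|10|203.0.113.7|administrator
2021-11-19T17:02:03|4625|10|203.0.113.7|admin
2021-11-19T17:02:05|4625|10|203.0.113.7|backup
2021-11-19T17:02:07|4625|10|203.0.113.7|svc_sql
2021-11-19T17:02:09|4625|10|203.0.113.7|jsmith
2021-11-19T17:02:40|4624|10|203.0.113.7|jsmith
2021-11-19T17:05:00|4625|10|198.51.100.2|jsmith
2021-11-19T17:06:00|4624|2|198.51.100.2|jsmith
"""

LINE_RE = re.compile(r"^(?P<ts>[^|]+)\|(?P<eid>\d+)\|(?P<ltype>\d+)\|(?P<src>[^|]+)\|(?P<user>.+)$")

def parse_events(text):
    """Parse the constructed event format into dicts; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        events.append({"ts": datetime.fromisoformat(m["ts"]), "eid": int(m["eid"]),
                       "ltype": int(m["ltype"]), "src": m["src"], "user": m["user"]})
    return events

def detect_rdp_bruteforce(events, threshold=5, window=timedelta(minutes=5)):
    """One alert per source IP with >= threshold failed RDP logons inside `window`;
    severity is 'critical' when a successful RDP logon from that IP follows the burst."""
    by_src = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["ltype"] == 10:                      # only RDP (RemoteInteractive) logons
            by_src[e["src"]].append(e)
    alerts = []
    for src, evs in by_src.items():
        fails = [e for e in evs if e["eid"] == 4625]
        for i in range(len(fails)):               # sliding window over failures
            burst = [f for f in fails[i:] if f["ts"] - fails[i]["ts"] <= window]
            if len(burst) >= threshold:
                last_fail = burst[-1]["ts"]
                success = any(e["eid"] == 4624 and e["ts"] > last_fail for e in evs)
                alerts.append({"src": src, "failures": len(burst),
                               "users": sorted({f["user"] for f in burst}),
                               "severity": "critical" if success else "high"})
                break
    return alerts
```

In production the same logic would read Security event log exports rather than the constructed string, and the thresholds would be tuned to the environment's normal RDP usage.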
A proactive stance requires widening the scope of incident response. In part two of this series, Olivier Spielmann shares five actions that you can take to bolster incident response capabilities.