Part 2 – Make the Shift: A Cohesive Approach to Incident Response is Mission-Critical

In the first of this two-part series, Olivier Spielmann, VP of managed security services EMEA at Kudelski Security, discussed the factors that drive the need for a more comprehensive approach to incident response. The question of how to prevent cybersecurity attacks is never straightforward, but as cybersecurity attacks increase – especially over the festive period – there are five things that every security leader can do to improve their incident response capabilities and limit the impact of a breach.

Top 5 Tips for Bolstering Incident Response Capabilities

Generally speaking, many of the same technologies and capabilities that contribute to a strong and mature cybersecurity posture also improve your ability to conduct rapid and effective incident response. As shown in the previous blog post, the overlap between the best ransomware prevention strategies and cybersecurity hygiene is significant.

Training your teams to follow well thought-out incident response plans — even when under immense pressure — is essential. So is the ability to detect incidents rapidly with 24/7 security monitoring and proactive threat hunting.

It’s also vital to involve senior management and the board in incident response planning since the business implications of a large-scale crisis are extensive.

Beyond this, we have five specific pieces of advice.

#1: Take a holistic approach. We’ve mentioned this already, but it bears repeating. A proactive approach to incident response involves a broad array of cybersecurity functions and capabilities — from readiness assessment and ongoing security monitoring to vulnerability management, threat intelligence, red teaming training and program remediation. It’s essential to assess and strive to improve your security operations in their entirety.

#2: Continually assess and improve your capabilities. In a world of rapidly evolving technologies and even faster-evolving threats, change is the only constant. The only way your security program can hope to keep pace with these developments is to perform ongoing self-assessment and strive for continuous improvement.

#3: Be ready to respond to current real-world threats. The threat landscape and latest attack tactics are changing on a daily basis. Infusing current, high-fidelity threat intelligence that’s relevant to your organization’s size, industry and unique risk models into your incident response planning can help you prioritize effectively.

#4: Today’s ransomware attacks demand new backup strategies. In the past, backup solutions were often designed to make it as quick and convenient as possible to restore data. Ransomware operators now abuse that same convenience – easy, speedy access to the backup store – to encrypt or destroy the backups themselves. What’s needed today are immutable backups that even users with administrative credentials cannot delete.

#5: Understand that the move to the cloud introduces new challenges. Making use of containers, Kubernetes and microservices-driven architectures can introduce new efficiencies and greater flexibility into your operations. However, if your team hasn’t been trained on how to manage your new cloud environment securely, you’re likely to increase your risk exposure. The move to the cloud will require new approaches to secure identities, data, and applications as well as new backup strategies, and a new understanding of configuration management.

A solid approach to incident response can take time to get right. It includes a wide range of activity from risk exposure limitation and good governance, to continuously improving technical infrastructure and security controls. Here at Kudelski Security, our Cyber Fusion Centers (CFCs) have helped more than 250 organizations manage serious incidents over the past year and helped hundreds more get better prepared. This means we’re managing major incidents on an almost daily basis, and we’ve gathered extensive experience along the way.

Discover what we’ve learned by listening to a recent cyber summit conducted by five of our business leaders and top incident response experts. During the webinar, you’ll get a closer look at current attack tactics, best practices for incident response readiness, and some of our customers’ most frequently asked questions.

Part 1 – Make the Shift: A Cohesive Approach to Incident Response is Mission-Critical

In this two-part series, Olivier Spielmann, VP of managed security services EMEA at Kudelski Security, discusses why incident response needs to widen its scope and what every security leader can do to make it happen.

Despite the recent good news about the U.S. F.B.I.’s takedown of the REvil ransomware group, whose associates were likely responsible for several high-profile cyberattacks over the past year, the ransomware threat continues to pose significant business and financial risk for organizations of all sizes.

As long as cybercriminal operations remain profitable, they’ll continue to grow in size and scope. Even though recent inter-governmental and public-private collaborative efforts to fight ransomware hold promise, stakeholders must not assume that the threat will go away by itself. Nor should they assume that their cyber insurance policies will cover the full extent of the losses the organization will incur if a real-world attack succeeds.

Instead, it’s vital to remember that preparedness is the best defense. With the holiday season nearly upon us — when cybercriminal activity tends to reach an annual peak — organizations should expect to be targeted. Boards, senior leaders, and risk managers need to think holistically about the risks that the organization faces, and plan accordingly. Building robust incident response processes is key for mitigating otherwise unavoidable risk.

Trends in the Current Threat Landscape

Ransomware attacks continue to attract media attention, but they also remain enormously profitable for criminals. Research indicates that more than half of ransomware attack victims will ultimately make a payment to the criminals, with the average ransom amount skyrocketing to approach $250,000 in early 2021. Ransomware operators are increasingly targeting larger companies, taking a precise and highly professionalized approach that enables them to extract the greatest possible profits from their victims.

Of course, ransomware is by no means the only significant cyber threat that today’s organizations face. Traditional malware-based attacks are still prevalent, as are social engineering and business email compromise (BEC) schemes in which bad actors attempt to trick victims into initiating fraudulent funds transfers. Cryptojacking, in which cybercriminals steal access to servers and processing power in order to illegitimately mine cryptocurrency, is also on the rise. It’s particularly prevalent whenever cryptocurrency valuations reach new market highs, since this provides a better profit margin for the criminals.

Cybercriminals have long been opportunistic, and the global coronavirus pandemic has provided them with numerous new attack vectors to exploit. When remote work suddenly became a necessity for large numbers of employees around the world, threat actors sought to target vulnerabilities in Office 365 and in collaboration tools like Zoom, WebEx, or Microsoft Teams. There was also an immediate surge in pandemic-related phishing attempts.

Latest Attack Tactics Demand a Proactive Approach to Incident Response

The reality is that once your files have been encrypted and you’ve received a ransom payment demand, it’s generally too late to avoid major operational disruption. Even organizations with uncorrupted backups typically experience significant downtime while restoring from those backups, and still face significant incident management challenges in the attack’s aftermath. All ransomware victims will experience stress and uncertainty as the attack sequence unfolds. Many will have to contend with media attention as well as questions from partners and vendors, along with customers, employees and other stakeholders.

Cybercriminals generally try to launch attacks at the most inopportune and unwelcome times. Whether it’s a request for an emergency funds transfer that arrives late on a Friday afternoon or a ransomware infection that appears right before Black Friday, attackers time their activity to maximize the pressure their victims will experience. For this reason, it’s essential to train your teams to be ready to respond to ransomware and other cyberattacks, and to practice the worst-case scenarios.

In all instances, taking a holistic approach to incident response and preparedness is key. The overlap between solid ransomware prevention strategies and good cybersecurity hygiene in general is extensive. We recommend that organizations follow a three-part approach that includes:

  • limiting your risk exposure
  • exercising good governance, and
  • implementing the right technical infrastructure and security controls, with continuous improvements.

For example, research indicates that remote desktop protocol (RDP) remains the most commonly used attack vector in today’s ransomware attacks, while email phishing and malicious attachments take second place. You can limit your risk exposure by eliminating the use of RDP within your environment. You should use this sort of contextual threat intelligence to assess your current systems and their digital footprint more broadly.
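One way to verify that RDP really has been eliminated (or is only reached from managed networks) is to review Windows Security logon events. The following is an added example, not code from the post or from Kudelski Security; it runs over constructed event records and assumes an allow-list of trusted source networks that you would replace with your own jump-host or VPN ranges.

```python
import ipaddress
from collections import Counter

# Constructed sample records (not from the post), flattened from Windows
# Security events. 4624 = successful logon, 4625 = failed logon.
# LogonType 10 (RemoteInteractive) is an RDP session.
SAMPLE_EVENTS = [
    {"EventID": 4624, "LogonType": 10, "TargetUserName": "jdoe", "IpAddress": "10.0.5.23"},
    {"EventID": 4624, "LogonType": 10, "TargetUserName": "backup-svc", "IpAddress": "203.0.113.45"},
    {"EventID": 4625, "LogonType": 10, "TargetUserName": "administrator", "IpAddress": "198.51.100.7"},
    {"EventID": 4625, "LogonType": 10, "TargetUserName": "admin", "IpAddress": "198.51.100.7"},
    {"EventID": 4625, "LogonType": 10, "TargetUserName": "root", "IpAddress": "198.51.100.7"},
    {"EventID": 4624, "LogonType": 2, "TargetUserName": "jdoe", "IpAddress": "127.0.0.1"},
]

# Assumed allow-list of networks from which administrative RDP is tolerated
# (for example a jump host or VPN pool). Anything else counts as exposure.
TRUSTED_NETS = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "192.168.0.0/16", "127.0.0.0/8", "::1/128")]


def is_trusted(ip_str):
    """True when the source address falls inside one of the trusted networks."""
    try:
        ip = ipaddress.ip_address(ip_str)
    except ValueError:
        return False  # '-' or malformed source: never trust it
    # Mixed IPv4/IPv6 membership tests return False rather than raising.
    return any(ip in net for net in TRUSTED_NETS)


def find_rdp_exposure(events, fail_threshold=3):
    """Return (external_rdp_logons, brute_force_sources).

    external_rdp_logons: (user, source) pairs for successful RDP logons
    from outside the trusted networks, i.e. RDP that was supposed to be gone.
    brute_force_sources: sources with >= fail_threshold failed RDP logons.
    """
    external = []
    failures = Counter()
    for ev in events:
        if ev.get("LogonType") != 10:
            continue  # not an RDP session
        src = ev.get("IpAddress", "-")
        if ev["EventID"] == 4624 and not is_trusted(src):
            external.append((ev["TargetUserName"], src))
        elif ev["EventID"] == 4625:
            failures[src] += 1
    brute = [src for src, n in failures.items() if n >= fail_threshold]
    return external, brute
```

In a real deployment the records would come from your SIEM or from `Get-WinEvent`; failed RDP attempts against hosts with Network Level Authentication enabled may be logged with LogonType 3 instead of 10, so widen the filter accordingly.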

Good governance includes practicing for a ransomware attack scenario by conducting tabletop exercises and simulations, as well as creating plans, policies, and playbooks for handling any major security incident. From a technical perspective, the right security infrastructure will help improve your team’s ability to detect attacks rapidly (which, in turn, will enable rapid response). You should also retain immutable backups that are isolated from your network so that even an attacker with administrative credentials wouldn’t be able to delete or compromise them.
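The immutable-backup requirement stated here and in tip #4 of part two (backups that an attacker holding administrative credentials cannot delete) can be checked rather than assumed. The following added example, which is not the post’s or Kudelski Security’s code, audits Amazon S3 Object Lock settings using the response shape of boto3’s `get_object_lock_configuration`; the bucket configurations are constructed so that it runs offline, and the 30-day minimum retention is an assumed policy value.

```python
# Assumed policy: backups must stay locked at least this long so that a
# ransomware operator who also destroys recent backups cannot outwait them.
MIN_RETENTION_DAYS = 30


def audit_object_lock(config, min_days=MIN_RETENTION_DAYS):
    """Return a list of findings; an empty list means the bucket meets the bar.

    `config` mirrors what S3.get_object_lock_configuration returns. A bucket
    with no lock at all makes boto3 raise ObjectLockConfigurationNotFoundError;
    that case is modelled here as an empty dict.
    """
    findings = []
    lock = (config or {}).get("ObjectLockConfiguration")
    if not lock or lock.get("ObjectLockEnabled") != "Enabled":
        return ["Object Lock not enabled: any principal with delete rights can purge backup versions"]
    rule = lock.get("Rule", {}).get("DefaultRetention")
    if not rule:
        return ["No default retention rule: objects are only locked if the writer sets retention explicitly"]
    mode = rule.get("Mode")
    if mode != "COMPLIANCE":
        # GOVERNANCE mode can be bypassed by anyone granted s3:BypassGovernanceRetention,
        # so an admin-level compromise still leads to deletable backups.
        findings.append(f"Retention mode is {mode}, not COMPLIANCE: privileged users can still delete")
    days = rule.get("Days")
    if days is None and rule.get("Years"):
        days = rule["Years"] * 365
    if days is None or days < min_days:
        findings.append(f"Default retention of {days} days is below the {min_days}-day recovery window")
    return findings


# Constructed bucket configurations standing in for live API responses.
SAMPLE_BUCKETS = {
    "backups-weak": {},
    "backups-governance": {"ObjectLockConfiguration": {
        "ObjectLockEnabled": "Enabled",
        "Rule": {"DefaultRetention": {"Mode": "GOVERNANCE", "Days": 7}}}},
    "backups-immutable": {"ObjectLockConfiguration": {
        "ObjectLockEnabled": "Enabled",
        "Rule": {"DefaultRetention": {"Mode": "COMPLIANCE", "Days": 35}}}},
}


def audit_all(buckets):
    """Map each bucket name to its findings so the weak ones stand out."""
    return {name: audit_object_lock(cfg) for name, cfg in buckets.items()}
```

Object Lock only protects object versions inside the bucket; the network isolation the paragraph asks for (a separate account or vault that production credentials cannot reach) is a second control this check does not cover.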

A proactive stance requires a broader approach. In part two of this series, Olivier Spielmann shares five actions that you can take to bolster incident response capabilities.