“I’m a New Security Leader and My Business Has Been Breached. What Next?” An Eight-Step Guide to Managing a Cyber-Attack for the First Time.


It comes as no surprise to anyone who follows industry news that reports of cybercrime are increasing. While no security leader ever gets ‘used’ to being breached, the first time it happens is especially daunting.

This is a guide put together for new security leaders, based on discussions with our Incident Response team and CISOs from various backgrounds who have dealt with breaches more than once.

It’s worth saying that there is no one-size-fits-all answer to the question: ‘What should I do when a cybersecurity incident happens?’ The truth is there are no golden rules or magical solutions as every breach will be unique.

Breaches vary in the attack vectors used and in the technologies a company relies on. There are, however, simple-to-follow guidelines to set you on the right path to recovery.

Watch Darrell Switzer talk on Four Things His Clients Wished They’d Done Before Getting Breached.

Step 1: Remain Calm

Staying calm may be easier said than done when you get that sinking feeling that your company has been hacked. It’s not just the hack, it’s how it could potentially impact your business, the brand, and the bottom line. Stay calm, and avoid doing the following things, which make it hard for an incident responder to investigate a case properly.

Things to avoid include:

  • Deleting valuable data (preservation of artifacts is key!)
  • Resetting any passwords or disabling any accounts without a plan
  • Attempting to contact the threat actor
  • Attempting to fix the problem or patch a system without a plan

Step 2: Determine the Scope of the Breach

Response to a breach is better after an initial analysis of the full incident. Ask yourself the following:

  • ‘Have I identified what was compromised?’
  • ‘How did it happen?’
  • ‘When did this occur and over what time period?’
  • ‘What actions did the threat actor perform?’

Answers to these questions will help the responders decide how best to proceed in containing and eliminating the attack.

Step 3: Make a First-Steps Response Plan and Act

When it comes to addressing a cyber-attack, we all know time is of the essence. It is crucial to act swiftly but also, to be guided by the process. The information you extract or gain about the incident should be enough to help you plan your first steps. By no means does this plan need to be fully comprehensive with assigned roles and timelines but it should include a clear step-by-step process for the preliminary stages of the response.

Obviously, the most important thing to say here is incident preparedness. Cyber playbooks and planning can – and should – be done well in advance of the breach. In the first months as a new security leader, you should organize red teaming and purple teaming exercises, cyber crisis simulation, and incident response readiness plans and playbooks.

One of the major threats you will have to face at some point in time is ransomware. This threat is worth spending focused time on. There are plenty of resources out there – you may find the guides below, which we compiled with a wide range of incident response practitioners, useful:

Download ‘What to Do in the First 24 hours’ of a ransomware attack for advice on immediate response.

Download the Ransomware Response Playbook, a detailed guide to planning and preparing for a ransomware attack, with technology, people, and processes considered in full.

Step 4: Containment

With any security incident, a key step is to ‘stop the spread’. Several factors need to be considered, for example:

  • Does the company have an Endpoint Detection and Response (EDR) system that could be used to contain the asset remotely or does this need to be done physically by pulling the network from the asset?
    • If the asset must be physically contained, can you locate it based on the information available?
  • Are you dealing in the first instance with a user’s workstation or a server?
    • A workstation is easier to take offline with the impact limited to a single user. If we’re talking about a server, the impact widens.
    • What services are impacted if this server were taken offline?
      • This is worth careful consideration. If the organization affected is a manufacturing plant, any downtime would lead to material financial losses.

If threat actors have already been in the network for many months, it could be unwise to begin containment. This can alert the threat actors to the fact that they have been discovered and can trigger them to launch their end game – e.g., destruction of data, ransomware deployment, etc.

You’ll gain much more if you observe their behavior and discover how much of the network they have infiltrated. Then, you can make a plan on how to effectively contain the breach all at once and minimize damage.

Step 5: Find an Expert

Breaches can cause significant financial damage. How the incident is handled can further impact the depth of that damage. Regardless of your company’s security posture and maturity, it’s always worth reaching out to respected experts, a tried-and-tested cyber emergency response team, whose experience and know-how could save time and money.

Managed Detection and Response providers have the benefit of exposure to a broader spectrum of technologies, environments, and threat intelligence than a single-focus incident response firm. A good provider will be well placed to respond to an incident in any environment and work effectively in every unique situation.

Step 6: Reporting the Breach

Business leaders must handle the reporting stage on any incident with caution as there are financial and reputation implications, ranging from public perception to fines and penalties. It is imperative that all aspects and angles of the breach are discussed. You’ll need to cover all topics, including:

  • Technical details of what was achieved by the threat actors
  • Possible ramifications of those actions

You must consult Public Relations and Legal teams to devise a proper course of action and messaging for media, shareholders, and staff.

Depending on the impact of the incident, there will be questions from various stakeholders and scrutiny of how the company handled the incident, so you need to get this right.

It goes without saying that it’s best to avoid denial of facts, which may come to light later and lead to a backlash. Note that if you are in a highly regulated space, such as finance, public utilities, or education, you’ll likely have compulsory reporting processes to the government or other regulatory bodies, which you need to adhere to.

Step 7: Recovery

The recovery process depends on the scale of the incident.

For minor incidents, recovery could simply include:

  • Removing malicious artifacts from the system
  • Patching a vulnerability and updating all software to their latest releases
  • Deploying an endpoint detection and response (EDR) agent

Larger incidents may need you to redeploy infrastructure or build a clean environment from scratch, which will have considerable time and financial implications.

Regardless of the situation, it is best to prioritize what requires the least amount of time to implement while securing the environment against further attack. This process includes putting in place targets that will help you achieve other goals to strengthen the overall security posture of the business.

Step 8: Post-Mortem

Regardless of whether you were able to stop the attack before deep damage was done, or whether you were only able to contain and eliminate the threat after data exfiltration took place, the post-mortem is a key step that will help ensure you build resilience.

You need to ask some simple questions:

  • What were the root causes of the incident?
  • How could the incident have been prevented?
  • What changes can be made to minimize the risk of a similar incident occurring in the future?

And regardless of the scenario, preparation for the future is key. In an incident, an attacker reveals the holes in the security of the business, and this is the perfect opportunity to address them and work towards increased cyber resilience.

Schedule compromise assessments and penetration tests as well. These will show any future active threats in your environment and enable you to stay ahead of the curve.

Think about getting in touch with your Incident Response service provider to ensure they are providing you training in the form of threat simulations, playbooks, and scenario planning.

As said earlier on, preparation is key.

No-one judges a CISO on being unable to stop an incident, but they will look closely at how you respond to it. And good preparation will help ensure you’re not left scrambling to get a robust response plan together.

15 Practical Tips for More Effective Cybersecurity Incident Response


Building an effective cyber incident response plan requires more than having the right tools in place or engaging the right cyber incident response services. As a security leader, you’re responsible for building the right security foundation and fostering a culture of teamwork and open dialogue during a crisis. Summarizing a recent webinar, this article will explain:

  • 3 Common Pitfalls in Cybersecurity Incident Response
  • 8 Practical Tips for Building an Effective Incident Response Team
  • 4 Technical Fixes to Reduce the Likelihood of a Breach

It almost goes without saying that everything is connected to the internet these days. It’s a business enabler and a necessity in the global economy. But it’s also a playground for cybercriminals.

The good news is that the impact of cyberattacks like ransomware can be minimized or entirely prevented with an effective incident response plan in place. And it doesn’t require fancy techniques like AI and machine learning. Don’t get me wrong: AI and machine learning can help detect attacks. But they are frequently overrated and won’t do the job we would all like to think they can.

Based on our team’s experience investigating breaches for clients, here are the common pitfalls we see CISOs fall into during an incident and some practical tips for avoiding them.

Three Common Pitfalls in Cybersecurity Incident Response

There are three characteristics that come up again and again in organizations that experience an incident, and they are all totally avoidable.


#1 Speed-Based Trust – Thinking Security Vendors Will Do the Full Job for You

Collectively, we have a culture of outsourcing trust. Where we used to trust our peers or institutions, we are now in an era of outsourced, “speed-based” trust. We assume trust in exchange for convenience.

Just as we trust Uber to get us to the right location safely, we trust our security vendors to keep our organizations safe. None of these security vendors, however, can fully address our security issues. We’re going to have gaps.

We call this a Swiss Cheese Model of security. While an MSSP or EDR solution may have you covered when it comes to detection and response, you’re still going to have to assume responsibility for applying patches to close any backdoors that may go undetected and ensure that your systems have secure configuration.

#2 Not Doing the Basics (It Was Never Going to End Well for the Titanic)

Almost worse than the Swiss Cheese Model of security is the Cyber Titanic Model. In the Cyber Titanic Model, you believe you have built a ship that can’t sink. You believe so much in the tools you have invested in, that you let your guard down. Maybe you even relax your security requirements.

Eventually, the boat will sink, and you will not be prepared.

Investing in endpoint detection and network security makes sense, but you need to balance it with basic security practices. If you don’t have a solid foundation of patching, configuration, segregation and hardening, you will just be investing in a sinking boat. Too many times we see breaches that could have been prevented if the basics were in place.

#3 Not Understanding Where to Harden vs. Add New Solutions

To put a finer point on this, detection technology isn’t the be-all and end-all when it comes to preventing an attack. Often security vendors will use the MITRE ATT&CK framework to show you how much coverage they can give you across the phases of an attack. This can be helpful but also misleading.

Detection is not the only way to prevent attacks. You can also use MITRE to understand where you need to harden your system to make it harder or impossible to breach your security at each phase of an attack, to begin with.

Watch the webinar “Common Pitfalls Every C-Level Should Know About – Stories From Our Incident Response Team”

Tips for Building a More Effective Incident Response Team

Building a more effective incident response team requires more soft skills than technical skills. Leadership, communication, and policy are critical to improving response outcomes. Here are my top tips.

#1 Understand Organizational Bias

We all have bias because we have experience in certain areas and blind spots in others. Having bias is not the issue. It becomes a problem when you do not recognize the bias.

As a CISO, you will have to understand the bias of your team. They may have a limited view of an issue because they are specialized in a specific area of security. You need to identify the biases, articulate them, and map them. This is foundational to addressing incident response blind spots.

Watch out, especially for the more expert or senior team members who may be very confident in explaining an issue, but don’t have the whole picture.

#2 Bridge Skills to Avoid Bias

One way you can break through the bias is by bringing different teams together to solve a problem. Ask questions that require teamwork to answer. Instead of “Are we secure?”, ask “How bad could it get?”

Then put together a purple team to work together to create a joint report with agreed-upon points of action. This creates a culture of exchange. Teams with better communication will be much better equipped to respond in a crisis situation.

Left unaddressed, bias can cause the organization to focus on a very narrow component of security without addressing the entire ecosystem.

#3 Develop KPIs with Value

Bad KPIs run rampant in security. Security can be hard to report on. But because we want to prove our value, we end up reporting on KPIs that don’t actually mean anything.

We say we blocked one million attacks on our firewalls, or we processed three trillion events because we want to look like we are effective. But what do these numbers actually tell us? If we say we blocked one million attacks on a firewall, all that communicates is that we configured a firewall. If you’re asked for those numbers, challenge the requester, and ask what they’re really trying to understand.

Instead, I recommend going smaller and more actionable with your metrics. Rather than how many attacks we blocked, try reporting on metrics like these:

  • # of common attack vectors removed
  • # of new techniques added to detection coverage
  • % decrease in the attack surface

#4 Shrink Your Digital Footprint

Think about all the data stored in email, your Google accounts, and your mobile apps. All that data can be exfiltrated. Reducing your personal and corporate digital footprint also reduces the impact of a successful attack.

When data is no longer needed, delete it rather than archive it. If you have a legal requirement to keep the data, encrypt it and store the keys off the server. Encrypted data leaks have little to no impact on security, as long as the secret keys remain secret!

Further, how you store data is important. If you have a document on SharePoint called “Insurance Policies” or “Digital Assets Value”, you are giving an attacker a flashing arrow to the documents they need to hold you ransom. If they know your insurance policy is for one million dollars and that one day of disruption would cost your company ten million dollars, they know exactly what to ask for.

#5 Augment your team

Major incidents require more work than your day-to-day security operations. It would be difficult to scale your internal team for such a situation.

Bringing in external partners can help augment your incident response team. Remember to look beyond security when it comes to team augmentation. Your incident response plan will likely include system administrators, cloud administrators, etc.

As a rule of thumb, if you don’t have a dedicated team member working on a required security discipline on a monthly basis, you may need to find an external partner in the event of a breach. While thinking about this, don’t forget your IT. You’ll need to augment your IT operation capabilities. Rebuilding an infrastructure can absorb a lot of resources.

There are different options: emergency response support, and preparation and resilience support. The best option to go for is usually a 24/7 incident response retainer because you have guaranteed response support when things go wrong. It’s a safe investment – many companies will ensure the retainer can be reassigned to another program, if not spent on incident response services.

#6 Explore Different Response Paths

There is no one-size-fits-all incident response plan. It is up to you, the CISO, to explore different paths and choose the one that will work the best for the organization. In some cases, it may make sense to choose the plan that results in the least business impact. In other cases, it may make sense to err on the side of security.

Augmentation, as mentioned above, can help your team move faster and work on steps in parallel. After all, your incident response process should not be linear; that will only slow things down. If you do augment your team with an external partner or security provider, carefully consider their recommendations and the tradeoff between value and cost.

For example, forensic disk imaging might make sense as part of the plan, but it could overwhelm your IT team with time-consuming tickets. Additionally, security providers may take advantage of an organization’s desperation during an incident, knowing they’ll do anything to get the business back up and running.

Challenge every recommendation and request. Look at the types of requests, the costs, and the hours associated. Ask “Is this really necessary?” or “Could we do this differently?” Explore all the different response paths and choose a way forward.

#7 Foster Open Dialogue

Creating a culture of open dialogue during an incident is incredibly important. If people are afraid to speak up or ask questions, you will not be able to accurately assess the team’s understanding of the question. There are a number of reasons a team member may not feel comfortable asking questions:

  • Fear of looking stupid
  • Tensions within the team
  • Power dynamics created by an authority figure or expert

“Asking questions may mean that you don’t understand something. But not asking questions will mean that you remain ignorant.”

As a CISO, you need to be able to spot this behavior and act on it very quickly. You must ensure that everyone has the right level of understanding to do their work. It’s how you will turn an incident into a constructive, rather than destructive, experience where everyone is learning from each other.

#8 Show Your Appreciation

Breaches are stressful for everyone in the organization. As a C-level, you can send signals to your team that you understand the toll an incident takes on them and their families.

It could be as simple as providing food, drinks, and a place close to the office for the team to stay. For remote employees, you could provide a meal of their choice for themselves and their family. It sends a really strong message that you appreciate the work that they (or their mother, father, or spouse) are doing to help the organization. These types of signals can change the mood.

Learn more about Kudelski Security’s Incident Preparedness and Cyber Resilience advisory services

Four Technical Fixes to Reduce the Likelihood of a Breach

In addition to the nontechnical guidance above, I’d like to leave you with four of the low-hanging technical fixes that could significantly reduce the likelihood of a breach. In 70% of the cases we’ve investigated, one of these four best practices was missing.

#1 Proper Segmentation

Often in breach scenarios, we find the organization has a flat network, which makes it much easier for the threat actor to move through.

#2 Zero Trust

Understand the zero trust framework and how to apply it in your organization. Achieving zero trust won’t happen overnight. It’s very iterative work, so be patient.

#3 Timely Patching / Emergency Patching

Threat actors will quickly be there to exploit new vulnerabilities. For that reason, it’s important to have an emergency patching plan in place. Ask yourself “Do I want to have an operational issue or a security issue? Would I rather have a system down or data leaked?”

#4 Configuration

Misconfiguration can have a huge impact, and so, proper configuration can also have a huge impact. Sometimes it’s just a small detail that is overlooked that would allow an attacker to gain access to something they shouldn’t.

Download the Infographic: 15 Practical Tips for More Effective Cybersecurity Incident Response

Get in Touch

It is my hope that if you follow the advice presented in this article, that you will never need our services. However, if you do experience a breach or if you would like a pre-emptive review of your current configurations, architecture, or incident response plan, please get in touch with our incident preparedness and response team here.

Part 2 – Make the Shift: A Cohesive Approach to Incident Response is Mission-Critical


In the first of this two-part series, Olivier Spielmann, VP of managed security services EMEA at Kudelski Security, discussed the factors that drive the need for a more comprehensive approach to Incident Response. The question of how to prevent cybersecurity attacks is never straightforward, but as cyber security attacks increase – especially over the festive period – there are five things that every security leader can do to improve their incident response capabilities and limit the impact of a breach.

Top 5 Tips for Bolstering Incident Response Capabilities

Generally speaking, many of the same technologies and capabilities that contribute to a strong and mature cybersecurity posture also improve your ability to conduct rapid and effective incident response. As shown in the previous blog post, the overlap between the best ransomware prevention strategies and cybersecurity hygiene is significant.

Training your teams to follow well thought-out incident response plans — even when under immense pressure — is essential. So is the ability to detect incidents rapidly with 24/7 security monitoring and proactive threat hunting.

It’s also vital to involve senior management and the board in incident response planning since the business implications of a large-scale crisis are extensive.

Beyond this, we have five specific pieces of advice.

#1: Take a holistic approach. We’ve mentioned this already, but it bears repeating. A proactive approach to incident response involves a broad array of cybersecurity functions and capabilities — from readiness assessment and ongoing security monitoring to vulnerability management, threat intelligence, red teaming training and program remediation. It’s essential to assess and strive to improve your security operations in their entirety.

#2: Continually assess and improve your capabilities. In a world of rapidly evolving technologies and even faster-evolving threats, change is the only constant. The only way your security program can hope to keep pace with these developments is to perform ongoing self-assessment and strive for continuous improvement.

#3: Be ready to respond to current real-world threats. The threat landscape and latest attack tactics are changing on a daily basis. Infusing current, high-fidelity threat intelligence that’s relevant to your organization’s size, industry and unique risk models into your incident response planning can help you prioritize effectively.

#4: Today’s ransomware attacks demand new backup strategies. In the past, backup solutions were often designed to make it as quick and convenient as possible to restore data. Ransomware operators now try to take advantage of that capability – for easy, speedy restores – and leverage it to encrypt or destroy backups. What’s needed today are immutable backups that even users with administrative credentials cannot delete.

#5: Understand that the move to the cloud introduces new challenges. Making use of containers, Kubernetes and microservices-driven architectures can introduce new efficiencies and greater flexibility into your operations. However, if your team hasn’t been trained on how to manage your new cloud environment securely, you’re likely to increase your risk exposure. The move to the cloud will require new approaches to secure identities, data, and applications as well as new backup strategies, and a new understanding of configuration management.

A solid approach to incident response can take time to get right. It includes a wide range of activity from risk exposure limitation and good governance, to continuously improving technical infrastructure and security controls. Here at Kudelski Security, our Cyber Fusion Centers (CFCs) have helped more than 250 organizations manage serious incidents over the past year and helped hundreds more get better prepared. This means we’re managing major incidents on an almost daily basis, and we’ve gathered extensive experience along the way.

Discover what we’ve learned by listening to a recent cyber summit conducted by five of our business leaders and top incident response experts. During the webinar, you’ll get a closer look at current attack tactics, best practices for incident response readiness, and some of our customers’ most frequently asked questions.

Part 1 – Make the Shift: A Cohesive Approach to Incident Response is Mission-Critical


In this two-part series, Olivier Spielmann, VP of managed security services EMEA at Kudelski Security, discusses why incident response needs to widen its scope and what every security leader can do to make it happen.

Despite the recent good news about the U.S. F.B.I.’s takedown of the REvil ransomware group, whose associates were likely responsible for several high-profile cyberattacks over the past year, the ransomware threat continues to pose significant business and financial risk for organizations of all sizes.

As long as cybercriminal operations remain profitable, they’ll continue to grow in size and scope. Even though recent inter-governmental and public-private collaborative efforts to fight ransomware hold promise, stakeholders must not assume that the threat will go away by itself. Nor should they assume that their cyber insurance policies will cover the full extent of the losses the organization will incur if a real-world attack succeeds.

Instead, it’s vital to remember that preparedness is the best defense. With the holiday season nearly upon us — when cybercriminal activity tends to reach an annual peak — organizations should expect to be targeted. Boards, senior leaders, and risk managers need to think holistically about the risks that the organization faces, and plan accordingly. Building robust incident response processes is key for mitigating otherwise unavoidable risk.

Trends in the Current Threat Landscape

Ransomware attacks continue to attract media attention, but they also remain enormously profitable for criminals. Research indicates that more than half of ransomware attack victims will ultimately make a payment to the criminals, with the average ransom amount skyrocketing to approach $250,000 in early 2021. Ransomware operators are increasingly targeting larger companies, taking a precise and highly professionalized approach that enables them to extract the greatest-possible profits from their victims.

Of course, ransomware is by no means the only significant cyber threat that today’s organizations face. Traditional malware-based attacks are still prevalent, as are social engineering and business email compromise (BEC) schemes in which bad actors attempt to trick victims into initiating fraudulent funds transfers. Cryptojacking, in which cybercriminals steal access to servers and processing power in order to illegitimately mine cryptocurrency, is also on the rise. It’s particularly prevalent whenever cryptocurrency valuations reach new market highs, since this provides a better profit margin for the criminals.

Cybercriminals have long been opportunistic, and the global coronavirus pandemic has provided them with numerous new attack vectors to exploit. When remote work suddenly became a necessity for large numbers of employees around the world, threat actors sought to target vulnerabilities in Office 365 and in collaboration tools like Zoom, WebEx, or Microsoft Teams. There was also an immediate surge in pandemic-related phishing attempts.

Latest Attack Tactics Demand a Proactive Approach to Incident Response

The reality is that once your files have been encrypted and you’ve received a ransom payment demand, it’s generally too late to avoid major operational disruption. Even organizations with uncorrupted backups typically experience significant downtime during the process of restoring from those backups, and still face significant incident management challenges in the attack’s aftermath. All ransomware victims will experience stress and uncertainty as the attack sequence unfolds. Many will have to contend with media attention as well as questions from partners and vendors along with customers, employees and other stakeholders.

Cybercriminals generally try to launch attacks at the most inopportune and unwelcome times. Whether it’s a request for an emergency funds transfer that takes place late on Friday afternoon or ransomware infection that appears right before Black Friday, attackers time their activity to maximize the pressures that their victims will experience. For this reason, it’s essential to train your teams to be ready to respond to ransomware and other cyberattacks, and to practice the worst-case scenarios.

In all instances, taking a holistic approach to incident response and preparedness is key. The overlap between solid ransomware prevention strategies and good cybersecurity hygiene in general is extensive. We recommend that organizations follow a three-part approach that includes:

  • limiting your risk exposure
  • exercising good governance, and
  • implementing the right technical infrastructure and security controls, with continuous improvements

For example, research indicates that remote desktop protocol (RDP) remains the most commonly-used attack vector in today’s ransomware attacks, while email phishing and malicious attachments take second place. You can limit your risk exposure by eliminating the use of RDP within your environment. You should use this sort of contextual threat intelligence to assess your current systems and their digital footprint more broadly.
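As an added example, not part of the original post and not Kudelski Security’s tooling, the following Python script audits a constructed list of inbound firewall rules, in the shape of cloud security-group entries, for the exposure just described: RDP reachable from the internet. It also flags all-protocol rules from broad internal ranges, which is the flat-network pattern the segmentation tip in the previous article warns about. The rule field names, group names, ranges, and severity labels are assumptions made for illustration.

```python
import ipaddress

RDP_PORT = 3389

# Constructed sample of inbound rules in the shape of cloud security-group entries.
# Names, ranges and sources are made up for illustration; proto "-1" means "all protocols".
SAMPLE_RULES = [
    {"name": "sg-web",   "proto": "tcp", "from": 443,  "to": 443,   "src": "0.0.0.0/0"},
    {"name": "sg-jump",  "proto": "tcp", "from": 3389, "to": 3389,  "src": "0.0.0.0/0"},
    {"name": "sg-admin", "proto": "tcp", "from": 3389, "to": 3389,  "src": "10.20.0.0/16"},
    {"name": "sg-flat",  "proto": "-1",  "from": 0,    "to": 65535, "src": "10.0.0.0/8"},
    {"name": "sg-db",    "proto": "tcp", "from": 5432, "to": 5432,  "src": "10.20.5.0/24"},
]


def is_internet_source(cidr: str) -> bool:
    """True if the source range includes non-private (internet) addresses."""
    net = ipaddress.ip_network(cidr, strict=False)
    return net.prefixlen == 0 or not net.is_private


def allows_port(rule: dict, port: int) -> bool:
    """True if the rule admits TCP traffic to the given port (all-protocol rules count)."""
    return rule["proto"] in ("tcp", "-1") and rule["from"] <= port <= rule["to"]


def audit_rules(rules: list) -> list:
    """Return (rule name, severity, message) for each rule that weakens exposure or segmentation."""
    findings = []
    for rule in rules:
        internet = is_internet_source(rule["src"])
        all_protocols = rule["proto"] == "-1"
        src_prefix = ipaddress.ip_network(rule["src"], strict=False).prefixlen
        if internet and allows_port(rule, RDP_PORT):
            findings.append((rule["name"], "CRITICAL",
                             "RDP (3389) reachable from the internet; remove it or place it behind a VPN"))
        elif internet and all_protocols:
            findings.append((rule["name"], "CRITICAL", "all protocols reachable from the internet"))
        elif all_protocols and src_prefix <= 16:
            findings.append((rule["name"], "HIGH",
                             "all protocols open to a broad internal range (flat network)"))
        elif allows_port(rule, RDP_PORT):
            findings.append((rule["name"], "MEDIUM",
                             "RDP allowed from an internal range; restrict it to a bastion host"))
    return findings


if __name__ == "__main__":
    for name, severity, message in audit_rules(SAMPLE_RULES):
        print(f"{severity:8} {name:10} {message}")
```

Running the script on the sample prints three findings: the internet-facing RDP rule, the internal RDP rule, and the all-protocol rule from a /8. Feeding it a real export (for example the ingress rules of every security group in an account) gives a quick first pass on the exposure the threat intelligence above points at, before a more thorough review of the digital footprint.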

Good governance includes practicing for a ransomware attack scenario by conducting tabletop exercises and simulations, as well as creating plans, policies, and playbooks for handling any major security incident. From a technical perspective, the right security infrastructure will help improve your team’s ability to detect attacks rapidly (which, in turn, will enable rapid response). You should also retain immutable backups that are isolated from your network so that even an attacker with administrative credentials wouldn’t be able to delete or compromise them.
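Both this paragraph and tip #4 in Part 2 call for backups that even an administrator cannot delete. As an added example, not from the original post and not Kudelski Security’s code, the following Python check assesses that deletion-protection property for constructed S3 Object Lock configurations, in the JSON shape returned by `aws s3api get-object-lock-configuration`. It treats only COMPLIANCE mode with an adequate default retention as meeting the bar, because GOVERNANCE mode can be overridden by a principal holding the s3:BypassGovernanceRetention permission, and a bucket without a default rule protects only objects that were individually locked. The bucket names, the 30-day requirement, and the sample configurations are constructed; whether the backups are isolated from the network is outside what this check can verify.

```python
import json

REQUIRED_RETENTION_DAYS = 30  # assumed policy: backups must survive at least 30 days

# Constructed sample, keyed by bucket name, in the JSON shape that
# `aws s3api get-object-lock-configuration` returns. These are not real buckets.
SAMPLE_CONFIGS_JSON = """
{
  "backups-prod":    {"ObjectLockConfiguration": {"ObjectLockEnabled": "Enabled",
                      "Rule": {"DefaultRetention": {"Mode": "COMPLIANCE", "Days": 35}}}},
  "backups-staging": {"ObjectLockConfiguration": {"ObjectLockEnabled": "Enabled",
                      "Rule": {"DefaultRetention": {"Mode": "GOVERNANCE", "Days": 90}}}},
  "backups-archive": {"ObjectLockConfiguration": {"ObjectLockEnabled": "Enabled",
                      "Rule": {"DefaultRetention": {"Mode": "COMPLIANCE", "Years": 1}}}},
  "backups-short":   {"ObjectLockConfiguration": {"ObjectLockEnabled": "Enabled",
                      "Rule": {"DefaultRetention": {"Mode": "COMPLIANCE", "Days": 7}}}},
  "backups-nolock":  {"ObjectLockConfiguration": {"ObjectLockEnabled": "Enabled"}},
  "backups-legacy":  {}
}
"""


def retention_days(rule: dict) -> int:
    """Default retention in days; AWS expresses it as either Days or Years."""
    default = rule.get("DefaultRetention", {})
    return int(default.get("Days", 0)) + 365 * int(default.get("Years", 0))


def assess_bucket(config: dict) -> tuple:
    """Return (status, reason) saying whether backups in this bucket survive an admin with delete rights."""
    lock = config.get("ObjectLockConfiguration")
    if not lock or lock.get("ObjectLockEnabled") != "Enabled":
        return ("FAIL", "Object Lock not enabled; anyone with delete rights can remove backups")
    rule = lock.get("Rule", {})
    mode = rule.get("DefaultRetention", {}).get("Mode")
    if mode is None:
        return ("FAIL", "no default retention rule; only individually locked objects are protected")
    if mode != "COMPLIANCE":
        return ("FAIL", f"{mode} mode can be bypassed via s3:BypassGovernanceRetention")
    days = retention_days(rule)
    if days < REQUIRED_RETENTION_DAYS:
        return ("WARN", f"COMPLIANCE mode but {days}d retention is below the required {REQUIRED_RETENTION_DAYS}d")
    return ("PASS", f"COMPLIANCE mode with {days}d default retention")


def audit_buckets(configs_json: str) -> dict:
    """Parse the JSON map of bucket name -> configuration and assess each bucket."""
    return {name: assess_bucket(cfg) for name, cfg in json.loads(configs_json).items()}


if __name__ == "__main__":
    for name, (status, reason) in audit_buckets(SAMPLE_CONFIGS_JSON).items():
        print(f"{status:4} {name:16} {reason}")
```

On the sample, only `backups-prod` and `backups-archive` pass; the GOVERNANCE bucket fails despite its longer retention, which is the point of the check. COMPLIANCE retention cannot be shortened or removed during the retention period by any user, so the retention window should be chosen to cover the longest plausible dwell time before an intrusion is noticed.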

A proactive approach necessitates a broader approach. In part two of this series, Olivier Spielmann shares five actions that you can take to bolster incident response capabilities.