Tim Bandos, Senior Director of Cybersecurity at Digital Guardian, discusses how good incident response always starts with answering six key questions.
Incident response is defined as the process by which an organisation handles a data breach or cyberattack. The goal of incident response is to efficiently manage an incident so that the damage is limited and recovery time and costs are kept to a minimum. Having an incident response plan in place is more important than ever at present as 2017 was the worst year in history for data breaches discovered Risk Based Security and 2018 is only likely to be worse. Furthermore, GDPR is coming closer, elevating the potential monetary costs of a data breach to bankruptcy levels.
A well thought out incident response plan should act as a guide for the incident response team in the event of a cyber incident. The plan will consider the definition of an incident, who within the company must respond to it and when they need to act. Below, you can find the six fundamental questions that should inform your incident response plan. These questions will help the incident response team to establish key facts and begin the remediation process:
If you can understand the mindset of the person attacking you, you stand a better chance of defending yourself next time. A good place to start your breach analysis is to consider who was behind the attack. With this knowledge, you will be able to build a better picture of the entire incident. Also, the tactics and targets of a lone cybercriminal will differ greatly to state-sponsored attackers, which will in turn differ to hacktivists.
There is a myriad of different attack techniques that target different weaknesses, so it is important to pinpoint exactly what caused the incident. Defacing websites has fallen out of fashion in favour of ransomware and data theft. DDoS attacks that either directly target a company’s digital infrastructure, or indirectly target its service providers, are also a growing concern. More recently, attackers have also started to implement mass data destruction attacks which can seriously damage a business.
Understanding the timing is all part of building a better picture of the incident. There are no holidays in the global hacking community, though particularly savvy attackers may purposely engage in a cyberattack during national holiday periods when they know security personnel could be short-staffed and on low alert. Timing is also an important factor to consider if you do need to notify business partners and customers that their data has been compromised.
Arguably, the most important questions to answer following an attack or breach is where it was targeted. This will involve an in-depth review of your entire attack surface; consider your network, your remote workers, your partners, your suppliers and even whether an infected USB stick could be to blame. Today, the most common entry point is email, for which hackers craft phishing attacks to target the weakest link in the security chain; the end-user.
The motive of an attack is an important piece of information for any external announcements that might need to be made. Having these details is also very helpful when it comes to justifying your incident response plan or recommendations for additional security spending to company executives. For the most part, financial motive is still the top reason for attacks against companies; even state-sponsored attacks are financially driven in some sense. It may take years and cost millions of pounds to develop the intellectual property and customer base that can be stolen in a mere matter of hours.
In order to effectively remediate you need to create a detailed step-by-step outline of exactly how the hacker attacked or breached your company. The tactics are evolving and some of the old tricks are making a comeback. Making matters worse, the black market for toolkits and ‘hackers for hire’ means that anyone can buy the technical savvy they need. Disgruntled employees, lost or stolen devices and unintentional sharing of sensitive information are other possible causes of an attack.
Without an incident response plan in place, panic can set in and the wrong decisions may be made, leading to severe consequences. By focusing on these six questions in the immediate aftermath of a data breach or cyberattack, incident response teams minimise the likelihood of emotional-drive actions or mistakes, allowing for more effective remediation.