The fundamentals of security incident response—during a pandemic and beyond

Information security is a nonstop race between you and cybercriminals—and COVID-19 means more challenges for your organization and more opportunities for attackers.

We spoke with cybersecurity experts about the challenges a new remote workforce creates for organizations, how to respond to a cyber threat, and how the threats themselves are changing.

The ongoing COVID-19 pandemic makes it more difficult to respond to a threat in progress. Being proactive is crucial, and the best time to update your strategy to reflect a shelter-in-place workforce is the same for every business, large or small: yesterday.

What’s at stake?

Breaches come in different sizes and scales. Ransomware can keep you from resources and data, but the game plan is very different depending on what’s compromised—and what that infected point has touched. The solution to a workstation encrypted by a ransomware attack can be straightforward: rebuild the machine, which means downtime but not much else.

However, if a data centre or critical servers are compromised, the results could be catastrophic. For many companies, the potential loss is so great that sending hundreds of thousands of dollars in cryptocurrency to cybercriminals makes sense—even when paying the ransom is just the start of your headache.

“Even if you can find a way to pay, can afford to pay, and have a trustworthy enough criminal … it still doesn’t mean you’re going to survive the attack,” says Drew Simonis, deputy chief information security officer at HPE.

Even if you pay a ransom, repairing the damage from a ransomware attack with security keys provided by a criminal can still mean months of downtime. How much-lost productivity can your organization survive? “For a large company, it may be sustainable,” says Simonis. “For a small company? That could put them out of business.”

The five pillars of cybersecurity

Obviously, the kinds of attacks you face and the resources at your disposal depending on the size of your organization. But the crucial actions you must take are drawn from the National Institute of Standards and Technology’s (NIST) cybersecurity framework, and they are the same for businesses big and small: identity, protect, detect, respond, and recover.

It’s a step-by-step process for assessing how vulnerable your system is, doing everything you can to remove vulnerabilities, quickly triaging the damage when a breach does occur, getting up and running again, and—most important—eradicating those weak links for the future.

Not all organizations are created equal. “A big company has all those resources in-house; they’ll have the investigators, the forensic capability, the ability to develop a plan based on the breach and put that plan into action,” says Simonis.

Response plans differ depending on size and budget, and many of the challenges that small and midsize businesses face are more daunting than ever due to the ongoing pandemic.

The COVID factor

A growing remote workforce makes every step of response harder. The COVID-19 pandemic hasn’t changed the fundamentals, but it has created new opportunities for cybercriminals: an uptick in content-oriented attacks that target the people in your organization—especially with emotional pleas. In April, the World Health Organization reported dealing with five times more cyber attacks than usual.

“Security teams have to learn to sift through what they didn’t have to sift through before,” says J.J. Thompson, senior director of managed threat response at Sophos.

Google’s Threat Analysis Group warns that phishing attacks directed at the general public are masquerading as government services. “In a post-pandemic world, it’s [still] going to be email and communication boards, social engineering attacks … [but] they’re going to have a much better uptake rate.”

COVID-19-related attacks—like phishing attempts disguised as COVID test results—are particularly dangerous. “We all have a more porous social engineering filter than we had before,” the group says.

The challenges brought to light by the pandemic may not even be new—and they certainly aren’t going anywhere. “What you have to be able to deal with is an environment in which you can’t trust messaging that originates from outside your organization. Any time someone from the outside asks you to do something, you should be suspicious,” says HPE’s Simonis. He suggests verifying unusual requests as much as possible—even if it means making a phone call.

Eliminating human vulnerabilities also means building systems that are prepared for the inevitability that people will make mistakes. “Assume all of those procedures are going to fail,” says Thompson. “No matter how many times you train somebody not to click on something, they’re going to do it anyway.”

The key is to put tools in place that pick up where people fail, like identifying anonymous logins, even if a user’s credentials check out.

What you can do today

Even meticulous backups are no substitute for a sophisticated incident response plan. Some breaches can’t be fixed by just reverting to a backup. “Almost all ransomware waits three days to get through two or three backup cycles before they actually ask for the money,” says Gary Campbell, security chief technology officer at HPE. And your backups may not be enough to prevent potentially lethal damage.

“In the data centre, it takes six days to re-image a server typically—assuming the backups are good,” he says. If you have tens of thousands of servers, the cost and downtime associated with rolling back may be worse than paying the ransom.

Devising an incident response plan is a tall order for companies of any scale. A tabletop exercise is one of the best ways to prepare, and it’s something any business can do. These exercises simulate a breach on paper and put your team’s training and decision-making to the test.

“Go through the process and see where your capability gaps are because you’re going to need to supplement those with third parties,” explains Simonis.

That may mean bringing in managed cybersecurity services for your entire system or filling gaps as needed with boutique solutions. The right third party can help with vulnerability assessment, unearthing harder to find gaps that might go unnoticed during your typical drills.

“You’ve got to have those solutions established ahead of time because there’s nothing worse than needing consulting and having to wait two or three weeks,” Simonis says. “The reality of these breaches is that minutes and hours matter. The sooner you’re able to investigate and eradicate, the sooner you’re likely to have confidence that you’ve done it effectively.”

Responding and recovering

According to Simonis, just about everyone has a plan—but being able to put it into play is another story entirely. “People don’t drill their plans. They don’t practice their plans in a serious kind of way,” he says. “[What is] more common than not having a plan [is] having a plan that is very dusty and doesn’t actually work.”

Simon Leech, the senior adviser for security and risk management at HPE Pointnext Services, adds that when it comes to incident response—whether you’ve turned to a third party to help develop it or you’re putting it in place yourself — the small details can make all the difference, right down to knowing exactly who to call at 2 a.m. with bad news.

Properly identifying what led to a breach, and making sure the hole is plugged, is crucial. “If you don’t have a process in place to make sure you’ve contained the infection before you start cleaning things up and getting them back on the network, you’re just going to be playing Whac-A-Mole, chasing down servers that keep getting reinfected,” says Leech.

Knowing what to do when your plan is tested—and knowing what to do when your plan fails—is just as important as having one in the first place, Simonis says, citing boxer Mike Tyson’s famous quote, “Everyone has a plan until you get punched in the mouth.”

Security incident response: Lessons for leaders

  • Making a plan is just the first part. Putting it to the test with drills and tabletop exercises is a top priority. When you uncover capability gaps, fill them with third-party expertise.
  • Don’t rely on backups—or the means to pay out in the event of a ransomware attack. For smaller businesses, these attacks can be fatal.
  • Stick to the fundamentals.

Leave a Reply

Your email address will not be published. Required fields are marked *