The list of hacked organizations and enterprises grows daily, while the cost of data breaches is also on the rise. Every company hopes it won’t happen to them, but the reality suggests otherwise.
In the wake of an attack, here’s the sequence of actions you can should after identifying that an incident has occurred.
Step 1: Stay Calm
There are few things more panic-inducing than the realization the enterprise has been compromised. Nevertheless, turning circles in your office while shouting “it’s a disaster!” isn’t going to help things (and, depending on the number of windows in your office, may cause your staff to question your sanity).
Take advice from those omnipresent “Keep Calm and…” T-shirts your staff wears on casual Fridays. Reacting impulsively in the face of internal panic could do more harm than good. Focus instead on minimizing the consequences by taking a measured, thoughtful response to the problem at hand.
Keep in mind also that just as you wouldn’t want anyone to disturb the crime scene in a television drama, evidence of the breach should remain intact. The team investigating the compromise shouldn’t erase or alter any logs in a hurried attempt to “do something.” This forensic evidence may be needed later by investigators or in a court of law.
The sooner you respond, the more money you can save. According to a 2016 IBM & Ponemon Institute study, “leveraging an incident response team was the single biggest factor associated with reducing the cost of a data breach – saving companies nearly $400,000 on average (or $16 per record).”
Verifying the attack involves:
- Identifying which systems have been compromised
- Determining which IP addresses were used in the attack
- Confirming the type of attack (Virus? Malware? Unauthorized remote access? Something else?)
Once a threat or vulnerability is detected, have a protocol in place for immediately informing users on the network. For instance, warning other users on the network to discard rather than download an email ostensibly from HR with a link to “new vacation day availability” can help stop the spread of a well-crafted social engineering attack.
Step 3: Quarantine the Offender
Much like you keep a sick child away from siblings, isolate infected computers. By acting quickly to take the source computer or impacted applications off of the network, you can better contain the breach by preventing any virus or malware from spreading.
While the initial reaction may be to take down your entire network, Cisco notes that could actually hurt you more than the hacker even dreamed by disrupting your operations and causing reputation damage with customers and in the marketplace.
Your incident response team should identify the damage done and also check for backdoors which hackers may have set up to enable future access to your system. It may also be that a trusted supplier was hacked and the compromise originated there. In that case, be sure to block all of that supplier’s accounts until they resolve the issue on their end.
“The average time to identify a breach was estimated at 201 days, and the average time to contain a breach was estimated at 70 days.” — Ponemon Institute
Step 4: Allow Recovery Time
The attacked computers or servers will need some R&R time, just as your sick kid does. Prioritize the order for cleaning and restoring based on how critical each component is to the business. You’ll want to install your most recent clean backup and change passwords for all impacted systems.
Of course, this step requires you to actually have a backup of your important files. So we hope you’ve been heeding our regular advice to consistently back up sensitive and critical information to an offsite device that is not connected to the network.
During system restoration, company-wide passwords should also be changed. Take this opportunity to confirm that there aren’t any systems still using default passwords or something obvious like “admin.” Learn more about choosing effective passwords in this post.
Step 5: Disclose the Breach To Necessary Parties
Stemming the internal damage from the breach is only part of the process. Companies must also share their information with law enforcement and/or regulatory officials. There may be regulatory mandates to follow and even fines to pay, but resolving these quickly can help alleviate industry concerns on hearing of the attack.
Plus, the company may need to go public with the information to customers and stakeholders. In weighing the public relations cost of admitting a breach, consider how much worse things are for the company that tries to keep the attack secret and is later discovered to have withheld information. Remember: from a PR standpoint, it’s always better to be in control of the message rather than have some enterprising journalist break the story for you.
Despite the risks to reputation or stock price of going public, transparency about a breach can also help raise awareness and save others from experiencing the same issues. For instance, in the case of the global WannaCry malware attack earlier this year, North American companies were able to proactively warn users of the threat due to victims in Asia and Europe having already reported incidents.
“70 percent of U.S. security executives report they don’t have incident response plans in place.” — Ponemon Institute
Step 6: Plan Against the Next Attack
It’s a tough pill to swallow: this could happen again. It’s the last thing you want to hear when your company is already dealing with an attack, but it’s true.
Try to learn as much as possible about how the attack came about in the first place and why you may have been a target. Was the attacker trying to gain access to certain information, disrupt business, or take over systems to enact a larger attack? Better understanding the motivation for the breach can help you in formulating the updated, and improved security plan.
If you didn’t already have an incident response plan in place, consider this experience as the wakeup call you needed. Considering the average company loses $158 per compromised record — with healthcare records reaching as much as $355 — it should be easier to justify the expenditure to establish a response team and plan proactively.
Step 7: Educate Employees
Respond to the attack with new training for employees to avoid putting your business’s data and sensitive information in danger. Plan to address:
- Keeping passwords secure
- Avoiding password repetition
- Sharing too much personal information
- Clicking on links and downloads
- Updating antivirus and malware protections
Educate employees also that the impulse to trust others is one of the social engineering hacker’s key tools. Reiterate the importance of following protocol and questioning credibility before acting.
RedTeam Can Help
Don’t assume a security breach won’t happen to you. According to the IBM 2017 X-Force Index, the average client organization experienced some 54 million security events. This suggests you might already have encountered a cyberattack without even knowing about it!
RedTeam Security Consulting can identify and fix vulnerabilities at their root within your organization. With our application, network, physical, and IoT device penetration tests, our team of experts has the suite of defensive tools necessary to secure your business. Schedule a consultation to speak directly with one of our security experts about your unique needs.
Before You Go… Six Signs You’ve Been Hacked
The 2017 X-Force Index identified these top indicators of compromise (IOCs):
- Unusual outbound network traffic
- Anomalies in privileged user account activity
- Large numbers of request for the same file
- Geographical irregularities
- Database extractions
- Unexpected patching of systems
Profile network traffic patterns to gauge what’s “normal” for your organization so you can better document attack tools and methods if the need arises.