How to Respond to a Cyber Breach

After several devastating cyberattacks on U.S. businesses, incident response strategies are getting new respect.

Data breaches are occurring at a relentless pace. Their impact on people’s daily lives, as well as on business resilience and national security, is now undeniable.

In the past few months alone, cybercriminals have hit the world’s largest meat processor, shutting down major meatpacking plants in the U.S.; crippled the nation’s largest gas pipeline, causing panic buying; and breached 300 companies and nine federal agencies in the largest cyberattack in U.S. history. (See SolarWinds attack)

For businesses and government, the battle is no longer simply about protecting credit card numbers and other personal data. It’s about protecting the nation’s economic interests and, perhaps more important, society’s ability to function.

Many of the high-profile attacks carried the capacity to severely damage the nation’s “economic engine,” says Maggie Wilderotter, the former Frontier Communications CEO and a board member of several tech companies. The threat is so dire that on June 2, the White House sent an open letter to “corporate executives and business leaders,” saying they had a “key responsibility” in strengthening the nation’s cyber resilience, while noting “no company is safe [from ransomware], regardless of size or location.”

But enterprises that operate as if their defenses alone will keep them secure accept more risk than they realize. At some point, attackers will succeed. (Consider that cyberattacks have spiked 600% since the pandemic began.)

Breached organizations might find core business operations shut down through a ransomware attack. Those incursions come with a cost to a company’s reputation as well as its bottom line: Companies spend an average of $3.86 million to mitigate a breach.

Enterprises must shift from playing pure defense to preparing for a successful attack and limiting the damage. Here are five ways to do that.

Train and prepare

You don’t want to be learning incident response while you’re actually responding to a breach. That sounds obvious, but a lot of companies don’t prepare. “Your team has to be ready, and they have to know exactly what they are going to do,” says Fernando Montenegro, a principal analyst on the enterprise security team at 451 Research, a part of S&P Global Market Intelligence.

“I don’t mean knowing what they should do theoretically should something happen,” he adds. “I mean understanding exactly what they need to do depending on the precise situation.”

That means looking at people, processes, and technologies. Montenegro says to start by identifying the people who need to be notified when an incident occurs.

“Who do you call at 3 in the morning to escalate something about a particular application?” he says. “Or who do you call if you can’t reach the primary contacts?” 

Bringing those people into the mix during training builds important relationships and collective knowledge of what needs to be done, by whom, and how. In addition to security and IT, the response teams might include people from human resources, public relations, legal, product, and both internal and external communications.

Montenegro advises that incident response teams practice, perhaps each quarter. Running drills can help security teams identify holes or outdated guidance in their incident response strategies, increasing the confidence and speed with which the team responds.

“You want to make sure you’re fresh and not dusting off old response playbooks from a virtual shelf that hasn’t been touched in a year,” he says.

Create situational awareness 

To ensure rapid incident response, enterprises must constantly look for indications that hackers or malicious software have compromised their system. You don’t want to learn about a compromise from an affected partner or customer, law enforcement, or a cluster of servers suddenly encrypted by ransomware.

“Once an attacker is operating with a credential or some type of multifactor authentication bypass, you are compromised,” says Gal Shpantzer, founder of virtual CISO consultancy Security Outliers.

To detect a breach early, security teams need processes that can spot new signs of malware that reach computing devices or other endpoints and determine if they belong there. “You want to be looking for communications between desktops that are unusual, or servers trying to reach other servers using weird or new protocols, or in ways that establish new relationships on the network,” says Shpantzer. 

You want to put tools, such as intrusion and anomaly detection systems, in place that will spot unusual activity as quickly as it can reasonably be spotted. “Novelty in communications and novelty in binaries are important clues,” says Shpantzer.
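The "novelty in communications" check Shpantzer describes can be sketched as a baseline comparison. The following is an added example, not code from the article or from anyone quoted in it; the host names, protocol labels, and flow records are constructed, and a real deployment would read them from flow or firewall logs.

```python
from collections import defaultdict

# Constructed flow records: (day, source host, destination host, protocol/port).
BASELINE_FLOWS = [
    (1, "desk-014", "file-01", "smb/445"),
    (1, "desk-022", "file-01", "smb/445"),
    (2, "web-01", "db-01", "postgres/5432"),
    (2, "desk-014", "print-01", "ipp/631"),
    (3, "web-01", "db-01", "postgres/5432"),
]
TODAY_FLOWS = [
    (4, "desk-014", "file-01", "smb/445"),    # already in the baseline
    (4, "desk-014", "desk-022", "smb/445"),   # desktop talking to a desktop
    (4, "web-01", "db-01", "ssh/22"),         # known pair, new protocol
    (4, "web-01", "file-01", "rdp/3389"),     # servers with no prior relationship
    (4, "web-01", "db-01", "ssh/22"),         # repeat, reported only once
]

def build_baseline(flows):
    """Map each (src, dst) pair to the set of protocols seen between them."""
    seen = defaultdict(set)
    for _day, src, dst, proto in flows:
        seen[(src, dst)].add(proto)
    return dict(seen)

def find_novel(baseline, flows):
    """Return (kind, src, dst, proto) for each flow not explained by the baseline."""
    findings, reported = [], set()
    for _day, src, dst, proto in flows:
        key = (src, dst, proto)
        if key in reported:
            continue
        if (src, dst) not in baseline:
            kind = "new_relationship"      # this pair has never communicated
        elif proto not in baseline[(src, dst)]:
            kind = "new_protocol"          # known pair, unfamiliar protocol
        else:
            continue                       # matches the baseline
        reported.add(key)
        findings.append((kind, src, dst, proto))
    return findings

if __name__ == "__main__":
    for finding in find_novel(build_baseline(BASELINE_FLOWS), TODAY_FLOWS):
        print(*finding)
```

Each finding is a lead for an analyst to confirm or dismiss, and confirmed-benign flows are added to the baseline so they stop alerting.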

Understand the business impact

When a security incident does begin to unfold, most organizations fail to understand the business impact of that incident. But every incident is a business disruption to some degree. 

“The differentiator is to what degree it disrupts the business,” says David Elfering, information security director at ReSource Pro. The escalation of an incident from a service-desk concern to one that demands a high-level response is a process that is “fundamentally broken in most companies,” he says.

That’s because most companies don’t have an inventory of their core processes. That means they don’t know the value of their processes, so they can’t assign true criticality. When IT labels something as critical or low risk, much of the time, says Elfering, “they’re just guessing.”

To better understand the impact of cyber incidents, organizations must stop assessing their IT environments from the bottom up. Instead of listing how IT systems support the business, it’s better to start from the top, says Montenegro.

“Identify your major business processes and identify the technology that keeps them running,” he says. “That helps keep it simple from a value standpoint to decide what incidents are critical to the most important business operations.”

Embrace the remote security operations center (SOC)

Many enterprise security teams began operating remotely during the pandemic. As organizations face a security skills shortage, they are now seeing remote work as an advantage, allowing them to tap into a geographically wide candidate pool.

“Typically, SOC-ops worked in a physical environment with screens everywhere with everyone looking at alerts,” says Scott Crawford, information security research head at 451 Research. “We’ve learned that you can have analysts looking at consoles from anywhere and they can work collaboratively.”

That remote work environment also appeals to many workers who prefer to live where they want and avoid the expense and hassle of commuting to an office.

“That will make it much easier to retain the security expertise you need to respond effectively to incidents,” says Crawford.

Automate where it makes sense

When it comes to gathering data and reviewing logs, there are numerous processes that can and should be automated. “You want to automate as much as possible,” says Shpantzer. “You can create playbooks that call for pushing a big red button that uploads a set of indicators of compromise (IOC) and scour your logs to find every machine the IOC has touched and see every URL the DNS proxy logs.”

You want to make that job less manual, especially if someone is doing that task repeatedly. Automation is not only faster, but it also reduces manual human error. This is crucial, says Shpantzer, during the stress of an incident in progress. It’s also critical to determine how long to store logs. Many attacks will occur over weeks and even months, so you need to determine where logs should be stored and then create the workflow to access and parse them quickly when needed.

“You want to be able to click a button and pull those logs, or click buttons that are clearly labeled” with the appropriate data, says Shpantzer. That could include labels like “input spreadsheet with IOCs for DNS,” “input spreadsheet with IPs,” “input spreadsheets with hashes.”

With those, he says, the endpoint detection and response platform will pull it all together. “This way, you will be able to quickly scope what happened, where it happened, and what was affected,” he says.
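The "big red button" sweep described above, as an added example that is not from the article or from any product it mentions: three labelled IOC inputs (DNS names, IPs, hashes) are matched against three log sources to produce a per-host scope. The log formats, column names, host names, and indicator values are all constructed for illustration.

```python
import csv
import io
from collections import defaultdict

FAKE_HASH = "deadbeef" * 8   # constructed placeholder, not a real file hash

# Constructed IOC sets standing in for the three labelled spreadsheets.
IOCS = {
    "domain": {"updates.bad.example"},
    "ip": {"203.0.113.45"},
    "sha256": {FAKE_HASH},
}

# Constructed log extracts: DNS proxy, firewall, and endpoint process logs.
DNS_LOG = """ts,host,query
2021-06-01T02:14:09Z,desk-014,updates.bad.example
2021-06-01T02:15:00Z,desk-022,www.example.org
2021-06-03T11:40:51Z,web-01,Updates.Bad.Example.
"""
FW_LOG = """ts,host,dst_ip
2021-06-01T02:14:10Z,desk-014,203.0.113.45
2021-06-02T09:00:00Z,desk-031,198.51.100.7
"""
EDR_LOG = f"""ts,host,sha256
2021-06-01T02:16:30Z,desk-014,{FAKE_HASH}
2021-06-04T08:02:11Z,hr-003,{FAKE_HASH.upper()}
"""
SOURCES = [("domain", DNS_LOG, "query"), ("ip", FW_LOG, "dst_ip"),
           ("sha256", EDR_LOG, "sha256")]

def normalise(value):
    """Lower-case and drop a trailing dot so log variants still match."""
    return value.strip().lower().rstrip(".")

def sweep(iocs, sources):
    """Return {host: [(ts, ioc_type, value), ...]} for every IOC match."""
    wanted = {kind: {normalise(v) for v in vals} for kind, vals in iocs.items()}
    hits = defaultdict(list)
    for kind, text, column in sources:
        for row in csv.DictReader(io.StringIO(text)):
            value = normalise(row[column])
            if value in wanted.get(kind, ()):
                hits[row["host"]].append((row["ts"], kind, value))
    return {host: sorted(events) for host, events in sorted(hits.items())}

def first_seen(scope):
    """Earliest matching timestamp: how far back log retention must reach."""
    return min(ts for events in scope.values() for ts, _, _ in events)

if __name__ == "__main__":
    scope = sweep(IOCS, SOURCES)
    print(scope, first_seen(scope))
```

The result answers the three scoping questions in one pass: which machines were touched, by which indicator, and when the earliest match occurred.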

While data breaches are all but inevitable, a when-not-if proposition, we can at least take steps to prevent them for as long as possible and then be ready to make sure the impact is minimal when they do happen.

George V. Hulme
George V. Hulme is an information security and business technology writer. He is a former senior editor at InformationWeek magazine, where he covered the IT security and homeland security beats. His work has appeared in CSO Online, Computerworld and Network Computing.