The fallout of a substantial breach at Yahoo!, in which the names, email addresses, passwords and telephone numbers of more than half a billion customers were compromised by hackers, continues to pile pressure on the company. It highlights the delays in breaches being detected, and the time it can take an organisation to identify the scale of a breach and take appropriate steps to remediate it. How, when and whom does the organisation notify on discovering the breach?
With the Office for National Statistics recently reporting that almost six million fraud and cyber-crimes were committed last year in England and Wales alone, breach incidents have become almost inevitable. Malware and ransomware are staples of the mainstream press. That means organisations need to be prepared for the worst. They need to invest not only in commonly deployed detection solutions and defensive controls, but also in the ability to take action as and when an attack is occurring. Immediate action can limit a hacker's ability to access data, and also helps firms avoid large fines, negative headlines and shareholder and customer discontent.
Recent data indicates that there has been little improvement in firms' preparedness against breach incidents. This is despite a sharp increase in spear-phishing attacks and internal threats. These can be difficult to defend against, as they often involve both external and internal abuse of access to corporate data. Sometimes this abuse is intentional; often it is completely unintentional.
As the scope for attacks continues to expand and cyber-criminals become more sophisticated in their techniques, organisations are faced with new risks. It is now virtually impossible to guarantee that data is ever immune from a breach. Never has it been more important to have a well-planned, comprehensive incident response procedure in place to minimise damage.
Despite bearing witness to the negative impact an attack can have on an organisation, and being exposed to an almost constant stream of negative headlines about high profile breaches, there are still several areas where companies consistently fall short in their capabilities to respond to an incident effectively.
As a starting point, all organisations must ensure that there is an incident management process in place. Often, organisations have limited guidelines describing how to declare and classify incidents, yet this granularity is vital, as it will dictate the speed and scope of the response. Depending on the type of attack, potential impact, and other factors, response activities can vary immensely.
The routine compilation of the various procedures and operations to be carried out by system administrators should also be developed. These 'run books' address how common incidents should be handled in their environments. For example, if an organisation is particularly vulnerable to DDoS attacks, it's wise to develop a specific DDoS run book that explains the procedures the designated response team should follow, based on the tools and capabilities available.
It is also important that the effectiveness of the response procedure is carefully monitored and evaluated. Regular test scenarios are a crucial factor of these evaluative processes. By carrying out 'post-mortem' reviews, the response team can identify and build upon those response activities that worked well. It can also spot and remediate any processes in need of improvement.
As organisations expand, and people's roles change, it's essential that documentation related to who is involved in incident response activities is updated to reflect these changes. Time is a critical element of incident response. If a firm isn't able to rapidly mobilise the correct people, its ability to recover from a breach is seriously hindered. It is also worth noting that keeping contact information up to date for third parties such as the ISP, external incident response support and other providers is equally important.
In order to make appropriate decisions, and identify impacted systems, comprehensive and up-to-date information about the network must also be available. When preparing technical documentation in readiness for incident response, it is necessary to include DNS information, IP ranges and host names, as well as the ingress and egress points between networks. On top of this, the software and operating system names, versions and patch levels, plus user and computer roles should also be included. This “known good” information will assist in the recovery from the breach.
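One way to put such "known good" documentation to work during an incident is to compare it against what responders actually observe on the network, so that unknown hosts, changed addresses and regressed patch levels stand out. The following is an added example, not code from the article or from Dimension Data; the record layout and all host values are constructed for illustration.

```python
"""Flag drift between a 'known good' inventory and observed network state.

Added illustration: the HostRecord layout and every host below are
constructed sample data, not real systems.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class HostRecord:
    hostname: str
    ip: str
    os: str          # operating system name and version
    patch_level: int  # monotonically increasing patch baseline number
    role: str        # e.g. web, database, dns


# Constructed "known good" baseline of the kind the article recommends documenting.
KNOWN_GOOD = {
    "web01": HostRecord("web01", "10.0.1.10", "Ubuntu 16.04", 42, "web"),
    "db01": HostRecord("db01", "10.0.2.20", "Windows Server 2012 R2", 17, "database"),
    "dns01": HostRecord("dns01", "10.0.0.53", "Ubuntu 16.04", 42, "dns"),
}

# Constructed snapshot of what responders see during an incident.
OBSERVED = {
    "web01": HostRecord("web01", "10.0.1.10", "Ubuntu 16.04", 42, "web"),
    "db01": HostRecord("db01", "10.0.2.20", "Windows Server 2012 R2", 15, "database"),
    "dns01": HostRecord("dns01", "10.0.9.53", "Ubuntu 16.04", 42, "dns"),
    "tmp77": HostRecord("tmp77", "10.0.1.77", "Ubuntu 16.04", 40, "unknown"),
}


def inventory_drift(baseline, observed):
    """Return sorted (hostname, finding) tuples for every deviation from baseline."""
    findings = []
    for name, seen in observed.items():
        base = baseline.get(name)
        if base is None:
            findings.append((name, "host not in known-good inventory"))
            continue
        if seen.ip != base.ip:
            findings.append((name, f"ip changed {base.ip} -> {seen.ip}"))
        if seen.os != base.os:
            findings.append((name, f"os changed {base.os} -> {seen.os}"))
        if seen.patch_level < base.patch_level:
            findings.append((name, f"patch level regressed {base.patch_level} -> {seen.patch_level}"))
        if seen.role != base.role:
            findings.append((name, f"role changed {base.role} -> {seen.role}"))
    # Hosts documented as known good but absent from the snapshot also need explaining.
    for name in baseline.keys() - observed.keys():
        findings.append((name, "host missing from observed state"))
    return sorted(findings)
```

Running `inventory_drift(KNOWN_GOOD, OBSERVED)` on the sample data reports the unknown host, the regressed database patch level and the changed DNS server address, each of which would be a starting point for scoping the incident.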
By adhering to the above guidelines an organisation can rest assured that it is in the position to act quickly and efficiently should a cyber-security incident take place and reduce the potential fallout that follows these incidents. Only when a firm is fully prepared to respond to incidents can it hope to effectively mitigate the potential impact.
Contributed by Rory Duncan, head of security business unit, Dimension Data UK&I