Organisations are compromised - time to Respond!
Organisations are compromised - time to Respond!

In the wake of successful cyber-attacks, and security incidents taking down some of the biggest brands on the planet, impacting critical infrastructure and banking systems alike, it may be asserted that, when it comes to technology, by evidenced implication, it would seem to be exposed, fragile and vulnerable.

However, as corporate focus on cyber-security stands today, incident response is observed as being an overlooked area of the corporate security radar, leaving many organisations devoid of adequate response capabilities.

Unconventional threats – conventional defences

The last 10 to 15 years has seen an evolution of cyber-defences being employed to protect organisations from the onslaught of cyber-adversity. However it may be a valued opinion that the successful nature of the cyber-criminals, and associated incursions are attributable to the use of imaginative, unconventional vectors of attack – leveraging what has been considered to be the myth of the APT [Advanced Persistent Threat] into a multi-faceted, capable electronic-munition to breach the conventions of deployed security mechanisms.

Mark Brown, executive director at E&Y shared his opinion with commenting: “An organisation in a state of readiness inhabits an entirely different mind-set, sees the world differently and responds in a way the cyber-criminals would not expect.

It requires behaviours that are thoughtful, considered and collaborative. It learns, prepares and rehearses.”

Robust incident response

At the time of identifying a cyber-attack, it is of paramount importance that organisations under stress have a robust implementation of an incident response programme deployed to assure that any breach is dealt with under a methodology, delivering the rigour of expert practices, and the attributes of law enforcement. For instance when artifacts are acquired, or on occasions when a contemporaneous chain-of-evidence needs to be established.

It is on occasions of an attack when it is essential to have fully-mapped documented processes in place, ranging from the top level policy, drilling down to the underpinning of run-books, procedures, and other such directions to drive the first responder toward a consistent approach, whilst at the same time assuring that any impact on the business operations are kept to a minimum where possible. For instance, it could be that the investigation discovers that a part of the company web site has been compromised, and that it would be tactical to remove the site from public view in an attempt to minimise the impact, or even corporate embarrassment. The same kind of decision is equally applicable to an internal compromise of a LAN asset, in which disconnection of a compromised device could reduce the overall potential impact.