Cyber attack: good preparation is half the defense

Companies that prepare intensively for a cyber attack suffer significantly less from its consequences. Much is already gained simply by having an incident response (IR) plan.

Cybersecurity is mainly focused on prevention, and the best way to improve prevention is to learn from incidents. Nevertheless, companies are attacked time and again. In such a case the aim is to minimize the damage and to learn as much as possible from the experience. So what is the "best practice"?

Much is gained with a plan

The IT security team defines a plan for responding to a cyber attack (incident response, IR) that specifies which measures must be taken in the event of a security breach or an attack. The following questions form the basis of an IR plan:

  • How serious is the incident?
  • Where are the critical systems located and how are they to be isolated?
  • How and with whom should communication take place?
  • Who should be contacted and what measures should be taken?
  • What about the backups?

An IR plan should be simple and straightforward so that it is easy to follow in a high pressure situation. The SANS Incident Handler's Handbook and the Incident Response Guide from Sophos can be very helpful in drawing up plans.

Get help after a cyber attack

Before it comes to restoring computers and systems after an attack or even negotiating a ransom, companies should seek help. Responding to attacks requires specialized skills and most organizations do not employ incident response specialists.

A plan includes the contact details of IR service providers. If the attack is directed against servers and end devices, e.g. in a ransomware incident, the endpoint security provider should be contacted first, especially if they offer an IR service. They probably already have telemetry from the affected environment and access to preinstalled tools such as EDR / XDR that they can use to help quickly.

Expand aid and work with authorities

It is advisable to contact your local law enforcement agency. There is a high probability that the incident resulted in a crime and the relevant authorities may have helpful resources. Of course, the cyber attack must also be registered with the cybersecurity insurance company, provided that insurance is in place. If you work with a technology provider or system integrator, they may be able to help with the restoration, for example with the backups.

Quickly isolate systems and contain incidents

The incident should be isolated and contained as far as possible. This includes turning off the power supply, disconnecting the Internet connection and separating the networks, software-based isolation, applying deny-all firewall rules and shutting down critical systems. If a still functional domain controller is available, it is important to preserve it, if possible by shutting the server down and / or disconnecting it from the network. Backups should also be isolated and separated from the network. In addition, all suspected compromised passwords must be changed and the affected accounts reset.
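The "deny-all firewall rules" mentioned above are easiest to apply when they are already written down in the IR plan. The following nftables ruleset is an added example, not part of the original article or of any Sophos material: it drops all inbound, outbound and forwarded traffic on a Linux host except loopback, already-established flows, and SSH from one assumed IR jump host (192.0.2.10 is a placeholder address). Dropped packets are logged so the responders keep visibility of what the host was still trying to reach.

```nft
# Added containment example (assumed IR jump host 192.0.2.10 is a placeholder).
# Apply with:  nft -f contain.nft     (requires root; replaces the active ruleset)
flush ruleset

table inet contain {
    chain input {
        type filter hook input priority 0; policy drop;
        iif "lo" accept                              # local processes keep working
        ct state established,related accept          # replies to allowed flows
        ip saddr 192.0.2.10 tcp dport 22 ct state new accept   # IR jump host only
        log prefix "contain-drop-in " drop           # record everything else
    }

    chain forward {
        type filter hook forward priority 0; policy drop;   # host must not route
    }

    chain output {
        type filter hook output priority 0; policy drop;
        oif "lo" accept
        ct state established,related accept          # SSH session replies
        log prefix "contain-drop-out " drop          # cuts C2 and lateral movement
    }
}
```

Keeping the `ct state established,related` rules means the responder's existing SSH session survives when the ruleset is loaded; the logged drops (visible with `journalctl -k` or `dmesg`) later become part of the evidence described under "Retain available evidence".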

When using incident response services, it is important to obtain advice on how the affected systems and connections can safely be put back into operation.

Important: do not pay a ransom

Paying the ransom sounds like an "easy" way out, but it encourages criminals to continue their criminal activity. In addition, the days of moderate ransom demands are long gone: the Sophos State of Ransomware Report 2021 shows that medium-sized companies paid an average of 147,000 euros in ransom last year. The Sophos study also found that only 65 percent of encrypted data could be recovered after paying a ransom, so more than a third of the data was lost anyway.

In addition, the legal situation for ransom payments differs around the world. It is therefore advisable to find out about any laws in the country (or countries) in which an organization operates.

Retain available evidence

Too often, victims of a cyber attack are mainly occupied with restoring their systems and services as quickly as possible. In the process, a lot of information is lost that would help determine the cause and understand the extent of the security breach. This information can tell an incident response team who they are dealing with and what tactics this group typically uses. It could even reveal a whole new strain of ransomware and the tactics, techniques and procedures (TTPs) used.

Retaining the images of systems and virtual machines is just as important as isolating the malware. In this way, companies can also provide evidence in the event of a judicial review of insurance claims or prove to a government agency that they have not violated disclosure requirements.

Retribution does even more damage

In many cases, multiple groups are behind a ransomware attack. Using the information from the ransom note and the commonalities in the tactics, techniques and procedures (TTPs), an experienced incident response team can usually quickly identify who they are dealing with. Attempting retaliation, the so-called "hack back", is strongly discouraged. It is probably illegal in the first place and can only make the situation worse.

The role of cyber insurance

In the event of a cyber attack that is covered by cyber insurance, a claims adjuster from the insurance company will first hire an external legal advisor. This advisor organizes internal and external resources and coordinates the activities until the incident is resolved.

When taking out insurance, it pays to clarify in advance which activities and which specialized providers are covered in the event of a cyber attack. Most cyber insurance companies accept the use of existing service providers.

Always keep communication going

Communication is often severely affected by cyber attacks. Email systems may be offline, electronic copies of insurance policies or IR plans may be encrypted, and the attacker may be monitoring communications. It is therefore advisable to have an alternative means of communication available, such as an instant messaging application, so that the entire team and everyone else involved can communicate over a separate channel. Insurance data, IR plans and the contact details of the IR specialists should be kept separately and in physical form.

More at Sophos.com

About Sophos

More than 100 million users in 150 countries trust Sophos. We offer the best protection against complex IT threats and data loss. Our comprehensive security solutions are easy to deploy, use and manage. They offer the lowest total cost of ownership in the industry. Sophos offers award-winning encryption solutions, security solutions for endpoints, networks, mobile devices, email and the web. In addition, there is support from SophosLabs, our worldwide network of our own analysis centers. The Sophos headquarters are in Boston, USA and Oxford, UK.
