This article is part of a series exploring the cyber-crime threat facing small and mid-size organizations (SMBs), and how such organizations can mitigate their risk of compromise. In Part 5, we list the fundamentals of cyber breach response to mitigate damage to an affected SMB.
Imagine this: one day at the office your manager sends you a report to review, which must be completed that morning. You open it and realize you’ve just “made a boo boo”: the email came from a spoofed account, and it has just delivered a ransomware package.
Your computer has the infamous ransom notice across the screen…now what?
Unfortunately, no network or device is impervious to cyber-crime, and thus we SMBs must have a plan to respond to breaches. In the final part of our Cyber Security Series, we provide tips and best practices for dealing with a breach.
Step 1: Detect
It may be hard to believe, but the average detection time following a breach can be as high as 100 days! Cyber attack response starts with detection, which is pivotal in mitigating damages like operations downtime, data exfiltration, and spread of infection (within or between networks). Detecting a breach is often dependent on the type of attack, as some will be painfully obvious while others will be highly clandestine.
The obvious types include adware, ransomware, and DDoS. Such attacks announce themselves with pop-ups, ransom notices, or complete system failure. While some (like ransomware) are designed to extract funds, many of these easy-to-detect attacks are merely out of spite.
In contrast, keyloggers, spyware, social engineering, and banking trojans are all intended to infect a computer, network, or account without the victim knowing it. The more time the program has to operate, the more data it can compromise, the more computers it can affect, and the more profit it can generate.
While such breaches are difficult for users to identify, things to look for can include:
- Slow system performance
- Odd or unapproved banking transactions
- Websites which look “off” or operate abnormally following user sign-in
- Difficulty logging into secure sites
- Odd browser behavior, e.g. site redirects you’ve never seen before or home page changes
- Increased computer crashes
Once you’ve identified a potential breach, the next step is to report the suspected threat.
Step 1B: Immediate emergency action
In a scenario where you are highly confident you’ve detected a virus, malware, or worm (which is corrupting or has corrupted the victim computer), it’s best to pull the plug immediately before going to the reporting stage.
Immediately holding down the power button for ~10 seconds or pulling the wall plug (for desktops) can halt the infection’s progress and prevent potential spread by quarantining the affected device.
Step 2: Report
The reporting stage is necessary to A. start the remediation process, and B. notify other users on the network who may also be affected. The question is: to whom do you report the breach, and how?
Ideally, this should flow from your information security policy, and moreover, should have been covered in staff training. In general, it’s best to report the incident to company management and then your I.T. resources.
Notifying company management first will establish that the employee sees cybersecurity as a priority and is trying to mitigate damage (rather than trying to save face). Said management can then notify related staff to prevent infection spread, then bring in IT resources to take charge of the situation.
Step 3: Release the I.T. guy
Once the breach has been detected and reported within the company process, it’s time to hand the issue over to professionals who can remove infection. When bringing your IT department into the situation, make sure to give them a detailed synopsis of what happened and what is currently affected. For example, forwarding the malicious email that duped you with the word “HELP!” isn’t going to be as helpful to the IT team as calling them and telling them what happened (and how).
A good IT pro will methodically move through a sequence of phases to remove infection, mitigate spread, and repair systems. This process will likely include:
- Investigation: find out what the breach is, the damage, and what systems/users are affected
- Isolation: quarantine the infected accounts and/or devices in order to prevent spread through the network
- Removal: restore normal operations to the affected areas e.g. reset passwords, remove malware, wipe system and install backup image
- Analysis: find out the specific attack-type, where it came in, where it originated from, and how it succeeded
- Fortification: (where necessary) update cyber security systems and policies to account for the recent breach methods
- Education: provide company management with a report on what occurred, how it occurred, and how policies/training can be improved to mitigate future risk
Education is a key piece here, as there are always lessons to be learned from breaches. Make sure to get a thorough debriefing from your IT resources after a breach so these lessons can be turned into daily practices and policies. Fool me once…
Step 4 (?): External reporting
Depending on 1. the extent of the damage, 2. the attacker and attack variant, and 3. the external parties affected by the breach, you may want to (or must) report the breach to external parties. These parties could be law enforcement, or customers and vendors.
Why law enforcement – I have personally been in the audience for two separate presentations by FBI agents in the Cyber Division. Both gentlemen echoed the same sentiment: they can’t catch cybercriminals if no one reports the crimes. If your organization falls prey to a unique or significant breach, the FBI provides a resource for you to submit a complaint and potentially open an investigation: FBI IC3
Why customers/vendors – Two possible reasons: a legal requirement or an ethical imperative. There are many factors which could determine a need to report the breach externally, but if it is found that your customers and vendors were compromised as a result of the breach, it must be evaluated.
Please note it is best to discuss these items as part of your cyber-attack response planning and to review the legal and ethical considerations. In general, too few organizations report breaches, thus perpetuating the cybercrime empire.
What about the damage already done?
That’s where disaster recovery comes into play. Unfortunately, the majority of small businesses have no written disaster recovery plan, which often results in irrevocable damages. Since disaster recovery is not directly a part of cybersecurity, we’ll cover this topic in-depth through a different article.
A final consideration related to damages incurred from a breach is cyber insurance.
Have a plan, minimize damage
In personal self-defense, many training experts educate individuals to develop a plan, skills, and attitude for protection of themselves and their families. The same applies to organizations amid a multi-billion-dollar digital threat. Have a cyber-attack response plan for how employees are to detect and report breaches. Have a no-nonsense attitude about cybercrime, where cybercrime is taken seriously and accounted for in daily work-practices. Finally, develop the skills to identify breaches and mitigate spread before engaging IT professionals.
When responding to a breach, there are two main goals: 1. minimize the time from breach to response, and 2. minimize the systems and data affected. With the right plan, skills, and attitude, your organization will be equipped to do just that.