What you do in the first 24 hours of a cyber attack could make or break your business.
A cyber attack is inevitable for just about every organization. The preparations you make for incidents hold the key to ensuring a dramatic event doesn’t become a crisis. Without effective planning, you’ll simply end up playing “whack-a-mole”, says Matt Lawrence, F-Secure’s director of detection and response.
“Speed, visibility and expertise are critical,” he told security professionals during Preparing for the First 24 Hours of a Cyber Attack, a webinar hosted by F-Secure and Mishcon de Reya’s Cyber Intelligence Director, Mark Tibbs.
And the potential consequences of inadequate planning are growing in severity. The biggest worry for many is the increasing prevalence and sophistication of ransomware. A poll of webinar attendees found that 50% expected ransomware threats to be their primary security concern this year.
Lawrence noted that the fastest-growing type of ransomware is human-operated, where hackers launch a multi-stage, targeted attack. That typically starts with a commodity phishing campaign to gain entry to your network, at which point human operators take over and use whatever techniques they can to move laterally inside your systems, taking control of ever more of the environment until they are ready to trigger the ransomware to greatest effect.
Other severe threats are also beginning to loom large. Lawrence said the recent SolarWinds attack had woken many organizations up to the problem of supply chain attacks, for example.
But however hackers get in, you need to be able to throw them out fast. “When an attacker is inside your network and can move around your environment and potentially find your crown jewels, your ability to mitigate that is fundamental,” said Lawrence.
That means having a comprehensive plan of what you’re going to do when it happens to your organization, particularly in that critical first 24 hours after discovery. Nearly all (97%) of our poll respondents agreed.
But how do you go about drawing up and executing that plan?
First, you need to get the fundamentals right – for example, making sure all your logs are switched on and ensuring your IT administration is up to scratch. “Having shared admin passwords, for example, is a recipe for disaster. You’re effectively providing an all-you-can-eat buffet for attackers,” said Lawrence.
You also need to be technically prepared – in terms of having the tools, processes and expertise (whether internal or external) to give you effective threat detection and incident response capabilities.
But you must equally be culturally prepared. Webinar co-presenter Mark Tibbs, Cyber Intelligence Director at Mishcon de Reya LLP, said: “Practice! Don’t have plans gathering dust. You need to conduct regular tabletop exercises with all the stakeholders involved.”
Tibbs added that strong leadership is critical, and everyone should be in no doubt about who needs to be involved in responding to an incident, and when. As well as IT and security people, that might include legal teams, PR, outsourcing partners, data protection and compliance people, cyber-insurers and others, depending on the nature of the organization and the specific threats you face.
“Good preparation is about buying you time,” said Lawrence. “Incident response needs to become part of ‘business as usual’.”
To find out how, check out the full webinar replay, in which Lawrence and Tibbs cover the breadth of issues you need to consider if you want to get your business fighting fit to respond to attacks. They also discuss connected issues such as the role of cyber insurance and whether it ever makes sense to bow to an attacker’s ransom demands.