After an attack: How to keep a bad situation from getting worse

Cybersecurity teams must understand what happened during a breach in order to prevent it from happening again.

It makes sense that information security professionals focus first on preventing a breach, or at least reducing the chances of one happening. But as hackers become more wily, sophisticated and pervasive, it’s just a question of when a hack will occur.

Jim Crook, senior product marketing manager for CTERA, a cloud storage and data protection company, points to FBI statistics: ransomware victims lost $209 million the first quarter of 2016 alone -- nearly tenfold the losses of $24 million for all of 2015. “It is a global epidemic that every organization has either already faced or will almost certainly face as the pace of cyberattacks increases on a daily basis,” Crook said.

With that in mind, government InfoSec professionals must carefully consider their approach for what comes next: what to do after the inevitable hack is discovered.

Cynthia James, general manager of KGSS, the exclusive provider of Kaspersky Lab’s real-time cyberthreat intelligence to the U.S. government, said that as soon as the breach is detected, “it’s important to first resolve the problem, which means identifying the source of the data leak and how it can be better protected. InfoSec teams have to be able to understand what happened during a breach in order to prevent it from happening again.”

If the breach was a result of ransomware, James said it’s important to not pay the cybercriminals the ransom money they are demanding. “While some threat actors will try to convince you that you can buy your way out of this problem -- paying a ransom to get back your data -- too often, the hijacked digital materials come back compromised or damaged,” she said. “Sometimes they don’t come back, even once the ransom is paid.”

To protect against damage from such attacks, “government agencies should have a strong incident response plan at the ready once a hack does occur and implement it as soon as confirmation of a breach is received. This plan usually entails actions from various departments, including IT, government officials, legal, communications and other departments within a government agency,” James said.

“Sadly, most groups are never prepared for the first incident,” which can take some time to detect, said Richard Henderson, global security strategist for Absolute, a Canadian endpoint security firm. “In both private and public organizations, the first major breach may have persisted for a lot longer than was first thought,” he said. In some cases, it’s a third party that picks up on signs of a breach and notifies managers of the hosting environment. “That’s embarrassing on many levels.”

This issue is not exclusive to government agencies with limited budgets and short-staffed teams, Henderson maintains. Indeed, plenty of corporations have “fallen victim to similar undetected breaches. This is why it’s absolutely essential to be prepared now and have all your pieces in place before the unspeakable happens.” Henderson suggests that “red teaming” -- where internal teams test security and vulnerabilities -- can be a great way to find the holes and cracks in an agency’s defense that may not have been caught by standard security reviews.

Forewarned is forearmed

While they are often seen as being at a disadvantage compared to their private-sector peers, government InfoSec professionals may actually have a leg up in handling the breach post-mortem, according to Joshua Douglas, chief strategy officer at Raytheon Foreground Security, a security services and training firm that works with the public and private sectors. Government agencies and defense contractors often conduct more thorough analyses than commercial companies after a hack, Douglas said. “They are really getting a better understanding of what has been lost. The [Department of Defense] space especially is becoming an influencer of commercial companies.”

Indeed, CTERA’s Crook points to the Texas Department of State Health Services as a “prime example of a hack that occurred and was successfully defeated.” While the state DSHS was using state-of-the-art firewall software to minimize the threat of malware breach, a user unfortunately downloaded a virus that was too new to be caught by the agency’s enterprise virus scanning software, Crook explains, causing tens of thousands of files on a hospital’s file server to be encrypted by ransomware. DSHS quickly caught the issue, however, and managed to roll back its files to a healthy state before its users even noticed, he said. “With a small data protection interval, DSHS fortunately lost zero files,” Crook said. “While backup will always play a huge role as a ransomware countermeasure, securing your perimeter and better educating your employees on breaches are also crucial steps to avoid paying ransom.”

Casey Ellis, CEO and founder of Bugcrowd, a crowdsourced testing platform for enterprise security, concurs. “Breach response should begin before a breach ever takes place… The worst incident response plan is no incident response plan, and any organization’s first step should be to create one,” he said. And much like the iconic advice from the Hitchhiker’s Guide to the Galaxy, Ellis also warns agency InfoSec professionals: “Don’t panic.”

“Assessing the situation calmly will help ensure nothing gets missed during the next steps and avoids the silly mistakes that can happen under pressure,” Ellis said. Assess the damage next, and after that, “piece together events, weaknesses and the various pieces of evidence you’ve collected and try to determine what happened. This is a necessary step toward mitigating the damage and remediating against future threats,” Ellis counsels.

But trying to control your pest problem without getting rid of the pests is a flawed plan, according to Nir Polak, co-founder and CEO of the behavioral analytics services firm Exabeam. “After a hack, the focus should be first on completeness of remediation… in other words, fully kicking the hacker out of the network,” Polak said.

Complete remediation is harder than might be expected because organizations often do not know the full extent of the hacker’s reach, he said. For example, if the hacker gains access via malware that steals credentials on an employee’s laptop, he can then use those credentials to jump into the network and create new accounts. IT may see the malware, wipe the employee’s machine and think all is well, without realizing the contagion has spread, he added.
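The scoping problem Polak describes can be worked through against an audit trail. The following is an added example, not code from the article or from Exabeam: it takes a constructed set of audit events for a laptop where credential-stealing malware was detected, and follows the stolen credential (and every account it created) to the other hosts and accounts that a wipe of the laptop alone would leave untouched. The event schema, host names and user names are assumptions made for the illustration.

```python
from datetime import datetime, timedelta

# Constructed sample audit trail (not real data): timestamp, actor, action, target, host
AUDIT_LOG = [
    ("2016-02-20T10:00:00", "jdoe", "account_created", "intern_q1", "DC-01"),
    ("2016-03-01T08:02:00", "jdoe", "logon", "jdoe", "LAPTOP-17"),
    ("2016-03-01T09:15:00", "av-agent", "malware_detected", "credstealer.exe", "LAPTOP-17"),
    ("2016-03-01T09:40:00", "jdoe", "logon", "jdoe", "FILESRV-02"),
    ("2016-03-01T09:43:00", "jdoe", "account_created", "svc_backup2", "DC-01"),
    ("2016-03-02T22:10:00", "svc_backup2", "logon", "svc_backup2", "DC-01"),
    ("2016-03-02T22:12:00", "svc_backup2", "account_created", "helpdesk_tmp", "DC-01"),
]

def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%S")

def first_detection(log, host):
    """Earliest malware detection on the infected host, or None if there is none."""
    hits = [_ts(t) for t, _, action, _, h in log if action == "malware_detected" and h == host]
    return min(hits) if hits else None

def scope_compromise(log, stolen_user, infected_host, lookback=timedelta(hours=24)):
    """Expand the incident from one laptop to every credential and host it reached.

    The credential may have been stolen before the antivirus fired, so events from
    `lookback` before the first detection are included. Any account created by a
    compromised credential is itself treated as compromised, and the scan repeats
    until no new credentials turn up (the "contagion" the article warns about).
    """
    t0 = first_detection(log, infected_host)
    if t0 is None:
        raise ValueError(f"no malware detection recorded on {infected_host}")
    window = [e for e in log if _ts(e[0]) >= t0 - lookback]
    compromised = {stolen_user}
    hosts, created = set(), set()
    while True:
        new = set()
        for _, actor, action, target, host in window:
            if actor not in compromised:
                continue
            if action == "logon" and host != infected_host:
                hosts.add(host)          # lateral movement off the wiped laptop
            elif action == "account_created":
                created.add(target)      # persistence that survives the wipe
                if target not in compromised:
                    new.add(target)
        if not new:
            break
        compromised |= new
    return {"credentials": compromised, "hosts": hosts, "accounts_created": created}

if __name__ == "__main__":
    for key, value in scope_compromise(AUDIT_LOG, "jdoe", "LAPTOP-17").items():
        print(f"{key}: {sorted(value)}")
```

Every credential, host and account in the result needs its own remediation step (reset, re-image or disable) before the incident can be called closed; the pre-compromise `intern_q1` account is correctly left out unless the lookback window is widened.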

Andy Vallila, leader for Americas sales and marketing for One Identity, the security business under Quest Software, said that government InfoSec teams should also determine “the who, what, how and why of the incident. Without these details, they cannot stop or prevent future damage.” This level of detailed analysis, Vallila said, is impossible without an audit trail -- a capability many organizations are lacking when it comes to security -- to determine the root cause of a breach and establish appropriate next steps.

Focus on the future

After InfoSec teams effectively suck out the worst of the poison and determine the species of hacker “snake” by which they have been bitten, what comes next?

James of KGSS recommends that agencies designate a specific department to notify all employees and third parties who may be directly affected by the breach and make required disclosures to regulators.

Educating employees at every level should continue to be a priority. “All organizations must realize that technology alone won’t prevent a breach,” James said. “User education remains a critical and undervalued prevention method, as most cyberattacks stem from employees making careless or naive mistakes. Employees all too often click on malicious links that appear to be credible, and these phishing attacks are one of the easiest ways cybercriminals get into an organization’s network.”

Henderson recommends mapping out a crisis or disaster plan “that touches every critical function in the organization… Get everyone in a room and talk about what you’d do when a breach hits. After an incident talk about what you learned… and how your teams responded. What could they have done better? Use every incident as a learning experience and learn from it.”

Assessing who in the organization has access to privileged credentials is critical too. According to Nick Nikols, cybersecurity chief technology officer for CA Technologies, 80 percent of breaches involve privileged credentials. “An agency may identify that privileged accounts must be protected and implement privileged access management software to protect accounts and use analytics to detect potential breach,” Nikols said.

After all is said and done -- the hacker booted, the system sealed off, checked, double-checked and restructured (if need be) and plans changed -- Ellis of Bugcrowd said, “then, and only then, should you try to figure out who did it.” However, Ellis cautions that rather than finding a culprit, government agencies should stay focused on the “real issue: how to prevent vulnerabilities. The most important thing to focus on is how to prevent future attacks,” he said. “You can’t control which burglar shows up at your house, but you can control whether or not you lock your door. You can’t control your threat actor, but you can control where you are vulnerable.”