Cyber incidents: Tips for the right response
Companies and organizations are under enormous pressure when a cyber attack occurs, because responding properly to cyber incidents is time-consuming, but at the same time requires quick action. Four points are particularly important.
According to media reports, another cyber attack was recently launched against a well-known Swiss SME: the blinds manufacturer Griesser was hit with ransomware and has accordingly pulled out all the stops to limit the damage. According to the company, an IT task force and a crisis team are working to restore the systems so that it can gradually return to normal operations.
Cyber incidents can now happen anywhere
Cyber incidents can affect any company. The dangers are now lurking everywhere, and cyber criminals are becoming ever more perfidious in their methods. And then, all of a sudden, one click too many and disaster takes its course. What do you do then? Incident response experts from IT security service provider Sophos have developed a guide to help companies cope with this difficult task. The following four tips are based on the practical experience of the Managed Threat Response and Rapid Response teams, who together have responded to thousands of cyber security incidents.
Tip 1: React as quickly as possible
When companies are under attack, every second counts. However, in-house security teams often take too long to respond. The most common reason is that they do not recognize the seriousness and urgency of the situation in time. In addition, many cyber incidents happen on holidays, weekends and at night. Since most IT and security teams are significantly understaffed, the response to an attack at these times often comes too late to contain its impact.
Alert fatigue also slows the response. And even when teams respond correctly and promptly, they often lack the experience to take the right steps. Potential incidents and the response to them should therefore be planned in detail in advance. Sophos has listed the ten most important steps of such a cyber crisis plan in its Incident Response Guide at https://secure2.sophos.com/en-us/security-news-trends/whitepapers/gated-wp/incident-response-guide.aspx.
Tip 2: Do not declare "mission accomplished" prematurely
In the case of a cyber incident, it is not enough to simply treat the symptoms; it is also necessary to get to the bottom of the causes. For example, successfully removing a piece of malware and clearing an alert does not mean that the attacker has been driven out of the environment. The detected activity could simply be a test run by the attacker to determine what defenses they are facing. If the attacker still has access to the infrastructure, they will likely strike again, but with greater destructive power. Does the attacker still have a foothold inside the perimeter? Are they planning to launch a second wave? Experienced incident responders know when and where to dig deeper. They look for anything the attackers are doing, have done, or may be planning to do on the network and neutralize those activities as well.
Tip 3: Complete visibility is crucial
In the event of an attack, it is important to have access to correct, high-quality data. Only this information makes it possible to accurately identify potential indicators of an attack and determine the root cause. Specialized teams collect relevant data to detect the signals and they know how to prioritize them. In doing so, they consider the following points:
- Collect signals: Limited visibility of an environment is a sure way to miss attacks. Big data tools offer a remedy. These collect enough data to provide meaningful insights for investigating and responding to attacks. Gathering the right, high-quality data from a variety of sources ensures complete insight into an attacker's tools, tactics and procedures.
- Reduce background noise: For fear of not having the data to provide a complete picture of an attack, some companies and security tools collect all available information indiscriminately. However, this approach makes it harder to find the attacks and generates more data than is necessary. Not only does this increase the cost of data collection and storage, but it also creates a high background noise of potential incidents that leads to alert fatigue and wasted time chasing false positives.
- Apply context: To run an effective incident response program, context is needed in addition to content (data). By applying meaningful metadata associated with signals, security analysts can determine whether those signals are malicious or benign. One of the most important components of effective threat detection and response is prioritizing signals. The best way to identify the most important alerts is through a combination of context provided by security tools (e.g., endpoint detection and response solutions), artificial intelligence, threat intelligence and the human operator's knowledge base. Context helps identify the origin of a signal, the current stage of the attack, related events, and the potential impact on the organization.
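The three points above (collect signals, reduce background noise, apply context to prioritize) can be shown end to end in a small triage routine. The following script is an added example written for this article; it is not Sophos code and does not reflect any particular product. The signal schema, the asset inventory, the threat-intelligence list (an address from the TEST-NET-3 documentation range), the benign-suppression rule and the scoring weights are all constructed assumptions chosen to make the mechanics visible. It suppresses a known-benign recurring job, drops an exact duplicate, enriches each remaining signal with asset criticality, attack stage, threat-intel hits and related events on the same host or by the same user, and then ranks the signals by a context-derived score.

```python
"""Added example: noise reduction and context-based prioritization of security signals.

Illustrative code written for this article, not Sophos code. Every data source
below (signals, asset context, threat intel, stage map, weights) is constructed.
"""

# Constructed raw signals in the shape an EDR or SIEM might emit (assumed schema).
RAW_SIGNALS = [
    # Known nightly backup job: recurring and benign, will be suppressed.
    {"id": 1, "host": "backup01", "user": "svc_backup", "event": "scheduled_task",
     "detail": "nightly-backup", "dst_ip": None},
    # A macro-enabled document opened on a finance workstation, emitted twice by the sensor.
    {"id": 2, "host": "ws-finance-07", "user": "alice", "event": "office_macro",
     "detail": "invoice.docm", "dst_ip": None},
    {"id": 3, "host": "ws-finance-07", "user": "alice", "event": "office_macro",
     "detail": "invoice.docm", "dst_ip": None},
    # Outbound connection from the same workstation to an address on the intel list.
    {"id": 4, "host": "ws-finance-07", "user": "alice", "event": "network_connect",
     "detail": "tcp/443", "dst_ip": "203.0.113.10"},
    # Credential-access detection on a domain controller, same user account.
    {"id": 5, "host": "dc01", "user": "alice", "event": "credential_access",
     "detail": "read of authentication process memory", "dst_ip": None},
    # Ordinary browsing from a guest device.
    {"id": 6, "host": "guest-laptop", "user": "guest", "event": "network_connect",
     "detail": "tcp/443", "dst_ip": "198.51.100.5"},
]

# Constructed context sources. Criticality 1 (low) to 3 (high).
ASSET_CONTEXT = {
    "dc01": {"criticality": 3, "role": "domain controller"},
    "backup01": {"criticality": 2, "role": "backup server"},
    "ws-finance-07": {"criticality": 2, "role": "finance workstation"},
    "guest-laptop": {"criticality": 1, "role": "guest device"},
}
THREAT_INTEL_IPS = {"203.0.113.10"}  # constructed indicator, documentation address range
# Event type -> (attack stage label, stage weight); later stages weigh more.
STAGE = {
    "office_macro": ("initial access", 1),
    "scheduled_task": ("persistence", 2),
    "network_connect": ("command and control", 2),
    "credential_access": ("credential access", 3),
}
# Suppression rule for a documented, expected activity: (host, user, event, detail).
KNOWN_BENIGN = {("backup01", "svc_backup", "scheduled_task", "nightly-backup")}


def reduce_noise(signals):
    """Drop suppressed-benign signals and exact duplicates. Returns (kept, dropped_count)."""
    seen, kept, dropped = set(), [], 0
    for s in signals:
        benign_key = (s["host"], s["user"], s["event"], s["detail"])
        dedup_key = benign_key + (s["dst_ip"],)
        if benign_key in KNOWN_BENIGN or dedup_key in seen:
            dropped += 1
            continue
        seen.add(dedup_key)
        kept.append(s)
    return kept, dropped


def enrich(signal, kept):
    """Attach context: asset role/criticality, attack stage, intel hit, related events."""
    asset = ASSET_CONTEXT.get(signal["host"], {"criticality": 1, "role": "unknown"})
    stage_name, stage_weight = STAGE.get(signal["event"], ("unknown", 1))
    related = sum(1 for o in kept if o["host"] == signal["host"] and o["id"] != signal["id"])
    hosts_for_user = {o["host"] for o in kept if o["user"] == signal["user"]}
    return {
        **signal,
        "role": asset["role"],
        "criticality": asset["criticality"],
        "stage": stage_name,
        "stage_weight": stage_weight,
        "intel_hit": signal["dst_ip"] in THREAT_INTEL_IPS,
        "related_on_host": related,
        "user_on_multiple_hosts": len(hosts_for_user) > 1,
    }


def score(e):
    """Weighted sum of the context fields (weights are constructed for the example)."""
    s = 2 * e["criticality"] + 2 * e["stage_weight"]
    s += 4 if e["intel_hit"] else 0
    s += min(e["related_on_host"], 3)          # other signals on the same host, capped
    s += 3 if e["user_on_multiple_hosts"] else 0  # same account active across hosts
    return s


def priority_label(value):
    """Map a score to the queue an analyst would work first."""
    if value >= 14:
        return "critical"
    if value >= 9:
        return "high"
    if value >= 5:
        return "medium"
    return "low"


def prioritize(signals):
    """Full pipeline: reduce noise, enrich, score, rank. Returns (ranked, dropped_count)."""
    kept, dropped = reduce_noise(signals)
    enriched = [enrich(s, kept) for s in kept]
    for e in enriched:
        e["score"] = score(e)
        e["priority"] = priority_label(e["score"])
    enriched.sort(key=lambda e: (-e["score"], e["id"]))
    return enriched, dropped


if __name__ == "__main__":
    ranked, dropped = prioritize(RAW_SIGNALS)
    print(f"suppressed or deduplicated: {dropped}")
    for e in ranked:
        print(f"[{e['priority']:8}] score={e['score']:2} id={e['id']} {e['host']} "
              f"({e['role']}) {e['stage']} intel_hit={e['intel_hit']}")
```

Run as-is, the known-bad outbound connection from the finance workstation lands at the top, the credential-access detection on the domain controller directly below it, because both the asset's criticality and the fact that the same account is active on two hosts feed the score; the guest device's browsing drops to the bottom without being discarded. In practice the weights and the suppression list are the parts that need tuning against the organization's own environment, which is exactly where the human operator's knowledge base enters.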
Tip 4: It's OK to ask for help
The lack of skilled resources to investigate and respond to incidents is one of the biggest issues facing the cybersecurity industry today. Under the high pressure of a cyber attack, many IT and security teams find themselves in situations for which they lack the experience and skills. This dilemma has given rise to an alternative: managed security services, and more specifically managed detection and response (MDR) services. MDR services are outsourced security operations delivered by a team of specialists as an extension of the organization's in-house security team. These services combine human-led investigations, real-time monitoring and incident response with intelligence gathering and analysis technologies.
For organizations that have not yet used an MDR service and need to respond to an active attack, specialized incident response services are a good option. Incident responders are called in when the security team is overwhelmed and outside experts are needed to assess the attack and ensure the attacker is neutralized. Companies that have a team of skilled security analysts can also benefit from working with an incident response service: for example, gaps in coverage (e.g., nights, weekends and holidays) can be closed, or specialized tasks needed in cyber incident response can be delegated.
Source: Sophos