Businesses and organizations operating in today's connected world face a range of dangerous new threats from cyber criminals. To keep pace with digital transformation, organizations must offer their customers convenience: taking payments online, storing customer data and records in information systems, and adopting connected technologies. Each of these expands the attack surface, creating security gaps that expose the organization to cyberattack.
Over 80% of small and midsized organizations reported suffering at least one cyberattack in the last 12 months, with an average cost of nearly $1 million to restore servers, databases, other systems and data and return to normal business operation after a successful attack. The consequences are staggering: according to the National Cyber Security Alliance, 60% of small companies that suffer a cyberattack are out of business within six months. With costs this high, organizations must be prepared to detect and respond to attackers if they are to limit the damage and the cost of recovery.
— Hitachi Sys Security (@HitachiSysSec) August 22, 2017
The FBI recently reported that over 4,000 ransomware attacks take place each day. Given that volume, and the sophistication of the malware involved, it is a near certainty that every business will face an advanced attack at some point. Most organizations, however, are woefully unprepared. Only 38% of organizations surveyed for ISACA's recent "Global Cybersecurity Status Report" believed they were prepared for a sophisticated cyberattack, and according to the Ponemon Institute, only 25% of the IT security personnel polled believe their organizations have the ability to thwart one.

The current landscape poses enormous hazards for businesses: attackers are often able to spend months inside an organization's systems before their activities are detected. During this "dwell time," attackers escalate privileges, spread across networks and systems, and exfiltrate sensitive data such as trade secrets or customer and employee information. The ability to detect and respond to such an attack is critical to limiting the damage. Ponemon attributes much of the damage suffered in attacks to the time the malware spent on the network or in corporate systems: organizations that stopped attacks in under 100 days were far less likely to suffer extensive loss than those that let the malware sit on their systems for over 100 days. A simple lack of adequate people, processes, and technologies to respond effectively lets attackers stay on an organization's systems much longer, and the impact and cost of the incident grow sharply with every additional day.
Many organizations today do not invest in the right people, processes, and technology to respond appropriately to cyberattacks. Likewise, few organizations have a dedicated or assigned incident response team (or individual) with the technical skills and training needed to make effective decisions and act quickly during an attack. The incident response skillset is unique, blending forensic investigation with a technical understanding of networks, systems, and, most importantly, the processes that protect the organization's high-value assets.
Hiring and retaining a dedicated team of responders is both difficult and expensive, and maintaining an effective response capability requires training, practice, and extensive preparation so that everything works as intended during an attack. The right processes are equally critical. Organizations need a proven, best-practice plan in place so that they know what to do, how to do it, and when to do it while an attack is under way.
Finally, technology plays an increasingly important role in enabling an effective response. Responders need to know their data and network topology, know where their Internet connections (egress points) are, and have ready access to the appropriate logs. An effective response tool then lets responders establish where and when events happened, across all of those log sources, in order to analyze and understand the attack.
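The "where and when" work above, and the dwell-time figure discussed earlier, come down to reconstructing one ordered timeline from several log sources. The following is an added example written for this page, not code from the original article or from any vendor tool. It assumes three constructed log formats (an auth log, a DNS log and an EDR alert log, each with invented field names), merges them into a single timeline, measures dwell time from the first sign of compromise to the first alert, and lists the hosts the attacker touched in between.

```python
"""Cross-source incident timeline and dwell-time calculation (added example).

Assumptions (not from the original article): three constructed log formats,
'ISO-ts key=value ...' for the auth and EDR logs and
'YYYY-mm-dd HH:MM:SS host query name type' for the DNS log.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Callable, Iterable

# Constructed sample lines for illustration; these are not real logs.
AUTH_LOG = """\
2017-05-03T08:12:41Z host=ws-17 user=jdoe event=logon result=success src=10.0.5.22
2017-05-03T08:13:05Z host=ws-17 user=jdoe event=process name=winword.exe
2017-05-03T08:13:09Z host=ws-17 user=jdoe event=process name=powershell.exe parent=winword.exe
2017-05-21T02:17:33Z host=fs-01 user=jdoe event=logon result=success src=10.0.5.22
"""
DNS_LOG = """\
2017-05-03 08:13:12 ws-17 query updates.example-cdn.invalid A
2017-05-10 23:40:01 ws-17 query updates.example-cdn.invalid A
"""
EDR_LOG = """\
2017-08-02T14:02:10Z host=fs-01 event=alert rule=credential-dumping severity=high
"""


@dataclass(frozen=True, order=True)
class Event:
    ts: datetime      # sorted on first, so the timeline is chronological
    source: str
    host: str
    detail: str


def _utc(value: str, fmt: str) -> datetime:
    """Parse a naive timestamp and pin it to UTC so sources compare correctly."""
    return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)


def parse_kv_log(text: str, source: str) -> list[Event]:
    """Parse 'ISO-ts key=value ...' lines (the assumed auth/EDR format)."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts_str, _, rest = line.partition(" ")
        fields = dict(re.findall(r"(\w+)=(\S+)", rest))
        events.append(Event(_utc(ts_str, "%Y-%m-%dT%H:%M:%SZ"), source,
                            fields.get("host", "?"), rest))
    return events


def parse_dns_log(text: str) -> list[Event]:
    """Parse 'YYYY-mm-dd HH:MM:SS host query name type' lines (assumed format)."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        date, clock, host, _, name, qtype = line.split()
        events.append(Event(_utc(f"{date} {clock}", "%Y-%m-%d %H:%M:%S"), "dns",
                            host, f"query {name} {qtype}"))
    return events


def build_timeline(*sources: Iterable[Event]) -> list[Event]:
    """Merge events from every source into one chronologically ordered list."""
    return sorted(event for source in sources for event in source)


def dwell_time(timeline: list[Event],
               is_first_sign: Callable[[Event], bool],
               is_detection: Callable[[Event], bool]) -> timedelta | None:
    """Time from the earliest event matching is_first_sign to the first detection."""
    first = next((e for e in timeline if is_first_sign(e)), None)
    detected = next((e for e in timeline if is_detection(e)), None)
    if first is None or detected is None:
        return None   # nothing to measure: no compromise indicator or no alert
    return detected.ts - first.ts


def hosts_after(timeline: list[Event], start: datetime) -> list[str]:
    """Hosts with any activity at or after `start`: the attacker's footprint."""
    return sorted({e.host for e in timeline if e.ts >= start})


# Office spawning PowerShell is the first sign; the EDR alert is the detection.
TIMELINE = build_timeline(parse_kv_log(AUTH_LOG, "auth"), parse_dns_log(DNS_LOG),
                          parse_kv_log(EDR_LOG, "edr"))
FIRST_SIGN = lambda e: "powershell.exe" in e.detail and "parent=winword.exe" in e.detail
DETECTION = lambda e: "event=alert" in e.detail
DWELL = dwell_time(TIMELINE, FIRST_SIGN, DETECTION)

if __name__ == "__main__":
    for e in TIMELINE:
        print(f"{e.ts:%Y-%m-%d %H:%M:%S} {e.source:<5} {e.host:<6} {e.detail}")
    print("dwell time:", DWELL)
```

Run as a script it prints the merged timeline and a dwell time of 91 days. The point of normalizing every source to UTC before sorting is that the DNS log here carries no zone marker; without that step a responder would place the beacon query out of order relative to the process event that caused it, and the "where and when" picture would be wrong.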
The vast majority of organizations do not invest in the right mix of people, processes, and technology necessary to respond to a cyberattack. Too many of them focus their budget on prevention and perimeter technology, such as firewalls and anti-virus, and on the SIEM deployments that collect their alerts, rather than on response, largely because such technology has improved so much over the past several years. The problem with technology aimed at keeping malware out of the network is that attackers routinely bypass it with phishing and other social engineering, which targets people rather than the controls. With limited budgets, finding the right balance between preventive and responsive capability is critical to managing risk effectively. Maintaining response capabilities (including cyber resilience and active cyber defense) is the only way to limit the damage when an attacker does get in. Organizations can start by improving training, planning, and technical capabilities.
So how, concretely, can organizations improve their response capabilities? Several simple steps make a big difference. Most cyber incidents begin with phishing or drive-by downloads and can be traced to an employee doing something they should not, such as opening a malicious e-mail attachment from an unknown sender.
As a first line of defense, security awareness training that covers social engineering and IT security fundamentals not only prevents a majority of incidents but also strengthens response. Employees trained to report suspicious activity can alert responders to an attack in progress, triggering response procedures and reducing the attacker's dwell time on the organization's systems.
Another effective training element is an incident response exercise, or "tabletop" exercise. A simulated attack is used to test and rehearse the organization's response procedures, involving not only incident responders and security personnel but also IT and business participants, so that the communications and "swim lanes" between departments are documented and practiced.
Another way to improve response capability immediately is to create an incident response (IR) plan. An IR plan documents the actions and procedures to follow once an attack is detected. Organizations are well served by having a plan prepared and approved by executive management in advance, so that they do not have to work out, while under attack, whom to contact, what to do, and which actions are authorized. Agreed-upon actions make response faster and remove uncertainty about responsibility and next steps.
Notably, in Ponemon's 2016 survey of 2,400 security and IT professionals, 75% of respondents said they did not have a formal Cyber Security Incident Response Plan (CSIRP) that could be applied consistently across their organization. What about your organization?
Writing such a plan, then communicating it and drilling on it, is an effective first step toward building a strong incident response program.
With attacks occurring constantly and new attack techniques and advanced malware being generated daily, it is more important than ever for organizations to be prepared to respond to cyberattacks. With the right investments in people, processes, and technology, organizations can effectively respond to intrusions and minimize the financial losses that come with an attack.