Timing key in cyber incident response

When it comes to responding to a cyber security event, it’s all about timing. Responding as quickly as possible is key to minimising the fallout of a cyber attack. However, businesses still make several basic mistakes when these events occur.

“Failure to respond quickly can cost businesses millions of Rands, not only in lost business, but in lawsuits and loss of reputation,” says Simon Campbell-Young, MD of Credence Security.

He says one basic mistake businesses make is assuming that shutting down the power will solve the problem and lessen the risk of further damage or data loss. “It won’t. It might stop the cyber criminal’s activity at that moment, but it could endanger the business far more, as it could lose valuable business data, as well as forensic data that could be used to trace the attack.”

According to Campbell-Young, PCs log activity and information continually, and this means not only before and during, but following a security event too. “All of this information can be used to help the business pinpoint the actors behind the event, as well as the intent. This in turn will point to the nature of the attack and what it was after, and will show where and what containment is needed, and any other issues that need to be fixed. Furthermore, this data is vital to any successful arrest and prosecution following an event.”

He says not to underestimate the gravity of a security incident. “Even an event can be a good learning curve for a business. It presents an opportunity to see what went wrong, what worked and what didn’t, and which areas to focus security efforts on. This will help to improve not only the business’ security response, but its general posture too.”

So how should a business properly monitor its network to improve incident response? “There are forensics and monitoring solutions on the market that can give an organisation total visibility of the network, and help to identify genuine security incidents. It’s not always easy to tell a genuine incident that demands a response apart from other potential threats that might only be noise. This is why too many incidents today, particularly those involving APTs, take weeks or even months to be discovered. A good solution should be able to identify any anomalous activity and investigate it at once.”

In addition, Campbell-Young says all relevant incident data must be analysed. “In the majority of cases, those tasked with forensics investigation only have access to computer logs from firewalls and other perimeter solutions whose job is to keep attackers from outside the firewall out of the network. This doesn’t help in the case of internal or insider threats at all.”

He says a good solution will work for internal and external threats, and will enable the business to look for multiple strings within specific activities or across all recorded logs, and give the ability to analyse previous logs so anything possibly overlooked in prior events can be identified. Finally, monitoring technology should be able to tell the business what was compromised and when.

“This will help to identify the ‘who’ and ‘why’ to stop similar events happening in future. Proper forensics will be able to reveal if an incident was malicious, inadvertent, or merely careless, which will in turn help a company understand where to focus its security training efforts. Information provided by advanced monitoring tools can help an organisation respond as fast as possible to nearly every security event, and will help prevent future ones, which might have a devastating effect on the business,” Campbell-Young concludes.