The most important point in a cyberattack is before it happens
Let’s get the scary thing out of the way: more than half of businesses have dealt with a serious security breach in the last two years. The chances of one happening are so high that organizations need to plan for a breach. The good news, though, is there are straightforward ways of minimizing the impact before an attacker even so much as looks in the direction of your organization.
Before an incident happens, there is often both time and resource to prepare, allowing you to turn things that might be panicked fire drills into anticipated scenarios. For instance, you can gain insight into the most common threats in your industry and understand the way attackers might think and act during an incident from both past war stories and threat intelligence sources such as the MITRE ATT&CK framework.
Most importantly, attacks on your business all have one thing in common: your business. Your mastery of your own systems, processes, people, and culture is your secret weapon in every attack.
We call this incident readiness, a state of being – and striving to continually be – prepared for compromise so that business continuity is maintained throughout an attack. It is both the measurement of an organization’s current security posture and a set of actions they have put in place around responding to an incident.
Broadly speaking, incident readiness will likely mean you have developed or have access to these three qualities:
- Speed – You’re able to quickly to detect and respond to a compromise
- Visibility – Your team understands the scope and scale of your estate, collects the right logs and can provide the data trails you may need to perform forensic analysis
- Expertise – You’ve got the in-house or outsourced defensive skills to be able to isolate and contain an attacker, and the forensic skills to perform a post-mortem
Businesses that prioritize readiness are generally able to return to business-as-usual faster, even when faced with sophisticated attacks. This means that an investment in readiness generally pays for itself at the next compromise – and that’s pretty hard to beat as a return on investment (ROI).
What can you do to start building readiness?
It’s usually best to conduct a readiness assessment to benchmark your starting point and prioritize. An assessment should help you understand the scope of the improvements needed, and place them in a sensible order, aligned to your budget and your risk appetite. It will also help you show RoI and progress from long-term readiness activities.
Here are some examples of the activities that we often see following on from these assessments:
- Incident response plans and playbooks developed throughout the company for a full range of compromise scenarios
- “First responder” incident response training in place for staff
- Tabletop incident simulation exercises carried out on a regular basis for technical, business and C-suite stakeholders
- A full review of the central logging solution that collects and aggregates key logs, with an emphasis on logging strategy and policy for priority assets
- A review of high privilege accounts and their management
- Selection of an incident response retainer provider, to enable access to niche expertise in the event of an incident
We consistently see such activities have a direct impact on an organization’s ability to respond during a real incident.
Take the example of human-operated ransomware, which continues to grow in popularity with cybercriminals. Attackers launch a multi-stage attack that could start with a simple phishing email. Once they have access to your network, human operators take over and use whatever techniques they can to move laterally inside the organization’s systems, taking increasing control of the environment until they’re ready to trigger the ransomware to greatest effect.
Now, let’s look at how the readiness activities we’ve discussed would allow an organization to respond to this threat at various points. Firstly, a coherent readiness plan empowers you to understand where your strengths and weaknesses are before you are compromised. Detection is necessary to initiate any response and should be present in your mind when planning.
If you have detection gaps, your preparation for compromise should acknowledge it and, to the extent possible, help you to plan to mitigate it. The plan can emphasize preserving key data, allowing you to diminish the value of an attacker’s persistence. This proactively deters attackers by making your organization an unprofitable target.
Equally, ransomware incident playbooks are critical to correctly maneuvering during a ransomware attack. Any actions which alert the attacker to the fact they have been detected can trigger them to deploy their ransomware early, reducing your ability to contain them before it’s too late. Playbooks can guide you through the correct response, allowing for the attacker to be subtly contained before they are in a position to make their demands.
Seeing all the “unknowns” of a potential cyber incident should not prevent you from pursuing readiness. If cyberattacks are viewed as “business as usual,” then they are no longer the terrifying black swan events that so often litter our headlines – they are more identifiable and measurable risks that, with proper planning, your organization should feel calmly confident in tackling.
Start your path towards speed, visibility and expertise as early as possible to ensure your organization detects attackers early, maintains business continuity during a cyber incident and quickly recovers any losses in the aftermath.