If you're reading this, chances are you’re actively trying to improve your security to prevent a breach, or you're experiencing a breach right now and trying to determine what to do about it.
Most of the advice you've found so far probably has you writing an incident response (IR) plan and then stashing it in a safe until the moment of the breach—which won't help much if you're in the middle of one, nor with detecting an indicator of compromise throughout its lengthy dwell time (before it leads to a breach).
There are several avenues that small to mid-sized enterprises can consider for dealing with cybersecurity incidents. In this post, I provide concrete paths (beyond the IR plan) to consider leading up to a breach, and the pros and cons associated with each of them. I also evaluate their applicability in a post-breach scenario. Note, these aren't all mutually exclusive, and are best implemented before you've been breached.
That said, we'll close with some high-level steps that can direct your efforts right away and make a significant, measurable impact on your security posture.
Spoiler alert, if you haven't yet invested in the people, processes, and technologies of a mature cybersecurity program, you will likely need external help from a provider to restore your operation (depending on the impact of the breach, and how prepared you are to restore to backups). More on that later.
"So," you may ask yourself, "what can I do today that would significantly aid my response to an incident?" For the purposes of this discussion, let's assume the worst: ransomware on all your machines. What can you do about this today to make sure if every single person in the company had ransomware on a Friday you could go home for the weekend and still come back to a job on Monday? Here are five paths you can consider for IR:
This is an easy-to-explain solution and leaves the liability and responsibility for tracking the event (and stopping it) to others. There’s no shortage of cybersecurity vendors claiming to offer "next-gen" sophisticated tools to detect and prevent breaches and infections from disrupting your network and business operations. Some of these indeed are highly effective, at least today, and can offer some immediate visibility (and stress relief) but they do have their own downsides. They can cost more money, need to be professionally implemented (and more importantly integrated with other tools), are expensive to maintain, and require training for proper operations. It can't be done quickly, and may not solve the problem in every case, without adding other layers (see our post on SOC creep).
Restoring from a backup when infected might solve your problem (at least temporarily), but it's an expensive solution to maintain both technically and operationally. Purchasing a data backup system also requires significant investment in adjusting processes and training of IT (and other) staff to maintain vigilance when backing up. Further, even with backups you're likely to lose at least some of your most recent data. You'll also experience significant downtime during the restore, and it doesn't actually stop the underlying ransomware attack. What if your systems get infected again right after the restore? How many times do you want to reinstall? What if your backups themselves were infected? Now you are pushing the infection across your network again.
This solution has the virtue of being easy to implement if the plan is already in place. Back to the 1970s, everyone! But like some of these other options, this can be an expensive solution (particularly in extra labour costs), and your systems may not actually recover without some other strategy or intervention. Pen and paper will work temporarily, but how long can your users go without email? Payroll system? Although this may help you maintain some form of (rudimentary) business operations, it hasn’t solved the underlying issue, has not cleaned the current infection. Your systems will have to be turned back online eventually. How will you know they are clean? Do you have any backup? What will you tell employees, customers, and partners?
This entails running comprehensive internal/external vulnerability scans and then painstakingly patching all effected machines. This is a proactive strategy and one that your auditors might like! But this is a play that can't be done quickly. The costs associated with patching should be measured in time, effort, and potential disruptions as patches are applied. Moreover, this won’t help with current/active infection. Such a strategy is challenging to implement on legacy systems, and you can't guarantee that it will block all avenues of attack. You’ll also need to balance the time between the release, and establishing whether it is stable Finally, this approach typically addresses many of the network level vulnerabilities (i.e servers, storage, tools) but it often leads end-user machines still susceptible to attack and infection from phishing, drive-by downloads, and malicious emails.
This has the advantage of being cost-effective and an option that can be implemented relatively quickly. It entails the creation of rules/policies to prevent users from installing any non-approved software on their machines, the creation of ‘gold-standard’ for servers and network based tools, and scalable manner in which to introduce new machines to the network.
However, some drawbacks include the risk that legitimate applications that IT is unaware of may break, and it places the burden of maintenance on the back of IT. With the proliferation of ‘shadow IT’ where users implement some of their own tools for legitimate business functions, it is very difficult to ascertain what business processes may be affected. Further, many tools are cloud native and it is seemingly difficult for IT administrators to control who has access to what (cloud) system and what data sharing looks like. It can also have unforeseen consequences for in-house software, or other software with dependencies you weren’t aware of. Check out my post on SRP for more on this one.
As you can see, each path has its pros and cons, and there's not necessarily any one clear winning strategy. The answer invariably lies in a combination of strategies, coupled with more advanced detection and response capabilities.
If you're in the middle of an incident and need immediate assistance, remember the stages of the cybersecurity kill-chain: reconnaissance; weaponization; delivery; exploitation; installation; command and control; and actions on objectives.
Every common attack vector, from phishing to ransomware, will trigger activity on the cybersecurity kill-chain, and each link in the chain is an opportunity for you to stop the cyberattack in its tracks. My colleague has written about how the advantage has shifted back to defenders with MDR. In the past, an attacker had to be right just once to penetrate a network, while the (overworked, overwhelmed) IT Administrator had to be right at every level and layer in order to thwart attacks. Those tables have turned.
All that being said, I'm not trying to offer 20/20 hindsight. If you're going through an incident right now, you can consider paths like these once you've recovered. You have the immediate cybersecurity kill-chain steps that we offered for relief right now, but unfortunately these steps are complex and may be challenging for IT generalists to implement on their own.
If your people, processes, or technology to implement such contingencies are limited, consider engaging an incident response team like ActZero. The best time to engage us is before a breach; we can harden your systems and reduce your risk of getting breached. Or, if you have already been breached, we can get you back to an operational state, conduct an investigation to learn from the incident, and provide documentation to provide to your board, law enforcement, or insurance providers.
Reach out to us today and protect your business.