It is well established that cyberattacks place a heavy financial burden on organizations. Cybersecurity Ventures predicts that global cybercrime costs will reach $10.5 trillion annually by 2025, up from $3 trillion in 2015. Organizations that have response procedures in place before an attack hits recover faster, absorb the immediate damage more readily, and come out of each incident with new lessons and capabilities.
To avoid duplicating tasks, the entire set of 'processes' involved in cybersecurity can be consolidated under a single concept: governance, risk management, and compliance (GRC). As the name suggests, GRC comprises three components:
Governance: The definition and enforcement of processes that ensure IT resources within an organization are used efficiently and securely. IT policies that collect the practices employees are required to follow are one example.
Risk management: The protocols implemented to mitigate an organization's perceived and existing risks. Notable examples include business continuity, incident response, and disaster recovery plans, which exist to safeguard critical assets during a crisis and to rebuild them afterwards.
Compliance: The measures a company keeps in place to ensure it meets the regulatory standards that apply to its sector. Each sector and region has its own IT compliance standards, and adherence is necessary to avoid fines and loss of reputation.
After a cyberattack, an organization's immediate response falls into two categories:
Internal: Communication between the teams and stakeholders within the organization about the attack, and the drafting of a response plan. Internal measures primarily involve investigating the incident and raising vigilance across the organization.
External: Communicating with the organization's customers, and reporting the attack and the measures taken to the relevant regulator. External responses also involve coordinating with customers to establish the indicators of compromise (IoCs) relating to the incident.
In the aftermath of a cyberattack, companies rely on their incident response plan to give security teams and other stakeholders an actionable procedure for mitigating the ongoing attack and preventing a recurrence. Incident response plans are also required by compliance standards such as the European Union's General Data Protection Regulation (GDPR), the PCI Data Security Standard (PCI DSS), the Health Insurance Portability and Accountability Act (HIPAA), and the Federal Information Security Management Act (FISMA), to name a few.
According to SANS, the incident response lifecycle consists of six steps:
Preparation: The preliminary steps taken before any attack occurs, such as documenting organizational IT policies or reviewing and revamping existing ones. During preparation, organizations also decide the point of contact (PoC) for each procedure in the incident response plan and assemble a computer security incident response team (CSIRT), which consists of:
Identification: The second phase is to determine whether the network has been, or still is, under attack. If so, this stage also involves identifying the assets affected and gauging the scope of the attack.
Containment: Cyberattacks can have a prolonged impact on an organization; advanced persistent threats (APTs) are a prime example. Containment is performed to stop data exfiltration and to prevent the attacker from moving laterally within the network. Some of the most common containment steps include:
Eradication: During this stage, the CSIRT investigates the root cause of the attack and removes the attacker's presence from the organizational network. Security teams must also reduce the chance of recurrence, for example by patching the vulnerable and outdated systems the attacker exploited.
Recovery: After eradication, the major task is getting the infrastructure back on track by restoring or rebuilding the assets affected during the attack. Cyber insurance has made recovery more predictable financially: it covers the liability costs a company incurs during a data breach, and policies often help with additional procedures such as:
Lessons learned: Also known as the internal review, the final step is for the CSIRT to document and present a comprehensive study of the incident and the mitigation strategy that followed. Such reviews help the organization avoid the same operational pitfalls in the future while improving transparency within the organization.
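The Identification step above (and the IoC exchange with customers mentioned under external response) is the one part of the lifecycle that routinely reduces to code: take the indicators you have been given, run them over the logs you hold, and produce the list of affected assets and the earliest time each one was touched, which is the scope that Containment then acts on. The following is an added example, not code from the original article or from SANS. The log lines, host names, IP addresses, file hash and the compromised account name are all constructed for illustration and are not real indicators; the key=value log format is also an assumption.

```python
import re

# Constructed sample log lines (not from the original article): proxy, auth and
# EDR events in a syslog-like "timestamp source k=v k=v ..." layout. All hosts,
# addresses and hashes are fictional.
SAMPLE_LOGS = """\
2024-03-01T09:12:01Z proxy01 host=ws-117 dst=203.0.113.45 url=http://203.0.113.45/update.bin status=200
2024-03-01T09:12:05Z proxy01 host=ws-117 dst=198.51.100.7 url=https://198.51.100.7/beacon status=200
2024-03-01T09:13:44Z auth01 host=fs-02 user=svc_backup src=10.20.30.117 result=success
2024-03-01T09:15:02Z proxy01 host=ws-042 dst=93.184.216.34 url=https://example.com/ status=200
2024-03-01T09:16:30Z edr01 host=fs-02 sha256=9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08 path=C:\\Windows\\Temp\\svchost.exe
2024-03-01T09:20:10Z auth01 host=db-01 user=svc_backup src=10.20.30.117 result=success
"""

# Hypothetical indicators of compromise, as a customer or threat-intel feed
# might share them. Placeholder values only.
IOCS = {
    "ip": {"203.0.113.45", "198.51.100.7"},          # known C2 addresses
    "sha256": {"9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08"},
    "user": {"svc_backup"},                           # account believed compromised
}

KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_line(line):
    """Split 'timestamp source k=v ...' into a dict; None for malformed lines."""
    parts = line.split(maxsplit=2)
    if len(parts) < 3:
        return None
    ts, source, rest = parts
    fields = dict(KV_RE.findall(rest))
    fields["_ts"] = ts
    fields["_source"] = source
    return fields


def match_iocs(fields, iocs=IOCS):
    """Return [(ioc_type, value), ...] for every indicator present in one event."""
    hits = []
    for key in ("dst", "src"):
        v = fields.get(key)
        if v is not None and v in iocs["ip"]:
            hits.append(("ip", v))
    h = fields.get("sha256")
    if h is not None and h.lower() in iocs["sha256"]:
        hits.append(("sha256", h.lower()))
    u = fields.get("user")
    if u is not None and u in iocs["user"]:
        hits.append(("user", u))
    return hits


def scope_incident(log_text, iocs=IOCS):
    """Identify affected hosts, the indicators seen on each, and first contact time.

    Returns {host: {"first_seen": ts, "indicators": ["type:value", ...]}}.
    Events with no IoC match and malformed lines contribute nothing.
    """
    affected = {}
    for raw in log_text.splitlines():
        fields = parse_line(raw)
        if not fields:
            continue
        hits = match_iocs(fields, iocs)
        if not hits:
            continue
        host = fields.get("host", "unknown")
        entry = affected.setdefault(host, {"first_seen": fields["_ts"], "indicators": set()})
        # ISO-8601 UTC timestamps sort lexically, so min() gives the earliest.
        entry["first_seen"] = min(entry["first_seen"], fields["_ts"])
        entry["indicators"].update(f"{t}:{v}" for t, v in hits)
    return {h: {"first_seen": e["first_seen"], "indicators": sorted(e["indicators"])}
            for h, e in affected.items()}


def containment_targets(scope):
    """Hosts to isolate, ordered by first contact, and C2 addresses to block at egress."""
    hosts = sorted(scope, key=lambda h: scope[h]["first_seen"])
    ips = sorted({i.split(":", 1)[1] for e in scope.values()
                  for i in e["indicators"] if i.startswith("ip:")})
    return hosts, ips


if __name__ == "__main__":
    scope = scope_incident(SAMPLE_LOGS)
    for host, entry in sorted(scope.items(), key=lambda kv: kv[1]["first_seen"]):
        print(host, entry["first_seen"], entry["indicators"])
    print("isolate:", containment_targets(scope)[0], "block:", containment_targets(scope)[1])
```

Note what the scope does and does not show: ws-042 talked only to a benign address and stays out of scope, while db-01 never touched a C2 address at all and is caught solely through the compromised account, which is exactly the lateral movement that Containment has to cut off. The reuse of an account indicator across the auth log is what turns a single infected workstation into a three-host incident.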
With incident response teams covering both the internal and external aspects of an organization's remedial operations, these protocols are not just about recovering digital assets; they are also about regaining the trust of stakeholders through reassurance and efficient communication.