Incident Response: The aftermath of a digital incident
Keith Buzzard, Chief Technical Architect with Dr Meredith Patton, Director of Cyber Operations
In general, we try not to be too negative when it comes to the likelihood of an organisation, of any size, being hit by a cyber-attack, but for the sake of our clients, we also need to be realistic. We mentioned in a recent post that statistics indicate that it’s increasingly about when, not if, an organisation is targeted by cyber criminals. Threat actors are always updating their tactics and every day a new digital tool or exploit hits the market, so the attack surface—the sum of the different points where an unauthorised user can try to enter data into or extract data from an environment—gets just that little bit bigger.
We see a lot of content on how to prevent an attack, a very important element of any organisation’s approach to cyber security. We also see plenty of articles about what happens in ‘clean up’ mode: bringing in the Incident Responders and undertaking digital forensic investigations.
However, we don’t see much about what happens after all of that. In some ways, you could look at it as starting at the beginning of the cycle again by undertaking an analysis of what worked and what didn’t, to ensure any future threats won’t significantly impact your organisation. But we call it the strengthening and remediation phase. This is your organisation’s opportunity to learn from what happened and strengthen your defences.
Post incident review
‘Review and learn’ is basic common sense in almost all areas of working life. It’s what event managers do after an event, project managers do at the conclusion of a project and what any Board does regularly when looking at the performance of its company.
It becomes even more important when things go wrong. After a cyber incident, stepping back and properly reviewing what happened is an absolute must. This review should involve the key technical and non-technical stakeholders, so all perspectives and angles are covered, and you’ll want to come out of a review with answers to the following questions:
- What went wrong?
- Why did it go wrong?
- What was meant to stop it from going wrong, and why didn’t it work?
- What other controls should/could have prevented this?
- How has it been fixed and how has this solution been demonstrated to work?
- Is this a symptom of a wider problem?
I think it’s important to note here that, in order for the various business specialists to reach a conclusion, many of these questions will need an experienced Incident Responder to provide context to their activity.
Nothing is static. We say it a lot, but it’s especially true when it comes to digital risks. After an incident, there is likely to be a ‘new normal’, because if everything had worked, there probably wouldn’t have been an incident, or much of an impact, right?
When reviewing risks, it’s important to look at what matters to your business and what could impact it. While it’s not a cyber-attack, the recent OVH data centre incident probably caught a lot of people by surprise because they may not have considered their hosting provider literally crashing and burning as a risk. Websites all around the world went down after French data centres owned by OVH, the world’s third largest and Europe’s largest hosting provider, suffered a catastrophic fire.
If you run a business where your website is secondary to your operations (i.e. it serves solely as a promotional tool), then it’s not a major problem. But if your website is used for ecommerce or taking bookings—central to your operations—a back-up plan is vital. Especially when your hosting provider says, “we recommend activating your Disaster Recovery Plan”.
When reviewing your risks, we recommend being able to answer the following questions at a minimum:
- What are our key assets? Have they changed?
- How would our organisation be affected if we lost the ability to connect to our outsourced data centre or couldn’t get access to our production systems?
- What are we doing to protect our assets, and should we be doing more?
The ‘doing something’ question is often the trickiest to answer but there are a number of options for strengthening security after a cyber incident.
Review your security testing
Post-incident, reassessing your security testing is important. Do you test regularly? Conducting one penetration test will tell you about the vulnerabilities on your organisation’s networks and systems on the day the test was completed. An organisation with a strong security posture will have a security auditing/testing programme in place that delivers an ongoing assessment of network resilience. It will help align your organisation with the speed of technological changes and threat actors’ increasingly sophisticated approaches. Each report will be looked at individually to assess current problems but will also be given context by comparing it with other reports to discover trends and pre-empt problematic weak spots.
Even regular pen testing doesn’t make your organisation invulnerable of course, and if an incident occurs, it’s important to review your pen testing programme to understand whether it should have identified the vulnerabilities before they became a problem. Regularly reviewing your pen testing programme will help limit the impact of incidents.
How will you deal with your supply chain after an incident?
We’ve said it before: when it comes to Incident Response preparation, consideration must be given to your supply chain. This is a bi-directional relationship. Your suppliers are a risk to you, and you are a risk to them. Sharing information about your incident experiences, and mutually explaining your plans and intended response, allows each party to understand the risk presented by the other. For especially significant suppliers, you may wish to audit their security posture in order to have assurance that they don’t represent a weak link in your security chain.
Training and staff involvement
Human error can undermine the best technical security posture. How good is the basic level of cyber security hygiene in your organisation? Depending on the confidentiality of the data involved, it’s worth considering briefing your staff on the incident and why it occurred, especially if human error was a factor.
Strengthen your security posture
Since 2013, PGI’s Incident Response, Security Testing and Information Assurance teams have been helping organisations strengthen their security posture and prepare for the future. Talk to us about how our Cyber Security Maturity Model can help you understand how well your current security measures are working and what improvements you can make to limit the damage of a cyber-attack. We look at your business as a whole, including your risk profile and appetite, so we can help you prioritise security investments that are proportionate to your needs. No more, no less.
Contact us for an obligation free discussion via: firstname.lastname@example.org or +44 (0) 845 600 4403