With attacks against SolarWinds and Microsoft Exchange Server, it is clear that the volume, scale, and complexity of cyber threats show no indication of slowing. This also means organisations need to keep pace with the latest threats, threat actors, and best defences available when a virus or ransomware group decides to strike.
In this S-RM Insider podcast, we bring together three specialists in the field of cyber incident response, to explain how a typical cyber-attack unfolds, and the tools and tactics needed to optimise your cyber incident response plan. On the panel are:
Joseph Tarraf, Associate Director, S-RM’s Cyber Incident Response team
Magnus Josias, Co-Founder and COO of Krizo
Greg Foss, Senior Cyber Security Strategist, VMware Carbon Black
The panel discuss how a typical cyber incident unfolds and how to approach them from the start. Cyber incidents are by nature “chaos impersonated,” says Joe Tarraf, with the first 24 hours setting the tempo for the entire response.
Some organisations are better prepared than others, with many looking to incident response specialists to manage and solve their crisis from start to finish, including relations with external counsel, law enforcement, and ransomware negotiations.
“[Some] organisations are simply not equipped to handle a response, especially when it’s a complex response like a ransomware case. They might not have recovery plans, they might not have incident response plans, they might not have the in-house security teams and the response teams to handle the incidents.” – Joe Tarraf
Prepared or not, organisations can and do make mistakes, and some of those are more common than others, says the panel. Sometimes that is trying to immediately delete malware, which can make reinfection more likely, because crucial clues left by a threat actor are missed. Mistakes can also be made around ransomware negotiations, particularly if the threat actor is on a sanctions list.
To mitigate against these sorts of mistakes, the panel turn to resources on the market, looking at how endpoint detection and response tools can act as ‘hunting platforms,’ giving responders full visibility and a competitive edge over threats.
“When you look at a virus, you detect a malicious file, but that’s not where it stops. What we really want to know is how did it get there, what actions did it perform, were they using it to grab passwords, were they using it to move laterally.” – Greg Foss
The panel also look at the best tools for communicating in a crisis, to facilitate the right information sharing to the right people at the right time, and ensure an audit trail for later on: “Whatever tool you’re using, make sure it creates a tamper-proof audit trail for post incident review, insurance claims or legal issues,” says Magnus Josias.
“Responses should be seen as a learning opportunity. The ‘post-mortem’ process should result in becoming a more resilient organisation. Use lessons learnt to update your plans and playbooks, stream procedures, and capture bottlenecks.” – Magnus Josias
The panel conclude in agreeing that every incident is an opportunity to improve an organisation’s incident response readiness; building a strong network of external contacts and briefing leadership on response playbooks are two of the main ways businesses can prepare for the next virus or ransomware attack.