After an attack: How to keep a bad situation from getting worse
- By Karen Epper Hoffman
- Jan 17, 2017
It makes sense that information security professionals focus first on preventing a breach, or at least reducing the chances of one happening. But as hackers become more wily, sophisticated and pervasive, it’s just a question of when a hack will occur.
Jim Crook, senior product marketing manager for CTERA, a cloud storage and data protection company, points to FBI statistics: ransomware victims lost $209 million in the first quarter of 2016 alone -- nearly tenfold the $24 million lost in all of 2015. “It is a global epidemic that every organization has either already faced or will almost certainly face as the pace of cyberattacks increases on a daily basis,” Crook said.
With that in mind, government InfoSec professionals must carefully consider their approach for what comes next: what to do after the inevitable hack is discovered.
Cynthia James, general manager of KGSS, the exclusive provider of Kaspersky Lab’s real-time cyberthreat intelligence to the U.S. government, said that as soon as the breach is detected, “it’s important to first resolve the problem, which means identifying the source of the data leak and how it can be better protected. InfoSec teams have to be able to understand what happened during a breach in order to prevent it from happening again.”
If the breach was a result of ransomware, James said it’s important to not pay the cybercriminals the ransom money they are demanding. “While some threat actors will try to convince you that you can buy your way out of this problem -- paying a ransom to get back your data -- too often, the hijacked digital materials come back compromised or damaged,” she said. “Sometimes they don’t come back, even once the ransom is paid.”
To protect against damage from such attacks, “government agencies should have a strong incident response plan at the ready once a hack does occur and implement it as soon as confirmation of a breach is received. This plan usually entails actions from various departments, including IT, government officials, legal, communications and other departments within a government agency,” James said.
“Sadly, most groups are never prepared for the first incident,” which can take some time to detect, said Richard Henderson, global security strategist for Absolute, a Canadian endpoint security firm. “In both private and public organizations, the first major breach may have persisted for a lot longer than was first thought,” he said. In some cases, it’s a third party that picks up on signs of a breach and notifies managers of the hosting environment. “That’s embarrassing on many levels.”
This issue is not exclusive to government agencies with limited budgets and short-staffed teams, Henderson maintains. Indeed, plenty of corporations have “fallen victim to similar undetected breaches. This is why it’s absolutely essential to be prepared now and have all your pieces in place before the unspeakable happens.” Henderson suggests that “red teaming” -- where internal teams test security and vulnerabilities -- can be a great way to find the holes and cracks in an agency’s defense that may not have been caught by standard security reviews.
Forewarned is forearmed
While they are often seen as being at a disadvantage compared to their private-sector peers, government InfoSec professionals may actually have a leg up in handling the breach post-mortem, according to Joshua Douglas, chief strategy officer at Raytheon Foreground Security, a security services and training firm that works with the public and private sectors. Government agencies and defense contractors often conduct more thorough analyses than commercial companies after a hack, Douglas said. “They are really getting a better understanding of what has been lost. The [Department of Defense] space especially is becoming an influencer of commercial companies.”
Indeed, CTERA’s Crook points to the Texas Department of State Health Services as a “prime example of a hack that occurred and was successfully defeated.” While the state DSHS was using state-of-the-art firewall software to minimize the threat of a malware breach, a user unfortunately downloaded a virus that was too new to be caught by the agency’s enterprise virus scanning software, Crook said, causing tens of thousands of files on a hospital’s file server to be encrypted by ransomware. DSHS quickly caught the issue, however, and managed to roll back its files to a healthy state before its users even noticed, he said. “With a small data protection interval, DSHS fortunately lost zero files,” Crook said. “While backup will always play a huge role as a ransomware countermeasure, securing your perimeter and better educating your employees on breaches are also crucial steps to avoid paying ransom.”
Casey Ellis, CEO and founder of Bugcrowd, a crowdsourced testing platform for enterprise security, concurs. “Breach response should begin before a breach ever takes place… The worst incident response plan is no incident response plan, and any organization’s first step should be to create one,” he said. And much like the iconic advice from the Hitchhiker’s Guide to the Galaxy, Ellis also warns agency InfoSec professionals: “Don’t panic.”
“Assessing the situation calmly will help ensure nothing gets missed during the next steps and avoids the silly mistakes that can happen under pressure,” Ellis said. Assess the damage next, and after that, “piece together events, weaknesses and the various pieces of evidence you’ve collected and try to determine what happened. This is a necessary step toward mitigating the damage and remediating against future threats,” Ellis counsels.
But trying to control your pest problem without getting rid of the pests is a flawed plan, according to Nir Polak, co-founder and CEO of behavioral analytics services firm Exabeam. “After a hack, the focus should be first on completeness of remediation… in other words, fully kicking the hacker out of the network,” Polak said.
Complete remediation is harder than might be expected because organizations often do not know the full extent of the hacker’s reach, he said. For example, if the hacker gains access via malware that steals credentials on an employee’s laptop, he can then use those credentials to jump into the network and create new accounts. IT may see the malware, wipe the employee’s machine and think all is well, without realizing the contagion has spread, he adds.
Andy Vallila, leader for Americas sales and marketing for One Identity, the security business under Quest Software, said that government InfoSec teams should also determine “the who, what, how and why of the incident. Without these details, they cannot stop or prevent future damage.” This level of detailed analysis, Vallila said, is impossible without an audit trail -- a capability many organizations are lacking when it comes to security -- to determine the root cause of a breach and establish appropriate next steps.
Focus on the future
After InfoSec teams effectively suck out the worst of the poison and determine the species of hacker “snake” by which they have been bitten, what comes next?
James of KGSS recommends that agencies designate a specific department to notify all employees and third parties who may be directly affected by the breach and make required disclosures to regulators.
Educating employees at every level should continue to be a priority. “All organizations must realize that technology alone won’t prevent a breach,” James said. “User education remains a critical and undervalued prevention method, as most cyberattacks stem from employees making careless or naive mistakes. Employees all too often click on malicious links that appear to be credible, and these phishing attacks are one of the easiest ways cybercriminals get into an organization’s network.”
Henderson recommends mapping out a crisis or disaster plan “that touches every critical function in the organization… Get everyone in a room and talk about what you’d do when a breach hits. After an incident talk about what you learned… and how your teams responded. What could they have done better? Use every incident as a learning experience and learn from it.”
Assessing who in the organization has access to privileged credentials is critical too. According to Nick Nikols, cybersecurity chief technology officer for CA Technologies, 80 percent of breaches involve privileged credentials. “An agency may identify that privileged accounts must be protected and implement privileged access management software to protect accounts and use analytics to detect potential breach,” Nikols said.
After all is said and done -- the hacker booted, the system sealed off, checked, double-checked and restructured (if need be) and plans changed -- Ellis of Bugcrowd said, “then, and only then, should you try to figure out who did it.” However, Ellis cautions that rather than finding a culprit, government agencies should stay focused on the “real issue: how to prevent vulnerabilities. The most important thing to focus on is how to prevent future attacks,” he said. “You can’t control which burglar shows up at your house, but you can control whether or not you lock your door. You can’t control your threat actor, but you can control where you are vulnerable.”