2020 was rich for cybersecurity incidents. The pandemic brought COVID-themed malware spikes and allowed cyber criminals to leverage from vulnerable smart workers. Italian companies – from hospitals to energy enterprises – experienced security incidents. Moreover, Italy has headed the rank of the GDPR violation cases and imposed fines of 45.6 million euros. Unfortunately, no security technology can guarantee 100% incident prevention. However, it does not mean companies cannot get ready for security emergency. Security incidents are always stressful, and therefore, require a clear incident response plan to minimize the reaction time and reduce the damage.
As well as any other security aspect, incident response is a process. There are different approached like the NIST (National Institute of Standards and Technology) cybersecurity framework, that companies use to get ready for a cyber emergency. Though he approaches can be applied at any moment of the process – before, during or even after an incident – we recommend starting from the beginning and in advance, to react fast and minimize the potential damage in case of an incident.
You need to know your assets to protect them. Define the critical areas and components of your corporate network and evaluate the existing and missing security processes.
Security incidents can come as results of ransomware attacks, money theft, sensitive data leakage and other troubles. All of them make different impact on business processes and therefore demand different mitigation strategies. Think of the necessary steps to address each of the incident types your company can come across.
It takes cyber criminals from a few days to a few weeks to prepare an attack. They control the process and often launch the attack during the weekend or on holidays. The incident may impact the company’s business processes, critical services, as well as the supply chain and clients. Therefore, on top of IT you may need the representatives of the corporate PR, legal, physical security, and other teams to communicate the incident. Additionally, you may be obliged to escalate the incident to the official structures according to legislation. Assign people responsible for each step of the incident response plan execution and agree, who should be available during the day and at night.
This stage requires certain efforts from the incident response team and the process stakeholders. Prepare a variety of statement templates for each type of an incident, as well as checklists and other information to use in case of a cyber security emergency.
In most cases security incidents are detected once the work is paralyzed, corporate website is down, the ransom is demanded, the clients complain, or the money is gone. In other companies, IT security experts detect suspicious activity at earlier stages, due to regular security event monitoring and analysis. Anyway, you would need to review the security event logs to understand what has happened and is going on.
Once you detect the incident, you need to understand the actual and potential incident effects to assign priorities according to its severity. Estimate the operational impact of the attack and evaluate the impact on data confidentiality.
This stage aims to identify the attacking hosts and possible communication channels (e.g. IRC) as well as analyze the state of the assets. After assessing the risk, you need to ensure security to the non-compromised parts.
As son as you identify the problem area, investigate the indicators of compromise (IOCs) to reconstruct the timeline and define the attack tools. Retrieve any information and configurations useful for system recovery and execute the restoration activities. The top priority here is to restore the infrastructure safety as fast as possible and exclude the incident recurrence.
Do not underestimate the “lesson learnt” stage. Its goal is to evaluate what happened and implement strategies, policies, and procedures necessary to avoid the repetition of similar incidents.
You can prepare the incident response plan yourself or ask the professionals for support. Check out the webinar on the Incident Response, where we go through each incident response plan step in detail and share some useful tips.
Image by morviduk
|_ga||2 years||The _ga cookie, installed by Google Analytics, calculates visitor, session and campaign data and also keeps track of site usage for the site's analytics report. The cookie stores information anonymously and assigns a randomly generated number to recognize unique visitors.|
|_gat_gtag_UA_150416163_1||1 minute||Set by Google to distinguish users.|
|_gid||1 day||Installed by Google Analytics, _gid cookie stores information on how visitors use a website, while also creating an analytics report of the website's performance. Some of the data that are collected include the number of visitors, their source, and the pages they visit anonymously.|
|pardot||past||The pardot cookie is set while the visitor is logged in as a Pardot user. The cookie indicates an active session and is not used for tracking.|
|visitor_id909942-hash||10 years||No description|
|lpv909942||30 minutes||No description|
|visitor_id909942||10 years||No description|