Threat actors are unavoidable in today’s cybersecurity environment. And while endpoint detection and response (EDR) systems have gotten better at catching breach attempts, not every breach will be prevented. As a result, it’s not a question of whether your organization will face a cyber attack, but when.
A hack can be devastating for a business, and knowing what to do when you are hacked can be the difference between recovering and shutting down permanently.
What Typically Happens During An Attack?
The first step for threat actors is getting a foothold in the network they’re trying to hack. If they have a foothold, it means they’re already in the system, but they may not have privileged access. They might not be exfiltrating data yet, but they will attempt to escalate to a privileged account — such as a system or network administrator.
Once they have access to a privileged account, they essentially own the entire system. Garden-variety hackers will randomly probe the network for additional holes, but the most dangerous attackers already know where to look to find your crown jewels. They have done meticulous planning and may know more about your network than you do.
That could be your data, finances, or intellectual property, and skilled hackers will immediately search for a route directly to those items using a technique called lateral movement.
Discovery and Response to the Attack
In a perfect world, EDR would trigger at the start of an incident and alert a security operations center (SOC) of the attack. Unfortunately, it’s not always a security person or infosec tool that discovers the breach. It could be a regular IT person, or even a standard business user, that discovers something is wrong with their application. Many times the hackers make a small misstep and something breaks.
However, instead of being reported as a breach, the incident initially gets addressed as an IT problem rather than a security incident. This makes it much harder for the security team to figure out what happened and when.
Imagine somebody coming into a room and seeing that it’s messy and nothing is where it belongs. Instinctively, they start to clean up the mess and put things away. Without realizing that somebody came in and ransacked the house looking for the heirloom jewelry, they’ve just cleaned up without stopping to assess the situation.
Then when somebody else comes in, they don’t realize that the jewelry has been stolen either because nothing is out of place. This makes investigating the crime scene that much harder. Network breaches are in fact crime scenes, and when people start messing around in them, they get contaminated, and the evidence is spoiled and often invalidated.
After they belatedly figure out they’ve had an incident, security finally gets pulled in — but at that point, it could be too late. Crafty threat actors will recognize that someone is on to them and clean up whatever remains on their way out the back door.
Respond — Don’t React
The most important thing to do during a breach is remain calm. Organizations often make things worse for themselves by reacting to a situation, rather than responding to it. Again, if you clean up the mess without consulting security, they’ll have a much harder time piecing everything together.
Here are a few steps to follow in the event that your organization faces a breach.
Execute Your Breach Response Plan
Having a breach response plan in place can be the difference between a minor security incident and headline news. A good plan will include process flows, decision trees and contact information for critical resources, as well as pre-planned actions for common scenarios which can help expedite an appropriate response.
Don’t have a breach response plan? After resolving your security incident, contact Black Kilt Security for a template plan and expert advice on how to customize it for your specific needs.
Get Forensics and Law Enforcement Involved
The first thing you need to do is engage both your forensics team and law enforcement. Together, those teams can decide what needs to happen with the systems that are known to be compromised.
Anything anybody does to a server changes it, and can obscure or delete evidence and hinder an investigation. Unless they are specifically trained in forensics, even the most technical and well-versed IT personnel will do more harm than good if they engage with a breach before the forensics team does.
Once security is engaged, they’re going to follow the letter of the law and go through the incident by the book.
If you’re a larger business and don’t already have a forensic analyst on staff or retainer, you should seriously reconsider your cybersecurity budget. You don’t want to be shopping for forensic specialists and breach specialists in the middle of an incident.
You don’t want to be making important hiring decisions when you’re in panic mode. And if you do bring on a forensics team in the middle of a breach, they’ll have no baseline for what your network normally looks like.
Consult Legal Counsel
As soon as you discover a breach, you should also be working with your legal counsel on addressing it. You may be legally obligated to notify customers, partners and regulatory agencies of the breach if financial information, personally identifiable information, health information, or any other type of regulated information was compromised.
There are specific timelines to notify based on the size of your business and the impact of the breach. If you don’t follow those timelines, there could be hefty fines to pay on top of the cost of your breach.
Engaging legal counsel will prepare your organization for any public-facing statements as well. Security breaches are very sensitive subjects, and if they aren’t addressed with an eye towards public relations, your stock price might take a hit. Prepare for this beforehand with your legal team. This is another important element that should be part of a good breach response plan.
Legal counsel also provides an important resource for the security team. There are times when the security team may need to take offensive actions against a threat actor. Legal counsel can provide guidance and possibly air cover for the team so that they don’t overstep their bounds.
The worst thing you can do is have an overzealous security team try to turn the tables on a threat actor and actually get accused or sued for the very behavior that the threat actor was perpetrating in the first place.
Make Recommended Changes to Your Systems and Network
Under recommendation from the forensics experts or your incident response team, you may take additional steps on your network to make sure that other assets are not going to be compromised.
Do not pull servers off the network or power down equipment without first running it by your security team. As soon as you shut it down, the hackers know they’ve been discovered. They’re most likely going to exit and cover their tracks on their way out.
There also may be steps to take that stop further lateral movement or data exfiltration that don’t alert the attackers to the work you’re doing. For instance, if you know the hackers have infiltrated five systems, you may make subtle network changes that wall off those five systems from the rest of the company to prevent further lateral movement.
Ransomware and rapidly spreading worms should be treated as special cases, however. If ransomware or similar is detected and observed to be spreading, there may be a very quick decision required to pull the affected servers off the network to stop lateral movement. Again, a breach response plan can be a life saver in these scenarios.
Ransomware is typically automated, and not a human being moving around on a system. Thus response time can be vitally important. Not all breaches are created equal, and your response will depend on the type of breach.
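The "wall off the five known systems" approach above can be expressed as a small containment policy. The following is an added example, not code from the post or from Black Kilt Security: it assumes a gateway running nftables sits between the compromised segment and the rest of the company, that the forensics team acquires evidence from a collector host, and all addresses are constructed placeholders. Contained hosts may speak only to the collector; every other flow to or from them is logged and dropped, while the rest of the network is untouched so the change stays quiet.

```python
import ipaddress
from dataclasses import dataclass

# Constructed addresses for this example; none of them come from the post.
COMPROMISED_HOSTS = ["10.0.5.21", "10.0.5.22", "10.0.5.23", "10.0.5.24", "10.0.5.25"]
FORENSICS_COLLECTOR = "10.0.9.5"                  # hypothetical evidence acquisition host
INTERNAL_NETS = ["10.0.0.0/8", "192.168.0.0/16"]  # assumed corporate address space


@dataclass(frozen=True)
class ContainmentPolicy:
    """Wall off known-compromised hosts so they can reach only the forensics collector."""
    compromised: frozenset
    collector: ipaddress.IPv4Address
    internal: tuple

    @classmethod
    def build(cls, hosts, collector, internal_nets):
        return cls(
            compromised=frozenset(ipaddress.ip_address(h) for h in hosts),
            collector=ipaddress.ip_address(collector),
            internal=tuple(ipaddress.ip_network(n) for n in internal_nets),
        )

    def decide(self, src, dst):
        """Return (allowed, reason) for one flow, in the same order as the rendered rules."""
        s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        s_bad, d_bad = s in self.compromised, d in self.compromised
        if s_bad and d == self.collector:
            return True, "evidence acquisition to collector"
        if d_bad and s == self.collector:
            return True, "collector reaching contained host"
        if s_bad:
            # Distinguish what the dropped flow would have been, for the incident log.
            kind = "lateral movement" if any(d in n for n in self.internal) else "exfiltration"
            return False, f"contained host egress dropped ({kind})"
        if d_bad:
            return False, "ingress to contained host dropped"
        return True, "not involved in containment"

    def render_nftables(self):
        """Emit a forward-chain ruleset for the gateway; accept rules precede the drops."""
        elems = ", ".join(str(ip) for ip in sorted(self.compromised))
        return (
            "table inet containment {\n"
            "    set compromised {\n"
            "        type ipv4_addr\n"
            f"        elements = {{ {elems} }}\n"
            "    }\n"
            "    chain forward {\n"
            "        type filter hook forward priority 0; policy accept;\n"
            f"        ip saddr @compromised ip daddr {self.collector} accept\n"
            f"        ip saddr {self.collector} ip daddr @compromised accept\n"
            '        ip saddr @compromised log prefix "contain-egress " drop\n'
            '        ip daddr @compromised log prefix "contain-ingress " drop\n'
            "    }\n"
            "}\n"
        )


if __name__ == "__main__":
    policy = ContainmentPolicy.build(COMPROMISED_HOSTS, FORENSICS_COLLECTOR, INTERNAL_NETS)
    print(policy.render_nftables())
    for src, dst in [("10.0.5.21", "10.0.9.5"), ("10.0.5.21", "10.0.7.40"), ("10.0.5.22", "203.0.113.9")]:
        print(src, "->", dst, policy.decide(src, dst))
```

The rendered text can be reviewed by the security team before anyone loads it, and the `decide` method lets you check specific flows (a backup job, a monitoring poll) against the policy first, so containment does not silently break something that would tip off the attacker.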
Uncovering the Threat Actor
If your security team does manage to figure out who the intruders are, they can be charged by law enforcement and tried for cyber crimes. Any evidence you collect will be used in a court of law, so there is a particular way the incident and any evidence left behind need to be handled, and evidence must be collected, stored, and transferred to law enforcement accordingly.
If you mismanage evidence, or if the threat actor covers their tracks on the way out, then you’re left with little recourse from a legal perspective. As in the scene above, if you clean up the house, the crime scene is tainted and the evidence is spoiled. The lawyers don’t have a case without evidence and the criminals cannot be charged.
Forensic experts are trained in the same techniques for handling evidence as law enforcement. Their work, when performed properly, will stand up in a court of law. This can be the deciding factor for a successful court case with damage recovery. It can also help to determine the appropriate action and public response, by knowing exactly what happened and when.
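One concrete piece of "handled properly" is an integrity record for every evidence item. The following is an added example, not code from the post or from Black Kilt Security: it hashes an evidence file, appends a chain-of-custody entry each time the item changes hands, and later verifies that the item still matches what was collected. The file contents, handler names and log location are constructed placeholders; a real custody log would live on write-once or separately protected storage.

```python
import hashlib
import json
import tempfile
from datetime import datetime, timezone
from pathlib import Path


def sha256_file(path: Path, chunk_size: int = 1 << 20) -> str:
    """Stream the file so large disk or memory images are hashed without loading them whole."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def record_custody(log_path: Path, evidence: Path, handler: str, action: str, note: str = "") -> dict:
    """Append one entry: who handled the item, when, why, and its hash at that moment."""
    entry = {
        "time_utc": datetime.now(timezone.utc).isoformat(),
        "item": evidence.name,
        "sha256": sha256_file(evidence),
        "handler": handler,
        "action": action,
        "note": note,
    }
    with log_path.open("a", encoding="utf-8") as f:
        f.write(json.dumps(entry) + "\n")  # append-only JSON lines, one entry per hand-off
    return entry


def verify_custody(log_path: Path, evidence: Path) -> tuple:
    """Recompute the hash and check it against every recorded hash for this item."""
    lines = log_path.read_text(encoding="utf-8").splitlines()
    entries = [json.loads(line) for line in lines if line.strip()]
    recorded = [e["sha256"] for e in entries if e["item"] == evidence.name]
    if not recorded:
        return False, "no custody entries for item"
    if len(set(recorded)) != 1:
        return False, "recorded hashes disagree between hand-offs"
    if sha256_file(evidence) != recorded[0]:
        return False, "evidence hash changed since collection"
    return True, f"intact across {len(recorded)} custody entries"


def run_demo() -> dict:
    """Constructed walk-through: collect, transfer, verify, then detect a later modification."""
    with tempfile.TemporaryDirectory() as d:
        workdir = Path(d)
        image = workdir / "web01-memory.raw"  # constructed stand-in for a memory capture
        image.write_bytes(b"constructed sample evidence bytes\n" * 1024)
        log = workdir / "custody.jsonl"
        record_custody(log, image, "forensics analyst A", "collected", "acquired per IR lead")
        record_custody(log, image, "forensics analyst B", "received", "sealed, moved to locker")
        ok_before, _ = verify_custody(log, image)
        # Simulate a well-meaning admin touching the item outside the custody process.
        image.write_bytes(image.read_bytes() + b"X")
        ok_after, reason = verify_custody(log, image)
    return {"before": ok_before, "after": ok_after, "reason": reason}


if __name__ == "__main__":
    print(run_demo())
```

Hash first, then log, then hand off: anyone who later needs to rely on the item in court can rerun `verify_custody` and show that every handler saw the same bytes.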
With major breaches, the odds of winning a court case are slim because they’re often performed with nation-state backing. But people face punishment for petty cyber crimes all the time, especially if you’ve got a good cyber team in your court.
Moving Forward Post-Breach
Once you’ve successfully stopped the security breach, it’s important to do an after-action report and talk about what deficiencies allowed that threat actor to gain entry in the first place.
Next, perform a company-wide security review. For example, if the threat actor got in because something wasn’t patched, review your patching process and current patching status. Examine how you detect missing patches along with your patch schedule and performance metrics. Look for more instances of the same missing patch, as well as other patches that may be missing across the environment.
Repeat this exercise with other security elements, both those involved in the breach and others that are simply industry best practices. Document any further deficiencies and develop a remediation plan for each item, with an owner and a timeline for correction.
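The patching review described above (find every other host missing the patch the intruder used, then every other missing patch, then assign owners and dates) can be run over an inventory export. The following is an added example, not code from the post or from Black Kilt Security: the host inventory, the minimum patched versions and the owner mapping are constructed placeholders, and versions are compared as plain dotted numbers, so real distribution epochs or suffixes would need a proper version library.

```python
from collections import defaultdict
from datetime import date, timedelta

# Constructed inventory: host -> installed version per package (not real hosts or advisories).
INVENTORY = {
    "web01": {"openssl": "3.0.7", "sudo": "1.9.12", "kernel": "5.15.80"},
    "web02": {"openssl": "3.0.12", "sudo": "1.9.12", "kernel": "5.15.80"},
    "db01": {"openssl": "3.0.7", "sudo": "1.9.15", "kernel": "5.15.140"},
    "jump01": {"openssl": "3.0.12", "sudo": "1.9.15"},  # kernel never reported: inventory gap
}

# Constructed minimum versions the review agreed on, and who owns each package.
REQUIRED = {"openssl": "3.0.12", "sudo": "1.9.15", "kernel": "5.15.140"}
OWNERS = {"openssl": "platform team", "sudo": "platform team", "kernel": "infrastructure team"}


def parse_version(v):
    """Plain dotted versions only; assumed sufficient for this constructed data."""
    return tuple(int(part) for part in v.split("."))


def is_patched(installed, required):
    return parse_version(installed) >= parse_version(required)


def missing_patches(inventory, required):
    """Return (gaps, unknown): package -> sorted hosts lacking it, and hosts with no record."""
    gaps, unknown = defaultdict(list), defaultdict(list)
    for host, pkgs in inventory.items():
        for pkg, min_ver in required.items():
            if pkg not in pkgs:
                unknown[pkg].append(host)  # cannot claim it is patched if we never measured it
            elif not is_patched(pkgs[pkg], min_ver):
                gaps[pkg].append(host)
    return ({p: sorted(h) for p, h in gaps.items()},
            {p: sorted(h) for p, h in unknown.items()})


def blast_radius(inventory, required, exploited_pkg):
    """Other hosts exposed to the same missing patch the intruder used, plus unmeasured ones."""
    gaps, unknown = missing_patches(inventory, required)
    return gaps.get(exploited_pkg, []), unknown.get(exploited_pkg, [])


def remediation_plan(gaps, unknown, owners, start=None, days=14):
    """One row per deficiency with an owner and a due date, as the after-action review asks."""
    start = start or date.today()
    due = (start + timedelta(days=days)).isoformat()
    rows = []
    for pkg, hosts in gaps.items():
        for host in hosts:
            rows.append({"host": host, "package": pkg, "action": "apply patch",
                         "owner": owners.get(pkg, "unassigned"), "due": due})
    for pkg, hosts in unknown.items():
        for host in hosts:
            rows.append({"host": host, "package": pkg, "action": "verify inventory coverage",
                         "owner": owners.get(pkg, "unassigned"), "due": due})
    return rows


if __name__ == "__main__":
    print("same gap as the intrusion:", blast_radius(INVENTORY, REQUIRED, "openssl"))
    g, u = missing_patches(INVENTORY, REQUIRED)
    for row in remediation_plan(g, u, OWNERS):
        print(row)
```

Treating "no record" as its own category matters: a host that never reported a package is not patched, it is unmeasured, and the review should fix the inventory gap before it trusts the patch status.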
Black Kilt’s Blog Has You Covered
Whether it’s recovering from a security breach or keeping you updated on the latest news in cybersecurity, Black Kilt’s experts provide their audience with industry-leading advice, analysis, and more on a weekly basis. Subscribe today to get the latest insights in your inbox.