{"id":12237,"date":"2020-12-23T06:21:23","date_gmt":"2020-12-23T11:21:23","guid":{"rendered":"http:\/\/45.33.92.219\/?p=12237"},"modified":"2020-12-23T06:21:23","modified_gmt":"2020-12-23T11:21:23","slug":"best-practice-avoid-a-cyberattack","status":"publish","type":"post","link":"https:\/\/claritytg.com\/index.php\/2020\/12\/23\/best-practice-avoid-a-cyberattack\/","title":{"rendered":"Incident Response Guide – Best Practice to Avoid a Cyberattack"},"content":{"rendered":"

Incident Response Guide – Best Practice to Avoid a Cyberattack<\/span><\/strong><\/h1>\n

By: Bruce G. Kreeger<\/span><\/strong><\/p>\n

What is the best way to avoid having a cyberattack turn into a full breach? Prepare in advance.<\/span><\/strong><\/h2>\n

After experiencing a breach, organizations often realize they could have avoided a lot of costs, pain, and disruption if only they had an effective incident response plan in place.<\/span><\/p>\n

This guide is intended to help you define the framework for cybersecurity incident response planning that gives you the best chance at thwarting an adversary. These recommendations are based on the real-world experiences of the Sophos Managed Threat Response and Sophos Rapid Response teams, who have tens of thousands of hours of experience when it comes to dealing with Cyberattacks.<\/span><\/p>\n

Cybersecurity incident response plan<\/span><\/strong><\/h2>\n

There are 10 main steps to an effective incident response plan.<\/span><\/p>\n

    \n
  1. Determine key stakeholders<\/span><\/li>\n
  2. Identify critical assets<\/span><\/li>\n
  3. Deploy protection tools<\/span><\/li>\n
  4. Ensure maximum visibility<\/span><\/li>\n
  5. Run table-top exercises<\/span><\/li>\n
  6. Implement access control<\/span><\/li>\n
  7. Invest in investigation tools<\/span><\/li>\n
  8. Establish response actions<\/span><\/li>\n
  9. Conduct awareness training<\/span><\/li>\n
  10. Hire a managed security service<\/span><\/li>\n<\/ol>\n

    Incident Response Plan Framework<\/span><\/strong><\/h2>\n

    Determine Key Stakeholders<\/span><\/strong><\/h2>\n

    Properly planning for a potential incident is not the sole responsibility of your security team. In fact, an incident will likely impact almost every department in your organization, especially if the incident turns into a full-scale breach. To properly coordinate a response, you must first determine who should be involved. This often includes representation from senior management, security, IT, legal, and public relations. Knowing who should be at the table and involved in your organization\u2019s planning exercises is something that should be determined in advance. Additionally, a method of communication needs to be established to ensure a quick response. This should take into account the possibility that your normal channels of communication (i.e. corporate email) may be impacted by an incident.<\/span><\/p>\n

    Identify critical assets<\/span><\/strong><\/h4>\n

    To determine the scope and impact of an attack, your organization first needs to identify its highest priority assets. Mapping out your highest priority assets will not only help you determine your protection strategy but will make it much easier to determine the scope and impact of an attack. Additionally, by identifying these in advance, your incident response team will be able to focus on the most critical assets during an attack, minimizing disruption to the business.<\/span><\/p>\n

    Run tabletop exercises<\/span><\/strong><\/h4>\n

    Incident response is like many other disciplines \u2013 practice makes perfect. While it is difficult to fully replicate the intense pressure your team will experience during a potential breach, practice exercises ensure a more tightly coordinated and effective response when a real situation occurs. It is important to not only run technical tabletop exercises (often as part of a red team drill) but also broader exercises that <\/span>include the various business stakeholders previously identified. Tabletop exercises should test your organizational responses to a variety of potential incident response scenarios. Each of these scenarios might also include stakeholders beyond the immediate technical team. Your organization should determine in advance who needs to be informed when an attack is detected, even if was successfully defended.<\/span><\/p>\n

    Common incident response scenarios include:<\/span><\/strong><\/h2>\n

    Active adversary detected within your network:<\/span><\/strong><\/h2>\n

    In these scenarios, it is critical that the response team determines how an attacker was able to infiltrate your environment, what tools and techniques they used, what was targeted, and if they have established persistence. This information will help determine the proper course of action to neutralize the attack. While it might seem obvious that you would immediately eject the adversary from the environment, some security teams choose to wait and observe the attacker gain important intelligence in order to determine what they are trying to achieve and what methods they are using to achieve them.<\/span><\/p>\n

    Successful data breach:<\/span><\/strong><\/h4>\n

    If a successful data breach is detected, your team should be able to determine what was exfiltrated and how. This will then inform the proper response, including the potential need to consider the impact on compliance and regulatory policies, if customers need to be contacted, and potential legal or law enforcement involvement.<\/span><\/p>\n

    Successful ransomware attack:<\/span><\/strong><\/h4>\n

    If critical data and systems are encrypted, your team should follow a plan to recover such losses as quickly as possible. This should include a process to restore systems from backups. To ensure the attack won\u2019t be repeated as soon as you\u2019re back online, the team should investigate if the adversary\u2019s access has been cut off. Additionally, your broader organization should determine if it would be willing to pay a ransom in extreme situations and, if so, how much it would be willing to spend.<\/span><\/p>\n

    High-priority system compromised:<\/span><\/strong><\/h4>\n

    When a high-priority system is compromised, your organization may not be able to conduct business normally. In addition to all the steps needed as part of an incident response plan, your organization also needs to consider establishing a business recovery plan to ensure minimal disruption in a scenario such as this.<\/span><\/p>\n

    Deploy protection tools<\/span><\/strong><\/h2>\n

    The best way to deal with an incident is to protect against it in the first place. Ensure your organization has the appropriate endpoint, network, server, cloud, mobile, and email protection available.<\/span><\/p>\n

    Ensure you have maximum visibility<\/span><\/strong><\/h2>\n

    Without the proper visibility into what is happening during an attack, your organization will struggle to respond appropriately. Before an attack occurs, IT and security teams should ensure they have the ability to understand the scope and impact of an attack, including determining adversary entry points and points of persistence. Proper visibility includes collecting log data, with a focus on end point and network data. Since many attacks take days or weeks to discover, it is important that you have historical data going back for days or weeks (even months) to investigate. Additionally, ensure such data is backed up so it can be accessed during an active incident.<\/span><\/p>\n

    Implement access control<\/span><\/strong><\/h2>\n

    Attackers can leverage weak access control to infiltrate your organization\u2019s defenses and escalate privileges. Regularly ensure that you have the proper controls in place to establish access control. This includes, but is not limited to, deploying multi-factor authentication, limiting admin privileges to as few accounts as possible (following the Principle of Least Privilege), changing default passwords, and reducing the amount of access points you need to monitor.<\/span><\/p>\n

    Invest in investigation tools<\/span><\/strong><\/h2>\n

    In addition to ensuring you have the necessary visibility, your organization should invest in tools that provide necessary context during an investigation Some of the most common tools used for incident response include endpoint detection and response (EDR) or extended detection and response (XDR), which allow you to hunt across your environment to detect indicators of compromise (IOCs) and indicators of attack (IOA). EDR tools help analysts pinpoint which assets have been compromised, which in turn helps determine the impact and scope of an attack.<\/span><\/p>\n

    The more data that is collected \u2013 from the endpoints and beyond \u2013 the more context is available during investigation. Having broader visibility will allow your team to not only determine what the attackers targeted but how they gained entry into the environment and if they still have the ability to access it again. In addition to EDR tools, advanced security teams might also deploy a security orchestration, automation, and response (SOAR) solution that aids in response workflows.<\/span><\/p>\n

    Establish response actions<\/span><\/strong><\/h2>\n

    Detecting an attack is only part of the process. In order to properly respond to an attack, your IT and security teams need to ensure they have the ability to conduct a wide range of remedial actions to disrupt and neutralize an attacker. Response actions include, but are not limited to:<\/span><\/p>\n

     <\/p>\n