Each year we look back at the statistics, and it is concerning how rapidly the number of cyber attacks is increasing. 2017 saw the most attacks yet, and nobody seemed safe: from the WannaCry ransomware that brought parts of the NHS to a grinding halt, to the Equifax breach that saw an estimated 145 million customer records compromised.
An estimated 66% of incidents go completely undetected for a month or more, leaving behind a trail of damage and stolen data. We've put together a checklist of things you need to do if you think your organization has suffered a cyber breach.
Prepare & test
First things first: it is important to have a policy and procedure in place that you can put into action the moment a breach is discovered. Make sure your employees are aware of it so that everyone follows the same plan. You also need to test the plan against a broad range of scenarios to ensure that it is fit for purpose. Here at Nettitude we can help you to build a successful cyber incident plan.
Detection & Triage
The ability to detect threats in your environment is an important part of your cyber security strategy. This ability relies not only on technology but also on the people and processes within your business. You need to ensure that your team can review and understand log data, and can investigate further anything that seems suspicious. You also want to train a first responder within your team who can jump onto any suspicious activity straight away. This is the triage step, and its purpose is to establish whether an attack is actually happening or whether the initial detection was a false positive.
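As an added illustration of the triage step (this is example code written for this page, not a Nettitude tool), the script below parses a handful of constructed sshd log lines and sorts each source address into "escalate", "review" or "benign". The five-failures-in-five-minutes threshold, the hostnames and the IP addresses are all assumptions chosen for the example; a real first responder would tune the threshold to the environment and corroborate the verdict against other sources before declaring an incident.

```python
"""Minimal log triage: is this a brute-force attack or a user mistyping a password?

Added example, not Nettitude's own tooling. The log lines, hosts, IPs,
threshold and window are constructed for illustration only.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed syslog-style sshd lines (NOT real data). One source hammers
# several accounts and then gets in; another user fat-fingers a password once.
SAMPLE_LOG = """\
Mar  3 10:00:01 web1 sshd[2011]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2
Mar  3 10:00:03 web1 sshd[2013]: Failed password for invalid user oracle from 203.0.113.7 port 51024 ssh2
Mar  3 10:00:04 web1 sshd[2015]: Failed password for root from 203.0.113.7 port 51026 ssh2
Mar  3 10:00:06 web1 sshd[2017]: Failed password for root from 203.0.113.7 port 51028 ssh2
Mar  3 10:00:08 web1 sshd[2019]: Failed password for root from 203.0.113.7 port 51030 ssh2
Mar  3 10:00:09 web1 sshd[2021]: Accepted password for root from 203.0.113.7 port 51032 ssh2
Mar  3 10:15:42 web1 sshd[2100]: Failed password for alice from 198.51.100.20 port 40110 ssh2
Mar  3 10:15:50 web1 sshd[2102]: Accepted password for alice from 198.51.100.20 port 40112 ssh2
"""

# Matches the standard OpenSSH "Failed/Accepted password" line shape.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<outcome>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d+\.\d+\.\d+\.\d+)"
)


def parse(log_text, year=2018):
    """Return a list of auth events; syslog has no year, so one is assumed."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unrelated line; ignore
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append({"ts": ts, "outcome": m["outcome"], "user": m["user"], "ip": m["ip"]})
    return events


def triage(events, threshold=5, window=timedelta(minutes=5)):
    """Classify each source IP.

    escalate: at least `threshold` failures inside any `window` (brute force).
    review:   failures against several usernames, or many slow failures (spraying).
    benign:   a failure or two from one account, typically a mistyped password.
    Thresholds are assumptions for the example, not recommended values.
    """
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e)

    verdicts = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["ts"])
        failures = [e for e in evs if e["outcome"] == "Failed"]

        # Largest number of failures that fit inside one sliding window.
        max_burst = 0
        for i, first in enumerate(failures):
            j = i
            while j < len(failures) and failures[j]["ts"] - first["ts"] <= window:
                j += 1
            max_burst = max(max_burst, j - i)

        # A success after failures from the same source means the attacker may be in.
        succeeded_after = any(
            e["outcome"] == "Accepted" and any(f["ts"] <= e["ts"] for f in failures)
            for e in evs
        )
        users = sorted({e["user"] for e in evs})

        if max_burst >= threshold:
            verdict = "escalate"
        elif len(users) > 1 or len(failures) >= threshold:
            verdict = "review"
        else:
            verdict = "benign"

        verdicts[ip] = {
            "verdict": verdict,
            "failures": len(failures),
            "max_burst": max_burst,
            "users": users,
            "succeeded_after_failures": succeeded_after,
        }
    return verdicts


if __name__ == "__main__":
    for ip, v in triage(parse(SAMPLE_LOG)).items():
        flag = " (login SUCCEEDED after failures)" if v["succeeded_after_failures"] else ""
        print(f"{ip}: {v['verdict']} - {v['failures']} failures, users {v['users']}{flag}")
```

Run as-is, 203.0.113.7 is escalated (five failures in seconds, three accounts, then a successful root login), while 198.51.100.20 is classed as benign (one failure followed by the same user logging in). The point for the first responder is the second half of the output: a burst that ends in an "Accepted" line is no longer a detection question but an investigation one.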
Investigate & Contain
Once you have conducted the initial triage, you need to investigate the breach further. If you don't have an internal incident response team, we recommend that you look for external help at this point. The investigation needs to establish the scope and impact of the ongoing breach and identify the root cause. Incident response capability should be backed by malware analysis capability. Make sure that any third-party investigators are aware of the logging capabilities you developed during the preparation and testing stage.
Once you have investigated the breach thoroughly, it's time to contain it. There are many ways to contain a breach, from the simple removal of a network cable right up to shutting down the entire infrastructure. You need to make sure that your incident response plan clearly states who has the authority to shut down the network should that be necessary to contain a breach. Once the breach is contained you can eradicate it and begin the recovery process.
Just because you have eradicated a breach doesn't mean the incident response plan ends there. You need to notify the relevant authorities and look at the gaps that allowed the breach to take place in the first place. This is a good time to have a penetration test, as it will help you find those gaps and fix them. It's also a good opportunity to assess how well your organization coped with the breach and to amend the procedure so that it runs more smoothly in the event of another attack.
If you're not sure how to set up an incident response plan, or you need some guidance, contact us today for a consultation with one of our experts.