Incident Response Overview
Cyber breaches do not just happen to big corporations. A successful cyber attack can be fatal for any business. In fact, small and medium-sized businesses are the most likely to face an attack, and the consequences are relatively more damaging for these entities.
That is why every organization should have a response plan in place in case of a breach or attack.
No matter how vigilant your company is in trying to protect against cyber attacks, you still need to have a plan in place to respond if your network is breached. The actions of just one employee could expose your entire network.
Once a cyber criminal gains access to your network, they will often stay dormant in your systems for upwards of 180 days. They use this time to become familiar with your infrastructure, and sometimes they will compromise even your backups. Many companies that are breached do not discover the breach for months, and after an attack is deployed, such as a ransomware attack, companies will be down, on average, for at least two weeks.
Incident response planning should start with a cyber risk and resilience review. Once you know where you are most vulnerable, it becomes much easier to identify a breach when it happens. You can then document your protocols and procedures for quickly addressing the consequences of the breach. These protocols include items such as automatic data backups, automated responses to purge infected systems, quarantining the parts of your network that may be compromised, and restoring your network to its unadulterated state.
A network can be attacked in numerous ways. You may not need to know every possible attack vector, but you should be aware of the most popular and effective attack types.
- Phishing – Phishing is an attack where the hacker uses emails that appear to be from a legitimate source and applies social engineering to get a victim to respond, click on a link, enter their credentials, or open an attachment containing malicious code. The hackers often impersonate a high-ranking member of the organization or pretend to be someone who knows the victim personally, using information gleaned from the victim's own social media posts. While these attacks are relatively unsophisticated, they work surprisingly well and often.
- Distributed Denial of Service Attack (DDoS) – A DDoS attack uses a botnet of infected computers to flood a network with fake requests, overloading it. This overwhelms the network so that legitimate requests to the server cannot get through.
- Malware – Malware is any kind of malicious software that can corrupt data, record keystrokes, encrypt data for a ransom, or carry out any number of other harmful activities. This software can also be used to steal sensitive data. It can get onto your computer systems through bad links or by downloading infected attachments.
- SQL Injection – Structured Query Language (SQL) is generally used for maintaining databases. A SQL injection attack is where an attacker supplies input that the application splices into a SQL query, so that the input is executed as part of the query by the database server. This can make the server reveal information contained in the database, destroy data, or spoof an identity.
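To make the SQL injection item above concrete, here is an added example that is not part of the original article. It builds a small constructed SQLite database in memory and runs the same lookup two ways: once with the user's input spliced into the query text (the vulnerable pattern), and once with a bound parameter (the hardened pattern). The table, user names and the crafted input are all constructed for illustration; the point is that a bound parameter is always treated as data, so the structure of the query cannot be changed by what the user types.

```python
import sqlite3


def make_db():
    # Constructed sample data for the demonstration; not from the article.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "admin"), ("bob", "staff"), ("carol", "staff")],
    )
    return conn


def lookup_unsafe(conn, username):
    # Vulnerable: the input is pasted into the SQL text, so a quote character
    # in the input closes the string literal and the rest becomes SQL.
    query = (
        "SELECT username FROM users "
        f"WHERE username = '{username}' ORDER BY username"
    )
    return [row[0] for row in conn.execute(query)]


def lookup_safe(conn, username):
    # Hardened: the driver binds the value as a parameter. Whatever the input
    # contains, it is compared as a string and never parsed as SQL.
    query = "SELECT username FROM users WHERE username = ? ORDER BY username"
    return [row[0] for row in conn.execute(query, (username,))]


def demo():
    conn = make_db()
    normal = "bob"
    # Constructed input that closes the quote and appends an always-true clause.
    crafted = "x' OR '1'='1"
    return {
        "unsafe_normal": lookup_unsafe(conn, normal),
        "unsafe_crafted": lookup_unsafe(conn, crafted),
        "safe_normal": lookup_safe(conn, normal),
        "safe_crafted": lookup_safe(conn, crafted),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name}: {rows}")
```

Running the block shows the unsafe lookup returning every user for the crafted input while the parameterized lookup returns nothing, because no account is literally named `x' OR '1'='1`. Reviewing an application for string-built queries and replacing them with bound parameters is the standard remediation; a query log showing unexpected quote characters or `OR` clauses in user-supplied values is a useful detection signal during a forensic review.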
Even in the digital landscape, there are always traces left behind after a crime has been committed. Cyber criminals will always leave behind some evidence of how they got in and out. Digital forensics is the process of sorting through the available electronic data, analyzing it, and providing an interpretation of what may have occurred based on the evidence.
Often, digital forensics is the first step in responding to a breach. Until you know how the culprit gained access to your network, what kinds of activities they performed, and what data they may have had access to, you cannot know what the appropriate response activities are.
Digital forensics involves imaging the breached data, analyzing the data, and reporting the findings. It can also include recovering deleted files and extracting registry information to see when the data was accessed and by whom.