Are You Prepared to Answer the Tough Questions?
By Andrew Roberts, Chief Cybersecurity Strategist, cStor
It is no longer possible to avoid news about new cyberattacks. Over the past year, they have been increasing in frequency, magnitude, and damage inflicted. Ransomware is the most prevalent threat by far but not the only risk. When an organization falls victim to ransomware or another attack, it must respond to the incident while simultaneously spending significant resources finding the answers to tough questions posed by executives, boards, legal teams, and others.
5 Hard Questions to Answer Post Cyberattack
If this happens to your organization, would you be able to answer these questions?
What happened?
In almost all cases, this is the first question to be asked following a cyberattack. Your CEO will make someone’s phone ring and want to know the answer. “We got ransomware” will not be a sufficient answer. Do you have the security monitoring capability to trace an incident to its source? You need to be able to quickly query your toolset to trace the event back to a phishing email, an infected attachment, a compromised credential, a malicious URL, or another source. Understanding what happened is critical to the steps that follow.
Has the threat been eliminated?
The first step to recovery is stopping the threat. After that, we need to be certain, beyond doubt, that the threat has been eliminated. Removing infected files is part of that process, but we also need to be sure any backdoors are found and closed.
This is accomplished by taking a very thorough and comprehensive look at the entire environment. We should also be monitoring very closely so that any other suspicious activity is quickly identified.
Have we recovered completely?
Does your recovery plan include complete testing of all the recovered systems and data? Does it include data that is only touched infrequently? If your answer is “no,” it is time to adjust your plans. Certain events, like ransomware, can have a widespread effect. We do not want to discover missing data months after we thought the recovery was complete.
What data, if any, was stolen?
Many regulations and laws make it necessary to be able to answer this question quickly. How you answer it will help determine whether the event is reportable. Check with your legal team to see what a reportable event would be in your organization.
Having systems in place that are purpose-built for monitoring data access makes it easier to know the truth. You will also need logs, lots of logs. Those logs must be stored somewhere safe, because attackers often delete logs to cover their tracks. Be prepared to set some workstations and servers aside for forensic analysis. If your recovery plan relies on being able to use all existing equipment, that could be problematic.
How can we prevent this from happening again?
This is where the answer to “What happened?” becomes critical. To prevent a repeat event, we must understand all the points of failure that made the first attack possible. To ensure we put in new security measures that protect us from another cyberattack, we must take a holistic view.
If a ransomware attack started with an infected email attachment, we should realize that many failure points made that possible. We should strengthen our email gateway, user awareness program, endpoint and server protection, data protection, and monitoring – at a minimum – to know that we are safe.
Proper Preparation and Interventions
Without proper preparation, these can be very hard questions to answer. There is good news: investment in the technologies and capabilities that will allow you to get the answers you need also provides a very beneficial side-benefit – it reduces the risk of a successful attack and the need to find these answers in the first place.
We have been working with several clients to help answer these questions after a cyberattack, but we would rather be more proactive. Consider a facilitated tabletop exercise to help refine your plans and identify areas for improvement.
cStor takes a holistic approach to cybersecurity and can help create a customized strategy, then select and implement the right mix of tools to create an environment where these questions are simpler to answer.