The three stages of a cyber attack – what you need to know
Mark Lomas, technical architect at Probrand
In 2017, one of the biggest crises facing IT departments is the threat posed by cyber attacks. It’s no longer good enough to keep an eye on things and hope for the best. Few are naïve enough to think their organisation is too small or ‘not interesting’ to criminals. The bottom line is, if it’s important to you, it’s important to them. At the same time, new and sophisticated attack techniques mean hacks are not as visible as they once were – making them more difficult to spot and react to.
Any IT department worth its salt is now adopting a cyber-incident response plan as standard. But how should organisations prepare for and react to these threats?
Before the hack
No one can pinpoint the moment they’re about to be attacked but there are certainly steps a business can take to minimise that possibility. A large chunk of this comes down to user education, and ensuring that the whole company (not just the IT department) understands some of the different types of threats. In doing so, you create a ‘think twice’ culture whereby staff are more sensitive to those red flags when something’s not quite right.
Whale phishing is one example, whereby an attacker will prey on an unsuspecting employee. They will identify a ‘big fish’ within a company (often the financial director or CEO) and impersonate them by sending emails to members of staff requesting a bank transfer or a password. Potential recipients need to be vigilant to notice anything that looks unusual. Is the tone of the email unusually formal, for example? Does the font or spacing feel different? If this is the case, they should take a closer look at the email address. It might appear to be the same, but on inspection it may have a small letter change or be completely different.
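The address check described above can be automated on the mail gateway rather than left to each recipient's eye. The following is an added example written for this article, not code from Probrand or the author: it folds confusable characters (a digit 1 for a lower-case l, "rn" for "m", accented letters) before comparing a sender against an allow-list of executives, and separates three outcomes that call for different handling: an exact match on the real mailbox, a look-alike address, and a real executive's name paired with an unrelated address. The executive list, the confusable map and the 0.85 similarity threshold are constructed assumptions for the example.

```python
import unicodedata
from difflib import SequenceMatcher

# Constructed allow-list of the "big fish" whose identity an attacker would borrow.
# A real deployment would load this from the directory rather than hard-code it.
TRUSTED_SENDERS = {
    "jane.doe@example.com": "Jane Doe",  # finance director (constructed)
    "sam.lee@example.com": "Sam Lee",    # CEO (constructed)
}

# Confusable sequences folded to their plain look-alike before comparison.
# A small hand-picked map for the example, not an exhaustive homoglyph table.
CONFUSABLES = {"0": "o", "1": "l", "rn": "m", "vv": "w"}

# Assumption for this example: tune against your own mail flow.
SIMILARITY_THRESHOLD = 0.85


def normalise_address(address: str) -> str:
    """Lower-case, strip accents and fold confusables so look-alikes collide with the real address."""
    folded = unicodedata.normalize("NFKD", address.strip().lower())
    folded = "".join(ch for ch in folded if not unicodedata.combining(ch))
    for confusable, plain in CONFUSABLES.items():
        folded = folded.replace(confusable, plain)
    return folded


def similarity(a: str, b: str) -> float:
    """Ratio in [0, 1]; 1.0 means identical strings."""
    return SequenceMatcher(None, a, b).ratio()


def classify_sender(display_name: str, address: str, trusted=TRUSTED_SENDERS) -> str:
    """Classify one From header as 'trusted', 'lookalike', 'name-spoof' or 'unknown'."""
    raw = address.strip().lower()
    folded = normalise_address(address)
    name = " ".join(display_name.lower().split())

    # 1. Exact match on a real mailbox: nothing to flag at this layer.
    if any(raw == real.lower() for real in trusted):
        return "trusted"

    # 2. Same address after folding, or nearly the same: a small letter change or homoglyph swap.
    for real_address in trusted:
        real_folded = normalise_address(real_address)
        if folded == real_folded or similarity(folded, real_folded) >= SIMILARITY_THRESHOLD:
            return "lookalike"

    # 3. The executive's name on a completely different address.
    if name in {real_name.lower() for real_name in trusted.values()}:
        return "name-spoof"

    return "unknown"


if __name__ == "__main__":
    # Constructed From headers, not taken from real mail.
    for display, addr in [
        ("Jane Doe", "jane.doe@example.com"),
        ("Jane Doe", "jane.doe@examp1e.com"),
        ("Jane Doe", "jane.doe@exarnple.com"),
        ("Jane Doe", "jane.doe@gmail.com"),
        ("Bob Smith", "bob@otherdomain.org"),
    ]:
        print(f"{display:10} <{addr}> -> {classify_sender(display, addr)}")
```

A "lookalike" verdict is the strongest signal, because a legitimate correspondent has no reason to own a domain one glyph away from yours; a "name-spoof" verdict is weaker on its own (executives do send from personal accounts) and is best combined with content cues such as a payment or credential request.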
Employee training is not a tick-box exercise; it needs to be carried out on a regular basis so that users are kept up to date with new attack methods and expected standards.
You also need to make sure you’re covered from a technical perspective. What anti-malware software do you have in place? Do you have the latest patch installed? Is your software up to date? You then need to think about where your files, data and software are stored.
Ransomware, for example, will scan your network and go looking for shared files it can encrypt. Many vendors have therefore upped their game to develop software that can scan activity on files to detect if they’re being encrypted by a user. Check with your anti-malware vendor to see if this is a feature that you have in place – it may be the difference between vital data being held to ransom or not.
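The file-activity scanning mentioned above usually rests on a simple observation: documents and spreadsheets are low-entropy, while encrypted data is close to perfectly random. The following added example (written for this article, not a vendor's or Probrand's code) shows the core of such a detector: it measures the Shannon entropy of a file before and after a write, treats a low-to-high jump with no recognised container header as "encryption-like", and only alerts when one user produces a burst of them. The entropy thresholds, burst count and all sample events are constructed assumptions; the magic numbers for zip, gzip, PNG and JPEG are the real ones.

```python
import math
from collections import Counter

# Thresholds are assumptions for this example, not values from any product.
LOW_ENTROPY = 6.0    # bits/byte: documents, source code, most office files sit well below this
HIGH_ENTROPY = 7.0   # bits/byte: encrypted (or well-compressed) data sits close to 8.0
BURST_THRESHOLD = 3  # encryption-like rewrites by one user before we alert

# Real magic numbers for formats that are legitimately high-entropy, so a user
# zipping a folder or saving a photo is not reported as ransomware activity.
KNOWN_HIGH_ENTROPY_MAGIC = (
    b"PK\x03\x04",   # zip, and zip-based office formats
    b"\x1f\x8b",     # gzip
    b"\x89PNG",      # PNG
    b"\xff\xd8\xff", # JPEG
)


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for empty or constant data, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((count / n) * math.log2(count / n) for count in Counter(data).values())


def is_encryption_like(before: bytes, after: bytes) -> bool:
    """True when a low-entropy file is rewritten as high-entropy data with no recognised header."""
    if after.startswith(KNOWN_HIGH_ENTROPY_MAGIC):
        return False
    return shannon_entropy(before) < LOW_ENTROPY and shannon_entropy(after) > HIGH_ENTROPY


def suspicious_users(events, burst: int = BURST_THRESHOLD):
    """Return the set of users whose encryption-like rewrites reach the burst threshold."""
    hits = Counter()
    for user, _path, before, after in events:
        if is_encryption_like(before, after):
            hits[user] += 1
    return {user for user, count in hits.items() if count >= burst}


# --- constructed sample data; not captured from a real incident ---
PLAIN_DOC = b"Quarterly report: revenue up 4% on last year.\n" * 10
# Deterministic stand-in for ciphertext: every byte value appears exactly twice, so entropy is 8.0.
CIPHER_LIKE = bytes((i * 167 + 13) % 256 for i in range(512))
# Same random-looking body behind a zip header, standing in for a legitimate archive.
ZIP_LIKE = KNOWN_HIGH_ENTROPY_MAGIC[0] + CIPHER_LIKE[4:]

SAMPLE_EVENTS = [
    # (user, path, file content before the write, file content after the write)
    ("alice", r"\\fileserver\finance\q1.csv",   PLAIN_DOC, CIPHER_LIKE),
    ("alice", r"\\fileserver\finance\q2.csv",   PLAIN_DOC, CIPHER_LIKE),
    ("alice", r"\\fileserver\finance\q3.csv",   PLAIN_DOC, CIPHER_LIKE),
    ("bob",   r"\\fileserver\hr\archive.zip",   PLAIN_DOC, ZIP_LIKE),                       # compression, not encryption
    ("carol", r"\\fileserver\sales\notes.txt",  PLAIN_DOC, CIPHER_LIKE),                    # one-off, below the burst
    ("dave",  r"\\fileserver\sales\memo.txt",   PLAIN_DOC, PLAIN_DOC + b"\nAddendum.\n"),   # ordinary edit
]

if __name__ == "__main__":
    print("encryption-like burst from:", sorted(suspicious_users(SAMPLE_EVENTS)))
```

The header check is what keeps the false-positive rate tolerable: compressed archives and images look exactly like ciphertext to an entropy test, so a product that alerts on entropy alone will page you every time someone zips a project folder. Real products add further signals (rename patterns, ransom-note drops, write rates) on top of this core.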
When a hack takes place
One of the worst things that can happen to a company is to be caught on the back foot. The best way to mitigate a cyber attack is to have a detailed and well-rehearsed response plan that can immediately kick into action. This playbook should contain several things, including information about who to alert.
Reporting an attack to the authorities is important. Action Fraud is the UK’s cybercrime reporting centre, which is part of the Police. If you’ve been a victim of fraud and lost money – either as a consumer or a business – you can report it directly to them.
Another aspect of the breach response should include public reporting. Organisations could have their reputation damaged by failing to disclose a breach when it happens, only for it to become public knowledge later. This could leave customers, suppliers and staff feeling betrayed. This is where having an internal and external comms strategy is crucial.
After an attack – the post-mortem
A cyber attack is probably the biggest nightmare any IT director can have. If it happens, you need the technical side of the security response team to figure out exactly what let the attackers in.
Was it a misconfigured web server? Unpatched Windows workstations? Overly permissive web proxy settings? Identify the source so you can close the doors to new attacks – otherwise you could find yourself in an endless loop of clean-up and reinfection.
Having carefully evicted the attackers from corporate systems, and surveyed the extent of the damage, organisations must fix as much of that damage as possible. This may involve reinstalling compromised systems from known-good media and potentially restoring data from backup. This remediation process also involves reconfiguring network and server software, and then monitoring its operation for a period to ensure that everything is behaving normally.
To truly close the circle, however, organisations should learn as much as possible from the attack. The results of this post-mortem should be fed back into a company security policy.
Use this intelligence in a business impact assessment, so that senior managers can decide on strategic measures to help prevent further attacks. A risk analysis may show that it’s worth investing in more staff security training, for example, or in a change to management processes.
No one likes facing adversity, but one true test of an IT director’s character lies in how they deal with it. When hackers strike, the truly savvy IT decision maker will have the tools, processes and contacts in place to manage the situation.