Minimise cyber-attack damage with incident response
Incident response is so important because cyber breaches are not a question of if, but when, says Patrick Wragg, Integrity360
19 July 2021
In association with Integrity360
Malware, ransomware, insider abuse, phishing – cyber-attacks of all forms are occurring across the country right now. While businesses can work to limit the risk of attack, they must also prepare to respond if the worst happens. Having an incident response strategy in place helps businesses minimise the reputational, financial and legal damage caused by an attack. These days, incident response is regarded as an essential component of any well-thought-out cyber security strategy. For more insight into the process, we caught up with Patrick Wragg, cyber incident response manager at Integrity360. He talked us through incident response, how organisations can act to best protect themselves, and the essential steps for developing a cyber security strategy.
What is incident response and why is it important for a business?
Incident response in cyber security is the act of responding to a live breach or compromise whereby intellectual or personal data is at risk within an organisation. The overall goals are to answer the who, what, why, when, where and how questions, prevent further damage, eradicate the threat, and restore the business back to full operating capacity.
The reason it is so important for businesses is because cyber breaches are not a question of if, but when. By having an effective incident response plan/process and incident response resources, businesses are best equipped to minimise the spread and damage, as well as preventing a similar incident from taking place again. They will also be able to resume business-as-usual activities in a shorter timeframe.
When a threat is observed, what is the incident response team’s process?
The incident response team should generally follow an incident response playbook. SANS and NIST both provide ones that start with preparation, then move on to identification, containment, eradication and recovery, then finish with lessons learnt. Once the sub-type of the incident is found out, such as ransomware, insider abuse and/or phishing, the incident response team should follow individual runbooks for these.
What should organisations be doing to protect themselves and what are the biggest blind spots in cyber security right now?
The most common and successful attacks right now are compromised credentials. They are typically stolen via fake Office 365 login pages served via phishing emails but are also stolen via social engineering. It would be highly beneficial for organisations to engage in frequent phishing/social engineering awareness training/simulations to pluck the ‘low-hanging fruit’ that is compromised credentials.
Organisations should also be investing heavily in their cyber defence portfolio with EDR (Endpoint Detection and Response) and next generation AI-based detection being examples of good defence against cyber threats.
Insider threats, for example a rogue employee exfiltrating intellectual property before moving to a competitor, are one of the industry’s biggest blind spots. Organisations often focus most of their resources on external defences when strong internal auditing and a good DLP (Data Loss Prevention) solution are required to combat insider threats.
Are there any specific examples of cases that you’ve worked on that would be valuable for our readers to be aware of?
Credential compromises (via phishing) and ransomware attacks appear to be the most common scenarios in which Integrity360’s incident response is engaged. In the past few months there has been an influx of Microsoft Exchange compromise incidents, due to the ProxyLogon vulnerability disclosed in early March 2021. This critical vulnerability affected many organisations, since it spanned many Microsoft Exchange versions, and it was so trivial to exploit. These compromises often led to ransomware and intellectual data exfiltration, causing irreparable damage to a lot of our clients.
What challenges are your customers facing at the moment? Has remote working/Covid-19 greatly increased the risk of attack?
The stats speak for themselves. Phishing attacks have increased by 600% because of the Covid-19 pandemic and the fact that people are working from home more. Cloud services such as Office 365 and VPNs allow employees to log into their organisation remotely, which means there is a single point of entry into an organisation (an employee’s login credentials). Couple this with Covid-themed phishing/social engineering and it becomes very successful because Covid is what everybody is talking about now.
How would you advise security professionals best develop an effective and sustainable cybersecurity strategy?
I would advise starting with a cyber kill chain or attack framework (such as MITRE ATT&CK), looking at the earliest stages of the attack, then investing based on that to stop cyber-attacks at the earliest possible stage. A cyber kill chain or attack framework shows the different stages/techniques used by cyber criminals to successfully breach organisations. The earlier stages, such as the delivery stage (e.g. phishing), can be easily prevented with frequent phishing awareness/simulations in an organisation. By preventing this stage, the breach is stopped in its tracks.
What is unique about Integrity360’s offering?
Integrity360’s incident response team combines hands-on technical experience of investigating advanced persistent threats with excellent incident management skills. Because of our specialism in security, the team can also effortlessly call upon our huge breadth of industry leading security consultants across every cyber specialism when required, in addition to pulling in senior security analyst assistance in a 24/7 capacity from Integrity360’s MDR (Managed Detection and Response) team. Integrity360 also has access to an industry leading arsenal of investigation tooling.
Many clients are opting for retainer IR services, which give them the added benefit of proactive preparedness assessments to get ready in advance for a possible breach. It also gives the added benefit of using unused hours for security work if, hopefully, incident response is not called upon.
What do the coming months look like for Integrity360?
The Integrity360 incident response team is currently undergoing rapid growth to deal directly with the exponential growth in the need for incident response. This is not only because of recent high-profile breaches in the media, but also because the Cloud (being hosted on the Internet) is more publicly accessible to attacks than on-premises infrastructure, and because of remote working. As technology continues to become more complex (Moore’s Law), and with the major switch of on-premises devices to the Cloud, I project that the demand for Integrity360’s incident response service will continue to grow.
For more information about Integrity360’s incident response service, visit: www.integrity360.com/managed-security/incident-response