After Action Reviews for Cyber-Attacks

After countless staff hours and additional funding put in place to protect your business from cyber-attacks, there is always some residual risk of a breach. And if a breach happens despite all the hard work you and your team put in, it is easy to conclude that it was all for nothing. What you must instead focus on is the work you can do to close the hole in your network that allowed the breach to occur in the first place. A hacker may spend days, weeks or months attempting to breach a network, and they only have to be lucky once to call their operation a success. If they manage to do so, the best thing you can do is learn from it.

After Action Review (AAR) for Cyber-Attacks

Following every operation in the military, both training and real-world, comes an After Action Review (AAR). You should conduct one of your own to learn as much as you can about any cyber incident. An AAR has several key parts to ensure you learn as much as possible about the incident:

  • What was supposed to happen? Determine the measures in place to prevent breaches, and train your team to respond appropriately. Make a list of everything that should have happened from the moment a breach was detected, up until the moment it was contained.
  • What actually happened? Using the list you made of what should have happened, compare it to what actually happened.
  • Sustains. List everything about the reaction to the breach that provided positive results. This might include the technical controls that were in place that limited a breach. It might also include the action taken by your team that contained any losses.
  • Improves. Carefully analyze anything that didn’t work out as planned. Include any additional actions that might help in the future.

You can tailor an AAR to your needs. But the most important thing that should come out of it is positive change for the future. I know from my own experience. I’ve seen the best AARs filed away and then forgotten. When that happens, you don’t make any forward progress, and similar outcomes will continue to occur.
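The "what was supposed to happen" versus "what actually happened" comparison above can be made mechanical. The script below is an added example, not part of the original article: it takes a planned response timeline (step name and the latest minute after detection by which it should be complete) and the observed timeline, then sorts the findings into the AAR's Sustains and Improves columns. All step names and times are constructed sample data.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Finding:
    step: str
    status: str   # "on_time", "late", "missing", "out_of_order", "unplanned"
    detail: str

# Constructed sample plan: steps in the order they should occur, with the
# latest time (minutes after detection) each should be complete.
PLANNED = [
    ("detect", 0),
    ("isolate_host", 15),
    ("notify_ir_lead", 30),
    ("preserve_evidence", 60),
    ("reset_credentials", 120),
    ("restore_from_backup", 240),
]

# Constructed sample timeline of what the team actually did.
ACTUAL = {
    "detect": 0,
    "notify_ir_lead": 25,
    "isolate_host": 50,          # done, but late and after the notification
    "reset_credentials": 90,
    "rebuilt_workstation": 200,  # done, but never part of the plan
    # preserve_evidence and restore_from_backup were never performed
}

def after_action_review(planned, actual):
    """Return (sustains, improves): lists of Finding built by comparing
    the planned timeline with the actual one, step by step."""
    sustains, improves = [], []
    latest_so_far = -1
    for step, deadline in planned:
        done_at = actual.get(step)
        if done_at is None:
            improves.append(Finding(step, "missing", f"never performed; planned by T+{deadline}m"))
            continue
        if done_at > deadline:
            improves.append(Finding(step, "late", f"T+{done_at}m, {done_at - deadline}m past plan"))
        else:
            sustains.append(Finding(step, "on_time", f"T+{done_at}m, planned by T+{deadline}m"))
        if done_at < latest_so_far:  # finished before a step that should have preceded it
            improves.append(Finding(step, "out_of_order", "completed before an earlier planned step"))
        latest_so_far = max(latest_so_far, done_at)
    for step in sorted(set(actual) - {s for s, _ in planned}):
        improves.append(Finding(step, "unplanned", f"T+{actual[step]}m; not in the plan"))
    return sustains, improves

if __name__ == "__main__":
    for title, findings in zip(("SUSTAINS", "IMPROVES"), after_action_review(PLANNED, ACTUAL)):
        print(title)
        for f in findings:
            print(f"  {f.step}: {f.status} ({f.detail})")
```

Each Improves entry is a candidate action item for the next training cycle; each Sustains entry is a control or behaviour worth keeping.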

Analyze Your Security Controls

As well as an AAR, you should carefully analyze all the technical security controls you have in place. This way, you can test their functionality. Knowing how they performed during the breach enables you to determine if any of them failed, need to be updated, or need to be replaced.

Steps to Take

Since there are so many different types of cyber-attacks, some basic steps to take are as follows:

  • Determine the compromised devices or networks, and then determine any lost data.
  • If possible, find the perpetrator(s) of the attack. This may involve bringing in a specialist, which can be expensive, but there are also many useful forensic tools that can help find any evidence left behind by an attacker and establish exactly what they gained access to.
  • Update or replace any of the breached hardware or software. Attackers are constantly working on new avenues of attack by finding new vulnerabilities. Keeping your hardware current and your software patched protects you from attacks that are otherwise preventable.
  • Ensure your backup process is robust. When data is compromised, you may need to restore your systems from a backup. This would be a terrible time to discover that your process was flawed. To ensure smooth transitions and minimal downtime in the future, test the restoration from backup and make sure everything works as expected.
  • Change all login credentials. This may seem trivial, but any breach of a computer system or network may provide a hacker with unauthorized access in many different ways. Forcibly changing all network credentials is the cheapest and easiest way to prevent easy access.
  • Update your risk register. To ensure you have a complete record of the breach and your response to it, update your risk register with all the information you obtain in the AAR and all other reviews of the incident. Keeping this log is instrumental in preventing future breaches.

Debrief

Whatever you do after a breach, debrief your team appropriately and adjust your training plan accordingly. A knowledgeable and motivated staff is your first and best line of defense against data breaches.
