Detecting a breach and immediate action

Cybersecurity article series:

  • Cybersecurity risk analysis
  • Staff training
  • Detecting a breach and immediate action
  • Recovering from a breach

Malicious actors frequently find new ways to get around our defences. And they only have to be successful once to cause massive damage.

But by coupling effective cyber security practices with a trained and engaged team, you can take your business a long way towards keeping your systems and data secure. However, just as with any other security method, these defences are generally reactive, developed in response to a successful attack. Often it is only after a new attack has succeeded that the vulnerability it exploited can be identified. And you never want to be the one on the receiving end of that attack.

Although attacks are not inevitable and many can be avoided by taking appropriate precautions, we must be able to recognise the signs of an attack when one does happen. Recognising an attack and taking swift, appropriate action can greatly limit its detrimental effects. In 2017, average dwell time (the time between a breach and its detection) was over 100 days. Just imagine the damage an attacker could do with access to your systems and data for that long. Minimising dwell time is key to reducing the financial and reputational impact on your business.

Some common indicators of an attack include:

  • Unusually high system or disk activity while applications are idle
  • Activity on unusual network ports, or processes listening on unusual ports
  • Presence of unexpected software or system processes
  • Configuration changes that were not approved or cannot be traced to an approval
  • Unexpected firewall changes
  • Anomalous user activity – for instance, logging in at unusual times, from unusual locations, or from multiple locations within a short time period
  • Unexpected user account lockouts or password changes
  • Repeated system or application crashes
  • Disabling of antivirus or malware protection services
  • Abnormal behaviour during web browsing – repeated pop-ups, unexpected redirects or changes to browser configuration
  • Reports of unusual messages claiming to come from your email server or social networks
  • A direct message from an attacker
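Two of the indicators above, logins at unusual hours and one account appearing in several locations within a short window, lend themselves to a simple automated check. The following is an added example, not code from the original article; it runs over a small constructed set of authentication events (no real log data), and the business hours, the 30-minute window and the location labels are all assumptions a team would tune to its own environment.

```python
"""Added example: flag off-hours logins and rapid location changes over a
small constructed set of authentication events."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class LoginEvent:
    when: datetime
    user: str
    location: str  # assumed: an office/country label, e.g. from GeoIP or site naming


# Constructed sample data, not taken from any real log.
SAMPLE_EVENTS = [
    LoginEvent(datetime(2024, 3, 4, 8, 55), "alice", "London"),
    LoginEvent(datetime(2024, 3, 4, 9, 10), "bob", "Manchester"),
    LoginEvent(datetime(2024, 3, 4, 9, 20), "alice", "Singapore"),  # 25 min after London
    LoginEvent(datetime(2024, 3, 4, 23, 40), "bob", "Manchester"),  # late at night
    LoginEvent(datetime(2024, 3, 5, 3, 15), "carol", "Leeds"),      # early morning
    LoginEvent(datetime(2024, 3, 5, 10, 0), "carol", "Leeds"),
]

# Assumed business hours: 07:00 inclusive to 19:00 exclusive.
WORK_START, WORK_END = 7, 19
# Assumed window in which two different locations for one user is suspicious.
TRAVEL_WINDOW = timedelta(minutes=30)


def off_hours_logins(events, start=WORK_START, end=WORK_END):
    """Return the events whose hour falls outside [start, end)."""
    return [e for e in events if not (start <= e.when.hour < end)]


def rapid_location_changes(events, window=TRAVEL_WINDOW):
    """Return (user, earlier, later) triples where the same user logged in
    from two different locations within `window` of each other."""
    by_user = defaultdict(list)
    for e in sorted(events, key=lambda e: e.when):
        by_user[e.user].append(e)
    hits = []
    for user, evs in by_user.items():
        for prev, cur in zip(evs, evs[1:]):
            if prev.location != cur.location and cur.when - prev.when <= window:
                hits.append((user, prev, cur))
    return hits


def report(events):
    """Human-readable lines suitable for forwarding to IT and network admins."""
    lines = []
    for e in off_hours_logins(events):
        lines.append(f"OFF-HOURS  {e.when:%Y-%m-%d %H:%M} {e.user} from {e.location}")
    for user, prev, cur in rapid_location_changes(events):
        gap = int((cur.when - prev.when).total_seconds() // 60)
        lines.append(f"LOCATION   {user}: {prev.location} -> {cur.location} in {gap} min")
    return lines


if __name__ == "__main__":
    for line in report(SAMPLE_EVENTS):
        print(line)
```

On the constructed data the report lists two off-hours logins (bob late at night, carol in the early morning) and one rapid location change (alice, London to Singapore in 25 minutes). As the article notes, a hit is a prompt to investigate and report, not proof of a breach: shift workers and VPN exits will produce false positives, so the thresholds belong in a per-team baseline rather than hard-coded as here.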

Identifying any one of these indicators does not necessarily mean that an attack has taken place. Nevertheless, take every indicator seriously and investigate further where necessary. Report all indicators to IT and network administrators immediately, so that an accurate timeline of events exists should a breach be confirmed. Early detection also allows relevant authorities and data owners to be notified, reducing the potential impact of a breach. Activity can be monitored and credentials changed quickly to reduce additional financial or reputational risk.

Steps to take if a breach occurs

If you have determined that a breach has occurred or is in progress, there are several important rules to follow. Here are some of the best actions to take in the event of a breach:

  • Isolate compromised devices from the network (remove network cables or disable Wi-Fi) but, if possible, do not switch them off.
  • If using a wireless network, change the SSID (Service Set Identifier) on the access point used by the other machines sharing the same connection.
  • Identify the key personnel who will form a response team and give them specific roles and tasks.
  • Do not alter anything on suspect systems. Doing so can tamper with any evidence left behind during the breach.
  • Collect evidence. Safeguard affected systems to prevent further loss, and collect any potential forensic evidence.
  • Log everything. Throughout each phase of the detection and response process, note what is happening and what actions are being taken. This helps to organise the timeline of an attack and can aid in identifying its source.
  • Report internally. Inform senior management and stakeholders of observed incidents, and of any critical incidents that are affecting the business.
  • Evaluate whether legal counsel should be consulted. This may be necessary if client data has been compromised. You may also need to establish whether relevant law enforcement agencies should be notified.
  • Be transparent. Take all reports of security incidents seriously, and keep all relevant personnel notified and up to date.

Conclusion

These rules are not an exhaustive list, but they give you a solid foundation for handling a breach. Once you have identified and contained a breach, you can begin the process of recovery and return to business as usual as quickly as possible. Meanwhile, look out for the final article in this series for information on recovering from a breach.