Detecting a breach and immediate action
September 21, 2020
Cybersecurity article series:
- Cybersecurity risk analysis
- Staff training
- Detecting a breach and immediate action
- Recovering from a breach
Having a trained and engaged team, coupled with effective and current cyber security practices, will take your business a long way towards keeping your systems and data secure. But like any security measure, these practices are generally reactive: they are developed in response to a successful attack. Malicious actors are always developing new ways to get around our defences, and they only have to be successful once. New types of attacks and vulnerabilities are sometimes found only when they are successfully exploited, which means that someone must be on the receiving end of an attack.
Although attacks are not inevitable and can be avoided by taking appropriate precautions, we must be able to recognise the signs of an attack when one does happen. Recognising an attack and taking swift, appropriate action can greatly limit its detrimental effects. In 2017, the average dwell time (the time it takes to detect a breach) was over 100 days. Think about what an attacker could do with access to your systems and data for that long. Minimising dwell time is key to reducing the financial and reputational impact on your business.
Some common indicators of an attack include:
- Unusually high system or disk activity while applications are idle
- Activity on unusual network ports, or processes listening on unusual ports
- Presence of unexpected software or system processes
- Configuration changes that were not approved or cannot be traced to approvals
- Unexpected firewall changes
- Anomalous user activity – logging in at unusual times, from unusual locations or from multiple locations within a short time period
- Unexpected user account lockouts or password changes
- Repeated system or application crashes
- Disabling of antivirus or malware protection services
- Abnormal behaviour during web browsing – repeated popups, unexpected redirects or changes to browser configuration
- Reports of unusual messages claiming to come from your email server or social networks
- A direct message from an attacker
Identifying any one of these indicators does not necessarily mean that an attack has taken place. They should be taken seriously though and investigated further. Indicators should be reported to IT and network administrators immediately in order to keep an accurate timeline of events should a breach be discovered. Early detection also allows for notification to be made to relevant authorities and data owners in order to reduce the potential impacts of a breach. Activity can be monitored and credentials changed quickly to reduce additional financial or reputational risk.
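Several of the indicators above (logins at unusual hours, logins from multiple locations within a short period, and repeated account lockouts) can be checked mechanically against authentication logs. The script below is an added example written for this article, not code from the original page, and it runs over a small set of constructed log lines in an assumed `<ISO timestamp> <user> <action> <location>` format; the business-hours window, the one-hour multi-location window and the lockout threshold are all assumed values that a real deployment would tune. In keeping with the paragraph above, a hit is a signal to investigate and record, not proof of a breach.

```python
"""Flag three of the indicators listed above over constructed auth-log lines."""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, NamedTuple, Tuple


class Event(NamedTuple):
    ts: datetime
    user: str
    action: str      # login_success | lockout | password_change
    location: str    # "-" when not applicable


# Constructed sample log (not real data). Assumed format:
# "<ISO timestamp> <user> <action> <location>"
SAMPLE_LOG = [
    "2020-09-21T09:02:11 alice login_success London",
    "2020-09-21T09:05:40 bob login_success Manchester",
    "2020-09-21T09:31:02 alice login_success Singapore",
    "2020-09-21T03:14:55 carol login_success London",
    "2020-09-21T10:00:00 bob lockout -",
    "2020-09-21T10:00:30 bob lockout -",
    "2020-09-21T10:01:05 bob lockout -",
    "2020-09-21T11:20:00 dave password_change -",
]

# Assumed tuning values; adjust to the organisation's own working pattern.
BUSINESS_HOURS = (8, 18)                    # 08:00 to 18:00 local time
MULTI_LOCATION_WINDOW = timedelta(hours=1)  # two locations inside this window is suspicious
LOCKOUT_THRESHOLD = 3                       # lockouts per user ...
LOCKOUT_WINDOW = timedelta(minutes=15)      # ... within this window


def parse_line(line: str) -> Event:
    ts, user, action, location = line.split()
    return Event(datetime.fromisoformat(ts), user, action, location)


def parse_log(lines: List[str]) -> List[Event]:
    """Parse and sort by time so per-user sequences are in order."""
    return sorted((parse_line(l) for l in lines if l.strip()), key=lambda e: e.ts)


def off_hours_logins(events: List[Event], hours=BUSINESS_HOURS) -> List[Event]:
    """Successful logins whose hour falls outside the business-hours window."""
    start, end = hours
    return [e for e in events
            if e.action == "login_success" and not (start <= e.ts.hour < end)]


def multi_location_logins(events: List[Event], window=MULTI_LOCATION_WINDOW
                          ) -> List[Tuple[str, str, str, timedelta]]:
    """Consecutive successful logins for one user from different locations inside `window`."""
    by_user: Dict[str, List[Event]] = defaultdict(list)
    for e in events:
        if e.action == "login_success":
            by_user[e.user].append(e)
    findings = []
    for user, logins in by_user.items():
        for prev, cur in zip(logins, logins[1:]):
            if prev.location != cur.location and cur.ts - prev.ts <= window:
                findings.append((user, prev.location, cur.location, cur.ts - prev.ts))
    return findings


def repeated_lockouts(events: List[Event], threshold=LOCKOUT_THRESHOLD,
                      window=LOCKOUT_WINDOW) -> Dict[str, int]:
    """Users with at least `threshold` lockouts inside any sliding `window`; value is the largest burst."""
    by_user: Dict[str, List[datetime]] = defaultdict(list)
    for e in events:
        if e.action == "lockout":
            by_user[e.user].append(e.ts)
    findings: Dict[str, int] = {}
    for user, times in by_user.items():
        for i, start in enumerate(times):
            burst = [t for t in times[i:] if t - start <= window]
            if len(burst) >= threshold:
                findings[user] = max(findings.get(user, 0), len(burst))
    return findings


def run(lines: List[str]) -> Dict[str, object]:
    """Collect all findings in a plain structure suitable for a timeline note or ticket."""
    events = parse_log(lines)
    return {
        "off_hours_logins": [(e.user, e.ts.isoformat()) for e in off_hours_logins(events)],
        "multi_location_logins": [(u, a, b, str(d)) for u, a, b, d in multi_location_logins(events)],
        "repeated_lockouts": repeated_lockouts(events),
    }


if __name__ == "__main__":
    for name, hits in run(SAMPLE_LOG).items():
        print(f"{name}: {hits}")
```

Each finding carries the user, the timestamps involved and the measured gap or count, which is the information an administrator needs to start the timeline the paragraph above recommends keeping.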
If it is determined that a breach has occurred or is in progress, there are several important rules to note and actions that should be taken:
- If possible, isolate compromised devices from the network (remove network cables or disable Wi-Fi) but do not switch them off.
- If using a wireless network, change the SSID (Service Set Identifier) on the access point for other machines that are using the same connection.
- Identify key personnel that will form a response team and give them specific roles and tasks.
- Do not alter anything on suspect systems. This can potentially alter or tamper with any evidence left behind during a breach.
- Collect evidence. Safeguard any affected systems to prevent further loss and collect any potential forensic evidence.
- Log everything. Throughout each phase of the detection and action process, take a moment to make a note of what is happening and what actions are being taken. This can help to organise the timeline of an attack and aid in identifying a source.
- Report internally. Inform senior management and stakeholders of observed incidents and any critical incidents having an impact on business.
- Evaluate if legal counsel should be consulted. If client data has been compromised, it may be necessary to consult counsel to determine next steps. You may also need to establish whether relevant law enforcement agencies should be notified.
- Be transparent. Take all reports of security incidents seriously and make sure all relevant personnel are notified and kept up to date.
These rules are not an exhaustive list but are designed to give you a solid foundation for how a breach should be handled. Once a breach has been identified and contained, you can begin the process of recovery and return to business as usual as quickly as possible. Look out for the final article in this series for information on recovering from a breach.