Top security priorities: responding to security incidents

In the last blog of the Top Security Priorities series, we’ll discuss common cyber attack vectors and the stages of incident response.

February 24, 2023, by Hannah Hamilton

While not all cyber attacks end in catastrophe, they are an inevitability for your organization. 2022 saw a 38% increase in cyber attacks with organizations experiencing hundreds or thousands of attacks per week. The sheer volume of attacks is why a strong incident response program is critical—after all, it only takes one successful attack of the many to wreak havoc on your business.

The Center for Internet Security states that the primary goal of incident response is to:

“identify threats on the enterprise, respond to them before they can spread, and remediate them before they can cause harm.”

In this blog, we’ll briefly discuss the types of common attacks and how to implement defenses against them.

What are the types of cyber attacks?

Ransomware

Ransomware sounds scary, and this type of malware seems to show up in the news frequently (though this type of attack is becoming less common). Indeed, it can cost organizations large sums of money and resources. This attack vector typically involves a user downloading a malware file that encrypts files on the user’s computer. The bad actors then demand money from the user or organization to decrypt the files.

Phishing and social engineering

As the most common attack, phishing and social engineering attacks rely on human error, goodwill and habits to deceive people into giving away their personal information—bank account username and password, for example. This can look as simple as a suspicious text or email or be as complex as a targeted campaign involving impersonation or intimidation.

Denial of service

A denial of service (DoS) attack aims to prevent access to a service by flooding it with traffic. Distributed DoS, or DDoS, attacks flood services from many different sources, making them particularly difficult to counter.

Man-in-the-middle (MitM)

MitM attacks consist of a third-party bad actor intercepting and altering communications between two parties. This type of attack can look like an email impersonating your bank, a DNS redirect to a spoofed site or a stolen browser cookie that can be used to log in to your account.

Insider threats

Insider threats can take many forms and occur when a user who deeply knows internal systems uses that knowledge to attack.

How can cyber attacks be prevented?

Cyber attacks can take other forms than what is discussed above, including ways that have not been well-documented or understood. Because of this, it’s necessary to have an incident response plan that reduces the likelihood of attack, mitigates the impact of a successful attack and adapts to the evolution of cyber attacks.

Preparation

As with many things in life, the first step is preparation. This is the stage where the response process is developed and documented. This can involve:

  • Hiring appropriate IT and Security staff and assigning responsibilities accordingly
  • Gathering all relevant stakeholder contact information
  • Implementing an issue tracking system
  • Developing a centralized and well-established process to contact relevant parties
  • Regularly training users on cybersecurity best practices and threats

There are also a number of tools and resources to consider, such as forensic and/or spare workstations, packet sniffers and protocol analyzers, and evidence-gathering accessories like notebooks, cameras or chain-of-custody forms.

A critical part of preparation is creating a baseline understanding of your network, devices and general behavior. NIST recommends having:

  • Port lists
  • Documentation for OSs, applications, protocols, and intrusion detection and antivirus products
  • Network diagrams and lists of critical assets
  • Current baselines of expected network, system and application activity
  • Cryptographic hashes of critical files to speed incident analysis, verification and eradication
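The last item above is easy to put into practice. The following is an added example (not code from the original post or from Jamf) that builds a SHA-256 baseline of every file under a directory and later diffs a fresh snapshot against it, so a responder can immediately see which critical files were modified, removed or dropped in. The directory layout and file contents are constructed for the demonstration.

```python
"""File-integrity baseline: hash critical files once, compare later."""
import hashlib
import tempfile
from pathlib import Path


def hash_file(path: Path) -> str:
    """Return the SHA-256 hex digest of a file, reading it in chunks."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root: Path) -> dict:
    """Map every regular file under root (relative POSIX path) to its digest."""
    baseline = {}
    for path in sorted(root.rglob("*")):
        # Skip symlinks so a link swapped in later cannot masquerade as the file.
        if path.is_file() and not path.is_symlink():
            baseline[path.relative_to(root).as_posix()] = hash_file(path)
    return baseline


def compare_baseline(baseline: dict, current: dict) -> dict:
    """Classify differences between the stored baseline and a new snapshot."""
    return {
        "modified": sorted(p for p in baseline if p in current and current[p] != baseline[p]),
        "missing": sorted(p for p in baseline if p not in current),
        "added": sorted(p for p in current if p not in baseline),
    }


def demo() -> dict:
    """Constructed scenario: baseline a tree, tamper with it, report the diff."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "etc").mkdir()
        (root / "etc" / "hosts").write_text("127.0.0.1 localhost\n")
        (root / "etc" / "sshd_config").write_text("constructed original content\n")
        baseline = build_baseline(root)          # taken during preparation
        # Simulated changes found during an incident: edit, delete, new file.
        (root / "etc" / "sshd_config").write_text("constructed changed content\n")
        (root / "etc" / "hosts").unlink()
        (root / "etc" / "dropped_file").write_text("unexpected\n")
        return compare_baseline(baseline, build_baseline(root))


if __name__ == "__main__":
    print(demo())
```

In practice the baseline dictionary would be written to storage the attacker cannot reach (for example, signed and kept off the monitored host) and refreshed after every approved change.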

Regular risk assessments and backups should be conducted and networks should be secured with strict authentication requirements and protections.

Protect and detect

Once a baseline is established, it’s easier to spot anomalous activity. Security information and event management (SIEM) and endpoint detection and response (EDR) software can monitor and analyze security events as they happen, notifying teams of potential threats. Establishing threat hunting practices, especially with the use of AI and machine learning, efficiently and proactively prevents exploitation of vulnerabilities and potential threats in your systems.

Respond

Even organizations with sophisticated defenses have to deal with incidents. Signs of an incident include:

  • Notifications from your SIEM, EDR or network intrusion software
  • Multiple failed login attempts from an unknown system
  • Filenames with unusual characters
  • Data loss or discrepancies
  • Inability to access company resources or accounts
  • Announcement of a new exploit relevant to your systems
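The second sign in the list, repeated failed logins from a system that is not in your inventory, is straightforward to detect once the baseline from the preparation phase exists. Below is an added example (not code from the original post or from Jamf) that counts failed password attempts per source address in constructed sshd-style log lines and flags only sources that are both unknown and above a threshold; the known-system set and the threshold of three are assumptions.

```python
"""Flag repeated failed logins from systems outside the known baseline."""
import re
from collections import Counter

# Constructed sample lines in a simplified syslog/sshd format (not real logs).
SAMPLE_LOG = """\
Feb 24 09:01:02 host1 sshd[1200]: Failed password for admin from 10.0.0.5 port 50122 ssh2
Feb 24 09:01:04 host1 sshd[1200]: Failed password for admin from 10.0.0.5 port 50123 ssh2
Feb 24 09:01:05 host1 sshd[1201]: Accepted password for alice from 192.168.1.20 port 51000 ssh2
Feb 24 09:01:07 host1 sshd[1202]: Failed password for root from 203.0.113.7 port 40001 ssh2
Feb 24 09:01:08 host1 sshd[1202]: Failed password for root from 203.0.113.7 port 40002 ssh2
Feb 24 09:01:09 host1 sshd[1202]: Failed password for root from 203.0.113.7 port 40003 ssh2
Feb 24 09:01:10 host1 sshd[1203]: Failed password for bob from 192.168.1.20 port 51001 ssh2
Feb 24 09:01:11 host1 sshd[1203]: Failed password for bob from 192.168.1.20 port 51002 ssh2
Feb 24 09:01:12 host1 sshd[1203]: Failed password for bob from 192.168.1.20 port 51003 ssh2
"""

# Assumed inventory of systems that normally authenticate (from the preparation phase).
KNOWN_SYSTEMS = {"192.168.1.20"}

FAILED_RE = re.compile(r"Failed password for (?P<user>\S+) from (?P<src>\S+) port")


def count_failures(log_text: str) -> Counter:
    """Count failed-login lines per source address; successful logins are ignored."""
    counts = Counter()
    for line in log_text.splitlines():
        match = FAILED_RE.search(line)
        if match:
            counts[match.group("src")] += 1
    return counts


def flag_unknown_sources(log_text: str, known_systems: set, threshold: int = 3) -> dict:
    """Return {source: failure_count} for unknown sources at or above the threshold.

    Known systems with failures (a user mistyping a password) are left for
    lower-priority review rather than raised as an incident sign.
    """
    counts = count_failures(log_text)
    return {src: n for src, n in counts.items()
            if src not in known_systems and n >= threshold}


if __name__ == "__main__":
    print(flag_unknown_sources(SAMPLE_LOG, KNOWN_SYSTEMS))
```

With the sample data, 203.0.113.7 is flagged; 10.0.0.5 stays below the threshold and 192.168.1.20 is excluded because it is in the baseline.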

After noticing an incident, it’s time to follow the response plan developed in the “preparation” phase, documenting each action along the way. Each sign of an incident should be examined and analyzed to understand its source (if possible) and impact. Compromised devices or servers should be quarantined if appropriate to prevent the spread of malware to other devices. Press and law enforcement should be notified if relevant.

Recover and reinforce

After containing any threats, it may be useful to restore your systems to a point before they were compromised using a clean backup. Any parts of your incident response process or toolset that impeded remediation of the event should be changed or removed, or additional tools that would have been useful should be added.

Key takeaways

  • Security incidents are inevitable for your organization
  • There are a number of attack vectors, with social engineering being the most common
  • Defending your organization requires defense on the network, server, device and user level
  • A well-developed incident response plan is critical for mitigating the impact of a cyber event
  • Monitoring and understanding your network and user behavior makes spotting anomalies easier
  • Tools like SIEM, EDR and network intrusion software help spot issues
  • Post-incident reviews make handling or preventing the next cyber event more effective and efficient
