Responding to a Cyber Attack

In honor of National Cybersecurity Awareness Month, Sayers will be releasing a series of short videos focused on various cybersecurity topics. In this episode, I’d like to provide you with some insight on how to RESPOND to a Cyber Attack.

It is almost inevitable that your organization will be affected (at some level or another) by a cyberattack.  The goal for all of us is to PREVENT as much as you can PROACTIVELY and MINIMIZE the damage for when your defenses have been compromise

While this message will focus on response, every organization should ensure they have an up-to-date Incident Response plan in place.  This IR plan needs to be comprehensive to accommodate various cyber events and incidents along with a clear communication and escalation plan.

The following are very high-level recommendations and actions that your organization should consider when responding to an elevated event, which could be a critical to catastrophic cyber incident.  The quicker your response, the better mitigation and damage control you’ll have.

1.       Stop the bleeding by isolating all infected computers. Depending on your specific environment, you can logically isolate the system, or even physically unplug the network cable immediately.

2.       Limit the Attacker’s movement. You minimize the attack surface by resetting affected user’s passwords, admin passwords, and service accounts to critical systems. Kill any active sessions, as authenticated users may still be reachable. And force MFA to users if this has not been done already. Be vigilant with security logs and detection tools deployed within your environment.

3.       Seek Third Party Assistance immediately, this could be your Incident Response contracted retainer organization and/or your legal counsel.

4.       Document everything.  You want to ensure all evidence is not tampered with or destroyed.  A Cyberattack could be an insider threat.  Ensure everyone reports any and all suspicious activity.

5.       Seek and Destroy. To ensure the attack has been contained, proactively hunt for threats and signs of malicious activity.

6.       Disclose the cyberattack, per your legal councils recommendations, to the relevant authorities, partners and clientele. A cyberattack often can result in a data breach, where sensitive information held by the organization is compromised. Comply with your regulatory requirements and be sure to disclose the breach to the proper entities.

7.       When restoring from backups, ensure you stage and sanitize the recovering data; adversaries could have been in your environment for weeks, months or even years.

8.       Lastly, it’s important to know if you become infected with ransomware, be cautious of paying the ransom up front; paying a ransom could also be an illegal activity. Remember, there are no guarantees that the files will be decrypted if you do pay the ransom. It also makes you vulnerable to being attacked again, as it marks you as an easy target. It’s best to immediately report the infection, seek assistance from an IT professional, consider the data lost and leverage your offline Backup and Recovery solution.

REMEMBER! Once the immediate danger is mitigated, it’s important to take the appropriate steps to help you prepare for a future attack. If you would like to learn more about Sayers and our service offerings such as preparing for, addressing, AND responding to a cyberattack… please visit www.sayers.com. Thank you.

REMEMEBER! Once the immediate danger is mitigated, it’s important to take the appropriate steps to help you prepare for a future attack. If you would like to learn more about Sayers and our service offerings such as preparing for, addressing, AND responding to a cyberattack… please visit www.sayers.com. Thank you.