Incident Response (IR) and The Art of Defense

“Attack is the secret of defense; defense is the planning of an attack,” Sun Tzu wrote in The Art of War. The idea of planning an attack is at the root of Incident Response (IR) strategizing. Tzu illustrated that “If you know the enemy and know yourself, you need not fear the result of a hundred battles. If you know yourself but not the enemy, for every victory gained you will also suffer a defeat. If you know neither the enemy nor yourself, you will succumb in every battle.”

This statement proved correct in 5th-century BC East Asian warfare, and it remains true in modern cybersecurity. To be cyber-resilient, a company needs to be well-versed in the threat actors it may face and the tools they use, as well as understanding its own vulnerabilities. Think of Incident Response strategy as the art of defense for a digital battlefield.

The threat landscape evolves continuously, and cyber threats grow increasingly sophisticated. Threat actors, whether hacktivists, state-sponsored groups, or cybercriminals after money and notoriety, often sneak onto networks undetected and perform lengthy reconnaissance. They use stealth to obtain legitimate credentials, enabling them to stay undercover for months, sometimes years. They have come for your most valuable data, whether that’s personally identifiable information, credit card and financial information, health data, corporate trade secrets, merger and acquisition information, or intellectual property.

The battleground landscape

Cyber-threats are on the rise. McAfee Labs’ 2018 Threats Report showed that disclosed incidents in the Public Sector rose by 150%, and in the Financial Sector disclosed incidents rose by 64%. Total coin miner malware increased by more than 4,400% in the past year. Ransomware continues to grow, rising 45% over 2018. New malware samples jumped in McAfee’s third quarter to approximately 63 million. In 2017, 21% of Canadian businesses reported that they were impacted by a cybersecurity incident which affected their operations. The scary part is that as of 2017, only 13% of Canadian businesses had a written policy in place to manage or report cybersecurity incidents. That means 87% of Canadian businesses are ill-prepared to defend against silent intruders. The truth is that even with basic cyber-defense tools in place, no network or device is entirely impermeable.

Many organizations rely on the expertise of a cybersecurity partner to ensure they have the highest level of protection in place. A good cybersecurity partner works with your company in reviewing existing security infrastructure, preparing identification and response plans, and implementing the IR tools and processes. By working with a security partner, you get specialized expertise and critical insight. ISA security experts recommend implementing a proactive Incident Response Plan (IRP) to ensure your company is protected, and just as important, should a security incident occur you are able to contain and recover quickly. The best IRP is actually cyclical – implement a robust and layered cyber defense, in the case of an attack or breach have effective remediation strategies in place, then reevaluate, continuously learning and improving.

Prepare to win

Take Tzu’s advice: “Knowing the enemy enables you to take the offensive, knowing yourself enables you to stand on the defensive.” Tzu would have been excellent at developing IRPs. Keep your defenses current with changing threats and have a clear vision of your environment and its vulnerabilities. Preparation means having a clear and specific plan in place before an incident occurs. Here are five necessary steps in developing an IR strategy, all centred on knowing your own institution.

Ensure that clearly defined roles and responsibilities are outlined, so there is no time wasted in confusion or duplication of work.

Have a clear and full picture of everything in your cyber environment, all endpoints, and network assets.

Know where your critical assets are stored.

Increase your logging and monitoring. Log everything from firewall acceptances and denials to internal web proxy logs.

Use tools that allow you to search your entire environment for indicators of compromise. If you don’t have that capability, and few companies do, then regularly check your environment for abnormal activity.
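As an added illustration of the logging and search steps above (this is example code, not part of the original article or ISA’s tooling), the following Python runs two simple detection checks over constructed firewall and web-proxy log lines and then prioritizes hosts that trip both. The log formats, addresses, domains, indicator list and deny threshold are all constructed assumptions.

```python
import re

# Constructed sample firewall log lines (not real data): timestamp, device,
# action, source, destination, destination port.
FIREWALL_LOG = """\
2019-03-04T02:11:05 fw1 DENY src=10.0.5.23 dst=10.0.9.10 dport=445
2019-03-04T02:11:06 fw1 DENY src=10.0.5.23 dst=10.0.9.11 dport=445
2019-03-04T02:11:07 fw1 DENY src=10.0.5.23 dst=10.0.9.12 dport=445
2019-03-04T02:11:08 fw1 DENY src=10.0.5.23 dst=10.0.9.13 dport=445
2019-03-04T02:11:09 fw1 ACCEPT src=10.0.5.23 dst=10.0.9.14 dport=445
2019-03-04T02:12:00 fw1 ACCEPT src=10.0.5.40 dst=10.0.9.10 dport=443
2019-03-04T02:12:01 fw1 DENY src=10.0.5.40 dst=10.0.9.10 dport=23
"""

# Constructed sample internal web-proxy log lines: source host and requested domain.
PROXY_LOG = """\
2019-03-04T02:13:00 proxy1 src=10.0.5.23 host=update.example-vendor.test status=200
2019-03-04T02:13:05 proxy1 src=10.0.5.23 host=c2.badexample.test status=200
2019-03-04T02:13:09 proxy1 src=10.0.5.40 host=www.example.test status=200
"""

# Hypothetical indicator-of-compromise list; in practice this comes from threat intelligence.
IOC_DOMAINS = {"c2.badexample.test"}

FW_RE = re.compile(r"(?P<ts>\S+) \S+ (?P<action>ACCEPT|DENY) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)")
PROXY_RE = re.compile(r"(?P<ts>\S+) \S+ src=(?P<src>\S+) host=(?P<host>\S+) status=(?P<status>\d+)")

def find_internal_scanners(fw_log, deny_threshold=3):
    """Flag internal hosts denied to >= deny_threshold distinct destinations on the
    same port: one crude sign of the internal reconnaissance the article describes."""
    denied = {}
    for m in FW_RE.finditer(fw_log):
        if m["action"] == "DENY":
            denied.setdefault((m["src"], m["dport"]), set()).add(m["dst"])
    return sorted(src for (src, _port), dsts in denied.items() if len(dsts) >= deny_threshold)

def match_proxy_iocs(proxy_log, iocs):
    """Return (source, domain) pairs where a proxy request hit a known indicator."""
    return sorted({(m["src"], m["host"]) for m in PROXY_RE.finditer(proxy_log) if m["host"] in iocs})

def prioritize(fw_log, proxy_log, iocs):
    """Hosts that both scan internally and reach an indicator go to the top of the triage queue."""
    scanners = set(find_internal_scanners(fw_log))
    beaconing = {src for src, _host in match_proxy_iocs(proxy_log, iocs)}
    return sorted(scanners & beaconing)

if __name__ == "__main__":
    print("scanners:", find_internal_scanners(FIREWALL_LOG))
    print("ioc hits:", match_proxy_iocs(PROXY_LOG, IOC_DOMAINS))
    print("priority:", prioritize(FIREWALL_LOG, PROXY_LOG, IOC_DOMAINS))
```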

Respond and remediate

“Ponder and deliberate before you make a move,” advised Tzu. Should an attack happen or your network be breached, your response must be swift while maintaining calm. You have done the preparation. Trust in your incident response strategy. This is why you’ve worked with professionals, like the experts at ISA, to create your plan.

Follow the evidence and determine what type of attack occurred and where. You must have the proper tools in place to identify and assess an attack. Without the proper tools, a threat, breach, or targeted attack could go undetected, or its source or attack vector could be unidentifiable. Learn as much as you can about your attacker, their intent and motives.

Keep the incident contained. Once you’ve identified the attack or breach and its scope, you must make haste to limit the damage and loss. Cybersecurity professionals use a variety of specialized tools and processes to curb attacks and corresponding damages.

Eradicate the attack. Once the malware or cybersecurity attack has been stopped, it has to be removed entirely from the environment. In most cases, that takes professionals with powerful tools to thoroughly cleanse a system.

Recovering and moving beyond

Tzu wrote, “Victorious warriors win first and then go to war, while defeated warriors go to war first and then seek to win.” The reality is there will be more cyber attacks in your company’s future. To win, you must first prepare and learn.

Recovery involves the restoration of data and network availability. This largely depends on the type of breach or attack and how damaging it was. It could mean restoring from backups, or it could mean having to re-install software or re-connect endpoints.

Return to the new normal. Learn from the experience and then set a long-term strategy to enhance your organization’s security overall and diminish future attacks.

Begin at a better beginning by returning to cybersecurity preparations. Going back to preparing isn’t simply coming full circle, because you now have a new way of seeing your environment, both its strengths and its vulnerabilities. Recognize the points of access and the failure points in your system. Go back and enhance the areas that let you down. Work at refining your IRP. Cyber threat actors continuously change how they infiltrate and engage, so your company needs to do the same and treat your IRP as a work-in-progress.

Prepare now or pay later. Your security and Incident Response strategy must evolve alongside the changing threat landscape. It’s important to speak with security experts who have a proven ability to monitor for security incidents, quickly identify threats, and respond immediately. Partner with cybersecurity professionals who have established processes, tools, and techniques, and who offer constant threat monitoring and detection from a 24/7 cybersecurity operations centre.

ISA has been offering cybersecurity services for over twenty-five years. They are masters in the art of defense and can help you create a customized, proactive incident response strategy.
