Intelligent CIO Europe Issue 4 - Page 105

FINAL WORD “ DDOS ATTACKS THAT EITHER DIRECTLY TARGET A COMPANY’S DIGITAL INFRASTRUCTURE, OR INDIRECTLY TARGET ITS SERVICE PROVIDERS, ARE ALSO A GROWING CONCERN. Tim Bandos, Senior Director of Cybersecurity at Digital Guardian to start your breach analysis is to consider who was behind the attack. With this knowledge, you will be able to build a better “ PARTICULARLY SAVVY ATTACKERS MAY PURPOSELY ENGAGE IN A CYBERATTACK DURING NATIONAL HOLIDAY PERIODS WHEN THEY KNOW SECURITY PERSONNEL COULD BE SHORT- STAFFED AND ON LOW ALERT. picture of the entire incident. Also, the tactics and targets of a lone cybercriminal will differ greatly to state-sponsored attackers, which will in turn differ to hacktivists. attacks to target the weakest link in the security chain: the end-user. What? The motive of an attack is an important piece of information for any external announcements that might need to be made. Having these details is also very helpful when it comes to justifying your incident response plan or recommendations for additional security spending to company executives. For the most part, financial motive is still the top reason for attacks against companies; even state-sponsored attacks are financially-driven in some sense. It may take years and cost millions of pounds to develop the intellectual property and customer base that can be stolen in a mere matter of hours. There is a myriad of different attack techniques that target different weaknesses, so it is important to pinpoint exactly what caused the incident. Defacing websites has fallen out of fashion in favour of ransomware and data theft. DDoS attacks that either directly target a company’s digital infrastructure, or indirectly target its service providers, are also a growing concern. More recently, attackers have started to implement mass data destruction attacks which can seriously damage a business. Why? When? How? Understanding the timing is all part of building a better picture of the incident. There are no holidays in the global hacking community, though particularly savvy attackers may purposely engage in a cyberattack during national holiday periods when they know security personnel could be short-staffed and on low alert. Timing is also an important factor to consider if you do need to notify business partners and customers that their data has been compromised. Where? In order to effectively remediate you need to create a detailed step-by-step outline of exactly how the hacker attacked or breached your company. The tactics are evolving and some of the old tricks are making a comeback. Making matters worse, the black market for toolkits and ‘hackers for hire’ means that anyone can buy the technical savvy they need. Disgruntled employees, lost or stolen devices and unintentional sharing of sensitive information are other possible causes of an attack. Arguably, the most important questions to answer following an attack or breach is where it was targeted. This will involve an in-depth review of your entire attack surface; consider your network, your remote workers, your partners, your suppliers and even whether an infected USB stick could be to blame. Today, the most common entry point is email, for which hackers craft phishing Without an incident response plan in place, panic can set in and the wrong decisions may be made, leading to severe consequences. By focusing on these six questions in the immediate aftermath of a data breach or cyberattack, incident response teams minimise the likelihood of emotional-drive actions or mistakes, allowing for more effective remediation. n INTELLIGENTCIO 105