Incident Response
Ron LaPedis
As far as we know, a NonStop server has never successfully been hacked. But as much as we wish it did, NSK does not sit in a vacuum. Surrounding it are Linux, Unix, Windows and other lesser computer systems, not to mention networking gear and the leakiest component of all, humans.
Cyber Response? No – Be proactive, not reactive
Typically, when IT infrastructure is hacked, the security boys and girls start running around trying to figure out what happened, how to minimize the damage and get the systems back to normal. Business continuity professionals have been using a different approach for years:
1. Assess
2. Plan
3. Practice
4. Execute
5. Repeat steps 1-4
In other words, business continuity professionals are proactive, while security professionals tend to be reactive. When Maersk was hit by NotPetya ransomware in 2017, it shut down its entire network to protect its applications from being infected. “We didn’t kick in the backup system because we feared it would be infected as well,” said Vincent Clerc, Chief Commercial Officer and Executive Vice President.
Assess, plan and practice – build muscle memory
Since ransomware is a possible attack vector, shouldn’t every cyber team assess, plan and practice what would happen and how they would recover if their organization was hit by it?
If Maersk’s team had practiced recovering from a ransomware attack, they should have known exactly what would happen if the backup systems were brought up. And if they were infected during a test, the team also should have determined what steps to take to prevent that from occurring. Instead, the company resorted to a mostly manual system and NotPetya-related costs contributed to a $264 million quarterly loss.
Let us assume that your SIEM (security information and event management system) sounds the alarm in the middle of the night. What do you do? Because you have assessed and planned, you know exactly what to do. You initiate your incident response plan and depending on the parameters of the attack you might take immediate action before you notify the incident management team. Larger organizations might have “follow the sun” teams so instead of getting people out of bed, a team already at work could take ownership of the problem.
Be careful not to press the wrong button …
Target started out right but then dropped the ball. They implemented a SIEM which was monitored by an around-the-clock team in Bangalore. The system flagged multiple incidents over a 4-day period in late 2013 and the Bangalore team alerted the security team at Target’s corporate headquarters in the US.
Unfortunately, not only did Target’s security team fail to act on the warnings from Bangalore, they also had disabled a feature that would have automatically eliminated the malware upon detection without any human intervention.
So, what does your incident response plan look like? Do you even have an incident response plan – and a team which has practiced executing it? Whether you have only started planning or actually have one in place, this webinar might give you some additional tips and tricks to help you protect your organization.