Tis the season for cybersecurity and IT teams have to send out a company-wide email: “No, our CEO does NOT want you to buy gift cards.” As much of the workforce signs off for the holidays, hackers are stepping up their game. We will see an increase in activity as hackers continue to introduce e-commerce scams and holiday-themed phishing attacks. Hackers love to use these tactics to trick end users into compromising not only their personal data but also their organization data.
Use this time of year as an opportunity to ensure that your Incident Response (IR) plan is complete and updated. Here are some actions items for your team:
Preparation: This is the first phase and involves reviewing existing security measures and policies; performing risk assessments to find potential vulnerabilities; and establishing a communication plan that lays out protocols and alerts staff to potential security risks. During the holidays, the preparation stage of your IR plan is crucial as it gives you the opportunity to communicate holiday-specific threats and put the wheels in motion to address such threats as they are identified.
Identification: The identification stage is when an incident has been identified either one that has occurred or is currently in progress. This can occur a number of ways: by an in-house team, a third-party consultant or managed service provider, or by the worst case scenario, because the incident has resulted in a data breach or infiltration of your network. Because so many holiday cybersecurity hacks involve end-user credentials, it is worth dialing up safety mechanisms that monitor how your networks are being accessed.
Containment: The goal of the containment stage is to minimize damage done by a security incident. This step varies depending on the incident and can include protocols such as isolating a device, disabling email accounts, or disconnecting vulnerable systems from the main network. Because containment actions often have severe business implications, it is imperative that both short-term and long-term decisions are determined ahead of time so there is no last minute scrambling to address the security issue.
Eradication: Once you have contained the security incident, the next step is to make sure the threat has been completely removed. This may also involve investigative measures to find out who, what, when, where and why the incident occurred. Eradication may involve disk cleaning procedures, restoring systems to a clean backup version, or full disk reimaging. The eradication stage may also include deleting malicious files, modifying registry keys, and possibly re-installing operating systems.
Recovery: The recovery stage is the light at the end of the tunnel, allowing your
organization to return to business as usual. Same as containment, recovery protocols are best established beforehand, so appropriate measures are taken to ensure systems are safe.
Lessons learned: During the lessons learned phase, you will need to document what happened and note how your IR strategy worked at each step. This is a key time to consider details like how long it took to detect and contain the incident. Were there any signs of lingering malware or compromised systems post-eradication? Was it a scam connected to a holiday hacker scheme? And if so, what can you do to prevent it next year? Incorporating best practices into your IR strategy is one thing. But building and then implementing these best practices is easier said than done when you do not have the time or resources. Leaders of smaller security teams face additional challenges triggered by these lack of resources. Bare-bones budgets compounded by not having enough staff to manage security operations is leaving many lean security teams feeling resigned to the idea that they will not be able to keep their organization safe from the onslaught of attacks we often see during the holiday season.
There are resources available for all organizations such as:
Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization. For questions, comments or assistance, please contact the office directly at 1-844-492-7225, or feedback@wapacklabs.com
Weekly Cyber Intelligence Briefings:
- Reporting: https://www. redskyalliance. org/
- Website: https://www. wapacklabs. com/
- LinkedIn: https://www. linkedin. com/company/64265941
Weekly Cyber Intelligence Briefings:
REDSHORTS - Weekly Cyber Intelligence Briefings
https://attendee.gotowebinar.com/register/5504229295967742989
source: https://thehackernews.com/2022/12/accelerate-your-incident-response.html
Comments