Reader’s Note: I am writing this article in reverse order today. Please review Part 1 and begin following its recommendations today; then maybe Part 2 will not be necessary.
Part 1
Red Sky Alliance has been analyzing and documenting cyber threats for 9 years and maintains a resource library of malware and cyber actor reports, available at https://redskyalliance.org at no charge. In fact, the RedPane tool now scrapes over 40 dark web forums, collecting proactive data that can be used to defend a network before an attack is initiated.
What can you do to better protect your organization today?
- All data in transit and at rest should be encrypted.
- Proper data backup and off-site storage policies should be adopted and followed, including offline or immutable copies that ransomware running on the network cannot reach.
- Implement two-factor authentication company-wide.
- For USA readers, join and become active in your local InfraGard chapter; there is no charge for membership: infragard.org
- Update disaster recovery plans and emergency procedures with cyber threat recovery procedures. And test them.
- Institute cyber threat and phishing training for all employees, with testing and periodic updates.
- Recommend or require cyber security software, services and devices for all employees and consultants working from home.
- Review and update your cyber threat and information security policies and procedures. Make them a part of all emergency planning and training.
- Ensure that all software updates and patches are installed promptly, starting with internet-facing systems.
- Enroll your company/organization in RedXray for daily notifications of cyber threats directed at your domains. The RedXray service costs $500 a month and provides threat intelligence on nine (9) cyber threat categories, including keyloggers, without having to connect to your network. You can enroll online at https://www.wapacklabs.com/redxray
- Purchase annual cyber insurance coverage from Red Sky Alliance, provided by Cysurance. You can buy it online at https://www.wapacklabs.com/cyber-insurance
Part 2
What to Do After Your Business Is Hacked
As businesses move to a remote workforce, hackers have increased their activity to capitalize on new security holes. Cybercriminals often use unsophisticated methods that continue to be extremely successful. These include phishing emails to harvest credentials and gain easy access to business-critical environments.
Hackers are also using ransomware to hold your data hostage, demanding a ransom payment in exchange for a decryption key that unlocks your encrypted data, and increasingly they copy the data out first so they can threaten to publish it as well.
When dealing with a cyberattack, there are practical steps you want to follow.
What do these steps include?
- Quickly contain and isolate critical systems
- Report the hack to your customers and business stakeholders
- Engage the help of law enforcement
- Enact your disaster recovery and business continuity plans
- Analyze the attack, and remediate
Quickly contain and isolate critical systems
This first step is the most urgent: quickly contain and isolate critical systems. If you discover ransomware or other evidence of the hack on your network, there is a chance it has not yet reached all business-critical data and systems.
Isolate known infected clients from the network as soon as possible. Prefer disconnecting them (pulling the cable, disabling the port or applying a host firewall rule) over powering them off, since a running machine preserves memory and other volatile evidence for the later analysis. This prevents the infection or malicious code from spreading from the isolated clients.
Using a systematic approach of isolation and containment while cleaning up the infection is one of the best ways to regain control of the network and eliminate lingering malicious code.
Report the hack to your customers and business stakeholders
Time and again, organizations are judged on how they handle a system hack or data breach. Reporting security incidents is always the best approach; organizations suffer negative consequences for any type of cover-up or delay in disclosing information.
While not pleasant, disclosing security incidents as quickly as possible creates an atmosphere of transparency that generally reflects well on the organization in the long run. Organizations may also be legally required under compliance regulations (state breach-notification laws, GDPR, HIPAA and similar) to report a breach within a fixed time window, so check which ones apply to you before the incident, not during it.
Engage the help of law enforcement
If your business is the victim of a cyberattack, engaging law enforcement is an important step. Agencies such as the Federal Bureau of Investigation (FBI) in the United States can open the door to resources that help with the aftermath of the attack. Do not expect much hands-on help, though, as they are busy with high-dollar, high-profile national ransomware attacks.
The FBI and other organizations can help investigate cyberattacks and intrusions. They work to collect and share intelligence for the greater good, unmasking the individuals and groups responsible for malicious cyber activity. This is why you should join www.infragard.org.
Alerting these agencies to a cyberattack serves the greater good of bringing cybercriminals to justice.
Enact your disaster recovery and business continuity plans
It is essential to develop an effective disaster recovery plan as part of your overall business continuity plan. The disaster recovery plan outlines the steps needed to operate the business with degraded systems or missing business-critical data. Where are your offline backups, and when did you last restore from them?
After discovering a hack of your business, the disaster recovery plan should be enacted. These plans reestablish business continuity as soon as possible. They also get everyone on the same page for streamlining business processes, even in a degraded state. Remember the importance of keeping these plans updated.
Analyze the attack, and remediate
After system integrity has returned to normal and the immediate security threat has been removed, businesses will want to analyze the attack and remediate any vulnerabilities it exploited.
This root-cause analysis will help determine the weaknesses in the cybersecurity posture: how the attacker got in, what they touched, and which control failed to stop or detect them.
Organizations need to assess weaknesses in security continuously. No matter how large or small, any type of breach or successful attack should be used to understand where the security posture can be improved.
Improving password security – a necessary step
All passwords should be changed immediately after a compromise, following industry guidelines:
- Change it regularly, once every three to six months. Note that current NIST SP 800-63B guidance drops mandatory periodic rotation in favor of screening new passwords against breached-password lists and forcing a change only on evidence of compromise; if you keep a rotation schedule, screen as well.
- Change it if you have the slightest suspicion that the password has become known by a human or a machine.
- Never use it for other websites.
- Avoid typing it on computers that you do not trust; for example, in an Internet café.
- Never save it for a web form on a computer that you do not control or that is used by more than one person.
- Never tell it to anyone.
- Never write it down; if you need to keep track of many unique passwords, use a password manager rather than a note.
Better still, institute two-factor authentication for all users.
Compromised credentials are a significant root cause of modern data breaches. IBM's Cost of a Data Breach Report 2020 noted:
"One in five companies (19%) that suffered a malicious data breach was infiltrated due to stolen or compromised credentials, increasing the average total cost of a breach for these companies by nearly $1 million to $4.77 million. Overall, malicious attacks registered as the most frequent root cause (52% of breaches in the study), versus human error (23%) or system glitches (25%), at an average total cost of $4.27 million."
Organizations must bolster account security, including preventing weak or previously breached passwords from being used in the environment. All too often, end users choose weak passwords. Hackers routinely take previously breached passwords, which are readily available on the web, and try them in password spraying attacks (a few common passwords against many accounts) and other account-based attacks.
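As an added example (not Red Sky Alliance code), the Python below shows one way to screen new passwords against a breach corpus using the k-anonymity range-lookup pattern used by services such as the Pwned Passwords range API: only the first five hex characters of the password's SHA-1 hash go to the lookup service, and the match is finished locally, so neither the password nor its full hash is disclosed. The breach corpus, the leaked sample passwords and counts, and the blocked context words are all constructed for the example; a real deployment would call the external service or an offline copy of the corpus in `range_lookup`.

```python
"""Screen a candidate password against a breach corpus using the
k-anonymity range-lookup pattern (only the first 5 hex characters of the
SHA-1 hash are sent to the lookup service; the match is done locally).

Added example; not Red Sky Alliance code. The corpus below is a constructed
stand-in for a service such as the Pwned Passwords range API, and the
sample passwords and counts are made up for the example.
"""
import hashlib
from typing import Dict, Tuple


def sha1_hex(password: str) -> str:
    """Upper-case hex SHA-1 digest, the format breach-corpus lookups use."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


# Constructed leak data: password -> number of breaches it was seen in.
# A real corpus stores only hashes; plaintext is kept here for readability.
_CONSTRUCTED_LEAKS = {
    "password1": 2_400_000,
    "Summer2020!!": 18_000,
    "Welcome123456": 65_000,
    "letmein": 300_000,
}
CONSTRUCTED_BREACH_CORPUS: Dict[str, int] = {
    sha1_hex(p): n for p, n in _CONSTRUCTED_LEAKS.items()
}


def range_lookup(prefix: str) -> str:
    """Simulate the range endpoint: for a 5-hex-char prefix, return every
    matching hash suffix and its count as CRLF-separated 'SUFFIX:COUNT'
    lines. The service learns only that the hash starts with these five
    characters (one of 16**5 buckets), never the full hash."""
    if len(prefix) != 5:
        raise ValueError("prefix must be exactly 5 hex characters")
    lines = [
        f"{digest[5:]}:{count}"
        for digest, count in CONSTRUCTED_BREACH_CORPUS.items()
        if digest.startswith(prefix)
    ]
    return "\r\n".join(lines)


def breach_count(password: str) -> int:
    """Number of times the password appears in the corpus (0 = not found).
    Only the prefix leaves the client; the suffix comparison is local."""
    digest = sha1_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    for line in range_lookup(prefix).splitlines():
        if not line:
            continue
        found_suffix, count = line.split(":", 1)
        if found_suffix == suffix:
            return int(count)
    return 0


# Assumed context words a screener should also block; an organization
# would substitute its own names, products and locations.
BLOCKED_CONTEXT_WORDS = ("redsky", "wapack", "company")


def screen_password(password: str, min_length: int = 12) -> Tuple[bool, str]:
    """Return (accepted, reason). Rejects short, context-derived and
    breached passwords and accepts everything else: screening in the
    style of NIST SP 800-63B rather than composition rules."""
    if len(password) < min_length:
        return False, f"shorter than {min_length} characters"
    lowered = password.lower()
    for word in BLOCKED_CONTEXT_WORDS:
        if word in lowered:
            return False, f"contains blocked word '{word}'"
    seen = breach_count(password)
    if seen:
        return False, f"found in {seen} known breaches"
    return True, "ok"


if __name__ == "__main__":
    candidates = ("Welcome123456", "password1", "RedSky-Rocks-2021",
                  "tundra-lamp-gravel-9")
    for candidate in candidates:
        print(f"{candidate!r}: {screen_password(candidate)}")
```

Run the file to see the four constructed candidates screened. In practice `screen_password` sits in the password-set and password-reset path of the identity provider; because only the five-character prefix is ever sent out, the check can be run against an external corpus without the service learning which password was tested.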
Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization. For questions, comments or assistance, please contact the lab directly at 1-844-492-7225, or feedback@wapacklabs.com
Weekly Cyber Intelligence Briefings:
- Reporting: https://www.redskyalliance.org/
- Website: https://www.wapacklabs.com/
- LinkedIn: https://www.linkedin.com/company/64265941
REDSHORTS - Weekly Cyber Intelligence Briefings
TR-21-169-001_Before_Hacked.pdf