Incident Response Plays a Key Role in Effective Cybersecurity
Experts say that a security breach is virtually inevitable — that it’s a matter of “when” not “if.” However, rapid detection and response to a security incident can greatly reduce its impact, as GDS proved recently when it stopped a ransomware attack.
Security Breach Data
Law firm BakerHostetler recently published its 2019 Data Security Incident Response Report, with insights gained from the analysis of 750 cybersecurity incidents that occurred in 2018. Now in its fifth year, the report provides metrics on the root causes of cyberattacks, and recommendations for implementing an incident response plan that minimizes risk.
According to the report, phishing was the leading cause of security incidents at 37 percent, followed by network intrusion (30 percent) and inadvertent disclosure of information (12 percent). In 55 percent of incidents an employee was the root cause, either by falling for a phishing or social engineering lure or by making a simple mistake.
Ransomware remains a serious threat. Most ransomware strains are distributed through phishing campaigns, in which a user is tricked into clicking a link or opening an attachment that drops the malware onto the user’s device. There are exceptions: Ryuk, for example, is deployed by hand in targeted attacks, after the attackers have gained a foothold and spent time reconnoitring the network. GDS recently detected and stopped a Ryuk ransomware attack, enabling the company to recover quickly without any data loss.
The Ryuk attack shows the critical importance of an effective incident response strategy. Incident response is the process of addressing a cyberattack in order to minimize downtime, damage and costs. It begins with proper preparation and planning, so that key personnel know the procedures they should follow when a security breach occurs.
The incident response plan should define what constitutes an “incident,” which might include data exfiltration, unauthorized access, malware infection, denial-of-service attacks and other security-related events. Incidents should be categorized based upon:
- The type of data involved
- The type of perpetrator responsible
- The scope of the event
- Any legal or regulatory compliance requirements that may be implicated
Once a potential incident has been identified, the response team should rapidly and thoroughly investigate the event in order to understand what they are dealing with. In the Ryuk incident, the GDS team reviewed the company’s security event logs as soon as the malware was detected, and found at least one compromised user account and several infected machines.
After the investigation is complete, the IT team can work to contain and eradicate the problem and recover systems, applications and data. In the Ryuk incident, GDS cleaned the affected systems and blocked the malicious IP addresses and geo-locations involved. GDS also had users change their passwords and restored data from backup to get the company’s server up and running.
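The investigation and containment steps above can be made concrete with a small log triage. The following is an added example, not GDS’s tooling or anything from the incident described; the log lines are constructed for illustration, the log format (timestamp, user, source IP, host, event) and the corporate address ranges are assumptions, and the thresholds are illustrative. It scans the events for an account that fans out across many hosts in a short window (the lateral-movement pattern that precedes a hands-on ransomware deployment), then derives the containment actions the text mentions: accounts to reset, external IP addresses to block, and hosts to isolate.

```python
"""Triage of security-event logs after a malware alert.

Added example, not GDS's tooling. The log lines are constructed for
illustration and use the assumed format:
    <ISO timestamp> <user> <source IP> <host> <event>
"""
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed sample: one user reaches four hosts in seven minutes from a
# VPN session that originated outside the corporate ranges, after which two
# of those hosts raise a malware alert.
SAMPLE_LOG = """\
2019-05-03T02:14:05 jdoe 203.0.113.45 VPN01 logon_success
2019-05-03T02:16:40 jdoe 10.0.0.5 FS01 logon_success
2019-05-03T02:19:12 jdoe 10.0.0.5 WS-HR-04 logon_success
2019-05-03T02:21:33 jdoe 10.0.0.5 WS-FIN-07 logon_success
2019-05-03T02:22:01 jdoe 10.0.0.5 DC01 logon_failure
2019-05-03T02:25:48 svc_backup 10.0.0.9 FS01 logon_success
2019-05-03T02:31:10 asmith 10.0.0.22 WS-HR-04 logon_success
2019-05-03T02:40:02 jdoe 10.0.0.5 FS01 malware_detected
2019-05-03T02:41:15 jdoe 10.0.0.5 WS-FIN-07 malware_detected
"""

# Assumed corporate address space (an assumption for the example).
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"),
                 ip_network("192.168.0.0/16")]


def parse_log(text):
    """Parse whitespace-separated log lines into dicts, sorted by time."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, src, host, event = line.split()
        events.append({"time": datetime.fromisoformat(ts), "user": user,
                       "src": src, "host": host, "event": event})
    return sorted(events, key=lambda e: e["time"])


def is_external(ip):
    """True if the address is outside the assumed corporate ranges."""
    addr = ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def find_compromised_accounts(events, max_hosts=3, window=timedelta(minutes=30)):
    """Flag accounts that log on to more than max_hosts distinct hosts
    within any sliding window. Human accounts rarely fan out like this;
    an attacker moving laterally before dropping ransomware does."""
    logons = defaultdict(list)
    for e in events:
        if e["event"] == "logon_success":
            logons[e["user"]].append(e)          # already time-ordered
    flagged = set()
    for user, evs in logons.items():
        for i, start in enumerate(evs):
            hosts = {x["host"] for x in evs[i:]
                     if x["time"] - start["time"] <= window}
            if len(hosts) > max_hosts:
                flagged.add(user)
                break
    return flagged


def build_containment_plan(events):
    """Derive containment actions from the triage: reset the compromised
    accounts, block the external sources they used, and isolate every host
    that raised a malware alert or that a compromised account logged on to."""
    compromised = find_compromised_accounts(events)
    ips_to_block = {e["src"] for e in events
                    if e["user"] in compromised and is_external(e["src"])}
    hosts_with_malware = {e["host"] for e in events
                          if e["event"] == "malware_detected"}
    hosts_touched = {e["host"] for e in events
                     if e["user"] in compromised and e["event"] == "logon_success"}
    return {
        "accounts_to_reset": compromised,
        "ips_to_block": ips_to_block,
        "hosts_with_malware": hosts_with_malware,
        "hosts_to_isolate": hosts_with_malware | hosts_touched,
    }


if __name__ == "__main__":
    plan = build_containment_plan(parse_log(SAMPLE_LOG))
    for key, value in plan.items():
        print(f"{key}: {sorted(value)}")
```

Note that the plan isolates every host the compromised account reached, not only the two that raised alerts: a machine that was touched but shows no alert yet is exactly where a hands-on operator stages the next step, so it is cleaned and verified before it goes back into service. The address ranges and the three-hosts-in-thirty-minutes threshold are assumptions that would be tuned to the environment.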
The BakerHostetler report found that non-network-intrusion incidents took an average of 64 days to detect, down slightly from 66 days the previous year, while network intrusions took 90 days to detect, up from 84 days the previous year. The law firm recommends that organizations monitor their systems for suspicious activity and be prepared to act quickly when an incident occurs, in order to shorten that detection window and reduce the impact of an attack.
The GDS managed security services team uses sophisticated monitoring tools and works around the clock to detect and respond to security incidents. Contact us to discuss how we can help prevent the inevitable cyberattack from becoming a business-crippling disaster.