A CEO’s 5 Golden Rules in Managing a Cybersecurity Crisis

By Haider Pasha
While we can only speculate about the success rate of incidents that were kept secret, there’s enough evidence to show this: most large enterprises that tried to keep a cyber crisis secret and were exposed afterwards suffered major reputational damage.
 
Moreover, you have to manage all relevant internal stakeholders and vendors to comply with potential regulations for obligatory reports. Some regulators ask for extremely fast reports, such as the Monetary Authority of Singapore (MAS), which demands notification within a few minutes.
 
But there are many technical variables you can’t control. For example, a range of impactful cyber breaches such as Stuxnet were reported by security researchers who identified evidence of a compromise based on external telemetry and malware samples.
 
Treating your cyber crisis transparently will bring you benefits such as public support by authorities, researchers and customers.
But you need to be ready to take the pressure in communication and execution.
 
Rule 3: Access cybersecurity expertise.
 
Most companies employ their own CISO and security staff who will respond to the cyber crisis. But let me ask you a question: did your staff really see the full cyber crisis and experience it end-to-end? If you have not run proper tabletop exercises yet and your team has never dealt with a cyber crisis, don’t try to work it out alone. Instead, consider using the following stakeholders in the crisis process:
 
Cybersecurity incident and crisis experts: Reporting of the crisis and technical analysis can likely be done more effectively by external companies that have dealt with similar situations or the same threat actor. For instance, most companies lack legal experience or are not familiar with the Tactics, Techniques and Procedures (TTPs) of the threat actor.
 
Security vendors: Most companies are shy to consider security vendors as partners. The reality is that security vendors are perhaps the best partners to help you mitigate the threat, given their experience with your security controls.
 
Peers: Cybersecurity is a team sport, so we have to be humbler when working with our peers or even competitors. Most of the threats your organization faces have already hit some of your peers. Engaging peers and asking for help is critical.
 
Law enforcement: In many countries, engagement of law enforcement is more of a formal act to register the incident. However, some countries have strong capabilities that focus not only on investigation of the threat actors but also on helping defend your networks. To address the problem of cybersecurity in a sustainable way, it is always good to engage with law enforcement during or after an incident.
 
Rule 4: Use smart containment.
 
Containing a cyber crisis could take years if you randomly follow all recommendations available out there.
How do you challenge your CISO on the balance between incident containment and keeping the business going and avoiding panic mode?
 
Instead of doing everything, your task force can apply a risk-driven containment approach addressing the most important questions:
1. Why were we hacked?
2. What are our crown jewels, and were they impacted?
3. How do we mitigate the threat?
 
In order to understand how to mitigate the threat, you have to triage the first and second questions properly. Sometimes it is even required to keep the attacker in your own network for a while in order to determine his true motivations. If the motivation is destructive, you had better get him off the network as soon as possible.
 
For all targeted attacks aimed specifically at your company and with a defined purpose, such as trying to steal information for espionage or to sabotage the IT system, there is one key question you should always ask your CSO: have we identified patient zero?
 
Similar to virus outbreaks in the human world, patient zero can help you reconstruct the path of attack and identify potential hidden backdoors the attacker created as a backup in your network in case he gets identified. If your task force can’t identify patient zero, they won’t be able to confirm whether the attacker is still in the network or determine the full scope of the attack.
 
Rule 5: Be safe, don’t be sorry.
 
How has the cyber breach impacted your business from a reputational, legal, financial and technical point of view? Have you lost money because you weren’t able to run a server for the last 20 hours?
 
Estimate the overall cost of the attack, including any ongoing operational impact from time lost on important projects. This analysis is not only required if you have hedged your cyber risk with insurance; it will also help you derive the investment required in cybersecurity.
 
In the end, most organizations that experience a cyber crisis significantly increase their cybersecurity investment. Focusing on principles such as Zero Trust, improving cyber hygiene, and simplifying security processes and technologies are some of the most important, and most basic, things to do.
 
Cyber resilience in a nutshell
 
No matter your industry, a proper cyber resilience plan is a must if you want to be prepared for the worst-case scenario. Reducing the scope of damage caused by a cyberattack is the primary aim of a cyber resilience plan. Attempting to secure the network is one thing, but activating a well-thought-out and stress-tested business-continuity plan in the event of an attack can save your organization enormous amounts of money and time. So be well prepared.
 
Haider Pasha is regional chief security officer, Middle East & Africa region, for Palo Alto Networks.
