Page 46 - GCN, March and April 2017

tactics
CYBERSECURITY
What to do after a cyberattack
Experts offer advice on how to keep a bad situation from getting worse — and how to better prepare for the next incident
BY KAREN EPPER HOFFMAN
It makes sense that information security professionals focus first on preventing a breach — or at least reducing the chances of one happening. But as hackers become more wily, sophisticated and pervasive, it’s just a question of when a hack will occur.
Jim Crook, senior product marketing manager at cloud storage and data protection company CTERA, said FBI statistics tell a chilling story: Ransomware victims lost $209 million in the first quarter of 2016 — nearly 10 times the losses of $24 million for all of 2015.
“It is a global epidemic that every organization has either already faced or will almost certainly face as the pace of cyberattacks increases on a daily basis,” Crook said.
With that in mind, government leaders must carefully consider their approach to the inevitable and know what to do after a hack is discovered.
As soon as a breach is detected, “it’s important to first resolve the problem, which means identifying the source of the data leak and how it can be better protected,” said Cynthia James, general manager at KGSS, the exclusive provider of Kaspersky Lab’s real-time cyberthreat intelligence to the U.S. government. Information security teams “have to be able to understand what happened during a breach in order to prevent it from happening again.”
If the breach was a result of ransomware, she said victims should not pay the cybercriminals the ransom money they demand. “While some threat actors will try to convince you that you can buy your way out of this problem — paying a ransom to get back your data — too often the hijacked digital materials come back compromised or damaged,” James said. “Sometimes they don’t come back even once the ransom is paid.”
To protect against damage from such attacks, “government agencies should have a strong incident response plan at the ready once a hack does occur and implement it as soon as confirmation of a breach is received,” she said. “This plan usually entails actions from various departments, including IT, government officials, legal, communications and other departments within a government agency.”
“Sadly, most groups are never prepared for the first incident,” which can go undetected for some time, said Richard Henderson, global security strategist at Canadian endpoint security firm Absolute Software. “In both private and public organizations, the first major breach may have persisted for a lot longer than was first thought.”
In some cases, it’s a third party that picks up on signs of a breach and notifies the managers of the hosting environment. “That’s embarrassing on many levels,” he added.
The issue is not exclusive to government agencies, with their limited budgets and overextended teams, Henderson said. Indeed, plenty of corporations have “fallen victim to similar undetected breaches. This is why it’s absolutely essential to be prepared now and have all your pieces in place before the unspeakable happens.”
He said “red teaming” — where internal teams test security and vulnerabilities — can reveal weaknesses in an agency’s defense that might not have