
A Practical Guide to Cyber Incident Response

by Valentin / Saturday, 25 May 2024 / Published in RSS blog posts

Expert insight from our cyber incident responder

Cyber attacks and data breaches are a matter of when, not if.

No single measure is 100% foolproof. A determined attacker will always be able to find their way around your defences, given enough time and resources.

Furthermore, as Vanessa Horton, our cyber incident responder, pointed out in an interview about anti-forensics:

The cyber world is changing all the time, which means we’re playing a bit of a cat-and-mouse game. Basically, as one side improves, so does the other.

In this interview, I pick her brain on cyber incident response more generally, gaining her expert insight into the ‘what’, ‘how’ and ‘why’, along with practical, real-life examples.

About Vanessa Horton

Vanessa holds a degree in computer forensics, as well as a number of cyber security and forensics qualifications.

She’s worked for the police as a digital forensics officer, where she was involved in complex crime cases. Vanessa was also awarded a Diamond Award and an Excellence in Service Delivery Award.

Now, she’s part of our cyber incident response team, helping clients with their cyber security requirements.

In this interview

Misconceptions

Protection

Detection

Threat types

Planning

Training

Common errors

Digital forensics

Incident response process

Cyber incident response misconceptions

What common misconceptions do you see around cyber incident response? Or in your line of work generally?

The big one is the [misplaced] belief that ‘it’s not going to happen to us’. Many organisations believe they won’t suffer a cyber incident, even if other organisations might.

That’s a poor mindset to have because, for one, it’s wrong – everyone will suffer an incident at some point.

But more importantly, this mindset leaves organisations unprepared for when they do suffer that breach, and haven’t got an incident responder on hand to keep the damage to a minimum.

The fact that some big names have ‘been done’ recently shows how nobody’s safe. Not even big cyber threat actors! For example, not so long ago, LockBit [an infamous ransomware gang] got taken down. And various other ransomware groups, including Ragnar Locker and Black Basta, suffered the same fate.

It just goes to show that no one’s above being successfully attacked. That’s just the unfortunate reality.

But if threat actors are being brought down, doesn’t that improve the cyber landscape?

Oh, law enforcement doing its job is definitely a good thing.

However, when you bring one website or gang down, what always happens is that the remaining gang members form a new group.

Law enforcement never catches every single member of the gang when it takes one down. So, the ones who remain are going to take their skills and form new groups.

They might then change their objectives and go after new targets – because they’ll want to establish themselves as that new group.

What do you mean by ‘changing their objectives’?

So, for example, LockBit originally said it wasn’t going to go after hospitals for ethical reasons – perhaps ironic for a criminal gang, but there you go.

Anyway, LockBit changed, and is now going after hospitals.

This adds to my earlier point: you simply don’t know who’s going to be targeted next. And just because one group said it won’t target your industry, doesn’t mean other groups will offer the same courtesy. Plus, you have no way of knowing what any group’s next move will be.

This, by the way, is the type of conversation I often have with clients. It’s how I convince them that they really need that cyber incident response plan, to do tabletop exercises, to train their staff, and so on.

By being open and honest about these things, I can more easily show clients that taking these actions is in their own best interests.

Every organisation should prepare for an incident. They must actively take steps to protect themselves. Because if they don’t, well… We’re all human, and when faced with an unexpected situation like a security incident, you’re going to panic, no matter what.

But by being prepared, you can recover quicker, which makes the company financially better off, as you’ll suffer less disruption. You can also quickly stop the attacker from accessing any further data in your systems, so things don’t get any worse.

Plus, by handling an incident well, stakeholders and the public at large are generally more forgiving, which will obviously serve your reputation well.


Interviewer note: If you did everything you could, people are forgiving about breaches

Louise Brooks, head of consultancy at our sister company DQM GRC, made a similar observation in a recent interview about practical GDPR [General Data Protection Regulation] compliance:

“Organisations must remember that real, living people are behind the vast quantities of information they’re gathering and processing. Those people will be affected if anything goes wrong due to mismanagement of their data.

“However, people are generally open to forgiving organisations when things go wrong if the organisation can demonstrate they treated personal data with the respect that it deserves, and they did the best they can.”

Protection – first steps, simple measures

What are the first steps for organisations to protect themselves?

Before you do anything else, you need to know what you’re defending:

What are your key assets among your:

Data?

Systems?

Processes?

Where are those assets?

What are the risks to them?

What controls do you already have in place?

Risk assessment and management are critical starting points, as you need to know what you’re working with before you do anything else. But, as my colleague Andrew Pattison likes to say, it’s important to keep these simple.

The key is to identify your biggest risks, then implement appropriate controls to mitigate them.

What are some simple measures every organisation needs?

Very basic controls can get you a long way:

Strong passwords and MFA [multifactor authentication]

Anti-malware software

Secure configuration

Regular patching

Firewalls

Not doing these types of things just makes you a more likely target. I don’t like using the word ‘easy’, but that’s what you’re making yourself if you don’t patch or you use passwords like ‘Password123’: an easy target. You’re leaving the door wide open to threat actors.

This also underlines the importance of prevention and detection. Cyber incident response planning doesn’t start with the response – any response is only triggered if you detect abnormalities.


Detection – security monitoring and what is ‘normal’?

How do you detect an anomaly or a suspicious event?

You need to understand your baseline: what’s normal? Because if you can’t answer that, how will you know what is suspicious?

Is it normal if someone logs in from a Russian IP address, for example? And at 1:00 am?

But you don’t need to have someone sit there and monitor all event logs all the time – a security monitoring solution can do that for you, like:

An IPS [intrusion prevention system];

An IDS [intrusion detection system]; and/or

An EDR solution [endpoint detection and response].

You also want systems that log activity and forward those logs to a centralised SIEM solution or SOC [security information and event management system, security operations centre].

These types of technological solutions are essential to process huge amounts of information [security events like access logs]. But the human aspect is a vital part of detection, too.

For one, a person will have to ‘teach’ your technological solution what constitutes abnormal behaviour. And two, when your tool detects something suspicious, it must alert a human to follow up on it.

Interviewer note: Automating log analysis with AI

Earlier this year, I spoke to information security manager Adam Seamons about network security. Automated security monitoring tools cropped up, as did the role of AI and machine learning in security:

“AI and machine learning have both been used in detecting anomalies and suspicious patterns for some time, and will only continue to be used more. I expect SOCs to become increasingly reliant on AI.

“Getting more specific, log analysis is a key area for AI to automate. An AI tool could do the heavy lifting, sifting through tons of logs and data to detect and then respond to threats far faster than a human could.”

You gave a 1:00 am login as an example. Does a situation like that require an immediate follow-up?

Good question. Many organisations incorrectly believe that they don’t need 24-hour cover – or at least, don’t need to make someone responsible for responding to an out-of-hours alert from an automated tool.

But things are going to happen overnight. Look at it from the threat actor’s point of view. A smart attacker is going to attempt to breach your systems when they’re at their most vulnerable – i.e. when nobody’s looking.

Organisations are prone to forgetting about out-of-hours protection, but that’s precisely when you most need protection. That’s when you’re more likely to get attacked. Threat actors know that’s when defences tend to be down, and monitoring is slack.

What exactly should organisations be monitoring?

Security events. These are just everyday events on your systems or networks – logins, incoming emails, files received, and so on.

So, for example, if you suddenly get someone logging in from Russia, and they weren’t on a business trip there or something, you need to investigate. This means you’re not just tracking the logins themselves, but also certain information about them – locations and IP addresses, login times, files or services accessed, and so on.

Again, you have to know your baseline. What is expected activity? And if it’s unexpected, someone must quickly investigate. If a threat actor did gain access to a user’s account, you want to prevent them from accessing anything else.

Equally, if it’s just someone who’s on holiday in Russia and decided to log in, you can dismiss the security event. But you must establish that in your initial follow-up; you can’t just assume it’s not a security incident.

[The difference between a security event and a security incident is that an event is an everyday occurrence – like users logging in. An event, or a set of events, becomes a security incident when it results in, or credibly threatens, a breach of confidentiality, integrity and/or availability – the ‘CIA triad’.]
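To make the baseline idea concrete, here is an added example that is not from the interview or the original article. It is a small Python script that learns each user’s usual countries, source IPs and login hours from a training window of login records, then scores later logins against that profile. A login from a new country at 01:00 is raised as high priority; a new-country login during the user’s normal hours (the ‘on holiday’ case) is raised at lower priority for someone to check, since the script cannot rule it out on its own. The record format, user names, IP addresses, countries and timestamps are all constructed for the example, and times are treated as the organisation’s local time.

```python
"""Baseline-driven login anomaly detection over constructed sample records.

Added example for this page, not code from the interview or the original
article. Users, IP addresses, countries and timestamps are all constructed;
times are treated as the organisation's local time for simplicity.
"""
from collections import defaultdict
from datetime import datetime

# Constructed login records: "<ISO timestamp> <user> <source IP> <country> <outcome>".
# In a real deployment the country would come from a GeoIP lookup on the source IP.
SAMPLE_LOGINS = """\
2024-05-06T08:55:12 alice 203.0.113.10 GB success
2024-05-06T09:02:41 bob   198.51.100.7 GB success
2024-05-07T08:47:03 alice 203.0.113.10 GB success
2024-05-07T17:31:55 bob   198.51.100.7 GB success
2024-05-08T09:10:22 alice 203.0.113.11 GB success
2024-05-08T10:05:09 bob   198.51.100.7 GB success
2024-05-09T08:59:30 alice 203.0.113.10 GB success
2024-05-09T16:44:18 bob   198.51.100.9 GB success
2024-05-13T01:03:27 alice 192.0.2.44   RU success
2024-05-13T01:04:10 alice 192.0.2.44   RU success
2024-05-13T09:12:00 bob   198.51.100.7 GB success
2024-05-14T14:20:45 bob   192.0.2.77   ES success
"""

# Records before this point teach the baseline; records from it onwards are scored.
BASELINE_END = datetime(2024, 5, 10)


def parse_logins(text):
    """Turn the space-separated records into dicts; blank lines are ignored."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        stamp, user, ip, country, outcome = line.split()
        events.append({"time": datetime.fromisoformat(stamp), "user": user,
                       "ip": ip, "country": country, "outcome": outcome})
    return events


def build_baseline(events, until):
    """Per user: countries, source IPs and hours of day seen in successful logins before `until`."""
    baseline = defaultdict(lambda: {"countries": set(), "ips": set(), "hours": set()})
    for e in events:
        if e["time"] < until and e["outcome"] == "success":
            profile = baseline[e["user"]]
            profile["countries"].add(e["country"])
            profile["ips"].add(e["ip"])
            profile["hours"].add(e["time"].hour)
    return dict(baseline)


def score_login(event, baseline):
    """Flag the ways one login departs from its user's learned profile."""
    profile = baseline.get(event["user"])
    if profile is None:
        # Never seen this account succeed before: everything about it is new.
        return {"new_user": True, "new_country": True, "new_ip": True, "out_of_hours": True}
    earliest, latest = min(profile["hours"]), max(profile["hours"])
    return {
        "new_user": False,
        "new_country": event["country"] not in profile["countries"],
        "new_ip": event["ip"] not in profile["ips"],
        # one hour of slack either side of the user's observed login window
        "out_of_hours": not (earliest - 1 <= event["time"].hour <= latest + 1),
    }


def priority(flags):
    """High when place and time are both unusual; medium for any single oddity; None if normal."""
    if flags["new_country"] and flags["out_of_hours"]:
        return "high"
    if any(flags.values()):
        return "medium"
    return None


def detect(text=SAMPLE_LOGINS, until=BASELINE_END):
    """Score every login after the training window and return the ones worth a human look."""
    events = parse_logins(text)
    baseline = build_baseline(events, until)
    alerts = []
    for e in events:
        if e["time"] < until:
            continue
        flags = score_login(e, baseline)
        level = priority(flags)
        if level:
            alerts.append({"user": e["user"], "time": e["time"].isoformat(),
                           "ip": e["ip"], "country": e["country"], "priority": level,
                           "flags": sorted(name for name, hit in flags.items() if hit)})
    return alerts


if __name__ == "__main__":
    for alert in detect():
        print(alert["priority"].upper(), alert["user"], alert["time"],
              alert["ip"], alert["country"], ", ".join(alert["flags"]))
```

The baseline here is deliberately crude (a per-user set of countries and an hours window). A SIEM rule would normally add a GeoIP lookup and an impossible-travel check, but the shape is the same: learn what is normal for each account, then route departures to a person with a priority that reflects how many things are off at once. The two alice logins come out as high, the bob login from Spain as medium, and bob’s normal Monday-morning login is not raised at all.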

To what extent does seasonality play a role in security monitoring? Like weekdays vs weekends, for example, or Black Friday?

Oh, seasonality plays a role, for sure. Black Friday is the perfect example.

If you’re a retailer, you’re going to see way more web traffic than usual. You must be able to handle that. By having more people on call, for example. By double-checking things. You need to plan ahead and assess the risks.

Again, a smart threat actor will target your weakest link, and when you’re at your most vulnerable. So, if they wanted to take your website down, for example, with a DoS attack [denial of service], a day like Black Friday is a prime time to target, when traffic is up anyway, and it’ll take fewer additional requests to flood your servers.

Black Friday is also a great time [from the attacker’s perspective] to cause most harm. If your website isn’t operating that day, you’ll take a massive financial hit in terms of lost sales.


Threat types and risk assessment

DoS attacks aside, what other cyber threats or attack types must organisations consider?

Take your pick:

DoS

Phishing

Ransomware

DNS poisoning

Backdoor attacks

Ultimately, a lot of them involve malware, but threat actors can deliver it in many different ways. The more important thing to think about is where and when you’re most vulnerable. Black Friday is one example. The end of your financial year is another, when you’re dealing with tons of confidential information.

You’re not just looking at who might target you and how, but also when you’d suffer the biggest blow. When would the impact of a security incident be at its worst? [I.e. business impact analysis.]

And OK, not every attacker will think that way. But this question is one every organisation should consider, because you want to be operational during your most critical times. Even if the cause of a disruption wasn’t malicious, you don’t want it to happen – and especially not at a time when disruption would be costly.

How can organisations balance the cost of such assessments and measures against the risk of an incident or a disruption?

That’s always the challenge, especially for smaller organisations. Everyone needs to find that balance and make those difficult choices.

To help make them, ask questions like:

What are your assets and processes?

What security controls do you already have in place?

Are you training your staff? Both specialist training and general staff awareness?

I think of this as a gap assessment, which can be against a standard like ISO 27001 or NIST SP 800-53. I’ve found that many organisations particularly like the NIST incident response guidance because it’s so accessible.


Interviewer note: The core principles behind cyber resilience and defence in depth

Vanessa covered the core ideas behind the three broad layers of cyber defence in depth:

Prevention

Detection

Response

The core idea behind prevention is risk assessment. Identify your threats and weaknesses, and where and when your business would most suffer from a cyber incident, then implement measures to mitigate the risks as best you can. Concentrate on the more basic, cost-effective measures – like firewalls and patching – that prevent most common attacks.

The core idea behind detection is that preventive measures can fail. As Vanessa said to me: “They can only do so much.” You can think of the cyber security world as a ‘cat-and-mouse game’ in which the ‘cat’ (attacker) has the upper hand. Besides, there’ll always be zero-day exploits.

So, you want to become aware – as quickly as possible – of when your prevention failed. The key here is to know what ‘normal’ looks like, so you can identify abnormal behaviour, potentially indicating a cyber security incident.

Let’s get deeper into response: the follow-up to when your tools flag up an anomaly.

Cyber incident response plan

What’s the first step in planning your response?

Your cyber incident response plan. No doubt about it.

Incident response planning is such a vital part of having an effective response overall. As I said earlier, we’re human – panic is natural in unexpected situations. Even if you are prepared!

But preparing and documenting a solid response plan – an incident action plan, if you like – ensures that even when under pressure, people do the right things. They make all the right decisions, because they were made ahead of time, outside the heat of the moment.

A good security incident plan should also ensure that your approach is consistent, even if a key person is unavailable.

How can organisations further improve their cyber incident response plan?

Your incident response plan should include a different incident response playbook for different threats. Dealing with malware on your systems requires a different response than, for example, a DoS attack.

Also, test your plan. Tabletop exercises are important – they tell you whether your plans are working as intended. Plus, they make for valuable training for staff! It’s always much easier to do something if it feels familiar.

[Note: Vanessa gave an example of this below.]


Training – specialist skills and when to outsource

What training do staff with incident response roles or responsibilities need?

That depends on the individual’s role in the team.

Cyber incident response isn’t an IT issue, but a business issue requiring input from a wide range of stakeholders.

At a minimum, training should include:

What constitutes an incident;

Responsibilities during an incident response;

Activities for ensuring compliance with legal requirements;

How, when and to whom an incident should be escalated; and

How to handle, store and process evidence in a forensically sound manner.
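As an added example of the last point, not code from the interview or the original article: this Python script shows the minimum a forensically sound handling routine does. It copies the item into an evidence store, makes the copy read-only, records its SHA-256 hash and the handler in a chain-of-custody log, and recomputes the hash on every later access so that any alteration of the stored copy is detected and logged. The evidence content, file names and handler names are constructed for the example.

```python
"""Hash-on-acquisition and chain-of-custody logging for evidence files.

Added example for this page, not code from the interview or the original
article. Evidence content, handler names and paths are constructed.
"""
import hashlib
import json
import os
import shutil
import tempfile
from datetime import datetime, timezone

CUSTODY_LOG = "custody.jsonl"


def sha256_file(path, chunk_size=1 << 20):
    """Stream the file through SHA-256 so large images need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def log_action(store_dir, **record):
    """Append one custody record (who, what, when, hash) to the store's log."""
    record["time"] = datetime.now(timezone.utc).isoformat()
    with open(os.path.join(store_dir, CUSTODY_LOG), "a") as log:
        log.write(json.dumps(record) + "\n")


def read_log(store_dir):
    """Return every custody record in order; an absent log means no records."""
    path = os.path.join(store_dir, CUSTODY_LOG)
    if not os.path.exists(path):
        return []
    with open(path) as log:
        return [json.loads(line) for line in log if line.strip()]


def acquire(source, store_dir, handler, note):
    """Copy `source` into the evidence store read-only and record its hash."""
    os.makedirs(store_dir, exist_ok=True)
    dest = os.path.join(store_dir, os.path.basename(source))
    shutil.copy2(source, dest)          # copy2 preserves the original timestamps
    os.chmod(dest, 0o444)               # read-only, so accidental edits fail loudly
    digest = sha256_file(dest)
    if digest != sha256_file(source):   # the stored copy must match what was collected
        raise RuntimeError(f"acquisition copy of {source} does not match source")
    log_action(store_dir, action="acquire", item=dest, sha256=digest,
               handler=handler, note=note)
    return dest, digest


def verify(store_dir, item, handler):
    """Recompute the item's hash, compare with its acquisition record, log the outcome."""
    expected = next((r["sha256"] for r in read_log(store_dir)
                     if r["action"] == "acquire" and r["item"] == item), None)
    actual = sha256_file(item)
    ok = expected is not None and expected == actual
    log_action(store_dir, action="verify", item=item, sha256=actual,
               handler=handler, result="match" if ok else "MISMATCH")
    return ok


def demo():
    """Acquire a constructed log file, verify it, tamper with the copy, verify again."""
    with tempfile.TemporaryDirectory() as tmp:
        source = os.path.join(tmp, "auth.log")
        with open(source, "wb") as fh:
            fh.write(b"2024-05-13T01:03:27 sshd: Accepted password for alice\n")
        store = os.path.join(tmp, "evidence")
        item, _ = acquire(source, store, handler="analyst-1", note="from host srv01")
        before = verify(store, item, handler="analyst-2")
        os.chmod(item, 0o644)            # simulate someone editing the stored copy
        with open(item, "ab") as fh:
            fh.write(b"tampered\n")
        after = verify(store, item, handler="analyst-2")
        return before, after, len(read_log(store))


if __name__ == "__main__":
    print(demo())
```

Two design points matter in practice. The hash is taken from the stored copy and checked against the source at acquisition time, so a faulty copy is caught before anyone works from it. And verification never silently passes: a mismatch is written to the same custody log as the acquisition, so the record shows both that the evidence changed and who was handling it when that was found.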

Is that a common issue? Not recognising something as a potential incident?

We do often see that. Different people in an organisation have different opinions on the definition of an incident.

In many situations, differing views are great. But in the context of incident response in cyber security, the organisation needs to ensure a consistent definition and approach, so staff training can cover it clearly.

You need to teach people how to recognise the abnormal stuff. And to put in a security incident report to someone adequately trained. Whoever triages must know both what to look for and how to handle it securely, to ensure the organisation is taking the right actions from the start.

When is it better to have or develop that technical expertise internally, and when is it better to outsource?

It depends on:

Your organisational size;

The complexity of your systems; and

Your internal capabilities.

If you’re a smaller organisation, it’s unlikely you have the internal capability. More complex organisations would probably also benefit from outsourcing all or some of the capabilities – digital forensics, for example.

Using external expertise also means relying on people for whom responding to an incident is an everyday occurrence. They’ll know exactly what actions to take, and won’t allow their skills to become rusty. In fact, they make a point of keeping up with industry news and trends.

That’s completely different from an internal capacity, whose day to day likely involves other tasks. That makes them less comfortable dealing with an exceptional situation like a security breach.

What skills are specific for incident response? That an internal person is unlikely to use day to day?

Again, keeping up with, and having a deep understanding of, the latest threats. That gives them the ability to quickly detect and respond to these threats.

More specialist capabilities include:

Digital forensics [discussed below];

Malware analysis; and

Threat hunting.

These..
