Specialists will extend beyond forensic security analysts and infrastructure managers to cover other areas too. There is of course a legal and compliance part of the puzzle, as well as involving media and communications staff to agree both internal and external messaging.
These areas can – and should – work in tandem. For instance, technology staff who analyse lost or compromised data should then inform the legal team, who can then work out whether the lost data impacts customers and requires notification. Communications staff can then reach out accordingly.
Some of the worst responses come down to a lack of information, a lack of transparency, and in the worst cases, outright denial. By having a predefined plan in place, however, with dedicated teams responsible for specific areas, the business can work in sync to minimise the impact of the fallout.
A mature plan will break down into at least three main parts: containment, mitigation, and cleanup.
Keeping the attack contained
Once an attack has taken place, it’s crucial it doesn’t go any further – a kind of digital sandbag, if you will, to prevent further injury. After zeroing in on the attacker, this is the first action the response team should take, largely because it is near impossible to mitigate what cannot be contained.
This containment can be a difficult task. Attackers are stealthy, making it difficult for businesses or security experts to see how far hackers have got in their attack.
You could enlist the response teams of your vendors to navigate this. Typical candidates are antivirus companies or ethical hackers, who can be brought in to look at patterns that reveal who these attackers are and where their interest lies.
Mitigation and clean-up
After the containment comes the mitigation. At this stage, the security response team should have identified the weak spot. In short, how the attacker got inside.
Was it unpatched Windows workstations? Or a misconfigured web server? Batten down the hatches and close the door to fresh attacks, unless you want to find yourself in an endless cycle of cleanup and reinfection. Completely removing the malware and fixing any compromised user accounts is the next crucial step.
Once you’ve carefully evicted the attackers from corporate systems and surveyed the extent of the damage, an organisation must look to fixing as much of the damage as possible. This includes reinstalling compromised systems from known-good media and potentially restoring data from backup.
Added to this, businesses must reconfigure network and server software, monitoring its operation for a set time in order to ensure that everything is working as it should.
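One concrete way to support the rebuild-and-monitor step above is an integrity check that compares a reinstalled host against a manifest taken from the known-good media, so any file that was modified, removed or added since the clean install is flagged during the monitoring window. The following is an added illustration written for this article, not code from the author or Icomm Technologies; it works on a constructed in-memory file tree (a dictionary of path to content) rather than a real filesystem, and the paths, contents and the `/var/log/` exclusion are assumptions chosen for the example.

```python
"""Post-rebuild integrity check (added example).

Builds a SHA-256 manifest from a known-good tree, then reports any drift on a
rebuilt host: modified files, missing files and unexpected new files. Paths
under an ignore prefix (here /var/log/) are expected to change during normal
operation and are not reported.
"""
from __future__ import annotations

import hashlib
from dataclasses import dataclass, field


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_manifest(files: dict[str, bytes]) -> dict[str, str]:
    """Map each path in the known-good tree to its SHA-256 digest."""
    return {path: sha256_hex(content) for path, content in files.items()}


@dataclass
class DriftReport:
    modified: list[str] = field(default_factory=list)
    missing: list[str] = field(default_factory=list)
    unexpected: list[str] = field(default_factory=list)

    def clean(self) -> bool:
        """True when the host matches the manifest exactly (ignored paths aside)."""
        return not (self.modified or self.missing or self.unexpected)


def verify_host(files: dict[str, bytes], manifest: dict[str, str],
                ignore_prefixes: tuple[str, ...] = ("/var/log/",)) -> DriftReport:
    """Compare a host's file tree against the manifest and collect drift."""
    report = DriftReport()

    def ignored(path: str) -> bool:
        return path.startswith(ignore_prefixes)

    for path, expected in manifest.items():
        if ignored(path):
            continue
        if path not in files:
            report.missing.append(path)
        elif sha256_hex(files[path]) != expected:
            report.modified.append(path)
    for path in files:
        if path not in manifest and not ignored(path):
            report.unexpected.append(path)
    # Sort so the report is deterministic regardless of dict ordering.
    report.modified.sort()
    report.missing.sort()
    report.unexpected.sort()
    return report


# Constructed sample data: a tiny "known-good media" tree and a rebuilt host
# that has drifted in three distinct ways (all paths/contents are made up).
KNOWN_GOOD: dict[str, bytes] = {
    "/usr/bin/ssh": b"ssh binary, clean build",
    "/usr/lib/audit/plugin.so": b"audit plugin, clean build",
    "/etc/ssh/sshd_config": b"PermitRootLogin no\n",
    "/var/log/auth.log": b"",
}

REBUILT_HOST: dict[str, bytes] = {
    "/usr/bin/ssh": b"ssh binary, clean build",          # unchanged
    "/etc/ssh/sshd_config": b"PermitRootLogin yes\n",     # modified
    "/etc/cron.d/persist": b"* * * * * root /tmp/x\n",    # unexpected
    "/var/log/auth.log": b"Accepted publickey for ops\n",  # ignored (log)
    # /usr/lib/audit/plugin.so is missing
}


if __name__ == "__main__":
    manifest = build_manifest(KNOWN_GOOD)
    report = verify_host(REBUILT_HOST, manifest)
    print("clean:", report.clean())
    print("modified:", report.modified)
    print("missing:", report.missing)
    print("unexpected:", report.unexpected)
```

In practice the manifest would be generated from the installation media or a golden image and stored off-host, and the check rerun on a schedule through the monitoring period so that drift is caught early rather than at the end.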
Perhaps the only benefit of having been attacked is that you can learn from it. This includes carrying out a post-mortem with tangible insights that can then be fed into a company security policy, as well as the wider business strategy. You may discover that you need to embark on an internal education phase that addresses training and awareness for example.
No one likes facing adversity, but one true test of an IT director’s character lies in how they deal with it. When hackers strike, the truly savvy IT decision maker will have the tools and contacts in place to get the job done.
Mark Lomas is an IT consultant at Icomm Technologies.