How should companies respond to a cyberattack?
02 August, 2022
Cyberattacks are reported in the news daily. The question is no longer whether organizations, regardless of their size or business area, are vulnerable to a cyberattack or a data breach; it is clear that they are. The real questions are when the next cyberattack will occur and how organizations should prepare: above all, how to protect themselves and how to react after the attack.
In reality, no organization can prevent or resolve every single cyberattack, but it can implement a set of measures that significantly mitigate the risk: identifying and preventing most cyberattacks and security incidents, and limiting the scope and reducing the impact of those that do occur.
First of all, organizations need to develop a cyberattack response plan that follows a tested and proven methodology. One of the most widely accepted methodologies in the world is the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-61 Rev. 2, which was originally published in 2004 and is about 18 years old. To put it briefly, this methodology provides guidelines for incident handling and consists of four parts: (1) preparation, (2) detection and analysis, (3) containment, eradication, and recovery, and finally, (4) post-incident activity.
This publication demonstrates that incident response is neither a simple nor a linear process that begins with the detection of an incident and ends with its eradication and consequent recovery. On the contrary, it is a complex and cyclical process of continuous improvement of an organization's defenses, and each of the aforementioned phases requires planning and the allocation of specialized resources.
The preparation phase consists of allocating and organizing the resources deemed necessary to respond to security incidents, including policies, procedures, tools, an incident response team, communications, skills, and internal and external dependencies.
The detection and analysis phase includes the ability to aggregate, record, analyze, and correlate security events from multiple sources in real time, and to generate the alerts needed to investigate incidents and prioritize responses.
The containment, eradication, and recovery phase consists of executing response actions based on a strategy appropriate to the type of attack identified in the detection and analysis phase and to the targets affected, without neglecting the collection of evidence for forensic analysis.
Finally, the post-incident activity phase focuses on learning and improving by analyzing the incident responses, reviewing the activities performed throughout the whole process to prevent possible failures from recurring, and incorporating improvements into the overall incident response process based on the lessons learned.
While this publication provides the guidelines organizations need to implement effective and efficient IT security incident response regardless of cloud platform, hardware, operating system, protocol, or application, most of the tasks are complex and demanding. It is therefore recommended that the implementation be tailored to each organization by a team of internal and/or external professionals with complementary skills in cybersecurity, privacy, law, project management, and the administration of the networks and systems the organization uses.
In short, organizations do not plan to fail at responding to cyber incidents, but they do fail to plan their incident response. It is therefore necessary to plan ahead in order to respond effectively and efficiently to a cyberattack.
Article published on Sapo Tek on August 2nd, 2022