You’ve been breached! Now what?

Whether it is an individual email account or a full-scale ransomware network infection, most organizations will be breached at some point. Are you prepared? There are 5 key stages that you must follow in response to a cyber security breach.

Step 1: Detection

The very first thing you must do is realize that a compromise is occurring or has occurred. The time between the attack taking place and knowing that it took place is absolutely crucial and directly affects the overall scale of the compromise. Can you confidently say that if an attack took place against your company, you would know about it in minutes?

Step 2: Containment

After detecting an attack, the first step must always be to contain the threat. Done correctly, containment can drastically reduce the overall impact of a compromise and in some cases stop the attack before any data is stolen. Can you quarantine any impacted hosts, credentials or other systems immediately after an attack occurs? Would you even know which of them were impacted?

Step 3: Remediation

Once the breach has been contained, you must prevent it from happening again and ensure the threat has been completely removed. Can you determine exactly how the attack occurred? Can you identify the entry point of any malware? Do you know which systems need to be patched?

Step 4: Recovery

Now that the threat has been mitigated, you must recover any affected resources such as files, systems and databases. This is also the stage at which you would need to notify the ICO (the UK Information Commissioner’s Office). Could you identify all of the files that need to be restored from backup? Do you know what data the attacker had access to?

Step 5: Assessment

Now that the incident has been brought to a close, you must compile a report detailing the following:

What occurred during the attack?

How were the systems/accounts compromised?

What steps have been taken to prevent this again and what steps still need to be taken?

Is further hardening required to secure your infrastructure?

A roadmap of all necessary actions including individuals/teams responsible and timescales.

Do you have all of the information to hand from previous steps to know the answer to these questions?
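As an added illustration, not code from Zepko or from the original post, the following Python script models the five stages as a timestamped incident timeline built from a constructed SOC log: it computes the time-to-detect and time-to-contain figures that Steps 1 and 2 ask about, lists the stages for which no evidence has been recorded (which the Step 5 report would need), and checks the ICO notification against the 72-hour window that UK GDPR sets for notifying the regulator. The log format, host names, user name and timestamps are all invented.

```python
from datetime import datetime

# Constructed sample SOC timeline for one incident (not real data). Each line is
# "<ISO timestamp>|<stage>|<detail>"; "attack" marks the reconstructed start of
# the compromise, the other stages are the five from the text.
TIMELINE = """\
2024-03-04T02:17:00|attack|phishing mail opened, macro dropped loader on HOST-17
2024-03-04T08:41:00|detection|EDR alert: suspicious child process of WINWORD on HOST-17
2024-03-04T08:55:00|containment|HOST-17 isolated from network
2024-03-04T09:10:00|containment|credentials for j.smith reset, sessions revoked
2024-03-04T15:30:00|remediation|loader removed, Office macro policy hardened
2024-03-05T11:00:00|recovery|restored 3 files on FILESRV-02 from backup
2024-03-05T11:20:00|recovery|ICO notification submitted
""".splitlines()

STAGES = ("detection", "containment", "remediation", "recovery", "assessment")

def parse_timeline(lines):
    """Parse the constructed log format into sorted (datetime, stage, detail) tuples."""
    events = []
    for line in lines:
        ts, stage, detail = line.split("|", 2)
        events.append((datetime.fromisoformat(ts), stage, detail))
    return sorted(events)

def first(events, stage):
    """First recorded event of a given stage, or None if that stage never happened."""
    return next((e for e in events if e[1] == stage), None)

def metrics(events):
    """Minutes from attack start to detection, and from detection to first containment."""
    attack, det, cont = first(events, "attack"), first(events, "detection"), first(events, "containment")
    return {
        "time_to_detect_min": (det[0] - attack[0]).total_seconds() / 60,
        "time_to_contain_min": (cont[0] - det[0]).total_seconds() / 60,
    }

def missing_stages(events):
    """Stages with no recorded event: the Step 5 report cannot answer for these yet."""
    seen = {e[1] for e in events}
    return [s for s in STAGES if s not in seen]

def ico_deadline_met(events, hours=72):
    """UK GDPR: notify the ICO within 72 hours of becoming aware (assumed here: at detection)."""
    det = first(events, "detection")
    notified = next((e for e in events if "ICO notification" in e[2]), None)
    if det is None or notified is None:
        return False
    return (notified[0] - det[0]).total_seconds() <= hours * 3600
```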

Why is this so important?

The cost of compromise is increasing year upon year with no sign of slowing down as attackers deploy more effective and destructive methods. A food and beverage supplier was infected twice in the same year with NotPetya ransomware, which resulted in lost sales, compromised electronic data and equipment damage at a total cost to the organization of £109-£131m, not including applicable fines. In 2019 British Airways were fined £19 million after falling victim to a cyber attack that the ICO deemed preventable, because BA did not have sufficient security measures in place to protect their systems, networks and data.

How can Zepko help?

Our 24/7 Security Operations Center (SOC) monitors our customers’ networks to detect attacks in real time. In the event of an attack, we will notify our customers of impacted hosts, any abused credentials or infected systems, and recommend how to quickly contain the threat. We will identify Patient 0, explain how the attack occurred and what needs to be done to ensure it does not happen again. In the event of a ransomware attack, customers using RansomCare from our trusted partner Bullwall can instantly access a list of all files touched by the ransomware and receive a pre-completed ICO notification form including the details of the attack.

After every attack, Zepko will issue an incident response report covering a timeline of the events that occurred, how the attack took place, which systems and users were impacted, what has been done so far and what needs to be done next, and recommendations to secure your organization. We will also help plan out a security roadmap to implement these controls or changes.