Cybersecurity has been pushed even further into the spotlight in 2020, as those working from home during the pandemic became prime targets for criminals wanting unauthorised access to data. That is unlikely to change once the pandemic ends, and businesses need to know how to respond effectively to these kinds of incidents.
Luckily, Nithen Naidoo, CEO and founder of cybersecurity specialists Snode Technologies, has weighed in with some sage advice.
To that end he advocates a practical yet simple approach for firms to adopt when a cybersecurity incident happens.
“We believe that simplicity is the ultimate sophistication in taking a robust response to a security breach. Our modus operandi in these situations is to gain comprehensive visibility, and fast,” says the Snode CEO.
“Based on this approach, we endeavour to perform a rapid response, minimise business impact, contain the incident, assist the organisation in communicating about the incident and help them recover,” he adds.
With a company capable of only doing so much to prevent a breach, it is the reaction that is important in Naidoo’s view, especially in terms of how the different reaction teams collaborate with one another to resolve matters as quickly as possible.
Post-breach then, he calls on the defence, forensics and recovery teams to run in tandem.
“The first step is to isolate the infiltrator and cut off their remote access to the network. This ensures that the channels of exfiltration are shut down, and no further sensitive data is exposed. Simultaneously, our defence team, and possibly an independent forensics team, is deployed to evaluate what has transpired – what is patient zero? – to gain insight into the threat actor’s tools and tactics in order to understand how the initial attack vector led to widespread compromise, and how to block them from a second wave of attack,” explains Naidoo.
“Detective control landscapes give us insight into how to lock intruders down, deny them access to other elements of the environment and limit and reduce and manage the client’s risk exposure,” adds the Snode founder.
Once the actions post-breach have been completed, it is up to the business to put preventative controls in place, he stresses.
By this, Naidoo emphasises analysing known threats within the network, assessing anomalies within the system, understanding potential data exfiltration, evaluating C2 (malware-related) channels and monitoring the lateral movement of attackers within the environment.
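Two of the detective controls listed above, spotting C2 channels and lateral movement, can be illustrated with an added example that is not Snode's or the article's own code: a short Python script that runs simple heuristics over constructed network-flow records. The addresses, thresholds and the five-field flow format are assumptions made for the illustration.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample flows: (timestamp_s, src, dst, dst_port, bytes_out)
FLOWS = [
    # host A contacts one external IP every 60 s with tiny payloads (C2-like beaconing)
    *[(t, "10.0.0.5", "203.0.113.9", 443, 300) for t in range(0, 600, 60)],
    # host B touches SMB on 12 distinct internal peers within a minute (lateral movement)
    *[(700 + i, "10.0.0.7", f"10.0.0.{20 + i}", 445, 1200) for i in range(12)],
    # host D: ordinary browsing with irregular timing and modest volume (benign)
    (10, "10.0.0.3", "203.0.113.50", 443, 5000),
    (37, "10.0.0.3", "203.0.113.50", 443, 8000),
    (301, "10.0.0.3", "203.0.113.50", 443, 6500),
]

def is_internal(ip):
    return ip.startswith("10.")  # assumed internal range for this example

def detect_beacons(flows, min_conns=6, max_cv=0.1):
    """(src, dst) pairs whose inter-connection gaps are suspiciously regular."""
    times = defaultdict(list)
    for ts, src, dst, _, _ in flows:
        if is_internal(src) and not is_internal(dst):
            times[(src, dst)].append(ts)
    hits = set()
    for pair, ts in times.items():
        ts.sort()
        gaps = [b - a for a, b in zip(ts, ts[1:])]
        # coefficient of variation near 0 means machine-like periodicity
        if len(ts) >= min_conns and mean(gaps) > 0 and pstdev(gaps) / mean(gaps) <= max_cv:
            hits.add(pair)
    return hits

def detect_lateral(flows, admin_ports=(22, 445, 3389), window_s=120, min_peers=8):
    """Internal hosts reaching many distinct internal peers on admin ports in a window."""
    events = defaultdict(list)
    for ts, src, dst, port, _ in flows:
        if is_internal(src) and is_internal(dst) and port in admin_ports:
            events[src].append((ts, dst))
    hits = set()
    for src, evs in events.items():
        evs.sort()
        for i, (t0, _) in enumerate(evs):
            if len({d for t, d in evs[i:] if t - t0 <= window_s}) >= min_peers:
                hits.add(src)
                break
    return hits
```

Against the sample, only host A's pair is flagged as a beacon and only host B as moving laterally; the benign browsing host trips neither rule.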
Lastly, he notes that companies need to address communication around the breach. This may be one of the least technical aspects of the reaction and response, but it may also be the most crucial, and it is often the first and biggest mistake that businesses make.
“Trying to sweep the issue under the carpet does not help. Fundamental to surviving an attack is how you respond – the real test is how well you communicate, both internally and externally, about how you are remediating and mitigating the risk,” Naidoo highlights.
Interestingly, another mistake that companies make post-breach is communicating too soon, according to the Snode CEO.
“In any breach situation, there is naturally pressure from the board and C-suite executives to have all the answers, right now. The shortfall responders fall into is not having all of the facts, but wanting to provide all of the information possible to assure stakeholders and shareholders,” says Naidoo.
“Sharing incomplete information while an investigation is ongoing may end up hurting the brand and erodes trust in the ecosystem around you, as it becomes dubious whether or not you have a grip on the situation. The key is to take the time to collate all of the information to provide accurate feedback,” he advises.
The third mistake often made in a post-breach strategy is communicating too much.
“This can occur when information around your breach is prematurely disclosed through non-official channels. This erodes public trust as it may be viewed as an attempt to disguise the truth,” Naidoo concludes.
With cybersecurity now becoming one of the most significant considerations for those in the boardroom, having an end-to-end solution in place is critical, as is the ability to communicate effectively with stakeholders should a breach occur.