Responding to a Cybersecurity Breach

While much of the focus is often placed on preventing cyberbreaches, it’s vital to plan for a rapid response once the worst has occurred.

Throughout IT, cybercriminals are exploiting vulnerabilities in record time and have forged ahead off the back of commoditized toolkits made available through the dark web – known as cybercrime-as-a-service.

Ransomware is becoming a thorn in the side of digitization, and each financial quarter it seems is punctuated with reports of a major breach.

Given the scale of the threat, enterprises must prioritize which responses to mount first in case of an attack, according to Dr Pranshu Bajpai, a security researcher commenting as an independent field expert.

“After gaining initial access, ransomware often seek lateral movement to infiltrate deeper into internal environments,” he said.

A glance at the National Institute of Standards and Technology’s database provides little comfort. As of early August 2021, the U.S watchdog and research board had already processed 63 potential new flaws that month, and nearly 1,600 in July.

After a Breach Hits

Responding to a cyber security breach will depend on the Internet of Things (IoT) systems involved, said Jen Ellis, vice president of community and public affairs at cybersecurity analytics, automation and services provider Rapid7.

An assessment might reveal specific units should be put into quarantine or, in especially sensitive breaches, the responder might defer action to avoid alerting an attacker.

Automated incident response systems – orchestrating workflows, evidence and strategies – can handle some workloads as long as the victim had the foresight to invest. According to IBM data cited by Varonis, enterprises that did so saved $1.6 million on average.

Connected functions in the physical world raise the stakes on attacks, with critical infrastructure increasingly put at risk.

IoT also extends cybercriminals’ reach, enabling malicious attacks to move from IoT devices to core IT systems and shelters malware from standardized operating systems, PCs or mobile, where anti-virus tools offer protection. In massive machine-type communications, such as smart power plants or rail networks, whole swathes of infrastructure may need rebooted.

To respond to security breaches where IoT has been substantially affected, research points to increased costs for the victim.  IBM estimated that, in cases involving connected technology, the typical expense rises by $5 for each compromised record.

Ransomware Continues to Run Rampant

Ransomware has been around for decades but it has come to the fore of the global cybersecurity agenda as the financial rewards for attackers have grown, and because victims have few remedies other than to pay.

Data privacy means extortion tactics can now be employed, with the threat of information being leaked into the public domain enough to threaten organizations. The balance has tipped in favor of perpetrators, who will find sanctuary from law enforcement in overseas jurisdictions, argued Rapid7’s Ellis.

Organizations manage to retrieve just 65% of data on average after paying a ransom, according to Palo Alto Networks. Conversely, the amount of ransom paid doubled from 2019 to 2020, from $5 million to $10 million. By way of a response, the Ransomware Task Force which Ellis cochairs has drawn together 48 recommendations, spearheaded by the Institute for Security and Technology and its international peers.

Ellis said the initiative would look to collaborate and spur existing technologies that assist ransomware victims. One partial antidote, already backed by the task force, is the No More Ransom Project, which provides decryption tools for known ransomware attacks and is sponsored by pan-European enforcement agency EUROPOL.

“It can in some cases mean the [victim] doesn’t have to pay the ransom, which solves the initial part of the problem, although the remainder of the recovery process– including assessing all systems accessed in the breach — are still necessary,” Ellis concluded.