Detection, Analysis & Response: A Three-Pronged Approach to Addressing Cyberthreats
Cybercrime was once a phenomenon you read about on the news as hackers walked away with stolen credit card numbers of everyday customers and sabotaged big businesses. Today, most people have the deepest and most vulnerable details of their lives stored on the internet in the form of ones and zeroes.
For a business, cybercrime means a devastating loss of money and reputation. For an ordinary person, it might mean the destruction of their professional and personal lives.
Hackers can encrypt all our family photos and work files, hold them hostage, and demand a ransom in exchange. It’s no surprise then that billionaires like Warren Buffett believe that cybercrime poses a bigger threat to mankind than nuclear weapons.
But how are we supposed to stop cybercrime? Or better yet, how do we prevent it from happening in the first place?
Threat Detection In The Modern Age
The Internet Crime Complaint Center reports that the world experiences a cyberattack every 1.12 seconds.
The most fearsome cybercrime, ransomware, is reported to have caused $623 million in damage across schools, businesses, and even hospitals in 2021.
This leads cybersecurity services and professionals to a simple conclusion: the best way to minimize losses from cybercrime is to detect it as early as possible so that damage mitigation can begin immediately. Cyber threats that are detected quickly, precisely, and definitively leave victims with the best chances of healing and recovery.
No matter how big your defense budget, or how powerful and comprehensive your defense plans are, an undetected attack can wreak as much havoc as it wants and waltz away without anyone being the wiser.
Cyber defense starts with vigilance. Internet users must be trained to be vigilant when browsing the internet. Software tools can be used to monitor suspicious emails and strange network activity that might be impending signs of an attack.
Data leakage, phishing, credit card theft, privacy breaches, and accidentally giving out authentication details are all problems that can only be fixed by being careful.
The Art Of Threat Analysis
The goal of a hacker is simple: to disguise their infiltration attempts as something benign and harmless. For this reason, hack attacks won’t be huge, larger-than-life events that scream for attention. An ongoing hack attack might be a series of very small, almost imperceptible network movements that don’t seem out of the ordinary.
It’s for this exact reason that while software and technology can be an incredible asset to analyze intrusion attempts, you will always need a human in the pilot’s seat to determine what is and isn’t malicious behavior.
If you’re looking at any suspicious activity or potentially infected files, ask yourself the following:
- Who has internal access to this data and does this activity make sense?
- How was the attack initiated?
- Are any normally accessible files now inaccessible?
- What information is being accessed, and for what purpose?
- Who does this affect?
- What network connections were active when this event occurred?
- Have any access credentials been changed in any way recently?
- Is the system behaving abnormally in any way?
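The checklist above can be partly automated. The following added example (not code from the original article) runs three of those questions over a constructed stream of file-access and credential events: which files were readable earlier but are now denied, which credentials changed recently and who changed them, and which users show nothing but denials. The event layout and sample values are assumptions made for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events, not real log data:
# (timestamp, actor, host, action, target, outcome)
EVENTS = [
    ("2024-03-01T08:02:10", "alice", "fs01", "read", "/finance/q1.xlsx", "ok"),
    ("2024-03-01T08:05:42", "alice", "fs01", "read", "/finance/q1.xlsx", "denied"),
    ("2024-03-01T08:06:03", "svc_backup", "dc01", "password_change", "alice", "ok"),
    ("2024-03-01T08:07:19", "bob", "fs01", "read", "/hr/payroll.csv", "denied"),
    ("2024-03-01T08:07:20", "bob", "fs01", "read", "/hr/payroll.csv", "denied"),
    ("2024-03-01T09:30:00", "carol", "ws07", "read", "/docs/readme.txt", "ok"),
]


def parse(ev):
    ts, actor, host, action, target, outcome = ev
    return {"ts": datetime.fromisoformat(ts), "actor": actor, "host": host,
            "action": action, "target": target, "outcome": outcome}


def triage(events, window=timedelta(hours=2)):
    """Answer three checklist questions over the event stream:
    - files that were readable earlier but are now denied (newly inaccessible),
    - credential changes within `window` of the latest event, and who made them,
    - users whose only activity is repeated denials (abnormal behaviour)."""
    evs = sorted((parse(e) for e in events), key=lambda e: e["ts"])
    latest = evs[-1]["ts"]
    seen_ok = set()                 # (actor, file) pairs that succeeded before
    newly_inaccessible = []
    cred_changes = []
    denials, successes = defaultdict(int), defaultdict(int)
    for e in evs:
        if e["action"] == "password_change" and latest - e["ts"] <= window:
            cred_changes.append((e["actor"], e["target"]))  # (who changed, whose account)
        if e["action"] != "read":
            continue
        key = (e["actor"], e["target"])
        if e["outcome"] == "ok":
            seen_ok.add(key)
            successes[e["actor"]] += 1
        else:
            denials[e["actor"]] += 1
            if key in seen_ok:      # worked earlier, fails now: worth a look
                newly_inaccessible.append(e["target"])
    only_denied = sorted(u for u in denials if successes[u] == 0)
    return {"newly_inaccessible": newly_inaccessible,
            "credential_changes": cred_changes,
            "only_denied": only_denied}
```

Each flagged item is a lead for a human analyst, not a verdict: a backup service account resetting a user's password may be routine in one environment and a clear anomaly in another.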
Locate and identify all endpoint and network assets. Use a network architecture diagram to help you understand the interconnectivity and communications between each point.
You should already be monitoring TCP and UDP ports, including those used by SMTP, HTTP, and FTP, with network monitoring and threat analysis tools.
Mobilizing A Threat Response
Once you realize you are indeed the victim of a cybercrime in progress, what do you do?
Your internal team, no matter how well-funded and prepared it is, is responding to an unknown entity that might be a single individual on a lark or an organized group with a financial motive.
It’s time to isolate the compromised network, filter, block, and reroute traffic. Disable all remote access and change all passwords immediately. In most cases, that’s all you can do and might not even be enough. Remember, the only safe system is one that’s disconnected from the internet.
Recovering From A Cyber Attack
At this stage, the attackers have taken what they can and left or simply ran from the crime scene when they noticed your response.
Contact your local police immediately and ask to speak to their cybercrime division. Your taxes pay for their resources, and those resources can only add to your firepower at this point in time.
Your automated endpoint response systems should already be helping you locate infected files and malware.
Restore modified and erased files, and isolate and disconnect sensitive databases while gathering as much information as possible. Update your firewall rules, deploy all your security measures, and summon forensic experts. Whatever holes and vulnerabilities have been freshly revealed or created must be plugged and made whole again.
This is the time when the evidence left behind is freshest. Work through your IT infrastructure to identify and locate the source and cause of the attack. Mobilize IT consultancy services and have them work on understanding the forensic details.
You will be required to consult your legal counsel, information security specialists, and senior management.
It’s time to interview the employees who first detected the breach and ask them questions while their memories are still fresh. You may have shareholders you are obligated to report to depending on your federal, state, and other compliance regulations.
One of the most painful and heartbreaking moments will be assessing data loss. The more data that is lost, the more your clients, everyday business, and bottom line will suffer. Restore as much data as possible from your secondary and tertiary backup sources. If both of these are compromised or never existed in the first place, alert your human resources department to the need for a new IT team.
Wrapping It Up
Moving forward, focus on creating a disaster recovery plan that your partners, customers, and senior management will appreciate. Anyone can be a victim of cybercrime. What differentiates us is how we respond and pick ourselves up after the fact.
Use anti-virus software, firewalls, and two-factor password protection, and regularly update your software and firmware.
- Endpoint Detection and Response (EDR)
- Cloud Access and Security Brokers (CASB)
- Managed Detection and Response (MDR)
Use security operation centers with high-quality alerts and low false positive rates to help your security teams focus on real threats.