A Weekend in Incident Response #23: Lengthy Cyber Attack Recovery Periods Lead to Creation of “Mean Blind Spots”, Increasing Risk of Future Attacks on Organizations, Study Shows

The greatest challenge for every organization that deals with cyber security threats is how to reduce its reaction time when responding to an incident and recover as soon as possible in order to minimize the consequences and contain the damage.

A new study that was recently published by the University of Portsmouth states that the fact that it takes a long time for organizations to recover from an incident makes them that much more vulnerable to future attacks soon thereafter. The study was conducted by researchers with the University of Portsmouth’s School of Computing, who have found that many organizations across different industries are faced with a serious issue threatening their cyber security, caused by long recovery times from cyber attacks and data breaches they had already suffered. The researchers call the recovery time between two cyber attacks increases an organization’s susceptibility to more attacks, dubbing that period “mean blind spot”.

After analyzing the VERIS Community Database – a dataset of cyber incident reports collected through various information sharing initiatives, researchers found that organizations often take days to recover from an attack, rather than hours, which increases the risk of getting breached between attacks. This suggests that reducing reaction times when responding to an incident can play an important role in preventing future cyber attacks.

Available Solutions for Reducing Reaction Times

The results of the University of Portsmouth’s study unequivocally point to the need for organizations to adopt a solution that would allow them to recover from cyber attacks much faster than today’s current speeds. Considering that there are a lot of actions that should be taken simultaneously by cyber security teams after their organization is breached, as they try to resolve the incident, a solution that would take care of some of those actions for them would be of great help to them and would accelerate the recovery process.

There are various solutions that can provide this type of help, and automation-and-orchestration cyber incident response platforms are what cyber security professionals need in their efforts for resolving incidents quickly and effectively. Those types of platforms allow you to execute a previously devised incident response plan in the most effective manner and save precious time while working on recovery.

One capability that these platforms provide that can be crucial for the mitigation of the problem at hand, is the fact that they allow you to analyze and respond to incidents in real time. They can automatically perform time-consuming tasks such as analysis of the reasons and origin of an incident, allowing you to quickly figure out where an attack is originating from and understand the methods and channels that were used by the attackers. Through automated playbooks, an incident response platform helps cyber security teams to prioritize their response, providing them with the key risk indicators so that they will know the current status of an incident and react accordingly.

Also, these platforms have the capability to create automated incident reports, run predictive analysis, and collect digital evidence for forensics purposes, which reduces reaction times even further.

In summation, the “mean blind spot” issue pointed out by the University of Portsmouth study could be best addressed by organizations by employing an incident response platform that is capable of automating some of the key processes that are part of a typical incident response plan.

A Weekend in Incident Response #22: Addressing the Incident Mitigation Procedures Prescribed in the NIST Framework

The typical cyber security incident response process is carried out in several stages, and mitigation activities are a significant part of that process, as they are meant to help eradicate an incident and prevent it from expanding. The Cybersecurity Framework, published by the National Institute of Standard and Technology (NIST) back in 2014, offers a separate section on mitigation as part of the broader incident response effort, advising companies on the immediate steps they are supposed to take following a cyber security event.

The NIST Framework section dedicated on mitigation includes the following steps: contain, reduce impact, eradicate, document. Going through all these steps can be time-consuming and can waste a significant amount of a company’s resources, which is why companies need to consider implementing a software solution that can help their cyber security teams save valuable time while performing these tasks. Incident response platforms with automation-and-orchestration capabilities are the ideal solution for every organization that’s required to mitigate cyber security incidents fast and effectively.

Automated Playbooks for Specific Types of Incidents

By using a cyber incident response platform, companies can take advantage of its numerous features relating to mitigation, such as automated playbooks, workflows, evidence tracking for forensic analysis, and reporting, to name a few.These platforms provide a set of workflows that apply to all different scenarios involving various types of cyber security events, including malware attacks, phishing incidents, or data breaches. The workflows help a company’s cyber security team analyse exactly what action to take depending on the type of attack. For instance, if your company faces a phishing attack, a workflow will guide your CSIRT through the containment process, with actions like checking the source-code of the phishing website and spreading the URL of the attack on all accessible web browsers.

These platforms provide a set of workflows that apply to all different scenarios involving various types of cyber security events, including malware attacks, phishing incidents, or data breaches. The workflows help a company’s cyber security team analyse exactly what action to take depending on the type of attack. For instance, if your company faces a phishing attack, a workflow will guide your CSIRT through the containment process, with actions like checking the source-code of the phishing website and spreading the URL of the attack on all accessible web browsers.When it comes to reducing the impact of an incident – related to a malware attack, for example – you can use an incident response platform’s playbooks to figure out how to configure servers and email clients to block emails providing suspicious files, after having identified them, or to block malicious code, and how to identify and isolate the host that has been recognized as a source of the infection.

Few Simple Steps to Eradicate and Document

As far as eradication is concerned, it’s also mostly associated with malware attacks, a highly effective solution is an automated incident response platform. It can help you identify all vulnerabilities and remove the malware fast from all affected hosts, while also allowing you to proceed to the final stage of the mitigation procedure – documentation of an incident. These types of platforms have the ability to preserve, secure and document digital evidence, to allow a proper forensic analysis that would help determine where the attack came from, how it was conducted, and how similar attacks can be prevented in the future.

A Weekend in Incident Response #21: How to Mitigate Cyber Security Risks in Health Care?

Health care institutions are facing an increasing risk of cyber attacks. There are a few reasons why organizations providing health-care services are under such a high cyber security risks, with the increase utilization of IoT devices singled out by security experts as the leading one over the last couple of years. The fact that many hospitals around the world keep adopting BYOD policies only raises the risk of cyber attacks in the health care sector.

Considering that there is more than enough statistics showing that the most common cyber attacks on health-care organizations include phishing incidents and malware attacks, it is safe to say that IoT devices and BYOD policies are exposing this sector to an ever higher and constant cyber security threat, requiring increased efforts for raising cyber security awareness among employees and implementing advanced incident response measures.

Developing an Effective Incident Response Plan

Incident response plans are one of the essential elements of any organization’s efforts for mitigating cyber security risks. Having a comprehensive and constantly updated incident response plan helps organizations be prepared for any type of cyber attack in case their cyber defense is breached, and odds for that to occur are extremely high at any given moment. While establishing an effective incident response plans, health-care organizations are advised to start by acquiring a cyber incident response platform that provides an automated and orchestrated response to all sorts of cyber attacks.

Health-care institutions could use such a platform to contain the damage and prevent the loss of confidential and sensitive patient data in the aftermath of a breach. A cyber incident response platform can provide them with automated playbooks that allow cyber incident response teams to react to different types of attacks quickly and effectively.

Phishing and Malware Incident Playbooks

There are platforms providing playbooks for phishing attacks and ransomware attacks, which health-care institutions are often facing. Those playbooks will tell cyber security teams exactly what to do when their information systems and computer networks are attacked through one of the above-mentioned methods. Playbooks help CSIRTs prepare their systems for potential phishing attacks, identify them as soon as they occur, contain the damage, and recover from any incident in a timely manner. When it comes to ransomware attacks, playbooks help you reduce the time it takes you to establish a precise diagnosis, identify the kind of malware and the infection target, and assess the range of infection. Also, they help you determine the level of impact of an attack, suggesting taking specific actions that are appropriate for any given level of impact.

With that in mind, automation and orchestration platforms with automated playbooks are one of the best solution for any health-care organization that is under a threat of getting attacked by cyber criminals.

A Weekend in Incident Response #20: New Regulations on Reporting Cyber Security Breaches for New York’s Financial Institutions

Faced with the growing threat of cyber attacks and the challenges involved in recovering from various cyber security events, New York state’s authorities have rolled out new cyber security regulations that apply to financial institutions operating within the state. New York’s Department of Financial Services (DFS) has issued the final Cybersecurity Requirements for Financial Services Companies, affecting “Covered Entities”, defined as “any Person operating under or required to operate under a license, registration, charter, certificate, permit, accreditation, or similar authorization under the Banking Law, the Insurance Law or the Financial Services Law”, establishing a set of standards that have to do with reporting cyber security breaches to regulators, in addition to implementing specific cyber security policies.

Cyber Security Programs and Incident Response Plans

The new regulation aims to protect New York’s banks and insurance providers against cyber attacks, along with protecting sensitive consumer data. To that end, the rules – that went into effect on March 1 – prescribe a wide-ranging set of requirements for financial services companies in terms of specific steps they are supposed to take to be better prepared for cyber security incidents and how and when they must notify authorities of cyber attacks on their computer systems and networks.

According to the regulations, financial services companies are required to create a cyber security program that is expected to protect their information systems against cyber attacks. A covered entity’s cyber security program should be focused on identifying internal and external cyber security risks, detecting cyber security events, responding to detected cyber security events, recovering from cyber security events, and complying with reporting obligations.

As far as cyber security policies are concerned, covered entities are required to implement them in order to be able to address systems and network security, information security, data governance, customer data privacy, risk assessment, and incident response, among other aspects of cyber security.

Reporting Incidents

When it comes to incident response plans, the new rules state that reporting cyber security  incidents to regulators must be a paramount part of those plans. Regulated entities are required to confirm they gathered documentation regarding cyber security events and report them to various government and supervisory bodies, as part of their previously devised incident response plans.

Compiling documentation in reference to cyber security events, creating appropriate reports, and notifying authorities can be a tedious task for any organisation’s CSIRT. Companies can face tough consequences if they don’t complete the documentation in a timely and proper manner. Companies often require the solution of a cyber incident response platform that can generate reports on cyber security incidents automatically and in various formats, and is also capable of tracking and collecting evidence, helping their cyber security teams compile the required documentation faster and effortlessly.

These types of platforms also can also help companies’ CSIRTs predict and detect cyber security breaches and respond as fast as possible, which is one of the main capabilities the new cyber security regulations require from covered entities.

A Weekend in Incident Response #19: Reporting Cyber Security Incidents Fast and Easy with Automated Playbooks

Many organizations often complain about having to abide by strict regulations regarding government notification of cyber security events, claiming that such mandates only put them under an extra strain, in terms of increased expenses and unnecessary burden on their employees.

But, given that the risk of cyber attacks for many government agencies and private organizations across the world continues to grow, all activities that have to do with cyber security obviously need to be intensified, and notifying authorities, is one of the key parts of those efforts. Detailed and timely government notifications of cyber security events often play a crucial role in preventing future incidents and improving and upgrading current incident response plans and programs.

Why Notifications Are Important

While it is true that government notification of a breach can be a time-consuming and complicated process, it is safe to say that – on top of overall cyber security efforts – it is also beneficial to companies in terms of protecting themselves from potential legal liabilities and substantial financial losses, along with unimaginable damage to their reputation.

Laws that mandate reporting cyber security incidents to governmental agencies and law enforcement vary from one country to another, but what they all have in common is the requirement to notify individuals whose sensitive information has been stolen or misused, or accessed in an unauthorized manner, in addition to notifying the authorities.

Save Time and Comply with Regulations Through Playbooks

One of the best ways to make sure your company complies with data breach notification laws is to update your cyber incident response program to include an automation and orchestration platform with dynamic reporting capabilities.

You can save a lot of valuable time by utilizing such a platform, considering that reporting cyber security events involves a complicated procedure and encompasses several different processes that can take up a lot of your time if you don’t use the proper tools to do it.

A platform with reporting capabilities can take care of all reporting requirements automatically and ensure that you don’t waste time on determining what information needs to be disclosed and how to notify law enforcement in a confidential manner, without risking accidentally sharing sensitive information with the public or with a party or individual that is not supposed to have access to it.

These types of platforms are able to quickly and reliably notify authorities and affected individuals of a data breach as soon as it occurs, through a variety of secure channels. They can create automated reports of any incident, containing information that describes the incident in detail, including what type of data has been accessed by an unauthorized person, and the amount of data that has been stolen, deleted, or compromised in any way.

By relying on a cyber incident response platform that features automated playbooks for breach notifications, your organization will always be prepared for the unwanted event of falling victim to a data breach and will avoid the risk of failing to comply with regulations that have to do with reporting cyber security events to law enforcement and affected organizations or individuals.