As today’s companies are increasingly tending to run their business on the basis of digital assets, information security has become an even more critical factor of the business model, as it protects the most essential asset: information.
We know that security is not a goal, but rather a process. As such, prevention and constant reinforcement of the outer edge of the corporate system are vital elements in the defense of assets in cyberspace.
But despite this, contingencies occur, and the risk of suffering a security breach must always be considered. So let’s look at what action we should take in the face of this type of scenario to overcome a situation in which the organization’s resources could be compromised.
Step 1: Determine the scope of the infection
Time and time again, companies that have been victims of infections assess the traces of the impact just by using their intuition, rather than by means of an analytical examination of the problem. Clearly, after detecting an infection at the company, reaction speed is extremely important. However, hurrying to make groundless appraisals can divert your attention away from the right actions to take.
If the necessary precautions have been taken, and there has consequently been an investment into the development of robust contingency management systems, it is possible to quickly gather the bits of evidence you need to answer some of the first key questions.
In this way, to be begin with it is necessary to establish which systems have been compromised and in what way. Is the infection limited to a single piece of equipment or subnetwork? Has any sensitive data leaked out? Are we talking about corporate data, or private data relating to employees and/or customers?
Step 2: Ensure continuity of service
In the case of a leak of information which might compromise employees or end users, the second step would be to give them a warning of the possible breach and advise them to watch out for any unusual movements they might notice regarding the data they have stored under your service.
If any physical equipment has been seriously compromised, you must set in motion any processes to activate backup resources, in order to maintain customer service. For this reason, it is critically important to plan your defense against attacks on availability, creating redundancy of equipment and connections. This, together with an action plan suitably defined at the level of the organization, will enable a rapid response to any events that lay siege to corporate security.
Step 3: Contain the infection
The containment of an infection begins with isolation of the equipment that you know has been compromised. Shutting down the segments of the network that include this equipment prevents the infection from continuing to spread throughout the corporate network, and interrupts any connection that may have been established with the attacker for the purpose of stealing information.
If the traffic generated by the malicious agent turns out to be encrypted, the analysts must try reverse-engineering it to obtain the cryptographic keys. However, if communication is taking place on non-confidential protocols like HTTP, it will be exponentially easier to track the commands used by the attacker.
Either way, studying these commands can lead the investigation to the discovery of new infected equipment, and the generation of traffic patterns should be translated into firewall rules, to quickly generate a first line of defense.
To achieve this, it is necessary to have correctly labeled traffic captures in order to speed up processing. Once again, it’s self-evident that proactive prevention and detection of threats are the cornerstone of information security and define a company’s capacity to respond in times of crisis.
Given that most of the procedures mentioned involve non-automated analysis of information, it is crucial to put in place a comprehensive corporate security solution in advance. This will make it possible to instantly deploy actions to block any harm that a malicious agent might attempt to inflict after penetrating your defenses.
The latest generation of ESET corporate solutions was developed to be a key factor in the containment process, thereby preventing the spread of infectious components through the company’s different transaction systems.
Step 4: Mitigate the infection and eliminate the line of attack
Removal of the malicious part is a complex procedure which initially involves a detailed analysis of the code in order to understand how it works. Antivirus solutions support this type of activity by enabling automatic disinfection and saving valuable time in the process of responding.
It is essential to understand that if the attackers are not completely eradicated from the network, they can resume their fraudulent activity on the infected equipment through another line of attack. Because of this, it is of vital importance to isolate the flaw that allowed them to enter in the first place, and then remove it from the system.
Even after equipment identified as compromised has been cleaned, there remains a risk that other undiscovered infected equipment is still in operation. To prevent this from occurring, we need to reinforce the analysis of the packets transmitted by the network, as we now have the advantage of knowing the communication protocols and commands used thanks to the previous analysis of the infection.
Together with a review of the firewall rules, changing the passwords on corporate networks is another preventive measure to take after detecting compromised resources, as this is one of the favored goals in corporate attacks. While the process of updating keys may take time and effort, it will prevent the attackers from using any stolen information to disguise themselves as a legitimate user.
At this point, it is worth establishing whether the infection was the simple result of carelessness online, or whether it constitutes a successful link in a chain of persistent targeted attacks.
If it is established that the infection was specifically targeting the organization, the real question to answer will be who lies behind these events, bearing in mind that another attack could be imminent.
Step 5: Learn from any errors
Carrying out an in-depth investigation into what happened will give cause for improving the processes within the organization. The removal of any vulnerabilities whose existence was previously unknown provides an opportunity to reinforce the perimeter of the corporate networks by identifying any other potential points of access to the system that had not previously been considered as falling within the scope of lines of attack.
Infections are always absolutely negative events for a company; however, they offer opportunities to learn. They show which elements of the system’s design need to be strengthened and they allow you to discover the flaws in the current defense measures.
Author Denise Giusto Bilić, ESET