Many organisations’ response to a breach or cyberattack is the only time they truly pay attention to the controls and plans which should have been in place…
Recent news stories about cyber breaches resulting from vulnerabilities, such as those exploited in the MOVEit file transfer attack, have led to a scramble to respond and recover, but many people are not aware of the work involved in such a recovery.
For the purposes of this illustration, we will focus on the specific threat realised by the MOVEit revelations, although many of the following details apply equally in other ransomware or breach scenarios.
What was the breach?
MOVEit is a Managed File Transfer (MFT) solution, trusted to securely consolidate and transmit data between IT systems. Organisations rely on MFT for critical business processes such as payroll, purchasing, payments and tax, among others.
Because of the nature of the information handled within MFT solutions, they present a lucrative target for criminals and other malicious actors: the information can be leaked, and the organisation extorted to prevent the unauthorised disclosure of the victim’s data. That is what happened in this case, where a previously unknown vulnerability in the systems was exploited to exfiltrate data and threaten its disclosure.
So, what does the response to these breaches look like? Often, unfortunately, the response can best be described as PANIC!
There are several workstreams which kick into action quickly and in parallel, and which should be detailed within incident response plans:
1- Breach identification and containment
The IT teams within the organisation will work to identify the nature of the breach, what data may have been exposed and the mechanisms used by attackers to gain access.
IT teams will also look to close vulnerabilities, which can often involve changes being made without regard to the usual change control procedures, such as emergency patching of systems.
The IT team will also feed the communications team the nature and extent of the information exposed, such as the number of people impacted, whether it is customer or employee information, and other details which must be included in breach notifications.
Often, incident response plans are found to be lacking in terms of assigning ownership and accountability for activities within the IT workstreams. This is especially prevalent in heavily outsourced environments, where considerable effort can be expended in avoiding blame rather than focusing on response – sad but true.
2- Reporting and communication
Based on the nature of the information which has been compromised, a number of reporting and communication workstreams must invoke their IR plans. In the case of personal data within the EU, GDPR requires that the Information Commissioner’s Office is notified within 72 hours.
In addition, impacted individuals whose personal data may have been leaked may need to be informed, so external communications will be drafted. Failure to notify can result in hefty fines and a further loss of confidence.
Finally, internal reporting to senior leadership will be prepared so that the executives are aware of the enterprise impacts. This feeds into financial analysis to determine the cost to the business in terms of reputational damage, service recovery and associated costs, and risk planning will be invoked to address these elements.
3- Recovery and Response
IT and functional business teams, having determined the impact and nature of the breach, will work to recover any impacted data, plug any gaps in defenses and update incident response plans. In the case of criminal exploitation such as this, these plans will include patching, backup and recovery, and business continuity contingencies.
The costs of the response will be calculated to feed into planning, and this information will be communicated to the executive committees to update budget allocations for improvements to defenses.
4- Updating cyberdefenses
These types of breaches often highlight elements of an organisation’s layered cyberdefense which should be improved, whether technical or process-based in nature. Unfortunately, nothing drives investment in defense like being the victim of an attack.
Often contracts will be reviewed and more attention will be paid to solutions such as Data Loss Prevention and vulnerability management programmes. In addition, third-party risk management will be a key area of focus for improvements, ensuring supply chains for software and services meet updated standards for cyberdefense.
Executive and Legal (playing the “blame game”?)
In addition to these workstreams, in the case of ransomware attacks there will be a large volume of executive and legal involvement, including invoking cyber insurance policies, exploring payments and assessing damages to the organisation, as well as the enterprise response to the breach.
Incident response plans, having been tested in a real scenario, will now be updated to better reflect the activities which must be conducted and to avoid panic responses, with clearer ownership and accountability assigned.
These processes can be far-reaching in their consequences, and accountability will be assigned following the event, especially if the nature of the breach causes significant loss to the organisation.
Lock the stable door…
…Even though the horse may have bolted, we often see increased investment in protections.
First, try to prevent the breach; but no matter how effective your vulnerability management programme may be, a zero-day flaw, or an attack which chains a string of vulnerabilities, may still result in a loss of data such as this. How well your organisation can respond depends on the effectiveness of the incident response plans you have in place.
Making response more stable
Make sure you have clear accountability and that everyone with duties in the response plan knows their activities, lines of reporting and task priorities. Ensure that change control planning is incorporated to minimise unwanted disruption from emergency changes, and have regression plans in place in case an emergency change causes an issue.
Work to improve your detection capabilities so that any breach can be identified and response plans invoked in a more timely fashion and, most importantly, test your response plans before you need them.
If you would like to understand more about defending, identifying or responding to breaches, please reach out to us at firstname.lastname@example.org