It is so likely that you will get hacked at some point, that you will probably be better off just by assuming that “I will be hacked”. With this as a starting point, how do you plan to minimize the damage to your business? Big companies have dedicated incident response teams and advanced technologies – but how can smaller companies deal with the threats from cyber incidents?
Cybersecurity is not only about prevention. Prevention would be ideal, but it is not realistic in the long run because the bad guys only need one single vulnerability for their evil plot to work. They may not even be targeting you; cybercriminals are casting a wide net to see who they can capture. Usually the goal is some form of fraud, or to steal personal or sensitive data that they can sell on the dark web. So, if you cannot rely on avoiding all incidents, how should you proceed?
First, make sure you follow good cyber hygiene to make the general risk level reasonable.
- Use a firewall. Most operating systems come with a software firewall by default. Deny incoming connections from the internet to your computer and phone.
- Choose the most secure settings on your devices and in your apps. Use strong passwords and turn on two-factor authentication where possible.
- Limit access to systems and data to the necessary minimum. The less privileges a user has, the less problematic it will be if that account is compromised. The fewer people who has access to a system, the lower the risk of a compromise.
- Protect yourself from viruses and malware. Keep your software up to date and use antivirus. Only install software from trusted sources.
- Patch software quickly, install security fixes as soon as possible. Turn on automatic updates when you can. Never use software after it is no longer supported by the vendor.
- Awareness: make sure all users are trained to know how to use technology and to be careful to avoid being tricked by phishing and other social engineering scams.
Now, start with risk. Risk is the combination of consequences of events and the uncertainty associated with that event occurring. Creating a risk model can be a big and complex undertaking, but it can also be a relatively straight-forward process. For most companies a scenario-based approach will work well to define the key scenarios that will shape your incident response needs. A typical process would look as follows.
- Create a list of your most important data and systems and evaluate what would happen if an adversary got control over those in terms of confidentiality loss, integrity loss or simply that the asset becomes unavailable – for example if a laptop is stolen. Rank the severity of the worst-case outcomes.
- Go through scenarios that could happen using a list of common attack patterns. Estimate how likely each scenario would be.
- Plan security controls to reduce the risk, see if there are additional things to do beyond the baseline controls. Assign tasks to people to make sure they are implemented.
- Create an emergency plan for responding to incidents based on the expected outcomes.
So, the risk assessment is your first step. You should focus on risk reduction before you plan incident response, so you can prioritize in a good way and make it less likely that you will get hacked. Then it is time to deal with “residual risk” – the risk that remains after introducing risk controls. There are 2 main things one should focus on in practice:
- Get insurance. Most basic business insurance policies do not cover costs related to hacking, so ask for a quote on cyber insurance too.
- Plan how you will respond to attacks getting through the cybersecurity net.
Planning to defend yourself
Now it is time to plan your incident response process. If you are like most smaller companies, you don’t have a dedicated incident response team – so following the typical guidance found in cybersecurity publications can be hard, or even impossible to do. Most frameworks and academic literature are focusing on big enterprises. You can still learn from that body of knowledge but adapt the strategies to the available resources you have. A typical incident response process will have 6 stages:
- Preparation: plan what you need to have in place in order to detect and respond.
- Detection and analysis: set up metrics and things to check to verify if the incident is real.
- Containment: have a plan to avoid the problem from spreading. This may include communicating with stakeholders – internal and external – to minimize consequences.
- Eradication: removing the problem. Typically formatting drives, deleting compromised data.
- Recovery: reinstalling systems, updating software, recovering from backups.
- Lessons learned: a quick report on what happned, why, how it can be avoided in the future.
When creating your incident response plan, it is a good idea to keep the following 5 best practices in mind.
- Focus on preparation for the most likely events with serious business impact first, then deal with unlikely but catastrophic events. Use the risk assessment as input to this process. Think about who will be affected by the incident.
- Write down how you can detect that an incident is happening using alerts or user reports for each of the key scenarios.
- Create a “playbook” for what you want to do when a certain type of attack happens. The playbook should contain the required steps to take through each of the 4 middle incident response stages (preparation and lessons learned can be general and not repeated for each scenario)
- Decide who is responsible for doing what and give each person time to get to know his or her role in incident response. If you have access to external help for example from consultants, work with them on roles and the response plan.
- Conduct “fire drills” as part of your corporate governance for cybersecurity incidents the same way you would do for fires. Such drills should be done at least once every year.
The boutique accounting firm that got hacked
Let us consider an example. Say you are the manager of a small accounting firm with 5 employees. The company is using cloud-based email and a cloud-based accounting system. Both of these systems are password protected but they do not have two-factor authentication. The accounting software contains customer data that is very important to keep confidential for most of your customers. Based on the risk assessment you have found that your biggest risk is:
Accounting software being hacked, and industrial spies are getting access to client data. The primary target is your customer, not your company.
There are several ways this could happen according to the risk assessment:
- A hacker steals username and password through phishing
- The login process of the application has vulnerabilities that hackers can exploit
- A hacker takes control over an employee’s computer using malware
As phishing is the most common attack method used by hackers, let us start planning our incident response for this case. The attack would then have multiple phases as follows.
- Reconnaissance: the hacker works to identify targets and their email addresses. They want to know what each person works on, what they are interested in, and who has access to what in the company. They use company web pages, LinkedIn, look for online activity on relevant forums, etc. to get the background on each potential target. They may contact employees under a false pretext to build trust or extract further information.
- Attack planning: they plan how to trick employees to give up their password and username for the accounting application. The attackers decide that they will copy the login page and put it on their own server. They buy a domain to give the fake app a URL (internet address) that looks similar to the real one. If the real app has the URL quickaccounts.com, perhaps the hackers set up another domain as quickaccomts.com, something that is known as a typosquatting attack.
- Payload delivery: a phishing email with a pretext to click a link to go to a page and log in is shown. Having researched the organization, they have identified that John Clark is the CEO, and is them pretending to send an email from John Clark to the other employees asking them to log in and check something in the accounting system. Sending this email from their new typosquatting domain as email@example.com would probably not lead to everyone detecting the fake email.
- Exploitation. The victim clicks a link and is taken to the fake login portal. Logs in with username and password, that the hackers then store in their system. The victim is then redirected to the real login page and will most likely thing that they must have mistyped their password or something.
- Actions on target: log in with the captured credential. Target compromised.
Let us plan potential incident response actions for each phase in the table below. When doing this we will probably get ideas for further risk reduction we could do to reduce the need for incident response. That can be added back to the risk assessment in this case; risk management is often iterative.
|Reconnaissance||Attack planning||Payload delivery||Exploitation||Actions on target|
|Detect and analyze||Report strange requests||Get warnings from threat intelligence sharing||User report on suspicious email. Spam filter signals.||User detects unusual behavior and reports it||Review logs to detect actions Alerts on unusual logins|
|Contain||Warn colleagues||Actively block emails Warn colleagues||Reset passwords||Revoke access Reset passwords|
|Eradicate||Block access to malicious domain if known||Delete emails form user inbox||Force sessions to end||Force sessions to end|
|Recover||Reestablish changed data from backup|
We have not included the phases “Preparation” and “Lessons learned” in the table above. Preparation is about what we need to do to make the incident response process work. We see that human intervention is necessary even for detection here, we are to some degree relying on user reports. This means one step of preparation for incident response would be to train users on recognizing unusual behaviors indicating reconnaissance or to detect phishing attacks. This should go into the cybersecurity awareness training, an essential part of cyber hygiene.
Getting warnings from threat intelligence feeds and vendor warnings means we need to set this up. This may or may not be a priority. At this point, we don’t have the capacity to automatically ingest threat intelligence feeds from security vendors, nor do we have budget for it, but we can read emails from the accounting software vendor, and they do warn users about known risks. If other customers of their cloud-based accounting software are being hacked, they would probably send out a warning, so another part of the incident response plan would be to sign up for emails from that vendor (newsletters, security bulletins) and to follow them on social media.
Reviewing logs is a key part of detecting unusual behavior in the app. In a big organization there would be automation in place for this and a dedicated team. If there is budget for it and the risk is seen as high enough, it could be useful to buy access to security monitoring from an external security vendor. If not, we may have to rely on creating some alerts on unusual behaviors. For example, if people normally work at some time between 7:00 in the morning and 17:00 in the afternoon, it could be possible to set up the software to send an email or sms alert on logins outside of that time interval. Many cloud software solutions will also send email alerts when there is a login from an unknown IP address, or from a computer or browser that has not been used before.
Let’s say the software will send out emails to the account owner when there are unusual logins. If this is going to help, someone must react to that email. The company can make a procedure that everyone is trained in.
- Set up your phone to show a push notification for emails of this type
- Automatically forward emails of this type to the CEO using an email rule.
- When you notice an email like this, immediately log in to the application and change your password. Log out from all places you are logged in if possible.
A natural risk mitigation tactic would be to add more layers of security than just a password to log into the user accounts. Most cloud-based software today will for example offer two-factor authentication.
After going through the actions like this, a playbook can be designed that is possible to work with even for that small team. When the playbook is in place, part of awareness training should be to go through a simulated response exercise.
|Signal detected||Action to take||Who is responsible|
|Strange requests about work and the software we use on social media||Block the stranger asking Warn colleagues by sending an email||The person receiving the requests|
|Phishing email discovered||Warn colleagues Report domain to registrar by sending a complaint Block sender in spam filter||The person receiving the requests to warn colleagues Other measures to be taken by IT person if available.|
|Alert on unusual login||Log in and change password Log out from all logged in instances||The person who owns the account|
Lessons learned: after an incident response process has been run, discuss briefly how this could have been improved, if something didn’t work, and share that knowledge. Update risk assessments, controls and playbooks accordingly.